Professional Documents
Culture Documents
Week 1 Lecture
Week 1 Lecture
Week 1 Lecture
Whenlookingatsecurityobjectiveswemustidentifythedatawhichmustbe
protectedandwhyitmustbeprotected.Securityobjectivesneedtoidentifyany
potentialapplicationdesignproblems.Inthesecurityprocessanorganizationmust
definethesecurityobjectivesandlocatethesecurityholeswithinanapplication.
Duringthesecurityplanningprocesstheorganizationwilldevelopsecuritypolicies.
Ithasbeensaidyoursecurityisasstrongastheweakestlink.Whenlookingat
securitywemustconsiderallthecomponentsinvolvednotjustthedatabase.The
componentsofaninformationsystemincludedata,procedures,hardware,software,
networkandpeople.ThesesystemscanbebrokendownintotheTransaction
ProcessingSystems(TPSs),DecisionSupportSystems(DSSs),orExpertSystems
(ESs).
Securityinlayersprovidesanoverallbenefit.Itisimportanttodesignyoursystem
withmultiplelayersofsecuritywhereverpossible,sothattheremovalofonelayer
bycompromiseormisconfigurationdoesnotexposetheentiresystem.Duringour
coursewewilllookatthevariouscomponentswithsecuritymethodstooffer
protectionatvariouslayers.
TheDatabaseManagementSystem
Thedatabasemanagementsystem(DBMS)isacollectionofprogramsthatmanage
database.TheDBMSmustprovidefortheorganizationofthedata,storeand
retrievedataefficientlymanipulatedata(updateanddelete)enforcereferential
integrityandconsistencyenforceandimplementdatasecuritypoliciesand
proceduresandbackup,recoverandrestoredata.
TherequiredcomponentsofaDBMSinordertocompletethesefunctions
includesthedata,hardware,software,networks,proceduresandthe
databaseusers.
SecurityFunctions
Securityfunctionscanbestrategic,tacticaloroperational.Securityfunctionsare
implementedintermsoftechnology,processesandpeople.Securityfunctions
shouldbedocumentedwithaccountabilityagainstorganizationalroles.
Accountabilityforsecurityfunctionsmaybeconcentratedinasinglesecurity
group,orallocatedtootherareasthathavecommonobjectives.Forexample,the
accountabilityforbusinesscontinuitymaybeallocatedtoanoperationalsupport
group.Asecuritystrategicplanshouldincludeobjectivesforallsecurityfunctions
regardlessofwheretheyareplacedwithintheorganization
CIA:Confidentiality,Integrity,Availability
Confidentialityaddressesthepreventionofunauthorizedaccessandinformation
disclosurebasedonclassification,Integrityprovidesconsistentandvaliddata
yieldstoaccurateinformation.Thismeanstheinformationisaccurateandithasnot
beentamperedwithintentionallyorunintentionally.Availabilitymeansmaking
surethatasystemmustalwaysbeaccessibletoauthorizedusersandthatitshould
determinewhatuserscandowiththeinformation.
DataBreachesandHowtoPreventThem
Weoftenthinkofthebreachtargetbeingthesensitivecustomerorindividualdata.
Thedatamightincludethecompanysdigitalcurrency,proprietaryfinancial
information,andintellectualproperty.Wecanbreakdowndataintopersonally
identifiableinformation(PII),protectedhealthinformation(PHI)andproprietary
informationandintellectualproperty
Authenticationisthetechniqueusedtoproveauseriswhohesaysheis.
Authorizationenforcementdetermineswhetherthesystemshouldalloworprevent
usersfromperformingspecificactionsoraccessingspecificdata.Accesscontrol
determineswhogetsaccesstowhat.Databasesecuritycontrolsenforceaccess
betweenuseranddata.Theenforcementcontrolsaresupposedtoalignwiththe
authorizations.Auditingcapturesactionsuccessesandfailuresforaccountability
purposes.
SecurityMethodology
Securitymethodologycanbebrokendownintothesesteps:
1. Identification
2. Assessment
3. Design
4. Implementation
5. Evaluation
6. Auditing
Securitypolicycomponentsinclude:
1. Policiesandprocedures
2. Securitypersonnelandadministrators
3. Detectionequipment
4. Securityprograms
5. Monitoringequipment
6. Monitoringapplications
7. Auditingproceduresandtools
Wewilldiscussthesecuritymethodologiesandcomponentsinvolvedindatabase
securityasweprogressthroughthecourse.