Database Security
Prepared by: Birju Tank
GTU PG School, BISAG, Gandhinagar
Email: birjutank27@gmail.com
GTU PG SCHOOL 1
What is Database Security?
Database
It is a collection of information stored in a computer.
Security
It is being free from danger.
Database Security
It is the mechanism that protects the database against intentional or
accidental threats.
Or
Protection from malicious attempts to steal (view) or modify data.
Security risks to a database include
• Bank Accounts
What are Threats?
• Computer System
• Databases
Threats
Hardware:
• Fire/Flood/Bomb
• Data corruption due to power loss
DBMS & Application s/w:
• Failure of security mechanism giving greater access
• Theft of program
Communication Networks:
• Wire tapping
• Breaking or disconnection of cables
Database:
• Unauthorized access or copying of data
• Data corruption
Definition of Database Security
Database security is defined as the process by which “Confidentiality, integrity, and
Availability” of the database can be protected.
Countermeasures
• Authorization
• Access Control
• Views
• Backup and Recovery
• Encryption
• RAID Technology
Database Security Concepts
Three main aspects :
• Confidentiality
• Integrity
• Availability
Threats to database :
• Loss of Integrity
• Loss of Availability
• Loss of Confidentiality
Confidentiality
• No one can read our data / communication unless we want them to
• It is protecting the database from unauthorized users.
• Ensures that users are allowed to do the things they are trying to do.
• For example :
• The employees should not see the salaries of their managers.
Integrity
• No one can manipulate our data / processing / communication unless we want them
to
• Protecting the database from authorized users
• Ensures that what users are trying to do is correct
• For example :
• An employee should be able to modify his or her own information
Availability
• We can access our data / conduct our processing / use our communication
capabilities when we want to
• Authorized users should be able to access data for legal purpose as necessary
• For example
• Payment orders regarding taxes should be made on time by the tax law
Relationship between Confidentiality,
Integrity and Availability
[Figure: Confidentiality, Integrity and Availability around "Data Secure"]
Methods for securing the Database
• Authorization – privileges, views.
• Authentication – passwords
Security of the database through FIREWALLS
• A FIREWALL is dedicated software on another computer which inspects network
traffic passing through it and denies or permits passage based on a set of rules.
• Basically, it is a piece of software that monitors all traffic that goes from your system
to another via the internet or network, and vice versa.
• Database FIREWALLS are a type of Web Application Firewall that monitors databases
to identify and protect against database-specific attacks, which mostly seek to access
sensitive information stored in the database.
How a database FIREWALL works
• Database firewalls include a set of pre-defined, customizable security audit
policies, and they can identify database attacks based on threat patterns called
signatures.
• The SQL input statements (or queries) are compared to these signatures, which are
updated frequently by the vendors to identify known attacks on the databases.
• Database firewalls build (or come with) a white list of approved SQL commands (or
statements) that are safe.
• All input commands are compared with this white list, and only those that are
already present in the white list are sent to the database.
Advantages of using FIREWALLS
• Database firewalls maintain a black list of specific and potentially harmful
commands (or SQL statements) and do not allow this type of input.
• Database firewalls monitor database responses (from the db server) to block
potential data leakage.
• Database firewalls notify on suspicious activity, instead of blocking it right
away.
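The white list, signature and notify-instead-of-block behaviour described in the two firewall slides above can be sketched as follows. This is an added example, not part of the original slides or any vendor's product; the signature set, the `DatabaseFirewall` class and the sample accounts queries are constructed for illustration.

```python
import re

# Constructed signatures for this example; real products ship vendor-maintained sets.
SIGNATURES = {
    "tautology": re.compile(r"\bor\s+\?\s*=\s*\?"),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "stacked-statement": re.compile(r";\s*\S"),
}

def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', case and spacing collapse."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)       # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)       # numeric literals
    return re.sub(r"\s+", " ", s).strip().rstrip("; ").lower()

class DatabaseFirewall:
    def __init__(self, approved, blocking=True):
        self.allowlist = {fingerprint(q) for q in approved}
        self.blocking = blocking      # False = monitor mode: notify, do not block
        self.alerts = []              # (reason, original statement)

    def inspect(self, sql: str) -> str:
        shape = fingerprint(sql)
        hits = [name for name, rx in SIGNATURES.items() if rx.search(shape)]
        if hits:
            reason = "signature:" + ",".join(hits)
        elif shape not in self.allowlist:
            reason = "not-allowlisted"
        else:
            return "forward"
        self.alerts.append((reason, sql))
        return "block" if self.blocking else "forward-with-alert"

# Constructed sample traffic for a hypothetical accounts application.
APPROVED = ["SELECT name, balance FROM accounts WHERE id = 42",
            "UPDATE accounts SET balance = 10.50 WHERE id = 42"]

if __name__ == "__main__":
    fw = DatabaseFirewall(APPROVED)
    for q in ["select name, balance from accounts where id = 7;",
              "SELECT name, balance FROM accounts WHERE id = 7 OR 1=1",
              "SELECT * FROM accounts"]:
        print(fw.inspect(q), "|", q)
    print(fw.alerts)
```

Comparing statement shapes rather than raw text is what lets one approved query cover every literal value the application sends.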
How data encryption works
• Data encryption is a key-based access control system. Even if the encrypted data is
received, it cannot be understood until authorized decryption occurs, which is
automatic for users authorized to access the tables.
• When a table contains encrypted columns, a single key is used regardless of the
number of encrypted columns. This key is called the column encryption key.
• The column encryption keys for all tables containing encrypted columns are
encrypted with the database server master encryption key and stored in a dictionary
table in the database.
• The master encryption key is stored in an external security module that is outside the
database and accessible only to the security administrator.
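The two-level key hierarchy above (one column encryption key per table, wrapped by a master key held outside the database) can be modelled as below. This is an added example, not code from the slides or from any DBMS; `SecurityModule`, `Database` and the sample rows are hypothetical, and the cipher is an unauthenticated HMAC-SHA256 keystream used as a stand-in for AES so the block runs with the standard library only.

```python
import hashlib, hmac, secrets

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 keystream, unauthenticated); a DBMS would use AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key: bytes, plain: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _xor_stream(key, nonce, plain)

def unseal(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])

class SecurityModule:
    """Hypothetical external module: the only place the master key exists."""
    def __init__(self):
        self._master = secrets.token_bytes(32)
    def wrap(self, column_key):
        return seal(self._master, column_key)
    def unwrap(self, wrapped):
        return unseal(self._master, wrapped)
    def rotate(self, key_dictionary):
        """New master key: re-wrap the column keys only, table data stays as stored."""
        plain = {t: self.unwrap(w) for t, w in key_dictionary.items()}
        self._master = secrets.token_bytes(32)
        key_dictionary.update({t: self.wrap(k) for t, k in plain.items()})

class Database:
    def __init__(self, module):
        self.module, self.key_dictionary, self.enc_cols, self.rows = module, {}, {}, {}

    def create_table(self, table, encrypted_columns):
        # One column encryption key per table, however many columns are encrypted.
        self.key_dictionary[table] = self.module.wrap(secrets.token_bytes(32))
        self.enc_cols[table], self.rows[table] = set(encrypted_columns), []

    def _convert(self, table, row, fn):
        key = self.module.unwrap(self.key_dictionary[table])
        return {c: fn(key, v) if c in self.enc_cols[table] else v for c, v in row.items()}

    def insert(self, table, row):
        self.rows[table].append(self._convert(table, row, lambda k, v: seal(k, v.encode())))

    def select(self, table):   # transparent decryption for an authorized session
        return [self._convert(table, r, lambda k, v: unseal(k, v).decode()) for r in self.rows[table]]
```

A stolen copy of `rows` and `key_dictionary` is unreadable without the module, and `rotate` replaces the master key without touching any stored row.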
Advantages of Data Encryption
• As a security administrator, one can be sure that sensitive data is safe in case the storage
media or data file gets stolen.
• You do not need to create triggers or views to decrypt data. Data from tables is
decrypted for the database user.
• Database users need not be aware of the fact that the data they are accessing is
stored in encrypted form. Data is transparently decrypted for the database users and
does not require an action on their part.
Authorization
• Read Authorization – allows reading, but not modification of data
• Insert authorization – allows insertion of new data, but not modification of existing
data
Security Controls
• Types of database security controls
1. Flow Control
2. Inference Control
3. Access Control
Flow Control
• Flow control regulates the distribution (flow) of information among accessible
objects.
• A flow between object X and object Y occurs when a statement reads values from X
and writes into Y.
Inference Control
• Inference control aims at protecting data from indirect detection.
• Information inference occurs when a set X of data items to be read by a user can be
used to get the set Y of data.
• An inference channel is a channel where users can find an item X and then use X to
get Y as Y = f(X).
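An aggregate is a simple inference channel: if X is an average over a query set of one row, Y (that person's value) equals X. The added example below, which is not from the original slides, applies one common inference control, query-set-size restriction, to a statistical interface; the `staff` table, its rows, the threshold `K` and the function names are constructed for illustration.

```python
import sqlite3

K = 2  # assumed minimum query-set size, chosen for this example

def make_db():
    """Constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (name TEXT, dept TEXT, grade TEXT, salary INTEGER)")
    db.executemany("INSERT INTO staff VALUES (?, ?, ?, ?)", [
        ("asha", "ops", "manager", 9000), ("ben", "ops", "engineer", 5000),
        ("chen", "ops", "engineer", 5200), ("dev", "ops", "engineer", 4800),
        ("eli", "hr", "engineer", 4500), ("fay", "hr", "engineer", 4700)])
    return db

def avg_salary(db, filters, guarded=True):
    """Statistical interface: AVG(salary) over staff matching column=value filters."""
    if not set(filters) <= {"dept", "grade"}:
        raise ValueError("filter column not permitted")
    where = " AND ".join(f"{col} = ?" for col in filters) or "1 = 1"
    size, avg = db.execute(
        f"SELECT COUNT(*), AVG(salary) FROM staff WHERE {where}",
        list(filters.values())).fetchone()
    total = db.execute("SELECT COUNT(*) FROM staff").fetchone()[0]
    # Refuse query sets that are too small, or whose complement is too small:
    # either one lets the aggregate stand in for an individual's value.
    if guarded and not (K <= size <= total - K):
        raise PermissionError(f"query set of {size} rows refused")
    return avg
```

Size restriction alone does not stop a user from combining several permitted aggregates, so it is normally paired with auditing of query overlap.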
Access Control
• Access controls in an information system are responsible for ensuring that all direct
accesses to the system objects occur based on models and rules fixed by protection
policies.
Conclusion
• The goal of database security is to protect your critical and confidential data from
unauthorized access.
• Each organization should have a data security policy, which is a set of high-level
guidelines determined by:
• User requirements.
• Environmental aspects.
• Internal regulations.
• Governmental laws.