
Database Security

Prepared by: Birju Tank
GTU PG School, BISAG, Gandhinagar
Email: birjutank27@gmail.com

GTU PG SCHOOL 1
What is Database Security.?
DataBase
It is a collection of information stored in computer

Security
It is being free from danger

Database Security
It is the set of mechanisms that protect the database against intentional or
accidental threats.
Or
Protection from malicious attempts to steal (view) or modify data.

Security risks to databases include data such as:

• Bank Accounts

• Credit card, salary, income tax data

• University Admissions, marks/grades

• Land records, licences

What are Threats?

Threats – Any situation or event, whether intentional or accidental, that may
adversely affect a system and consequently the organization.

• Computer System
• Databases

Threats
Hardware :
Fire/Flood/Bomb
Data corruption due to power loss

DBMS & Application s/w :
Failure of security mechanism giving greater access
Theft of program

Communication Networks :
Wire tapping
Breaking or disconnection of cables

Database :
Unauthorized access or copying of data
Data corruption

Definition of Database Security
Database security is defined as the process by which “Confidentiality, integrity, and
Availability” of the database can be protected.

Countermeasures
• Authorization
• Access Control
• Views
• Backup and Recovery
• Encryption
• RAID Technology

Database Security Concepts
Three main aspects :
• Confidentiality
• Integrity
• Availability

Threats to database :
• Loss of Integrity
• Loss of Availability
• Loss of Confidentiality

Confidentiality
• No one can read our data / communication unless we want them to
• It is protecting the database from unauthorized users.
• Ensures that users are allowed to do the things they are trying to do.
• For example :
• The employees should not see the salaries of their managers.

Integrity
• No one can manipulate our data / processing / communication unless we want them
to
• Protecting the database from authorized users
• Ensures that what users are trying to do is correct
• For example :
• An employee should be able to modify his or her own information

Availability
• We can access our data / conduct our processing / use our communication
capabilities when we want to
• Authorized users should be able to access data for legal purpose as necessary
• For example
• Tax payment orders must be made on time, as required by the tax law

Relationship between Confidentiality,
Integrity and Availability

[Figure: the CIA triad – Confidentiality, Integrity and Availability meeting at "Secure Data"]
Methods for securing the Database
• Authorization – privileges, views.

• Encryption – public key / private key, secure sockets.

• Authentication – passwords

• Logical – firewalls, net proxies.

Security of the database through
FIREWALLS
• A FIREWALL is dedicated software, often on a separate computer, which inspects network
traffic passing through it and denies or permits passage based on a set of rules.

• Basically it is a piece of software that monitors all traffic that goes from your system
to another via the internet or network, and vice versa.

• Database FIREWALLS are a type of Web Application Firewall that monitors databases
to identify and protect against database-specific attacks, which mostly seek to access
sensitive information stored in the database.

How database FIREWALL works
• The database firewall includes a set of pre-defined, customizable security audit
policies and can identify database attacks based on threat patterns called
signatures.

• The SQL input statements (or queries) are compared to these signatures, which are
updated frequently by the vendors to identify known attacks on databases.

• Database firewalls build (or come with) a white list of approved SQL commands (or
statements) that are known to be safe.

• All input commands are compared with this white list, and only those that are
already present in the white list are sent to the database.

Advantages of using FIREWALLS
• Database firewalls maintain a black list of specific, potentially harmful
commands (or SQL statements) and do not allow this type of input.

• Database firewalls identify database, operating system and protocol
vulnerabilities in the databases and notify the administrator, who can take steps
to patch them.

• Database firewalls monitor database responses (from the DB server) to block
potential data leakage.

• Database firewalls can notify on suspicious activity instead of blocking it right
away.
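
The allow-list and signature matching described on the two slides above, as an added example in Go; this is not code from the original slides or from any firewall product. The statement normalization, the three signatures, the sample statements and the table name emp are constructed for the example; a real database firewall sits on the wire protocol and carries vendor-maintained signature sets. The AlertOnly flag models the notify-instead-of-block mode mentioned under the advantages.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Verdict is the firewall's decision for one SQL statement.
type Verdict struct {
	Allowed bool
	Reason  string
}

// Signature is one threat pattern. Real products ship vendor-updated sets;
// the three in DefaultSignatures are constructed for this example.
type Signature struct {
	Name    string
	Pattern *regexp.Regexp
}

// DBFirewall combines a block list of signatures with an allow list of
// approved statement shapes. AlertOnly switches it from blocking to notifying.
type DBFirewall struct {
	allowList  map[string]bool
	signatures []Signature
	AlertOnly  bool
	Alerts     []string // what the administrator would be notified about
}

var (
	literalRe = regexp.MustCompile(`'[^']*'|\b\d+\b`)
	spaceRe   = regexp.MustCompile(`\s+`)
)

// Normalize reduces a statement to its shape: lower-case, single spaces,
// no trailing semicolon, every string/number literal replaced by "?".
// Two statements with the same shape compare equal on the allow list.
func Normalize(sql string) string {
	s := strings.TrimSpace(sql)
	s = strings.TrimSuffix(s, ";")
	s = literalRe.ReplaceAllString(s, "?")
	s = spaceRe.ReplaceAllString(s, " ")
	return strings.ToLower(strings.TrimSpace(s))
}

// NewDBFirewall builds the allow list from the application's known-good statements.
func NewDBFirewall(approved []string, sigs []Signature) *DBFirewall {
	fw := &DBFirewall{allowList: map[string]bool{}, signatures: sigs}
	for _, q := range approved {
		fw.allowList[Normalize(q)] = true
	}
	return fw
}

// Inspect checks signatures first (known attacks), then the allow list (unknown = denied).
func (fw *DBFirewall) Inspect(sql string) Verdict {
	shape := Normalize(sql)
	for _, sig := range fw.signatures {
		if sig.Pattern.MatchString(shape) {
			return fw.deny("matches signature "+sig.Name, sql)
		}
	}
	if fw.allowList[shape] {
		return Verdict{Allowed: true, Reason: "on allow list"}
	}
	return fw.deny("not on allow list", sql)
}

// deny records an alert and either blocks or, in AlertOnly mode, lets the statement pass.
func (fw *DBFirewall) deny(reason, sql string) Verdict {
	fw.Alerts = append(fw.Alerts, reason+": "+sql)
	if fw.AlertOnly {
		return Verdict{Allowed: true, Reason: "alert only: " + reason}
	}
	return Verdict{Allowed: false, Reason: reason}
}

// DefaultSignatures are constructed patterns evaluated over the normalized shape.
func DefaultSignatures() []Signature {
	return []Signature{
		{"tautology", regexp.MustCompile(`\bor\s+\?\s*=\s*\?`)},
		{"stacked-statement", regexp.MustCompile(`;\s*(drop|delete|update|insert|alter)\b`)},
		{"union-probe", regexp.MustCompile(`\bunion\s+(all\s+)?select\b`)},
	}
}

func main() {
	fw := NewDBFirewall([]string{
		"SELECT name, salary FROM emp WHERE id = 1",
		"UPDATE emp SET phone = 'x' WHERE id = 1",
	}, DefaultSignatures())
	for _, q := range []string{
		"SELECT name, salary FROM emp WHERE id = 42;",
		"SELECT name, salary FROM emp WHERE id = 42 OR 1=1",
		"DELETE FROM emp",
	} {
		fmt.Printf("%-55s -> %+v\n", q, fw.Inspect(q))
	}
}
```

Because the allow list is keyed on the normalized shape, the application's statements pass whatever their parameter values, while anything that changes the shape (an extra predicate, a second statement, an unknown command) is either matched by a signature or simply absent from the allow list. Flipping AlertOnly is how an administrator would run the firewall in monitoring mode first and review the Alerts before enforcing.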

How data encryption works
• Data encryption is a key-based access control system. Even if the encrypted data is
received, it cannot be understood until authorized decryption occurs, which is
automatic for users authorized to access the tables.

• When a table contains the encrypted columns, a single key is used regardless of the
number of encrypted columns. This key is called the column encryption key.

• The column encryption keys of all tables containing encrypted columns are
encrypted with the database server's master encryption key and stored in a dictionary
table in the database.

• The master encryption key is stored in an external security module that is outside the
database and accessible only to the security administrator.
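
The key hierarchy described above (one column encryption key per table, wrapped by a master key held in an external security module, with the wrapped keys kept in a dictionary table), as an added Go example that is not the slides' own code and not any vendor's implementation. The ExternalSecurityModule and Database types, the use of AES-256-GCM for both wrapping and cell encryption, and the sample table emp with columns salary and ssn are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// seal encrypts with AES-256-GCM; output is nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or tampered data fails authentication.
func open(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

func randomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// ExternalSecurityModule stands in for the wallet/HSM that holds the master
// key outside the database. The database never sees the master key; it only
// asks the module to wrap and unwrap column encryption keys.
type ExternalSecurityModule struct{ master []byte }

func NewExternalSecurityModule() (*ExternalSecurityModule, error) {
	k, err := randomKey()
	return &ExternalSecurityModule{master: k}, err
}

func (m *ExternalSecurityModule) Wrap(cek []byte) ([]byte, error) { return seal(m.master, cek) }
func (m *ExternalSecurityModule) Unwrap(w []byte) ([]byte, error) { return open(m.master, w) }

// Database keeps one wrapped column encryption key per table in its dictionary
// and the encrypted cells themselves (table -> column -> ciphertext).
type Database struct {
	esm        *ExternalSecurityModule
	dictionary map[string][]byte
	cells      map[string]map[string][]byte
}

func NewDatabase(esm *ExternalSecurityModule) *Database {
	return &Database{esm: esm, dictionary: map[string][]byte{}, cells: map[string]map[string][]byte{}}
}

// columnKey returns the table's CEK, creating and wrapping it on first use.
func (db *Database) columnKey(table string) ([]byte, error) {
	if wrapped, ok := db.dictionary[table]; ok {
		return db.esm.Unwrap(wrapped)
	}
	cek, err := randomKey()
	if err != nil {
		return nil, err
	}
	wrapped, err := db.esm.Wrap(cek)
	if err != nil {
		return nil, err
	}
	db.dictionary[table] = wrapped
	return cek, nil
}

// Insert stores a value in encrypted form; Select hands it back decrypted,
// so the user never handles keys (the "transparent" part of the slides).
func (db *Database) Insert(table, column, value string) error {
	cek, err := db.columnKey(table)
	if err != nil {
		return err
	}
	ct, err := seal(cek, []byte(value))
	if err != nil {
		return err
	}
	if db.cells[table] == nil {
		db.cells[table] = map[string][]byte{}
	}
	db.cells[table][column] = ct
	return nil
}

func (db *Database) Select(table, column string) (string, error) {
	ct, ok := db.cells[table][column]
	if !ok {
		return "", errors.New("no such cell")
	}
	cek, err := db.columnKey(table)
	if err != nil {
		return "", err
	}
	pt, err := open(cek, ct)
	return string(pt), err
}

// RawCell is what someone who steals the data file would see.
func (db *Database) RawCell(table, column string) []byte { return db.cells[table][column] }

// WrappedKeyCount shows one CEK per table, however many columns are encrypted.
func (db *Database) WrappedKeyCount() int { return len(db.dictionary) }

func main() {
	esm, err := NewExternalSecurityModule()
	if err != nil {
		panic(err)
	}
	db := NewDatabase(esm)
	if err := db.Insert("emp", "salary", "5000"); err != nil {
		panic(err)
	}
	v, _ := db.Select("emp", "salary")
	fmt.Printf("on disk: %x\nuser sees: %s\nkeys in dictionary: %d\n", db.RawCell("emp", "salary"), v, db.WrappedKeyCount())
}
```

The point the slides make is visible in the data flow: a stolen data file contains only RawCell bytes and wrapped keys, both useless without the module that holds the master key, while a user who calls Select sees plaintext without creating any view or trigger.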
Advantages of Data Encryption
• As a security administrator, one can be sure that sensitive data is safe in case the storage
media or data file gets stolen.

• You do not need to create triggers or views to decrypt data. Data from tables is
decrypted for the database user.

• Database users need not be aware of the fact that the data they are accessing is
stored in encrypted form. Data is transparently decrypted for the database users and
does not require an action on their part.

• Applications need not be modified to handle encrypted data. Data
encryption/decryption is managed by the database.

Authorization
• Read Authorization – allows reading, but not modification of data

• Insert authorization – allows insertion of new data, but not modification of existing
data

• Update authorization – allows modification, but not deletion of data

• Delete authorization – allows deletion of data.

Security Controls
• Types of database security controls:

1. Flow Control

2. Inference Control

3. Access Control

Flow Control
• Flow controls regulate the distribution (flow) of information among accessible
objects.

• A flow between object X and object Y occurs when a statement reads values from X
and writes into Y.

• Copying data from X to Y is the typical example of information flow.

Inference Control
• Inference control aims at protecting data from indirect disclosure.

• Information inference occurs when a set X of data items that a user is allowed to read can be
used to derive a set Y of data.

• An inference channel is a channel where users can find an item X and then use X to
get Y as Y = f(X).
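
An added Go example, not from the slides, of two classic inference controls for a statistical database that answers only aggregate queries: a query-set-size restriction (the query set must contain at least k rows and leave at least k rows out) and a set-difference check (a new query set must differ from every already-answered set by at least k rows), which is what stops SUM(X) minus SUM(X without one person) from yielding that person's value as Y = f(X). The StatDB type, the parameter k and the six salary rows are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Record is one row of a statistical database; the rows are constructed sample data.
type Record struct {
	Name   string
	Dept   string
	Salary int
}

var (
	ErrQuerySetSize = errors.New("query set too small or too close to the whole database")
	ErrInference    = errors.New("query set differs from an answered query by fewer than k rows")
)

// StatDB answers only aggregates and applies two controls with parameter K:
//  1. query-set-size: K <= |Q| <= N-K, so neither Q nor its complement isolates a few rows;
//  2. set-difference: a new Q must differ from every answered Q' by at least K rows,
//     otherwise SUM(Q) - SUM(Q') would reveal those few rows (Y = f(X)).
type StatDB struct {
	rows     []Record
	K        int
	answered [][]bool // membership vectors of the query sets already answered
}

func NewStatDB(rows []Record, k int) *StatDB { return &StatDB{rows: rows, K: k} }

// querySet evaluates the filter into a membership vector and its size.
func (db *StatDB) querySet(filter func(Record) bool) ([]bool, int) {
	set := make([]bool, len(db.rows))
	n := 0
	for i, r := range db.rows {
		if filter(r) {
			set[i] = true
			n++
		}
	}
	return set, n
}

// symDiff counts rows that are in exactly one of the two query sets.
func symDiff(a, b []bool) int {
	d := 0
	for i := range a {
		if a[i] != b[i] {
			d++
		}
	}
	return d
}

// SumSalary returns the salary total over the rows matching filter, or refuses.
func (db *StatDB) SumSalary(filter func(Record) bool) (int, error) {
	set, n := db.querySet(filter)
	if n < db.K || len(db.rows)-n < db.K {
		return 0, ErrQuerySetSize
	}
	for _, prev := range db.answered {
		if d := symDiff(set, prev); d != 0 && d < db.K {
			return 0, ErrInference
		}
	}
	db.answered = append(db.answered, set)
	total := 0
	for i, r := range db.rows {
		if set[i] {
			total += r.Salary
		}
	}
	return total, nil
}

// SampleRows is constructed data for the demonstration.
func SampleRows() []Record {
	return []Record{
		{"alice", "eng", 100}, {"bob", "eng", 120}, {"carol", "eng", 90},
		{"dave", "eng", 110}, {"erin", "hr", 80}, {"frank", "hr", 95},
	}
}

func main() {
	db := NewStatDB(SampleRows(), 2)
	eng := func(r Record) bool { return r.Dept == "eng" }
	engWithoutBob := func(r Record) bool { return r.Dept == "eng" && r.Name != "bob" }
	onlyBob := func(r Record) bool { return r.Name == "bob" }
	fmt.Println(db.SumSalary(eng))           // answered: the department total
	fmt.Println(db.SumSalary(engWithoutBob)) // refused: differs from the answered set by one row
	fmt.Println(db.SumSalary(onlyBob))       // refused: query set of size one
}
```

The first query is legitimate statistics; the second is the X from which a user could compute Y = f(X) by subtraction, and the set-difference rule refuses it because the two query sets differ by a single row. Repeating an identical query is still allowed, since it discloses nothing new.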

Access Control
• Access controls in an information system are responsible for ensuring that all direct
accesses to system objects occur based on models and rules fixed by protection
policies.

• An access control system includes :

• Subjects (users, processes)
• Who access objects (data, programs)
• Through operations (‘read’, ‘write’, ‘run’)
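
The four separate authorizations from the Authorization slide (read, insert, update, delete) and the subjects/objects/operations model above, combined in one added Go example that is not the slides' own code: an access matrix in which each operation is granted on its own, so that insert authorization does not imply update and update does not imply delete, plus a reference monitor that mediates and logs every direct access. The AccessMatrix and Monitor types and the sample subjects clerk, manager and payroll_job are assumptions constructed for the example.

```go
package main

import "fmt"

// Operation is one access mode a subject may hold on an object.
type Operation string

const (
	Read   Operation = "read"
	Insert Operation = "insert"
	Update Operation = "update"
	Delete Operation = "delete"
	Run    Operation = "run"
)

// AccessMatrix maps subject -> object -> granted operations.
// Anything absent from the matrix is denied (default deny).
type AccessMatrix map[string]map[string]map[Operation]bool

func NewAccessMatrix() AccessMatrix { return AccessMatrix{} }

// Grant adds operations for a subject on an object; each operation is independent.
func (m AccessMatrix) Grant(subject, object string, ops ...Operation) {
	if m[subject] == nil {
		m[subject] = map[string]map[Operation]bool{}
	}
	if m[subject][object] == nil {
		m[subject][object] = map[Operation]bool{}
	}
	for _, op := range ops {
		m[subject][object][op] = true
	}
}

// Revoke removes operations; deleting from a nil map is a no-op in Go, so
// revoking something never granted is harmless.
func (m AccessMatrix) Revoke(subject, object string, ops ...Operation) {
	for _, op := range ops {
		delete(m[subject][object], op)
	}
}

// Check answers whether the subject holds the operation on the object.
// Indexing a missing map level yields false, which is the default-deny rule.
func (m AccessMatrix) Check(subject, object string, op Operation) bool {
	return m[subject][object][op]
}

// Monitor is the reference monitor: every direct access goes through Access,
// which decides from the matrix and records the decision for audit.
type Monitor struct {
	Matrix AccessMatrix
	Log    []string
}

func (mon *Monitor) Access(subject, object string, op Operation) bool {
	ok := mon.Matrix.Check(subject, object, op)
	verdict := "DENY"
	if ok {
		verdict = "ALLOW"
	}
	mon.Log = append(mon.Log, fmt.Sprintf("%s %s %s %s", verdict, subject, op, object))
	return ok
}

func main() {
	m := NewAccessMatrix()
	m.Grant("clerk", "emp", Read, Insert)          // may add employees, not change them
	m.Grant("manager", "emp", Read, Update)        // may change, not delete
	m.Grant("payroll_job", "payroll_report", Run)  // a process is a subject too
	mon := &Monitor{Matrix: m}
	mon.Access("clerk", "emp", Insert)
	mon.Access("clerk", "emp", Update)
	mon.Access("manager", "emp", Delete)
	mon.Access("payroll_job", "payroll_report", Run)
	for _, line := range mon.Log {
		fmt.Println(line)
	}
}
```

Keeping the matrix separate from the monitor mirrors the slide's split between the policy (who may do what) and the mechanism that enforces it on every access; the log is what an auditor or a detection rule would consume.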

Conclusion
• The goal of database security is to protect your critical and confidential data from
unauthorized access.

• Each organization should have a data security policy, which is a set of high-level
guidelines determined by:

• User requirements.
• Environmental aspects.
• Internal regulations.
• Governmental laws.

Thank you for your patience 
