
JORDAN UNIVERSITY COLLEGE (JUCO)

A CONSTITUENT COLLEGE OF ST. AUGUSTINE UNIVERSITY IN TANZANIA

FACULTY OF ARTS AND SOCIAL SCIENCE.

DEPARTMENT OF INFORMATION SCIENCE.

BACHELOR OF SCIENCE IN COMPUTER SCIENCE

COURSE CODE : BSC 301.

COURSE NAME : DATABASE ADMINISTRATION.

LECTURER NAME : MR. M KAJUBILI.

SUBMISSION DATE : 5TH JANUARY 2024.

GROUP MEMBERS:

SN STUDENT NAME REGISTRATION NUMBER SIGNATURE


1. ADAMU CHENGULA BSCCS/0065/2021
2. FLORA ELIAS NGANGA BSCCS/0040/2021
3. MABULA IBRAHIMU ZENGO BSCCS/0054/2021
4. MPAJI NGUA BSCCS/0025/2021
5. ZABRONI AMINI BSCCS/0050/2021

QUESTION:

To explain the concepts of database security.


Database security is the protection of a database against accidental or intentional loss,
destruction or misuse. The database environment has grown more complex, and access to data
has become more open through the internet; as a result, managing database security effectively
has become more difficult and time-consuming.

Database security can be further explained as the measures taken to ensure the confidentiality,
integrity and availability of a database. It involves protecting the database management system
(DBMS), the database itself, the data stored within it and the whole infrastructure the database
runs on from unauthorized access, data breaches and other security threats.

The database administrator is often responsible for developing overall policies and procedures to
protect databases and administering database security daily. Also, all persons in an organization
must be responsible for security and take measures to protect the data within their domains.

Most database management systems support one or both of two broad approaches to data
security: discretionary control and mandatory control. In both cases the unit of data that might
need to be protected can range from an entire database, on the one hand, down to a specific
component of a specific tuple on the other. How the two approaches differ is indicated by the
following brief explanations.

Discretionary security mechanisms. These are used to grant privileges to users, including the
capability to access specific data files, records or fields in a specified mode such as read, insert,
delete or update.

Mandatory security mechanisms. These are used to enforce multilevel security by classifying
the data and the users into various security classes (or levels) and then implementing the
appropriate security policy of the organization.

Database security is crucial for all databases, large and small, because some of the information
stored in a database is not meant to be shared with any party that is not directly involved or does
not require that data to complete their task. The following are the reasons why we need database
security.

Confidentiality. This is a critical aspect of information security, especially for databases that
store sensitive and confidential information. Such information can include personal data (such as
names, addresses and contact details), financial records (such as bank account information and
transaction details) and proprietary business information (such as trade secrets, intellectual
property and strategic plans).

Unauthorized access to this data can have severe consequences, including breaches of privacy,
identity theft, financial fraud, and damage to the reputation of individuals and organizations.

Availability. Ensuring the availability of data is a crucial aspect of database security.
Availability means that the data stored in a database should be accessible and usable whenever it
is needed. Various measures are implemented to safeguard against disruptions, both intentional
and unintentional, to prevent data loss and minimize downtime. Measures used to ensure
database security and availability include data backups, disaster recovery planning, intrusion
detection and prevention systems (IDPS) and geographical distribution.

Integrity. In the context of a database, integrity refers to the accuracy, consistency and reliability
of information throughout its lifecycle. Ensuring data integrity is crucial in many fields, including
business, healthcare and finance, as it directly affects decision-making processes and the overall
trustworthiness of the database. Unauthorized modifications, deletions or insertions can
compromise data integrity, leading to inaccuracies and misinformation.

Authentication is the process of verifying the identity of a user, system or application
attempting to access the database. It ensures that the entity claiming a particular identity is who it
is supposed to be. Authentication prevents unauthorized individuals or entities from gaining
access to the database. Without proper authentication, malicious actors could impersonate
legitimate users and potentially compromise sensitive data.

Common authentication methods include username and password, where users provide a unique
username and a secret password, and multi-factor authentication (MFA), which requires users to
provide additional verification, such as a temporary code sent to their mobile device.

Authorization is the process of granting or denying access to specific resources or actions
within the database based on the authenticated user's identity and privileges. Authorization
ensures that even authenticated users can only perform the actions they are explicitly allowed to
perform. This helps to prevent unauthorized modifications, deletions or retrievals of data.

i. Privileges and Roles. Users are assigned specific privileges that determine the
actions they can perform (e.g., read, write, delete) on particular database objects (e.g.,
tables, views). Roles group privileges together, simplifying permission management.
ii. Access Control Lists (ACLs). Fine-grained control is achieved by specifying which
users or groups have permissions for specific operations on specific database objects.
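The discretionary and mandatory approaches described earlier, together with the privileges and roles just listed, as an added example written for this page (not code from the assignment or from any DBMS): a toy model in which roles carry privileges on tables (discretionary control) and every row and user carries a security level (mandatory control). The role names, tables, levels and rows are constructed, and the mandatory rules follow the Bell-LaPadula model (no read up, no write down), which is an assumption since the text only says data and users are classified into levels.

```python
# Added example: toy discretionary + mandatory access control over labelled rows.
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass
class User:
    name: str
    roles: set        # discretionary part: roles carry privileges on objects
    clearance: str    # mandatory part: the user's security class

# Discretionary part (assumed grants): role -> {table -> set of privileges}
ROLE_PRIVS = {
    "registrar": {"student": {"select", "insert", "update"}},
    "auditor":   {"student": {"select"}, "grades": {"select"}},
}

def dac_allows(user: User, table: str, privilege: str) -> bool:
    """Discretionary control: the privilege must be granted to one of the user's roles."""
    return any(privilege in ROLE_PRIVS.get(role, {}).get(table, set())
               for role in user.roles)

def mac_allows(user: User, row_class: str, privilege: str) -> bool:
    """Mandatory control, Bell-LaPadula style (assumption): a read needs
    clearance >= classification (no read up); a write needs clearance <=
    classification (no write down)."""
    clearance, classification = LEVELS[user.clearance], LEVELS[row_class]
    if privilege == "select":
        return clearance >= classification
    return clearance <= classification

def visible_rows(user: User, table: str, rows: list) -> list:
    """Rows the user may select: DAC check on the table, then MAC check per row."""
    if not dac_allows(user, table, "select"):
        return []
    return [row for row in rows if mac_allows(user, row["class"], "select")]

# Constructed sample data: each row carries its own classification label.
STUDENTS = [
    {"name": "Alice", "gpa": 3.9, "class": "internal"},
    {"name": "Bob",   "gpa": 2.7, "class": "internal"},
    {"name": "Carol", "gpa": 3.1, "class": "confidential"},  # protected record
]

registrar = User("reg1", {"registrar"}, "confidential")
auditor = User("aud1", {"auditor"}, "internal")
guest = User("web", set(), "public")        # no roles: DAC denies everything
```

The auditor holds a select privilege on the table but, with only "internal" clearance, never sees Carol's confidential row; the guest has no role at all, so the discretionary check alone denies access.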

Focusing on database security alone, however, will not ensure a secure database. All parts of the
system must be secure, including the database itself, the network it operates in, the operating
systems used on servers and client machines, the building(s) in which the database physically
resides and all personnel who have the opportunity to access the database. The following are
the potential threats to database security.

Accidental loss. This includes all incidents that occur outside the control of human beings, i.e.
normal human error and software- and hardware-caused breaches. As in any effort that
involves human beings, some losses are inevitable, but well-organized policies and procedures
should reduce the amount of loss in the database.

Theft and fraud. These activities are conducted by people, quite possibly through electronic
means, and may or may not alter data. Physical security should also be provided for employees'
offices and any other locations where the database resides or can be easily accessed. Also, a
firewall should be used to protect against unauthorized access to inappropriate parts of the
database through outside communication links.

Loss of privacy and confidentiality. Loss of privacy is usually taken to mean loss of protection
of data about individuals, whereas loss of confidentiality is usually taken to mean loss of
protection of critical organizational data that may have strategic value to the organization.
Failure to control the privacy of information may lead to blackmail, public embarrassment or
stealing of user passwords. Failure to control confidentiality may lead to loss of competitiveness.
Security mechanisms must enforce the implementation of existing national and company privacy
policies.

Loss of data integrity. When data integrity is compromised, data will be invalid or corrupted
unless it can be restored through established backup and recovery procedures, and the
organization may suffer serious losses or make incorrect and expensive decisions based on the
invalid data.

Loss of availability. Sabotage of hardware, networks or applications may cause the data to
become unavailable to users which again may lead to severe database operational difficulties.
This category of threat includes the introduction of viruses intended to corrupt data or software
or to render the system unusable. It is important to counter this threat by always installing the
most current antivirus software, as well as educating employees on the source of viruses.

Badly written application code. There are many ways in which the security of an application
can be compromised, even if the database itself is secure, due to badly written application code.
Such code provides security loopholes that can permit attackers to carry out actions that bypass
the authentication and authorization checks performed by the application. Attackers can do either
of the following to the database.

i. SQL injection attack. The attacker manages to get an application to execute an SQL
query created by the attacker. An example of an SQL injection vulnerability is user
input concatenated directly into the SQL query submitted to the database, as in the
following Java line, where the value of name can change the structure of the query
rather than just the value being matched.
Example. String query = "SELECT * FROM student WHERE name LIKE '%" + name + "%'";
ii. Cross-site scripting and request forgery. In such an attack, instead of entering valid
data, the attacker enters code written in a client-side scripting language, such as
JavaScript or Flash. When another user views the data in a browser, the browser
executes the script, which can carry out actions such as sending private cookie
information back to the attacker.
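
The SQL injection flaw in the Java line above, rebuilt as an added example for this page (not code from the assignment): the same string concatenation in Python with sqlite3, beside the hardened form that binds the input as a parameter. The student table, its rows and the inputs are constructed for the demonstration.

```python
# Added example: the vulnerable concatenated query beside its parameterised fix.
import sqlite3

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory student table for the demonstration."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE student (id INTEGER PRIMARY KEY, name TEXT, gpa REAL)")
    con.executemany("INSERT INTO student (name, gpa) VALUES (?, ?)",
                    [("Alice", 3.9), ("Bob", 2.7), ("Carol", 3.1)])
    return con

def find_students_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """Same mistake as the text's Java line: the input is glued into the SQL text,
    so it can change the structure of the query, not just the value compared."""
    query = "SELECT name FROM student WHERE name LIKE '%" + name + "%'"
    return [row[0] for row in con.execute(query)]

def find_students_safe(con: sqlite3.Connection, name: str) -> list:
    """Hardened form: the SQL text is fixed and the input travels as a bound
    parameter, so whatever it contains is treated as data. LIKE wildcards typed
    by the user are escaped too, so '%' and '_' match literally."""
    escaped = (name.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    query = "SELECT name FROM student WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in con.execute(query, ("%" + escaped + "%",))]

def demo() -> dict:
    """Run both versions on a normal input and on an input that closes the
    quoted literal and comments out the rest of the query (constructed)."""
    con = setup_db()
    normal = "ali"
    malformed = "' OR 1=1 --"
    return {
        "vulnerable_normal": find_students_vulnerable(con, normal),
        "vulnerable_attack": find_students_vulnerable(con, malformed),  # all rows leak
        "safe_normal": find_students_safe(con, normal),
        "safe_attack": find_students_safe(con, malformed),              # no match
    }
```

In the vulnerable version the crafted input rewrites the WHERE clause and every row is returned; the parameterised version compares the same bytes as a plain pattern and returns nothing.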
Control measures to counter database security threats.

The following are the three major countermeasures used to provide security of data in the
database.

Employee Training and Awareness. Train employees on security best practices and make them
aware of potential threats. Enforce strong password policies and ensure employees follow secure
practices.

Access control is a security mechanism that must include provisions for restricting access to the
database system as a whole. It is handled by creating user accounts and roles to control access to
database data, ensuring that each user can only access the data he or she is permitted to access.

Flow control. It prevents the information from flowing in such a way that it reaches
unauthorized users.

Implement firewalls and network security. Use firewalls to restrict access to the database
server from unauthorized networks. Implement network segmentation to isolate databases from
other parts of the network.

Data encryption. Encryption is used to protect sensitive data in the database (such as credit card
numbers) and provides additional protection for sensitive portions of a database. The data is
encoded using an encryption algorithm. Unauthorized users who access the encoded data will
have difficulty deciphering it, but authorized users are given a decoding or decryption algorithm
(or decryption key) to decipher the data. An example of an encryption technique is public key
encryption, which is heavily used to support security and encryption in web-based applications.

Regular database audits and monitoring. Conduct regular security audits to identify
vulnerabilities and weaknesses. Implement monitoring tools to track database activity and detect
unusual patterns or suspicious behaviour.
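
The monitoring step above, as an added example written for this page (not code from the assignment or from any DBMS): detection logic run over a few constructed audit-log lines of the kind a DBMS audit trail records. The line format, the thresholds, the business-hours window and the list of sensitive tables are all assumptions.

```python
# Added example: three simple detection rules over constructed DB audit-log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
2024-01-05T02:10:01 user=app_web action=LOGIN_FAILED db=college
2024-01-05T02:10:03 user=app_web action=LOGIN_FAILED db=college
2024-01-05T02:10:05 user=app_web action=LOGIN_FAILED db=college
2024-01-05T02:10:09 user=app_web action=LOGIN_OK db=college
2024-01-05T02:11:30 user=app_web action=DELETE table=student rows=4200
2024-01-05T10:15:00 user=reg1 action=UPDATE table=student rows=1
2024-01-05T10:16:12 user=reg1 action=GRANT table=student grantee=tmp_user
"""
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)")
FAILED_LOGIN_LIMIT, WINDOW = 3, timedelta(seconds=60)   # assumed thresholds
BUSINESS_HOURS = range(8, 18)                           # assumed 08:00-17:59
SENSITIVE = {"student", "grades"}                       # assumed sensitive tables

def parse(log: str) -> list:
    """Turn each log line into a dict with a datetime and its key=value fields."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # unparseable line: skipped here, would be counted in practice
        extra = dict(kv.split("=", 1) for kv in m["rest"].split())
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "action": m["action"], **extra})
    return events

def detect(events: list) -> list:
    """Return (rule, user, timestamp) alerts for three unusual patterns:
    a burst of failed logins, off-hours DML on a sensitive table, and any GRANT."""
    alerts, failures = [], defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN_FAILED":
            recent = [t for t in failures[e["user"]] if e["ts"] - t <= WINDOW] + [e["ts"]]
            failures[e["user"]] = recent
            if len(recent) >= FAILED_LOGIN_LIMIT:
                alerts.append(("repeated_login_failures", e["user"], e["ts"]))
        elif (e["action"] in {"DELETE", "UPDATE"} and e.get("table") in SENSITIVE
              and e["ts"].hour not in BUSINESS_HOURS):
            alerts.append(("off_hours_sensitive_dml", e["user"], e["ts"]))
        elif e["action"] == "GRANT":
            alerts.append(("privilege_grant", e["user"], e["ts"]))
    return alerts
```

On the sample lines the rules fire for the third failed login, for the 02:11 bulk DELETE on the student table, and for the GRANT to tmp_user, while the daytime single-row UPDATE by the registrar raises nothing.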
