JORDAN UNIVERSITY COLLEGE (JUCO)

A CONSTITUENT COLLEGE OF ST. AUGUSTINE UNIVERSITY IN TANZANIA

FACULTY OF ARTS AND SOCIAL SCIENCE.

DEPARTMENT OF INFORMATION SCIENCE.

BACHELOR OF SCIENCE IN COMPUTER SCIENCE

COURSE CODE : BSC 301.

COURSE NAME : DATABASE ADMINISTRATION.

LECTURE NAME : MR. M KAJUBILI.

SUBMISSION DATE : 5TH JANUARY 2024.

GROUP MEMBERS:

SN STUDENT NAME REGISTRATION NUMBER SIGNATURE

1. ADAMU CHENGULA BSCCS/0065/2021
2. FLORA ELIAS NGANGA BSCCS/0040/2021
3. MABULA IBRAHIMU ZENGO BSCCS/0054/2021
4. MPAJI NGUA BSCCS/0025/2021
5. ZABRONI AMINI BSCCS/0050/2021

QUESTION:

To explain the concepts of database security.

Database security. It is the protection of a database against accidental or intentional loss,
destruction or misuse. The database environment has grown more complex, and access to data has
become more open through the internet as a result managing database security effectively has
become more difficult and time-consuming.

Database security can be further explained as measures taken to ensure the confidentiality,
integrity, and availability of a database. It involves protecting the database management system
(DBMS), the database itself, and the data stored within it from unauthorized access, data breaches,
as well as the whole infrastructure that the database runs and other security threats.

The database administrator is often responsible for developing overall policies and procedures to
protect databases and administering database security daily. Also, all persons in an organization
must be responsible for security and take measures to protect the data within their domains.

Most database management systems typically support either or both of two broad approaches to
data security, discretionary control and mandatory control. In both cases, the unit of data that might
need to be protected can range from an entire database, on the one hand, to a specific component
of a specific tuple on the other. How the two approaches differ is indicated by the following brief
explanations.

Discretionary security mechanisms. These are used to grant privileges to users including the
capability to access specific data files, records or fields in a specified mode such as read, insert,
delete, or update.

Mandatory security mechanism. These are used to enforce security multilevel security by
classifying the data and users into various security classes (or levels and then implementing the
appropriate security policy of the organization.

Database security is crucial for all databases both large and small because sometimes some of the
information that is stored in the database is not meant to be shared by any part that is not directly
involved or requires such data to complete their task. Here are the reasons why we need database
security.
Confidentiality. This is a critical aspect of information security, especially when it comes to
databases that store sensitive and confidential information, this information can include personal
data (such as names, addresses, and contact details), financial records (like bank account
information and transaction details), and proprietary business information (such as trade secrets,
intellectual property, and strategic plans).

Unauthorized access to this data can have severe consequences, including breaches of privacy,
identity theft, financial fraud, and damage to the reputation of individuals and organizations.

Availability. Ensuring the availability of data is a crucial aspect of database security. Availability
means that the data stored in a database should be accessible and usable whenever it is needed.
Various measures are implemented to safeguard against disruptions, both intentional and
unintentional, to prevent data loss and minimize downtime. Measures used to ensure database
security and availability are Data Backups, Disaster Recovery Planning, Intrusion Detection and
Prevention Systems (IDPS), Geographical Distribution.

Integrity. In the context of database refers to the accuracy, consistency, and reliability of
information throughout its lifecycle. Ensuring data integrity is crucial in various fields, including
business, healthcare, finance, and more, as it directly impacts decision-making processes and the
overall trustworthiness of the database. Unauthorized modifications, deletions, or insertions can
compromise data integrity, leading to potential inaccuracies and misinformation.

Authentication is the process of verifying the identity of a user, system, or application attempting
to access the database. It ensures that the entity claiming a particular identity is who it is supposed
to be. Authentication prevents unauthorized individuals or entities from gaining access to the
database. Without proper authentication, malicious actors could impersonate legitimate users and
potentially compromise sensitive data.

Common authentication methods include Username and Password, Users provide a unique
username and a secret password, and Multi-factor authentication (MFA) which requires users to
provide additional verification, such as a temporary code sent to their mobile device.
Authorization. Is the process of granting or denying access to specific resources or actions within
the database based on the authenticated user's identity and privileges, authorization ensures that
even authenticated users can only perform actions they are explicitly allowed to perform. This
helps to prevent unauthorized modifications, deletions, or retrievals of data.

i. Privileges and Roles. Users are assigned specific privileges that determine the actions
they can perform (e.g., read, write, delete) on particular database objects (e.g., tables,
views). Roles group privileges together, simplifying permission management.
ii. Access Control Lists (ACLs). Fine-grained control is achieved by specifying which
users or groups have permissions for specific operations on specific database objects.

Focusing on database security alone, however, will not ensure a secure database. All parts of the
system must be secure, including the database itself, the network it operates in, the operating
system used in serves and client machine, and the building(s) in which the database resides
physically and all personnel who have the opportunity to access the database. The following are
the potential threats to database security.

Accidental loss. This includes all incidents that occur and is completely out of the control of
human being i.e. normal human error, software and hardware–caused breaches. As in any efforts
that involve human beings, some losses are inevitable but well-organized policies and procedures
should reduce the amount of losses in the database.

Theft and fraud. These activities are going to be conducted by people, quite possibly through
electronic means and may or may not alter data. Physical security should also be provided for
employees' offices and any other locations where the database resides of easily accessed. Also, the
firewall should be used to protect against unauthorized access to inappropriate parts of the
database. Through outside communication links.

Loss of privacy and confidentiality. Loss of privacy is usually taken to mean loss of protection
of data about individuals whereas loss of confidentiality is usually taken to mean loss of protection
of critical organizational data that may have strategic value to the organization. Failure to control
the privacy of information may lead to blackmail, public embarrassment or stealing of user
passwords. Failure to control confidentiality may lead to loss of competitiveness security
mechanisms must enforce the implementation of existing national and company privacy policies.
Loss of data integrity. When data integrity is compromised, data will be invalid or corrupted
unless data integrity can be restored through established backup and recovery procedures and the
organization may suffer serious losses or make incorrect and expensive decisions based on the
invalid data.

Loss of availability. Sabotage of hardware, networks or applications may cause the data to become
unavailable to users which again may lead to severe database operational difficulties. This category
of threat includes the introduction of viruses intended to corrupt data or software or to render the
system unusable. It is important to counter this threat by always installing the most current
antivirus software, as well as educating employees on the source of viruses.

Badly written application code. There are many ways in which the security of an application can
be compromised, even if the database is itself secure, due to badly written application code. This
provides security loopholes that can permit hackers to carry out actions that bypass the
authentication and authorization checks carried out by the application with the use of badly written
application code. Attackers can do either of the following actions to the database.

i. SQL injection attack. The attacker manages to get an application to execute an SQL
query created by the attacker. An example of an SQL injection vulnerability is if user
inputs are concatenated directly with an SQL query submitted to the database.
Example. String query = “SELECT * FROM student WHERE name like
‘%” + name +” %’”;
ii. Cross-site scripting and request forgery. In such an attack, hackers enter code written
in a client-side scripting language, such as JavaScript or Flash. Instead of entering valid
data. And when another user views the data in the browser the browser executes the
script, which can carry out actions such as sending private cookie information back to
the hacker.
Control measures to encounter database security threats.

The following are the major three countermeasures used to provide the security of data in the
database.

Employee Training and Awareness. Train employees on security best practices and make them
aware of potential threats. Enforce strong password policies and ensure employees follow secure
practices.

Access control. Is a security mechanism that must include provisions for restricting access to the
database system as a whole, it is handled by creating user accounts and roles to control the access
of database data, and ensuring that the user can only access the data that he/she is permitted to
access.

Flow control. It prevents the information from flowing in such a way that it reaches unauthorized
users.

Implement and use a firewalls and Network Security. Use firewalls to restrict access to the
database server from unauthorized networks. Implement network segmentation to isolate
databases from other parts of the network.

Data encryption. Used to protect sensitive data that is in the database (such as credit card
numbers). Also, it provides additional protection for sensitive portions of a database. The data is
encoded using some encryption algorithm. Unauthorized users who access the encoded data will
have difficulty deciphering it, but authorized users are given a decoding or decryption algorithm
(or decryption key) to decipher the data. An example of encryption techniques is public key
encryption which is heavily used to support security and encryption in web-based applications.

Database regular Audits and Monitoring. Conduct regular security audits to identify
vulnerabilities and weaknesses. Implement monitoring tools to track database activity and detect
unusual patterns or suspicious behaviour.
 REFERENCES.

Campbell, L., & Majors, C. (2017). Database Reliability Engineering. O’Reilly Media.

Edition, S. (2017). Database Design Using Entity Relationship Diagrams.

Gehrke, J., Derstadt, J., Selikoff, S., & Zhu, L. (n.d.). Database Management Systems Solutions
Manual Contents Introduction to Database Design the Relational Model Relational Algebra
and Calculus Database Application Development Internet Applications Overview of Storage
and Indexing. Security.

Silberschatz, A., Korth, H. F., & Sudarshan, S. (n.d.). Database system concepts.