
Chapter 3: Database Security

Yirga Y. (PhD)
byyirga@gmail.com
Department of Information Technology

3/30/2024 Advanced Information Security 1


Outline

 What is database security?

 Why use database security?

 Common threats and challenges

 Best practices for Database security

 Controls and policies

What is database security?

• Database security is a complex and challenging endeavor that involves all aspects of information security technologies and practices.
• It is also naturally at odds with database usability:
• The more accessible and usable the database, the more vulnerable it is to security threats.
• The more invulnerable the database is to threats, the more difficult it is to access and use.
…cont.

• Learn the complexities of database security.
• Some of the practices, policies, and technologies that will protect the confidentiality, integrity, and availability of your data.

…cont.
• Database security must address and protect:
• Data in the database
• Database management system
• Any associated applications
• The physical database server and/or the virtual
database server and the underlying hardware
• The computing and/or network infrastructure used to
access the database

Database Security in DBMS?
• DB security is important for:
• Confidentiality: Safeguarding confidential data
from unauthorized access or disclosure.
• Integrity: Guaranteeing the integrity of data by
preventing any unauthorized alterations or
corruption.
• Availability: Ensuring that data is available to
authorized users when needed.
• Compliance: Meeting regulatory and legal
requirements related to data security and privacy.

Why is it important?
• Compromised intellectual property
• Trade secrets, inventions, proprietary
practices may be critical to maintaining
a competitive advantage in your
market.
• If the intellectual property is stolen or
exposed, your competitive advantage may be
difficult or impossible to maintain or
recover.

…cont.
• Damage to brand reputation
• Customers or partners may be unwilling
to buy your products or services (or do
business with your company) if they don’t
feel they can trust you to protect your data
or theirs.

…cont.
• Business continuity
• Some businesses cannot continue to operate
until a breach is resolved.
• Fines or penalties for non-compliance
• The financial impact of failing to comply
with global regulations.
• Costs of repairing breaches and notifying
customers
• Beyond the cost of communicating a breach to
customers, a breached organization must pay
for forensic and investigative activities, crisis
management, triage, repair of the affected
systems, and more.

Types of Database Security
• Physical Security
• Securing the server room, implementing access controls for the data center, and employing security cameras and alarms.
• Importance:
• Safeguard the database hardware from physical harm or theft.
• Preventing unauthorized individuals from gaining access to the database servers or storage devices.

…cont.
• Access Control
• It limits database access exclusively to authorized users.
• It also helps prevent unauthorized data modifications or deletions.
• Measures:
• Authentication
• Authorization
• Accounting
• Authentication ensures that only authorized individuals can access the
database by verifying their identity using usernames and passwords.
• Authorization controls what actions each user can perform on the
database based on their role or privileges.
• Accounting ensures that all database activities are logged and audited
for accountability and compliance.

…cont.
• Auditing and Logging
• Used for overseeing and tracing all actions executed on the database, with the aim of identifying and preventing security breaches.
• Focuses on the comprehensive recording of database activities, including user logins, data modifications, and system events.
• It provides a record of all activities performed on the database.
• It also helps meet regulatory and compliance requirements related to data security and privacy.
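The recording described above can be enforced inside the database engine rather than left to application code. The following is an added example (not from the slides or any product they cite) using Python's standard sqlite3 module: row-level triggers on a constructed `accounts` table write every INSERT, UPDATE and DELETE into an `audit_log` table, and further triggers make that log append-only so the trail itself cannot be edited through SQL. Table and column names are constructed for the example.

```python
import sqlite3


def create_schema(conn):
    """Create a sample application table plus an append-only audit table.

    The schema is constructed for this example; the triggers are what
    matter: the engine fires them on every modification, so application
    code cannot forget (or choose) to skip the audit record.
    """
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);

        CREATE TABLE audit_log (
            id          INTEGER PRIMARY KEY,
            event       TEXT    NOT NULL,
            account_id  INTEGER,
            old_balance INTEGER,
            new_balance INTEGER,
            at          TEXT    NOT NULL DEFAULT (datetime('now'))
        );

        -- One audit row per data modification on the protected table.
        CREATE TRIGGER audit_insert AFTER INSERT ON accounts BEGIN
            INSERT INTO audit_log(event, account_id, new_balance)
            VALUES ('INSERT', NEW.id, NEW.balance);
        END;
        CREATE TRIGGER audit_update AFTER UPDATE ON accounts BEGIN
            INSERT INTO audit_log(event, account_id, old_balance, new_balance)
            VALUES ('UPDATE', NEW.id, OLD.balance, NEW.balance);
        END;
        CREATE TRIGGER audit_delete AFTER DELETE ON accounts BEGIN
            INSERT INTO audit_log(event, account_id, old_balance)
            VALUES ('DELETE', OLD.id, OLD.balance);
        END;

        -- The audit table is append-only: any UPDATE or DELETE is refused.
        CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log BEGIN
            SELECT RAISE(ABORT, 'audit_log is append-only');
        END;
        CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log BEGIN
            SELECT RAISE(ABORT, 'audit_log is append-only');
        END;
    """)


def run_demo():
    """Perform a short sequence of changes and return what the audit trail captured.

    Returns (events, balances, tamper_blocked, rows_after_tamper_attempt).
    """
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    conn.execute("INSERT INTO accounts VALUES (1, 'alice', 100)")
    conn.execute("UPDATE accounts SET balance = 40 WHERE id = 1")
    conn.execute("DELETE FROM accounts WHERE id = 1")
    conn.commit()

    rows = conn.execute(
        "SELECT event, old_balance, new_balance FROM audit_log ORDER BY id"
    ).fetchall()
    events = [r[0] for r in rows]
    balances = [(r[1], r[2]) for r in rows]

    # An attempt to erase the trail is rejected by the append-only trigger.
    tamper_blocked = False
    try:
        conn.execute("DELETE FROM audit_log")
    except sqlite3.DatabaseError:
        tamper_blocked = True
    remaining = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    return events, balances, tamper_blocked, remaining


if __name__ == "__main__":
    print(run_demo())
```

In a production engine the same idea is usually delivered by the DBMS's native audit facility, with the log shipped off the database host; the trigger version shows the property to aim for: modifications cannot happen without a record, and the record cannot be altered through the same interface.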
…cont.
• Network Security
• Safeguarding the database against
unauthorized network access.
• Its measures include using firewalls, intrusion
detection systems, and encryption.
• Importance:
• It ensures that data is transmitted securely over the
network.
• Unauthorized individuals cannot intercept or modify
the data in transit.
• To protect the database from external attacks such as
hacking and malware.

…cont.
• Data Encryption
• It is used to protect data stored in a database from
unauthorized access by encrypting it.
• Encryption ensures that even if an unauthorized
individual gains access to the data, they cannot
read or use it.
• Importance:
• It ensures that sensitive data is protected
even if it falls into the wrong hands.
• Encryption also helps prevent data breaches
and unauthorized access to the database.

Database Security Threats

Insider threats
• An insider threat is a security threat from any one of three sources with privileged access to the database:
• A malicious insider who intends to do harm.
• A negligent insider who makes errors that make the database vulnerable to attack.
• An infiltrator: an outsider who somehow obtains credentials via a scheme such as phishing or by gaining access to the credential database itself.


…cont.
• SQL Injection
• It occurs when an attacker inserts malicious SQL code into a query to fool the database into performing unintended commands that lead to unauthorized data access, manipulation, or even the complete compromise of the database.
• Result: accessing or altering sensitive information without authorization, and creating potential access violations that enable further attacks against it.
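The defect behind SQL injection is that user-supplied text is spliced into the SQL grammar. The following added example (not from the slides) shows, with Python's standard sqlite3 module and a constructed `users` table, a lookup written with string concatenation beside the same lookup written with parameter binding. The tautology string used in the demo is the standard textbook test input; the point of the block is the defence, namely that the bound version treats the input purely as a value.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "analyst")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Defective pattern: the caller's text becomes part of the SQL statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Hardened pattern: the text is bound as a parameter and is never parsed as SQL.

    The query shape is fixed at write time; whatever the input contains, it can
    only ever be compared against the name column.
    """
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)
    )]


def compare(name):
    """Run both lookups on the same input and return (vulnerable_result, safe_result)."""
    conn = make_db()
    return find_user_vulnerable(conn, name), find_user_safe(conn, name)


if __name__ == "__main__":
    print("ordinary input:", compare("bob"))
    # Textbook tautology test string: the concatenated query degenerates into
    # "WHERE name = 'x' OR '1'='1'", which is true for every row.
    print("hostile input: ", compare("x' OR '1'='1"))
```

Parameter binding is the primary control; least-privilege database accounts (so a successful injection cannot read or alter beyond the application's own tables) and logging of malformed queries are the supporting ones.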

…cont.
• DoS Attacks
• DoS attacks seek to disrupt the availability and
functionality of databases by:
• Flooding them with requests or malicious traffic
• Leading to them becoming inaccessible or even
crashing
• Potentially leading to service disruptions
• Data loss

…cont.

• Unauthorized Access
• Any unauthorized use, disclosure, or
manipulation of sensitive data stored in a
database system.
• Individuals gain entry via:
• stolen credentials
• weak authentication mechanisms
• improper access control settings

…cont.
• Malware Attacks
• Malware such as viruses, worms, or ransomware poses significant dangers to databases.
• It can enter through infected files or malicious links.
• It leads to data breaches, corruption of the database contents, or hijacking of the database for illicit uses.

Human error
• Accidents
• Weak passwords
• Password sharing and other unwise
or uninformed user behaviours
continue to be the cause of nearly
49% of all reported errors.

Best Practices for Database Security
• Use Strong Passwords
• Passwords serve as the initial barrier against
unauthorized entry into databases.
• Using weak passwords makes it easier for
hackers to gain access to sensitive information.
• It is crucial to use strong passwords that are
complex and difficult to guess.
• A robust password comprises a blend of
uppercase and lowercase letters, numbers, and
special characters.
• It is also essential to change passwords
frequently, especially when an employee leaves
the company.
• This ensures the previous employee cannot
access the database using their old credentials.
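Two things the slide asks for can be checked in code: that a password meets the stated composition rule, and that the stored form of a password is useless if the credential table leaks. The following added example (not from the slides) uses only Python's standard library: `password_meets_policy` applies the slide's rule (upper, lower, digit, special) plus an assumed minimum length of 12, and `hash_password` / `verify_password` store a salted PBKDF2-HMAC-SHA256 digest and compare it in constant time. The iteration count and storage format are choices made for this example.

```python
import hashlib
import hmac
import os
import re

# Assumed policy values for this example: the slide states the character-class
# rule; the minimum length and the PBKDF2 work factor are choices made here.
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000


def password_meets_policy(pw):
    """Return True if pw has upper, lower, digit and special characters and is long enough."""
    checks = (
        len(pw) >= MIN_LENGTH,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"[0-9]", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    )
    return all(checks)


def hash_password(pw, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing string: algorithm$iterations$salt$digest (all hex).

    A fresh random salt per password means equal passwords do not produce
    equal records, and the iteration count makes offline guessing slow.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(stored, pw):
    """Recompute the digest with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


class AccountStore:
    """Minimal credential store: enrol, authenticate, and disable on departure."""

    def __init__(self):
        self._records = {}   # username -> (stored_hash, active)

    def enrol(self, user, pw):
        if not password_meets_policy(pw):
            raise ValueError("password does not meet policy")
        self._records[user] = (hash_password(pw), True)

    def disable(self, user):
        """Called when an employee leaves: the old credential stops working at once."""
        stored, _ = self._records[user]
        self._records[user] = (stored, False)

    def authenticate(self, user, pw):
        record = self._records.get(user)
        if record is None:
            return False
        stored, active = record
        return active and verify_password(stored, pw)


if __name__ == "__main__":
    store = AccountStore()
    store.enrol("alice", "Correct-Horse7!")
    print(store.authenticate("alice", "Correct-Horse7!"))   # True
    store.disable("alice")
    print(store.authenticate("alice", "Correct-Horse7!"))   # False
```

Disabling the account on departure, as the last lines do, is the reliable form of the slide's advice to "change passwords when an employee leaves": the leaver's credential becomes unusable without depending on anyone remembering to rotate it.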
…cont.
• Limit Access
• It is an effective way to prevent unauthorized access to sensitive data.
• Not all employees or users require access to all the data stored in the database.
• It is important to restrict access based on the principle of least privilege, which means granting only the minimum access required to perform a particular task.
• For example, if an employee requires access to customer data, they should only have access to that section of the database.
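The customer-data example above, and the authorization measure listed under Access Control earlier, can both be shown with a per-role table policy enforced by the engine. This is an added example, not from the slides: it uses the `set_authorizer` hook of Python's standard sqlite3 module, which SQLite consults while compiling each statement, to allow a role only the table reads and writes listed for it. The roles, tables and policy are constructed for the example; a server DBMS would express the same policy with GRANT statements on roles.

```python
import sqlite3

# Constructed least-privilege policy: each role names the tables it may read
# and the tables it may modify. Anything not listed is denied.
POLICY = {
    "support": {"read": {"customers"}, "write": set()},
    "billing": {"read": {"customers", "invoices"}, "write": {"invoices"}},
}

WRITE_ACTIONS = (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE)


def make_authorizer(role):
    """Build the callback SQLite calls for every table access in a statement."""
    allowed = POLICY[role]

    def authorize(action, arg1, arg2, dbname, source):
        # For SQLITE_READ and the write actions, arg1 is the table name.
        if action == sqlite3.SQLITE_READ:
            return sqlite3.SQLITE_OK if arg1 in allowed["read"] else sqlite3.SQLITE_DENY
        if action in WRITE_ACTIONS:
            return sqlite3.SQLITE_OK if arg1 in allowed["write"] else sqlite3.SQLITE_DENY
        # Statement-level actions that carry no data on their own.
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION,
                      sqlite3.SQLITE_TRANSACTION):
            return sqlite3.SQLITE_OK
        # Schema changes, PRAGMAs, ATTACH and so on: not part of any role here.
        return sqlite3.SQLITE_DENY

    return authorize


def open_as(role):
    """Create the sample schema, then attach the role's authorizer.

    The schema and rows are constructed for this example. Autocommit mode is
    used so the module does not issue implicit BEGIN statements of its own.
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, name TEXT);
        CREATE TABLE invoices  (id INTEGER, customer_id INTEGER, amount INTEGER);
        CREATE TABLE salaries  (employee TEXT, amount INTEGER);
        INSERT INTO customers VALUES (1, 'Acme');
        INSERT INTO invoices  VALUES (1, 1, 500);
        INSERT INTO salaries  VALUES ('eve', 9000);
    """)
    conn.set_authorizer(make_authorizer(role))
    return conn


def run_as(role, sql):
    """Execute sql under the role's policy; return ("ok", rows) or ("denied", message)."""
    conn = open_as(role)
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    print(run_as("support", "SELECT name FROM customers"))          # ok
    print(run_as("support", "SELECT amount FROM salaries"))         # denied
    print(run_as("support", "UPDATE customers SET name = 'x'"))     # denied
    print(run_as("billing", "UPDATE invoices SET amount = 600 WHERE id = 1"))  # ok
```

Because the check runs inside the engine for every statement, it also bounds the damage of the SQL injection case discussed earlier: an injected query executed by the support role still cannot reach the salaries table.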

…cont.
• Update and Patch Regularly
• Keeping the database software up-to-
date is crucial.
• Regular updates and patches ensure
that any known security.
• It is essential to schedule regular
backups and securely store them in a
protected location to prevent
unauthorized access and ensure data
integrity.
…cont.
• Monitor for Anomalies
• Detecting and preventing potential security threats
can be effectively achieved through the
monitoring of database anomalies.
• Anomaly detection entails the continuous
observation of database activities to identify any
unusual or abnormal behavior that deviates
from the expected norms.
• For instance, a sudden surge in database traffic
or an unauthorized attempt to access restricted
data can be flagged as anomalous activity.
• This will trigger appropriate actions for
investigation and mitigation.
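The two anomalies the slide names, a sudden surge in traffic and an attempt to reach restricted data, are detectable from the audit log described earlier. The following added example (not from the slides) parses a few constructed audit lines of the form `timestamp user action table`, counts statements per user per minute against an assumed burst threshold, and flags reads of a restricted table by a role not entitled to it. The role map, restricted-table map, threshold and log lines are all constructed for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit lines: "<ISO timestamp> <user> <action> <table>".
# bob issues eight statements within one minute; eve reads a restricted table.
SAMPLE_LOG = """\
2024-03-30T09:00:01 alice SELECT orders
2024-03-30T09:00:02 bob SELECT orders
2024-03-30T09:00:03 bob SELECT orders
2024-03-30T09:00:04 bob SELECT orders
2024-03-30T09:00:05 bob SELECT orders
2024-03-30T09:00:06 bob SELECT orders
2024-03-30T09:00:07 alice UPDATE orders
2024-03-30T09:00:08 bob SELECT orders
2024-03-30T09:00:09 bob SELECT orders
2024-03-30T09:00:10 bob SELECT orders
2024-03-30T09:00:30 hr_admin SELECT salaries
2024-03-30T09:01:02 eve SELECT salaries
"""

# Constructed authorization context: which role each user has, and which
# roles may touch each restricted table.
ROLES = {"alice": "sales", "bob": "sales", "eve": "support", "hr_admin": "hr"}
RESTRICTED = {"salaries": {"hr"}}

# Assumed baseline: more than this many statements from one user in one
# minute is treated as a surge.
BURST_THRESHOLD = 5


def parse_line(line):
    """Split one audit line into (timestamp, user, action, table)."""
    ts, user, action, table = line.split()
    return datetime.fromisoformat(ts), user, action, table


def detect_anomalies(log_text, burst_threshold=BURST_THRESHOLD):
    """Return a list of alert tuples found in the log text.

    Alert kinds:
      ("restricted_access", user, table)          user's role may not touch table
      ("query_burst", user, minute, count)        count > burst_threshold in minute
    """
    alerts = []
    per_minute = Counter()
    for line in log_text.strip().splitlines():
        ts, user, action, table = parse_line(line)
        per_minute[(user, ts.strftime("%Y-%m-%dT%H:%M"))] += 1
        allowed_roles = RESTRICTED.get(table)
        if allowed_roles is not None and ROLES.get(user) not in allowed_roles:
            alerts.append(("restricted_access", user, table))
    for (user, minute), count in sorted(per_minute.items()):
        if count > burst_threshold:
            alerts.append(("query_burst", user, minute, count))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

Each alert is the trigger the slide refers to: the tuple carries enough context (who, what, when) for an analyst to open an investigation, and the thresholds are the part that must be tuned per environment rather than copied.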
Controls and policies
• Administrative controls
• To govern installation, change, and configuration
management for the database.
• Preventative controls
• To govern access, encryption, tokenization, and masking.
• Detective controls
• Database activity monitoring and data loss prevention tools, which make it possible to identify and alert on anomalous or suspicious activities.
• Note: Database security policies should be integrated
with and support your overall business goals.

Future Scope of Database Security

• Research Directions
• Database security with AI and ML technologies
• Blockchain technology
• Cloud-based database security
• Quantum computing, an emerging technology, holds the potential to influence database security.

Thank you!
