Date posted: 15-Apr-2017
Category: Engineering
Uploaded by: ershubham-tiwari
Introduction
Until recently, most DBMSs did not have secure mechanisms for authentication and encryption.
The DBA is required to have an additional skill: implementing security policies that protect one of the most valuable assets of a company, its data.
Database security is the degree to which all data is fully protected from tampering and unauthorized acts.
CIA Triangle
Three key objectives:
Confidentiality (data confidentiality, privacy)
Integrity (data integrity, system integrity)
Availability
Confidentiality
Addresses two aspects:
The first aspect is the prevention of unauthorized individuals from accessing secret information.
The second aspect is the process of safeguarding confidential information and disclosing secret information only to authorized individuals by means of classifying information.
Confidentiality Classification (figure: axes are Control, from less to more, and People, from few to many)
Integrity
Consistent and valid data.
Data is considered to have integrity if it is accurate and has not been tampered with intentionally or accidentally.
Degradation of data integrity
Invalid data
Redundant data (leads to inconsistency and data anomalies)
Inconsistent data (redundant data that resides in several places and is not identical)
Data anomalies (occur when one occurrence of the repeated data is changed and the other occurrences are not)
Data read inconsistency (data changes made by the user are visible to others before the changes are committed; indicates that the user does not always read the last committed data)
Data non concurrency
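The read-consistency property described above can be observed with two database sessions. This is an added example, not part of the original slides; it assumes SQLite through Python's sqlite3 module, and the account table and its values are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

QUERY = "SELECT balance FROM account WHERE id = 1"

def read_balance(conn):
    # fetchall() exhausts the statement so the session's read lock is released
    return conn.execute(QUERY).fetchall()[0][0]

def read_consistency_demo(db_path):
    """Return (writer's own view, reader before commit, reader after commit)."""
    writer = sqlite3.connect(db_path)
    writer.execute(
        "CREATE TABLE account (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)"
    )
    writer.execute("INSERT INTO account VALUES (1, 100)")  # constructed sample row
    writer.commit()

    reader = sqlite3.connect(db_path)  # a second, independent session

    # The writer changes the row inside a transaction that is still open.
    writer.execute("UPDATE account SET balance = 40 WHERE id = 1")
    own_view = read_balance(writer)       # the writer sees its pending change
    before_commit = read_balance(reader)  # the reader must still see committed data

    writer.commit()
    after_commit = read_balance(reader)   # the change is visible only now

    writer.close()
    reader.close()
    return own_view, before_commit, after_commit

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(read_consistency_demo(os.path.join(tmp, "demo.db")))
```

A reader that returned 40 before the commit would be showing the read inconsistency listed above.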
Availability
The system should be available to individuals who are authorized to access the information.
Database security access points
A security access point is a place where database security must be protected and applied.
People (secure data within the DB against violations caused by people)
Applications (be cautious when granting security privileges to applications; permissions shouldn't be too loose or too restrictive)
Network
OS (gateway to data; security credentials must be verified)
DBMS
Data Files (make use of encryption and permissions to protect data files belonging to the database)
Data
Data Integrity violation process
(Figure: security access points are unprotected, leading to data integrity violation. Caption: Process of security gap resulting in security breach)
Security gaps are points at which security is missing, and thus the system is vulnerable.
A vulnerability is a state in which an object can potentially be affected by a force, another object, or even a situation, but not necessarily is or will be.
A threat is defined as a security risk that has a high possibility of becoming a system breach.
Database Security Levels
A VIEW database object is a stored query that returns columns and rows from selected tables.
Data provided by a view object is protected by database system functionality that allows schema owners to grant or revoke privileges.
The data files in which data resides are protected by the database, and that protection is enforced by OS file permissions.
Finally, the database is secured by the DBMS (through accounts and password mechanisms, privileges, permissions to few).
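Since the data-file level relies on OS file permissions, a periodic check of the data directory is a natural control. The following is an added example, not part of the original slides; it assumes a POSIX system, and the file names and modes in make_sample_dir are constructed for the demonstration.

```python
import os
import stat

def audit_data_files(data_dir, expected_uid):
    """Return sorted (relative_path, problem) pairs for risky files under data_dir."""
    findings = []
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, data_dir)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the directory
            if stat.S_ISLNK(st.st_mode):
                findings.append((rel, "symlink"))
                continue
            if st.st_uid != expected_uid:
                findings.append((rel, "unexpected owner uid %d" % st.st_uid))
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IRWXO:
                findings.append((rel, "other users have access (mode %03o)" % mode))
            elif mode & stat.S_IRWXG:
                findings.append((rel, "group has access (mode %03o)" % mode))
    return sorted(findings)

def make_sample_dir(base):
    """Build a constructed data directory with one tight and two loose files."""
    samples = (("users.dbf", 0o600), ("orders.dbf", 0o640), ("audit.log", 0o644))
    for name, mode in samples:
        path = os.path.join(base, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data")
        os.chmod(path, mode)  # set the mode explicitly, independent of umask
    return base

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for rel, problem in audit_data_files(make_sample_dir(tmp), os.getuid()):
            print(rel, "-", problem)
```

In a real deployment, expected_uid would be the uid of the account the DBMS runs as, and data_dir its data directory.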
Menaces to Databases
Security Vulnerability
Security Threat (a security violation that can happen any time because of a security vulnerability)
Security Risk (a known security gap that a company intentionally leaves open)
Types of Vulnerabilities
Susceptible to attack.
Intruders and attackers exploit vulnerabilities in our environment to start their attacks.
Hackers usually explore the weak points of a system until they gain entry through a gap in protection.
Installation and configuration (results from a default installation/configuration that is publicly known, with no security measures enforced)
User mistakes (due to carelessness in implementing procedures)
Software (found in commercial software; patches not applied)
Design and implementation (due to improper software analysis and design as well as coding deficiencies)
Types of Threats
People (people intentionally or unintentionally inflict damage, e.g. hackers, terrorists)
Malicious code (software code that is intentionally written to damage the components, e.g. viruses)
Natural disasters
Technological disasters (malfunction in equipment, e.g. network failure, hardware failure)
Virus
Worm
Back Door
Trojan Horse
Rootkits
Types of Risks
People (loss of people who are vital components of the DB, e.g. due to resignation)
Hardware (results in hardware unavailability; down due to failure or malfunction)
Data (data loss, corruption)
Confidence (loss of public confidence in data produced by the company)
Asset Types and their values
Physical Assets (hardware, cars)
Logical Assets (purchased software, OS, DB)
Intangible Assets (business reputation, confidence)
Human Assets (human skills, knowledge)
Security Methods
People
a. Security policies & procedures
b. Process of identification and authentication
c. Training courses on importance of security
d. Physical limits on access to hardware and documents
Applications
a. Authentication of users who access
b. Business rules
c. Single sign on (signing on once for different applications)
Network
a. Firewalls
b. VPN
c. Authentication
OS
a. Authentication
b. Intrusion Detection
c. Password Policy
d. User Accounts
DBMS
a. Authentication
b. Audit Mechanisms
c. Database resource limits
d. Password Policy
Data Files
a. File Permissions
b. Access Monitoring
Data
a. Validation
b. Data access
c. Encryption
d. Data constraints
Database Security Methodology
Identification (investigation of resources required, policies to be adopted)
Assessment (analysis of vulnerabilities, threats and risks)
Design (blueprint of adopted security model)
Implementation (code developed, tools purchased)
Evaluation (testing system against attacks, failures, disasters)
Auditing