Transcript Database Security

Database Security
By Bei Yuan
Why do we need DB Security?
• Make data arranged and secret
• Secure other’s DB
Security Issues:
• Security Policy
• Access Control
• Encryption
• Internet Security
• Threat Monitoring (Auditing)
Security Policy
• Exposures: A form of possible loss of a firm.
• Vulnerabilities: Weakness in an enterprise’s system.
• Threats: Specific, potential attack on the enterprise.
• Controls: Eliminate threats, vulnerabilities and
exposures
A security system is a system.
Access Control
♦ Access Control Models
♦ User Authentication
Access Control Models
• Discretionary Access Control (DAC) Model
• Mandatory Access Control (MAC) Model
• Role-Based Access Control (RABC) Model
Discretionary Access Control
• Ownership-based, flexible, most widely
used, low assurance
• Privileged users: DBA and owners of the
tables
Limitations of DAC
Mandatory Access Control
• Administration-based
• Data flow control rules
• High level of security, but less flexible
MAC Policy
Role-Based Access Control
• Flexible
• Separation of duty
• Able to express DAC, MAC, and userspecific policies using role constraints
• Easy to incorporated into current tech
User Authentication
• Password-Based Authentication
• Host-Based Authentication
• Third Party-Based Authentication
Encryption
• Full Database Encryption
• Partial Database Encryption
• Off-Line Database Encryption
Full Database Encryption
• Limit readability of DB files in the OS
• Redundance
• Time-consuming in changing encryption key
Off-line Database Encryption
A note of caution:
Organizations considering this should thoroughly
test that data which is encrypted before storage offline can be decrypted and re-imported successfully
before embarking on large-scale encryption of
backup data.
Internet Security
• Server Security
— Static Web Pages
— Dynamic Page Generation
• Session Security
Session Security
• Secret-key Security (Using single key)
• Public-key Security (Using two keys)
— SSL protocol
Auditing
• Audit via the database or operating system
• The DBA must be able to log every relevant
user action in order to recreate a series of
actions.
• The series of user actions is called the audit
trail.
Conclusion
Database security will always be the critical
component of every information system.
“Security costs. Pay for it, or pay for not having it.”