eCommerce&Security



Section 3
Database Security
Section Content
• 3.1 Security Overview
• 3.2 Security Controls
• 3.3 Views
• 3.4 Security in Oracle
• 3.5 Web Database Security
CA306 Introduction
3-2
Security Overview
• Database security is the mechanism that protects the database
against intentional or accidental threats.
• Database security can be considered in the following situations:
+ Theft and fraud;
+ Loss of confidentiality;
+ Loss of privacy;
+ Loss of integrity;
+ Loss of availability.
• These are situations in which an organisation should seek to reduce
risk.
• Theft and fraud affect both the database environment and the
entire organisation. The result is not necessarily the alteration of data.
Breaches
• Confidentiality refers to the need to maintain secrecy over data,
usually that which is critical to the organisation.
• Privacy refers to the need to protect data.
• Breaches of security which result in the loss of confidentiality
could:
+ Lead to a loss of competitiveness;
+ Lead to legal action taken against the organisation.
• Loss of data results in invalid or corrupted data.
• A threat is any situation or event (intentional or accidental) that
may adversely affect a system and consequently the organisation.
Threats
• The extent to which an organisation suffers depends on a number of
factors, such as the existence of counter-measures and contingency plans.
• If there is a hardware failure, what is involved (and how long) in
restarting the system with minimal loss of data?
• An organisation must identify the types of threats it may encounter,
and propose plans and counter-measures.
• What are the potential threats to computer systems?
Sections Covered
✓ 3.1 Security Overview
• 3.2 Security Controls
• 3.3 Views
• 3.4 Security in Oracle
• 3.5 Web Database Security
3.2 Security Controls
• The types of controls range from physical controls to administrative
procedures.
• In most cases the DBMS relies on the Operating System to provide a
basic level of security.
• Types of Controls
+ Authorisation
+ Views
+ Backup and Recovery
+ Integrity
+ Encryption
Authorisation
• Authorisation is the granting of privileges that enable a subject to have
legitimate access to a system or some object(s) in the system.
• Authorisation controls are (generally) built into software, and govern both
the objects for access, and the types of operations possible.
• The process of authorisation involves authentication of users (applications)
requesting access to objects.
• Authorisation can be viewed (conceptually) in the form of a matrix of
privileges.
• Each object has its own authorisation matrix.
Authorisation Matrix
(Slide table; only its labels survived extraction, the placement of the X marks did not.)
Columns: User | Create | Update | Delete | Retrieve
Rows (subjects): Mike, Paula, Joe, Monthly_rep, Salary_update
A cell marked X indicates that the subject holds that privilege on the object.
Authentication
• Authentication is the mechanism that determines whether a subject
is who he/she/it claims to be.
• The System Administrator provides access to the computer system
through a username and password. The password is used by the
system to authenticate the user.
• The Database Administrator (DBA) provides access to the DBMS
through a similar process, and authentication is necessary at this
level also.
• In many cases, both forms of authentication can be synchronised
(merged).
Sections Covered
✓ 3.1 Security Overview
✓ 3.2 Security Controls
• 3.3 Views
• 3.4 Security in Oracle
• 3.5 Web Database Security
3.3 Views
• A view (or subschema) is the dynamic result of one or more query
operations.
• In relational databases, a view is a virtual relation that does not
exist in the database, but is materialised upon request by the user
(with the required authorisation privileges).
• A view mechanism provides a powerful and flexible means of
security by hiding parts of the database from certain users.
• The user is unaware of the existence of columns or tuples (or both)
that may be missing from a specific table.
View Structure
• Views may be vertical: a projection of a table.
• Views may be horizontal: a query predicate is used to filter the tuples
that appear in the view.
• Views may be based on aggregations: an aggregation operator
provides a statistical summary, or overall report. This has the effect
of hiding data from individual tuples.
• A view may be based on multiple tables.
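The four view types above, worked through as an added Oracle SQL example (this is not code from the slides): the Employee and Department tables, their columns, the sample rows and the user name reporting_user are all constructed for this illustration. The aggregate view also carries the caveat a practitioner would want: a group with a single member discloses that member's value, so the summary is limited to groups of at least two rows.

```sql
-- Constructed sample schema (not from the slides); run as the owning user, e.g. HR
CREATE TABLE Department (
  dept     VARCHAR2(20) PRIMARY KEY,
  manager  VARCHAR2(50) NOT NULL
);
CREATE TABLE Employee (
  emp_id   NUMBER        PRIMARY KEY,
  name     VARCHAR2(50)  NOT NULL,
  dept     VARCHAR2(20)  NOT NULL REFERENCES Department(dept),
  salary   NUMBER(10,2)  NOT NULL
);
INSERT INTO Department VALUES ('Sales', 'Dana');
INSERT INTO Department VALUES ('IT',    'Eli');
INSERT INTO Employee   VALUES (1, 'Ann',  'Sales', 42000);
INSERT INTO Employee   VALUES (2, 'Bob',  'Sales', 39000);
INSERT INTO Employee   VALUES (3, 'Cara', 'IT',    55000);
COMMIT;

-- 1. Vertical view: a projection; the salary column simply does not exist for its users
CREATE VIEW Employee_Directory AS
  SELECT emp_id, name, dept
  FROM   Employee;

-- 2. Horizontal view: a predicate filters tuples; only Sales rows are visible.
--    WITH CHECK OPTION stops an INSERT or UPDATE made through the view from
--    producing a row that the view's own predicate would then hide.
CREATE VIEW Sales_Staff AS
  SELECT emp_id, name, dept, salary
  FROM   Employee
  WHERE  dept = 'Sales'
  WITH CHECK OPTION;

-- 3. Aggregate view: a statistical summary hides the individual tuples.
--    HAVING COUNT(*) >= 2 is an added inference control: the IT group has one
--    member, so its average would otherwise reveal Cara's exact salary.
CREATE VIEW Dept_Salary_Stats AS
  SELECT   dept, COUNT(*) AS headcount, AVG(salary) AS avg_salary
  FROM     Employee
  GROUP BY dept
  HAVING   COUNT(*) >= 2;

-- 4. Multi-table view: a join across both tables, still without the salary column
CREATE VIEW Staff_With_Manager AS
  SELECT e.emp_id, e.name, e.dept, d.manager
  FROM   Employee e JOIN Department d ON d.dept = e.dept;

-- Expose the views, never the base table (assumes the user reporting_user exists)
GRANT SELECT ON Employee_Directory TO reporting_user;
GRANT SELECT ON Dept_Salary_Stats  TO reporting_user;
GRANT SELECT ON Staff_With_Manager TO reporting_user;
-- reporting_user can now run  SELECT * FROM hr.Employee_Directory
-- but  SELECT salary FROM hr.Employee  fails with ORA-00942 (table or view does
-- not exist): without a privilege on Employee the base table is invisible to that user.
```

The grants go on the views only; a grant on Employee itself would make every column and row reachable regardless of how many views sit in front of it.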
Sections Covered
✓ 3.1 Security Overview
✓ 3.2 Security Controls
✓ 3.3 Views
• 3.4 Security in Oracle
• 3.5 Web Database Security
3.4 Security in Oracle
• Oracle uses the concept of privileges to permit execution of SQL
statements and access to another user’s objects.
• Some examples include the right to:
+ Connect to the database (create a session);
+ Create (and alter) a table;
+ Select rows (from other users' tables);
+ Update rows.
• Oracle provides two distinct categories:
+ System privileges;
+ Object privileges.
System Privileges
• A system privilege is the right to perform a particular action, or to perform
an action on schema objects of a particular type.
• Examples are: the privilege to create tablespaces and users.
• Oracle provides over 80 distinct system privileges.
• System privileges are granted to, or revoked from, users and roles.
• These actions may be achieved through a user interface or through the SQL
GRANT and REVOKE statements.
• Note that users must have privileges to GRANT or REVOKE privileges.
Object Privileges
• An object privilege is the right to perform a specific action on a
specific table, view, or procedure.
• Different privileges are available for different types of objects. For
example, the privilege to delete tuples is an object privilege.
• Some schema objects (indexes and triggers) do not have associated
object privileges: their use is controlled with system privileges.
• Users automatically obtain all privileges for schema objects in their own
schema. Users can grant any object privilege on any schema object
they own (to any other user or role).
• If a privilege is granted WITH GRANT OPTION, the grantee can in turn
grant that privilege on the object to others.
• A REVOKE statement cascades: privileges that the revoked grantee had
passed on under WITH GRANT OPTION are revoked as well.
Roles
• A user can receive a privilege in two ways: explicitly and in the
form of a role.
• A user can be explicitly granted a privilege, for example the privilege
to insert rows into a table (Employee):
GRANT INSERT ON Employee TO maryb
• Privileges can also be granted to a role (a named group of
privileges), and this role subsequently granted to one or more
users.
• The privilege to select, insert and update rows to the Employee
table may be given to a role called Payroll.
Role Sample
• The Payroll role can be granted to all users who operate payroll
functions.
• This facilitates easier and better management of privileges.
• Privileges should normally be granted to roles and not to specific
users.
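The Payroll role, the explicit grant to maryb, WITH GRANT OPTION and the cascading REVOKE from the preceding slides, as an added Oracle SQL example (not code from the slides). Assumptions: the table lives in schema HR, the users maryb, joe and paula exist (maryb is created here), and the password is a placeholder; the data-dictionary views dba_tab_privs and dba_role_privs queried at the end are Oracle's own.

```sql
-- Assumed setup: table HR.Employee exists. CREATE USER / CREATE ROLE run as a DBA;
-- the object grants and the revoke run as HR, the owner of Employee.

-- System privilege first: a user must be able to connect before any object
-- privilege is of use.  The password is a placeholder, not a real value.
CREATE USER maryb IDENTIFIED BY "CHANGE_ME_placeholder";
GRANT CREATE SESSION TO maryb;

-- Explicit grant to a single user (the slide's own example)
GRANT INSERT ON hr.Employee TO maryb;

-- Preferred: collect the privileges in a role and grant the role to users
CREATE ROLE payroll;
GRANT SELECT, INSERT, UPDATE ON hr.Employee TO payroll;
GRANT payroll TO maryb;
-- Adding or removing a payroll clerk is now a single statement each:
--   GRANT payroll TO newclerk;      REVOKE payroll FROM maryb;

-- WITH GRANT OPTION lets the grantee pass the privilege on.
-- (Oracle does not accept WITH GRANT OPTION when the grantee is a role.)
GRANT SELECT ON hr.Employee TO joe WITH GRANT OPTION;

-- Run as joe: joe re-grants what he received
GRANT SELECT ON hr.Employee TO paula;

-- Run as HR, the grantor: revoking joe's SELECT cascades, so paula loses the
-- SELECT she obtained through joe as well.
REVOKE SELECT ON hr.Employee FROM joe;

-- Periodic check of what is actually granted on the table (object privileges)
SELECT grantee, privilege, grantable, grantor
FROM   dba_tab_privs
WHERE  owner = 'HR' AND table_name = 'EMPLOYEE'
ORDER  BY grantee, privilege;

-- ...and who currently holds the role
SELECT grantee, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'PAYROLL';
```

After the REVOKE, the first dictionary query lists neither joe nor paula for SELECT on EMPLOYEE, while maryb still appears through the INSERT granted directly and through the role; reviewing these two views periodically is how a DBA confirms that the privilege matrix in the database matches the one on paper.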
Sections Covered
✓ 3.1 Security Overview
✓ 3.2 Security Controls
✓ 3.3 Views
✓ 3.4 Security in Oracle
• 3.5 Web Database Security
3.5 Web Database Security
• The challenge is to transmit and receive information over the
Internet while ensuring:
+ Privacy: it is inaccessible to anyone except the sender and receiver.
+ Integrity: data has not been altered during transmission.
+ Authenticity: the receiver can be sure it came from the sender.
+ Non-fabrication: the sender is sure that the receiver is genuine.
+ Non-repudiation: the sender cannot deny sending the data.
• However, data must also be protected at the Web server. The three-tier
architecture implies three levels of security.
• A further problem is that HTML pages may contain executable
content, e.g. JavaScript or applets.
Malicious Actions
• Executable content can perform malicious actions:
+ Corrupt data or executable software.
+ Reformat disks.
+ Force the system to shut down.
+ Collect and download confidential data (e.g. passwords).
+ Impersonate the user in order to attack other sites on the network.
+ Lock up resources.
+ Cause non-damaging effects such as messages to appear.
Proxy Servers
• In Web terms, a proxy server is a computer that sits between a
browser and web server.
• It intercepts all requests to the Web server, to determine if it can
fulfill the requests itself. If not, requests are forwarded to the
server.
• Proxy servers have two main purposes: to improve performance
and to filter requests.
Improve Performance
• Since a proxy server saves the results of all requests (for some
chosen time limit), it can significantly improve performance for
groups of users.
• For example, suppose A and B access the web through a proxy
server. If B requests a page already selected by A, there is no need
to request this page (again) from the server, unless it has been
modified since.
• Proxy servers such as those used by Compuserve and America
Online can support thousands of users.
Filter Requests
• Proxy servers can also be used to filter requests.
• An organisation may use a proxy server to prevent access to a
group of sites.
Firewalls
• A firewall is a system designed to prevent unauthorised access to or
from a private network.
• If a Web server is connected to an internal network (which may
access the company database), firewall technology can help to
prevent unauthorised access.
• Firewalls can be implemented in hardware or software (or both).
• All messages which enter or leave the intranet pass through the
firewall, and are examined to check that the security criteria are met.
Firewall Techniques
• A packet filter is used to look at each packet entering or leaving the
network, and accepts or rejects the packet based on user-defined
rules. Although popular and effective, it is prone to IP spoofing,
where an untrusted machine appears to be a trusted one.
• An application gateway applies security mechanisms to specific
applications (e.g. FTP and Telnet servers). This is very effective but
carries performance overheads.
• A circuit-level gateway applies security mechanisms when a TCP
connection is first established. However, once the connection has
been made, packets flow between hosts without further checking.
• A proxy server intercepts all messages entering and leaving the
network. It has the effect of hiding the true network address.