Transcript Notes 2
Overview of Database Security
Introduction
Security Problems
Security Controls
Designing Database Security
Outline
Threats to database security
Database protection requirements
Security Problems
Threats to Database Security
What is a threat?
Three Consequences
Two Kind of threats
Security Problems
What is a threat?
A threat can be defined as a hostile
agent that, either casually or by using
specialized technique, disclose, modify
or delete the information managed by a
database management system.
Security Problems
Three Consequences
Improper release of information
Improper modification of data
Denial of service
Security Problems
Two Kinds of Threat
Accidental (Non-fraudulent)
Intentional (fraudulent)
Security Problems
Causes of Non-fraudulent Threat
Natural or accidental disasters
Errors or bugs in hardware or software
Human errors
Security Problems
Fraudulent Threat from Two Classes
of User
Authorized users
Those who abuse their privileges and
authority
Hostile agents
Those improper users (outsider or insiders)
who attack the software and/or hardware
system, or improperly read or write data in
a database
Security Problems
Three Typical Attacks
Virus
Trojan Horse
Trapdoor
Security Problems
Virus
A code able to copy itself and to
damage permanently and often
irreparably the environment where it
gets reproduced
Security Problems
Trojan Horse
A program which, under an apparent
utility, collects information for its own
fraudulent use
Security Problems
Trapdoor
A code segment hidden within a
program; a special input will start this
segment and allow its owner to skip the
protection mechanisms and to access the
database beyond his or her privileges
Security Problems
Database Protection Requirements
Protection from Improper Access
It consists of granting access to a database only to
authorized users
Protection from Inference
Users must be prevented from tracking back to information
on individual entities starting from statistical aggregated
information
Integrity of the Database
Ensuring the logical consistency of data in a database
User Authentication
Identifying uniquely the database users
Security Problems
Database Protection Requirements
Accountability and Auditing
Recording all accesses to the database for analysis and for
deterrence of unauthorized accesses
Management and Protection of Sensitive Data
Protecting the sensitive data from unauthorized users
Multilevel Protection
Information may be classified at various levels of protection
Confinement
To avoid undesired information transfer between
systems
Security Problems