CSIT115 Data Management and Security
Database Security
Dr Janusz R. Getta
School of Computing and Information Technology, University of Wollongong
1 of 19 10/2/22, 8:58 pm
Database Security
Outline
What is Database Security?
Threats
Countermeasures
Authorization and authentication
Access Control
Encryption
TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2022 2/19
What is Database Security
Database security means protection of a database against unauthorized
access, either intentional or unintentional
Database security requires mechanisms that protect a database
against intentional or accidental threats
Such mechanisms affect the hardware, software, people, and data
components of a database management system
Database security protects against:
- Theft and fraud
- Loss of confidentiality
- Loss of privacy
- Loss of integrity
- Loss of availability
Threats
A threat is any situation or event, whether intentional or accidental, that
may adversely affect a system
Sample threats:
- Unauthorized amendment or copying of data
- Using another person's means of access
- Program alteration
- Wire tapping
- Illegal entry by hacker
- Blackmail
- Theft
- Failure of security mechanisms
- And others …
Countermeasures
Countermeasures range from physical controls to administrative
controls
The security of a Database Management System (DBMS) is as good as the security
of the operating system running the DBMS
We consider the following computer-based security controls in a
multiuser environment:
- Authorization and authentication
- Encryption
- Views
- Backup and recovery
- Integrity
Authorization and authentication
Authorization means granting a right or a privilege to have legitimate
access to a system or the resources operated by a system
Authorization is usually built into the software and it determines what
system or object a user can access and what a user is allowed to do with
it
In the process of authorization a subject representing a user or a program
requests and obtains access to an object that represents a relational table,
a relational view, etc.
The process of authorization requires authentication of the subject
Authentication is a mechanism that determines whether a user is who
he or she claims to be
A system administrator is responsible for allowing users to have
access to a computer system by creating individual user accounts
When an account is created, a user is given a unique identifier and the user
picks a password associated with the identifier
To reduce the total number of user names and passwords it is possible
to authenticate a user's access to a database system through earlier
authentication of access to an operating system
Such a solution is not as safe as two separate passwords, which is
consistent with the principle that simplification of data access
always reduces data security
Access Control
A typical way to control access to a database system is based on
granting and revoking privileges
A privilege allows a user to create, to drop, or to access in read or write
mode some database objects like relational tables, relational views,
indexes, etc., or to perform certain operations
Privileges are granted to a user to accomplish their task
Excessive privileges can compromise security
A user who creates a database object becomes the owner of the object
and he/she automatically gets all privileges on the object
The DBMS keeps track of all granted privileges to ensure that only selected
users can access and perform operations on the database objects
There are two different strategies of access control:
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
In Discretionary Access Control each user is given access rights
(privileges) on specific database objects
A user obtains the privileges at the moment he/she creates an object
and the access of other users to the object is at the discretion of the owner
It is an effective system with some weaknesses, for example:
- a user Alice creates a new relational table R and grants write access to that
table to a user Bob
- a user Bob owns a relational table S, which is not accessible to the user Alice
- the user Alice modifies software used by the user Bob, such that it copies the
contents of table S to table R
- the user Alice returns the software used by the user Bob to its original state
Mandatory Access Control is based on system-wide policies that cannot
be changed by the individual users
Each database object is assigned a security class and each user is
assigned a clearance for a security class and the rules are imposed on
reading and writing the database objects by the users
DBMS determines whether a user can read or write a database object
based on certain rules, that involve a security level of the object and a
clearance of the user
A popular model for MAC is the Bell-LaPadula model (Bell and LaPadula
1974)
The model uses the terms objects (relations, views, indexes, etc.),
subjects (users and programs), security classes, and clearances
The principles of the Bell-LaPadula model are the following:
- Each database object is assigned a security class
- Each subject is assigned a clearance class
- The security classes are ordered, with the most secure class and the least
secure class, e.g. top secret (TS), secret (S), confidential (C), and unclassified (U)
- TS > S > C > U
- Simple Security Property: A subject S is allowed to read an object O only if class
of subject S > class of O
- * Property: A subject S is allowed to write an object O only if class of S ≤ class of
O
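The DAC weakness described earlier (Bob's modified software copying table S into table R) checked against the two Bell-LaPadula properties, as an added example that is not part of the original slides. The clearances and security classes given to Alice, Bob, R and S are assumptions, the helper names are hypothetical, and the read rule is taken in its usual form, class of S ≥ class of O, so that a subject can read objects at its own level.

```python
from enum import IntEnum

class Level(IntEnum):              # ordered as on the slide: TS > S > C > U
    U = 0
    C = 1
    S = 2
    TS = 3

def dac_allows(grants, user, table, mode):
    """DAC: access is whatever the owner of the table granted to this user."""
    return mode in grants.get((user, table), set())

def blp_can_read(subject, obj):
    """Simple Security Property (no read up), usual form: class(S) >= class(O)."""
    return subject >= obj

def blp_can_write(subject, obj):
    """* Property (no write down): class(S) <= class(O)."""
    return subject <= obj

# Constructed scenario from the DAC slide: Alice owns R, Bob owns S.
GRANTS = {
    ("alice", "R"): {"read", "write"},   # owner of R
    ("bob", "R"): {"write"},             # write access granted by Alice
    ("bob", "S"): {"read", "write"},     # owner of S; Alice has nothing on S
}
# Assumed labels: Bob and table S are secret, Alice and table R confidential.
CLEARANCE = {"alice": Level.C, "bob": Level.S}
CLASS = {"R": Level.C, "S": Level.S}

def copy_allowed(user, src, dst, mandatory):
    """Can a program running with `user`'s rights copy table src into table dst?"""
    ok = (dac_allows(GRANTS, user, src, "read")
          and dac_allows(GRANTS, user, dst, "write"))
    if mandatory:                        # MAC rules apply on top of the grants
        ok = (ok
              and blp_can_read(CLEARANCE[user], CLASS[src])
              and blp_can_write(CLEARANCE[user], CLASS[dst]))
    return ok

if __name__ == "__main__":
    # The modified software runs with Bob's rights, not Alice's.
    print("Alice reads S directly:", dac_allows(GRANTS, "alice", "S", "read"))
    print("Copy S -> R, DAC only :", copy_allowed("bob", "S", "R", mandatory=False))
    print("Copy S -> R, DAC + BLP:", copy_allowed("bob", "S", "R", mandatory=True))
```

Under DAC alone the copy succeeds because every individual access was granted; with the * Property the write from a secret subject into a confidential table is refused, whatever Alice granted.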
Encryption
Encryption of data means encoding of data by a special algorithm that
renders the data unreadable by any program without the decryption key
Sensitive data can be encoded to protect it against external threats or
access
Some DBMSs provide special facilities to encrypt data and to access
encrypted data after decoding it
Usually there is a degradation in performance because of the time needed
to decode data
A typical cryptosystem includes:
- An encryption key to encrypt data (plaintext)
- An encryption algorithm that with the encryption key transforms plaintext into
ciphertext
- A decryption key to decrypt the ciphertext
- A decryption algorithm that uses the decryption key with the ciphertext to create the
original plaintext