DATABASE SECURITY

CSEC3360
Chapter 1: Security for Today’s World

Dr. Ruba Awadallah

Textbook: David C. Knox, William Maroulis, and Scott Gaetjen:Oracle Database 12c
[Link] to Engineer Saif

01/03/2025 Dr. Ruba Awadallah

 2
Dr. Ruba Awadallah

Introduction

▪ Computer security is a vast and complex subject.

▪ Ensuring the security of information within database systems
can be challenging.
▪ Good News: approaches to implement security are available.
▪ Covers the most relevant topics but not everything about
database security, there is more!

01/03/2025
 3
Dr. Ruba Awadallah

The Security Landscape

➢ Security Approach:
• Identify your critical data assets
• Understand the risks and vulnerabilities to those assets
• Mitigate the risks to those assets.

➢ Understand WHAT you need to secure and WHY.

➢ Your job is to match the security measures you plan with the
goals you want them to achieve.

01/03/2025
 4
Dr. Ruba Awadallah

The Security Landscape

➢ In most cases, money, time and effort are wasted on low-risk systems.
➢ High-risk areas are often overlooked.

❖ General guidelines:
1. Assume Compromise: start with the assumption that malicious people
can penetrate your networks and get to your databases.
2. It’s About the Data: Databases often hold much of important data.
3. The Insider Threat Is Always Present: Insider threats are serious
problems.

01/03/2025
 5
Dr. Ruba Awadallah

Database Security Today

Examples:
1. The creation of record- or column-level access controls via
transparent query modifications (virtual private database).
2. The ability to perform conditional auditing—aka (fine-grained
auditing).

➢ Many of the security design patterns are focused on the security

needs of about 15 years ago
➢ Oracle Database 12c has incorporated significant advances in
allowing these outdated architectures to be retired.

01/03/2025
 6
Dr. Ruba Awadallah

Evolving Security Technologies

There are many useful ways to think about the elements and
dimensions of security.
1. Integrity of the data and the system.
2. Ensuring the availability of the system.
3. Confidentiality of the data stored.

❖ Security can be described as an understanding of who gets

access to what, from where, when, and how.

01/03/2025
 7
Dr. Ruba Awadallah

The Evolving Four

Authentication Access
Present an identity (who is Separation of
trying to perform what action) duties
and verify it is authentic.
Authentication is the technique
used to prove a user is who he
says he is.
Auditing, and Monitoring
Authorization Tracking, analyzing,
ensuring compliance,
Determines whether the protection. Auditing captures
system should allow or action successes and failures
prevent users from for accountability purposes.
performing specific actions or
accessing specific data.
(who gets access to what).

01/03/2025
 8
Dr. Ruba Awadallah

❑ Difference between Authorization and Control:

✓ Authorizations do not actually control who gets access to what.

✓ Database security controls enforce access between user and data.

✓ Authorizations and the controls that ensure the enforcement of the

authorizations are not the same.

01/03/2025
 9
Dr. Ruba Awadallah

How security has evolved over time

Proxy Authentication
Allow applications to use Enterprise User Security (EUS)
connection pools and pre- The end users (or application
create database connections, users) are managed in a central
i.e. Real Application Security Lightweight Directory Access
(RAS) Protocol (LDAP) with role
mapping

Multifactor Identity
No Anonymity
Security and access control can
Identity preservation: be based on authorization
process of maintaining the models that use roles and groups
end user’s identity from the because users might be
end user’s device to the unknown.
database

01/03/2025
Dr. Ruba Awadallah

Security Motivators
➢ Many applications are focused on functions with no consideration
for creating a security design in the overall architecture.
❑ Reasons:
1. Security may not make it into the first version of the application.
2. Adding security after the first version can be more costly than it
would be if it were designed from the start.
➢ Many believe that security is more important than ever,
reasons are:
3. Regulatory compliance.
4. The negative impacts that a compromise or data breach can have
on an organization.

01/03/2025
Dr. Ruba Awadallah

Sensitive Data Categorization

➢ Categorizing data and understanding how it is used helps us:

1. Understand its importance and subsequently derive a protection
plan.
2. Dictate how to protect the data.
3. Guidance for which database technologies and techniques to use.

➢ Categories of data:
• Personally identifiable information (PII).
• Protected health information (PHI), i.e. HIPAA in USA.
• Proprietary information and intellectual property.

01/03/2025
Dr. Ruba Awadallah

Principles
➢ You should adhere to a few principles when considering a solution to
your security challenges.
➢ Implementing the right amount of security is a delicate balance of
preserving:
✓ Ease of use
✓ Performance
✓ Manageability
➢ Doing so may assist you in preserving:
✓ Company brand.
✓ Reputation
✓ Viability
✓ Protecting your reputation and employability

01/03/2025
Dr. Ruba Awadallah

Layers of Common Security Policies

➢ Design your system with multiple layers of security wherever possible

❖ Security technologies such as Transparent Data Encryption (TDE) can
add a layer of security (encryption at rest)
❖ Adding a second layer of security by encrypting network packets to
and from the Database (encryption in motion) increases the security
posture of the system even more.

➢ Also, apply a security layer as close to the data as possible

01/03/2025
Dr. Ruba Awadallah

Summery

➢ Threatsto computersystemsarecontinuallychanging, so

security technologiesmustadapt accordingly

➢ Security landscaperhas changed

➢ Understand what youare toaccomplish

➢ Commonsecurity motivatorsserveas good referencemarkers

01/03/2025