Database Security Overview - PowerPoint PPT Presentation

1 / 22
About This Presentation
Title:

Database Security Overview

Description:

General Security Goals - CIAA. Confidentiality. Integrity. Availability. Authentication. These general goals all apply to DB security. C protect from unauthorized ... – PowerPoint PPT presentation

Number of Views:319
Avg rating:3.0/5.0
Slides: 23
Provided by: lyleSmuE61
Learn more at: https://s2.smu.edu
Category:

less

Transcript and Presenter's Notes

Title: Database Security Overview


1
Database Security Overview
  • Blake Middleton
  • CSE 7330 Fall 2009

2
Protecting a Critical Resource
  • Banking/Financial Records
  • Medical Records
  • Inventory
  • Customer Information
  • Personnel Records
  • Student Records

3
Threats to Data
  • Copy
  • Destroy
  • Modify
  • Securing the Database may be the single biggest
    action an organization can take to protect its
    assets. David Knox

4
Results of an Incident
  • Loss of reputation
  • Loss of
  • Lawsuits (more loss of )
  • TJX 45M credit/debit cards,
  • 256M as of 8/2007
  • -Boston Globe Online

5
General Security Goals - CIAA
  • Confidentiality
  • Integrity
  • Availability
  • Authentication

6
Threat Sources
  • External
  • fame or gain
  • Internal
  • gain or revenge

7
Big Picture
  • Physical security
  • Network security
  • Operating System Security
  • Application Security
  • DBMS (yes, these have vulnerabilities too)

8
Access Control
  • Data Control Language DCL
  • GRANT priv ON object TO user WITH GRANT OPTION
  • REVOKE priv ON object FROM user

9
Examples
  • Table Level Privileges
  • GRANT INSERT, UPDATE ON Students TO fred
  • GRANT DELETE ON Students TO sam WITH GRANT OPTION
  • GRANT ALL ON Students TO barney
  • REVOKE INSERT ON Students FROM fred

10
Examples
  • Column Level (Select and Update)
  • GRANT UPDATE ON Students (address) TO fred

11
Examples
  • Object privileges
  • GRANT CREATE table TO fred

12
Oracle Virtual Private Database (VPD)
  • Provides row-level security
  • Presents partial view of tables based on policies

13
VPD - Examples
  • Restrict user to only see courses from CSE
  • User
  • SELECT FROM Courses
  • Executed
  • SELECT FROM Courses
  • WHERE department CSE
  • source Oracle Database 10g Top 20 DBA
    Features

14
VPD Examples Selective Columns
  • Restrict user to only see students with GPA above
    3.0
  • SELECT FROM Students --Will return rows 1
    and 3
  • SELECT COUNT() FROM Students --Will return
    2
  • source Oracle Database 10g Top 20 DBA Features

ID Name GPA
100 Jones 3.1
101 Smith 2.6
102 Smart 4.0
15
VPD Examples Column Masking
  • Restrict user to only see GPA values above 3.0
  • SELECT FROM Students
  • source Oracle Database 10g Top 20 DBA
    Features

ID Name GPA
100 Jones 3.1
101 Smith 2.6
102 Smart 4.0
ID Name GPA
100 Jones 3.1
101 Smith ltnullgt
102 Smart 4.0
16
Oracle Label Security
  • Access based on
  • data sensitivity labels
  • user label authorizations
  • Provides multi-level security capability

17
Oracle Label Security
  • Data Sensitivity Labels have 3 components
  • Level required
  • Compartment optional
  • Group - optional
  • A policy can have up to 999 levels and 9,999
    groups and compartments
  • -Source Oracle Label Security Best Practices
    White Paper

18
Oracle Label Security - Example
  • -Source Oracle Label Security Best Practices
    White Paper

ID SSN DL_Num Lname Pol1_sec_lab
100 123-45-6789 09234554 Miller SensitivePIIHR
101 234-56-6887 10854834 Arnold PrivatePIIHR
19
Inference
  • Simple example (from Viega McGraw)
  • SELECT AVG(income) FROM customers
  • WHERE state VA OR
  • (city Reno AND state NV
    AND age 72)
  • Followed by
  • SELECT AVG(income) FROM customers
  • WHERE state VA

20
Good Practices
  • Use views
  • Use stored procedures
  • Keep up to date on patches
  • Limit privileges
  • Have a security policy and follow it
  • Encrypt sensitive data
  • Do audits/monitor employees
  • Regular security assessments
  • Enforce strong passwords

21
Future
  • More data to protect
  • More sophisticated attacks
  • More emphasis on security education (hopefully)

22
Bibliography
  • Alapati, S. R., Kim, C. (2007). Oracle Database
    11g New Features for DBAs and Developers.
    Apress.
  • Bauer, M. D. (2005). Linux Server Security (2nd
    ed.). O'Reilly Media, Inc.
  • Defense Information Systems Agency. (2007, Sep.
    19). Security Technical Implementation Guides.
    Retrieved Oct 26, 2009, from http//iase.disa.mil/
    stigs/stig/database-stig-v8r1.zip
  • Knox, D. (2004). Effective Oracle Database 10g
    Security by Design. McGraw-Hill.
  • Litchfield, D., Anley, C., Heasman, J.,
    Grindlay, B. (2005). The Database Hacker's
    Handbook Defending Database Servers. Wiley.
  • Mullins, C. S. (2002). Database Administration
    The Complete Guide to Practices and Procedures.
    Addison-Wesley Professional.
  • Needham, P. (2008). Oracle Label Security Best
    Practices. Oracle.
  • Oracle. (n.d.). Oracle Database 10g Top 20 DBA
    Features. Retrieved 10 26, 2009, from
    http//www.oracle.com/technology/pub/articles/10gd
    ba/week14_10gdba.html
  • Pfluger, C. P., Lawrence, S. (2006). Security
    in Computing (4th ed.). Prentice Hall.
  • Viega, J., McGraw, G. (2002). Building Secure
    Software. Addison-Wesley Professional.
Write a Comment
User Comments (0)
About PowerShow.com