
Security & Integrity




  1. Security & Integrity
  Information maintained in a DBMS is often used both in day-to-day operation of an enterprise, and in management support: forecasting, budgeting, financial control. This information is a very valuable resource for an enterprise, and must be protected.
  Threats are of three basic types:
  • Loss of availability / Denial of service
  • Loss of reliability / Corruption of data
  • Loss of confidentiality / Snooping
  http://csiweb.ucd.ie/staff/acater/comp30150.html

  2. Security: concerned with protection of the database against unauthorised disclosure, alteration, or destruction; granting access to confidential information to authorised users only. Some information can be so crucial that its loss could ruin an enterprise.
  • Integrity: concerned with preserving the consistency and the accuracy of data; protecting against both malicious and accidental interference, even by authorised users. (Recovery techniques and concurrency control may be seen as ways of defending database integrity.)

  3. Examples of sensitive data:
  • Financial: Banks - Customer accounts; Credit reference - Credit ratings
  • Medical: Hospitals, clinics - Patient data
  • Military: Army, Navy etc - Secret weapons, Force deployments
  • Commercial: Retail sales - Mailing lists; Distribution - Selling strategies
  • Industrial: Manufacturing - Processes, New product plans

  4. How much should one invest in security and integrity? It can be difficult to quantify the value of information. Often it does have a clear economic value; but in a hospital, data corruption in the DBMS might lead to patients receiving the wrong treatment, or none at all. Another important consideration is the privacy of individuals: many countries now have privacy laws; these may require that information be used only for the purpose for which it was collected, and that it be accurate.

  5. Kinds of misuse of Computer Systems:
  • theft of money, eg EFT
  • theft of goods managed by computer
  • access to proprietary information such as trade secrets
  • access to sensitive information, for blackmail, for espionage, for terrorism
  • harmful/illegal revelation of personal data
  • theft of computer services
  • theft of computer software
  • long-term or short-term denial of service (by virus, worm)
  (Only the last 3 are unique to computer systems.)

  6. DBMS security, integrity
  DBMS give rise to different problems than general systems, problems which are therefore amenable to different solutions.
  • DBMS have many different users
  • DBMS store many kinds of information
  Data is shared, hence the need to restrict users to those portions of the database that are required for their legitimate activities, and the need to control the changes that users can make. When data is changed in a DBMS the old data is lost; hence the need for a recovery mechanism. Because data is shared, concurrency control is needed to maintain integrity.

  7. Some security issues are external to the DBMS:
  • operating system & hardware - vulnerabilities, security mechanisms
  • physical controls - locked rooms & terminals, guards at doors
  • fireproof safes for backups
  • policy questions:
    • how to decide who sees what?
    • what about hiring and using and trusting computer staff?
  • legal/social/ethical issues:
    • perhaps the public has a legal right to see certain data

  8. Some terminology exists: (page 1 of 5)
  Information security: protection of information against unauthorised disclosure, alteration, destruction.
  Database security: protection of information maintained in a database.
  Protection: refers to techniques that control the access of executing programs to stored information; includes hardware and OS features. [All access to computerised data must be by program.] [Printouts thrown in bins, forensic scans of disks, are beyond scope.]

  9. Terminology 2/5
  Auditing: examination of information by persons other than those who produced it, often a considerable time after it was created or modified, focusing on what was done and by whom.
  Privacy: all legal and ethical aspects of personal data systems (systems containing information about individuals). Individuals usually have a legal right to some control over information maintained about them.
  Authorisation: the specification of rules about who has what type of access to what information. An "authoriser" writes "access rules".

  10. Terminology 3/5
  Access control: ensuring that information is accessed only in authorised ways. Information transfer to a program is permitted subject to access rules.

  11. Terminology 4/5
  Intentional resolution: when rules aim also to control actions on data once legally accessed. The system limits the user program's actions.
  Information flow control: prevention of security leaks as information flows through the system.

  12. Terminology 5/5
  Integrity: consistency, reasonableness, correctness of data.
  Integrity subsystem: the mechanisms that help ensure integrity of data.
  System integrity: ability of the system to function according to specification even in the face of "hacking".
  Semantic integrity: concerned with the correctness, especially the internal consistency, of the data in the database in the presence of user updates. The data model may impose specific integrity constraints. Concurrency control & recovery mechanisms are significant here.
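  As an added illustration (not part of the lecture notes) of what an integrity subsystem does with "specific integrity constraints" imposed by the data model: the schema below declares a domain constraint (CHECK), a referential constraint (REFERENCES) and a NOT NULL constraint, and the DBMS itself rejects updates that would break them, rolling the transaction back so the stored data stays consistent. It uses Python's built-in sqlite3 on an in-memory database; the HR schema and rows are constructed for the example.

```python
"""Added example (not from the lecture notes): a DBMS integrity subsystem
enforcing semantic integrity constraints against user updates.
Uses the standard-library sqlite3 module with an in-memory database;
the schema and sample rows are constructed for this illustration."""
import sqlite3


def build_db():
    """Create a small HR schema whose constraints encode business rules."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript("""
        CREATE TABLE dept (
            dname TEXT PRIMARY KEY
        );
        CREATE TABLE employee (
            empno   INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            dept    TEXT NOT NULL REFERENCES dept(dname),                -- referential integrity
            salary  INTEGER NOT NULL CHECK (salary BETWEEN 0 AND 500000), -- domain constraint
            manager INTEGER REFERENCES employee(empno)                    -- a manager must be an employee
        );
        INSERT INTO dept VALUES ('CSI'), ('Finance');
        INSERT INTO employee VALUES (1, 'Alice', 'CSI', 70000, NULL);
        INSERT INTO employee VALUES (2, 'Bob', 'CSI', 50000, 1);
    """)
    return conn


def try_update(conn, sql, params=()):
    """Run one update in its own transaction and report whether the DBMS
    accepted it. A rejected statement is rolled back, so a half-applied
    change never reaches the database."""
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


def demo():
    """Apply one valid and four invalid updates; return what was accepted
    plus the state of the data afterwards."""
    conn = build_db()
    results = {
        "raise salary": try_update(conn, "UPDATE employee SET salary = 55000 WHERE empno = 2"),
        "negative salary": try_update(conn, "UPDATE employee SET salary = -1 WHERE empno = 2"),
        "unknown dept": try_update(conn, "INSERT INTO employee VALUES (3, 'Carol', 'Sales', 40000, 1)"),
        "ghost manager": try_update(conn, "INSERT INTO employee VALUES (3, 'Carol', 'CSI', 40000, 99)"),
        "delete dept in use": try_update(conn, "DELETE FROM dept WHERE dname = 'CSI'"),
    }
    # After the rejected statements the data is unchanged and still consistent.
    bob_salary = conn.execute("SELECT salary FROM employee WHERE empno = 2").fetchone()[0]
    headcount = conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]
    return results, bob_salary, headcount


if __name__ == "__main__":
    print(demo())
```

  Only the first update is accepted; the other four are refused by the DBMS rather than by application code, which is the point of putting the constraint in the data model: every program that touches the table is covered, including ones written later.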

  13. Relationship between security & integrity: attempted

  14. Privacy requirements
  Decision making is increasingly based on impersonal recorded information rather than on personal knowledge. What is privacy - the right to be let alone? Information privacy has been defined as "... the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others."

  15. The concept of "administrative secrecy" is related, and is usually covered by much more powerful legislation: e.g. the British Official Secrets Act makes it an imprisonable crime for a government servant to reveal official information. Different legislatures take different approaches to privacy legislation.

  16. USA Fair Credit Reporting Act
  - affects private sector information systems
  - obliges credit bureaux to allow customers of credit institutions to review their own files
  It is a law tailored to one specific industry. Other specific laws cover other industries.

  17. USA Code of Fair Information Practices - for health, education & welfare depts
  - no secret systems
  - individuals can find out what info is kept and how it is used
  - individuals may correct info
  - info collected for one purpose is not to be used for any other without consent
  - an organisation maintaining personal information must guarantee its reliability and must take precautions against its misuse
  The last stipulation is very important for DBMS.

  18. USA Privacy Protection Study Commission opted for laws tailored to specific private sector industries rather than using the same provisions as for the public sector (which is the approach taken in Europe). It recommended 3 basic objectives:
  minimise intrusiveness:
  • individuals must be informed about any record-keeping taking place
  • some info not collected at all
  • limit methods of collection

  19. maximise fairness:
  • subject should be able to see records, correct errors, & (refuse to) authorise disclosure
  • fairness implies integrity must be maintained
  establish obligations about using and disclosing personal data
  Laws passed in 1978-79 embody some of its recommendations.

  20. Europe
  Swedish Data Act (1973) was the first national privacy law anywhere. It requires record-keeping systems to be licensed by, and inspected by, a board which may issue directives for the system. Germany, Denmark, Norway, France followed with similar laws. France's law additionally requires purging of obsolete information.

  21. European 1981 Convention for the Protection of Individuals with regard to the automatic processing of personal data led in time to Britain's Data Protection Act (1984) and Ireland's Data Protection Act (1988). These two similar laws protect "personal data" - data relating to living individuals; they apply only to computer-based records; they exempt those using records solely for accounting, pay, or pension purposes. They establish
  - a data protection registrar (commissioner) of personal data users & computer bureaux, who has powers to ensure that data is used according to the data protection principles
  - appeals tribunal for data users
  - right of access for data subjects
  - right to compensation

  22. UK & Ireland: Obligations for data users
  • must register, describing:
    • personal data to be used and its purpose
    • source of data
    • persons to whom it will be disclosed
    • places to which it will be transferred
    • addresses for requests from data subjects
  - after registration, must not process data except as specified
  - must not transfer out of the country (UK, Ireland) except as specified
  - must allow subjects access to data about them (maybe with a fee)
  - may not allow anyone access to data about anyone else who has not consented to this. Can even refuse a person access to his own data if this involves revealing someone else's.

  23. Registrar (commissioner) may prosecute for breach, and may seize data (subject to various conditions). Appeal may be made to the Data Protection Tribunal (Circuit Court).
  Various principles for data protection, not just for personal data. Eg:
  • data held only for a clearly defined purpose
  • data should be the minimum necessary for the job
  • all data as accurate as possible
  • data held only as long as necessary
  • access restricted to authorised users

  24. Data Protection Acts lay down 8 principles for data users:
  • personal data must be both obtained and processed fairly and lawfully
  • personal data should be held only for the specified lawful purposes
  • personal data shall not be used or disclosed for any purpose other than those specified
  • personal data should be adequate, relevant, and not excessive in relation to its purpose
  • personal data should be accurate and up-to-date where necessary
  • personal data should be kept no longer than necessary for the required purpose
  • the individual is entitled to a) without undue cost or delay, be informed if data is held, and be given access to it; b) have it corrected or erased

  25. The eighth principle applies also to bureaux, not just data users, and was the most far-reaching from the computer community's viewpoint:
  8. all who run computer systems dealing with personal data, whatever the size of the system, are to adopt security measures against
  • unauthorised access
  • unauthorised alteration/destruction
  • unauthorised disclosure
  • accidental loss/destruction
  The essence of the law: data must be true and must be fairly processed.

  26. Some privacy issues
  Electronic Funds Transfer (EFT): EFT systems automatically process deposits, withdrawals, and transfers of money: eg Pass, Paypath, Banklink, Direct Debits, Debit/Credit cards. Expansion of EFT allows more details to be recorded and to be easy to retrieve; these could be used e.g. to trace an individual's movements or to classify people for direct advertising purposes. (Like Tesco, Dunnes ...)
  Transborder Data Flow (TDF): Data can pass across international borders via networks: rogue permissive economies?

  27. Universal Identifiers
  Social Security number; Citizen Number? Great concern about the use of a "universal identifier" to link personal records maintained in many different databases - making it easy for "Big Brother"; also a dehumanising effect - eg if a computer grades exams, sends results, and sends success/failure letters to job applicants. The US Privacy Commission recommended that steps be taken to prevent "Universal Labels".

  28. Security Threats & Defences
  Additional reference: Database Security, Castano, Fugini, Martella & Samarati, Addison-Wesley, 1995
  Threats, malicious or accidental:
  • Malicious attack: exploit system loopholes; abuse privileged position; use another's password; etc...
  • Accident: hardware/software failure; natural disaster (fire, flood, ...)


  30. Security Procedures & Mechanisms - 1
  DBMS security is only as strong as the weakest link amongst human, software, and hardware measures. A wide range of protective measures must be adopted.
  • external:
    • security clearance of personnel
    • security policy formulation
    • measures to protect passwords
    • control over programming
    • auditing
  • data storage:
    • backup copies
    • replication
    • encryption

  31. Security Procedures & Mechanisms - 2
  • communication lines and physical environment:
    • prevent electronic eavesdropping
    • secure areas for equipment & files
    • radiation shielding
  • software:
    • user identification & authentication
    • access control
    • recording audit trail
  • hardware:
    • memory protection
    • states of privilege

  32. Confinement problem: while a program legitimately conveys information to a lawful user, it might also be conveying it to an unauthorised person, using legitimate or covert channels.
  e.g. using a file intended to pass info - legitimate channel
  e.g. using a file not intended to pass out info, or some coding scheme - covert channel.

  33. Verification methods might be used to show that a program meets security requirements; but this may be too difficult. It would be nice to verify those parts of the security system that check accesses of untrusted programs: this beats a Trojan Horse attack where a flaw is deliberately left in the security system.
  Security Kernel approach: some limited portion of the software contains all the basic security mechanisms; only the kernel needs to be verified.

  34. Costs & Benefits of security
  • Software costs:
    • lower performance
    • greater complexity
    • loss of flexibility
  • Human costs:
    • must administer system
    • must maintain system
  • Hardware costs:
    • may need special hardware, eg badge readers
    • may need bigger & better computers to offset performance hit
  • Startup cost & Operational cost:
    • Finance
    • (privacy legislation has major cost implications for data users; this was a cause of much opposition to the legislation.)

  35. Costs & Benefits of security
  • Protection benefit: against security losses, e.g.
    • trade secret loss,
    • military loss,
    • privacy loss.
  • Reliability benefit
    • security may lead to more discipline and so maybe more reliability.

  36. Security Evaluation Guidelines
  • Completeness: depends on sensitivity of data
  • Confidence: will it do the job? No proof.
  • System flexibility: different policies possible - the law may change
  • Ease of administration
  • Flexibility for users: should not overburden users - user transparency
  • Tamperproofness: security system itself protected
  • Low processing overhead
  • Low operating costs: hardware, software, salaries
  These factors have to be balanced for a particular enterprise in its particular environment.

  37. Overview of DBMS security
  Authentication follows identification and is a way to verify the identity of a user at log-on time. Fundamental to good security. Use of passwords is very common; also badges & physical characteristics (retina scan; voiceprint; handprint; etc).
  Authorisation for each transaction is checked by the system. Access rules control access to system objects {= data, programs}.
  The DBMS checks authorisation, maintains integrity, synchronises concurrent transactions, and looks after logging for security and recovery purposes.
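  As an added example (not part of the lecture notes) of password-based authentication at log-on, and of the "measures to protect passwords" named on slide 30: the system never stores the password itself, only a per-user random salt and a slow hash derived from it, so a copied user table does not directly yield passwords. The user store, work factor and usernames below are constructed for the illustration; only the Python standard library is used.

```python
"""Added example (not from the lecture notes): identification (username)
followed by authentication (password check) against a salted, slow-hashed
password store. Standard library only."""
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, derived hash).
_USERS = {}
_ITERATIONS = 200_000   # PBKDF2 work factor (assumed; tune for your hardware)
_SALT_BYTES = 16
_HASH_BYTES = 32        # output size of PBKDF2-HMAC-SHA256


def _derive(password, salt):
    """Slow key derivation: makes offline guessing expensive per attempt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def register(username, password):
    """Store only salt + hash; the cleartext password is never written."""
    salt = os.urandom(_SALT_BYTES)
    _USERS[username] = (salt, _derive(password, salt))


def authenticate(username, password):
    """Return True only if the username exists and the password matches.
    An unknown username is still run through the same derivation so that
    response time does not reveal which accounts exist, and the final
    comparison is constant-time."""
    salt, stored = _USERS.get(username, (b"\x00" * _SALT_BYTES, b"\x00" * _HASH_BYTES))
    candidate = _derive(password, salt)
    return username in _USERS and hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    register("alice", "correct horse battery")
    print(authenticate("alice", "correct horse battery"))  # expected: True
    print(authenticate("alice", "wrong password"))         # expected: False
```

  The stored record for a user is (salt, hash); two users with the same password get different hashes because their salts differ, which defeats precomputed tables.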


  39. Policies for DBMS security
  "Security policy" = guidelines concerning security of information. Implemented by security mechanisms (hardware, software, administration). Different policies for different enterprises - may have legal aspects.
  • A given policy should not be built into a mechanism, because as changes come about you may want to, or be obliged to, change policies.
  • Some general-purpose mechanisms do allow a number of policies to be used (e.g. access rules).
  • But special-purpose mechanisms may be simpler to implement and may perform better because they can be tailored to a given system.
  • Trade-off situation: penny-wise, pound-foolish.

  40. DBMS policy issues
  • centralised vs. decentralised authorisation?
    • will you have a single authoriser for the entire system, or different authorisers for different parts? (Not just an issue in distributed DB)
  • ownership vs. administration functions
    • is the data owner (creator of the data, if one exists) responsible for authorisation, or is there a separate administrator who defines & controls its use?
    • owner has full access to the data;
    • administrator merely controls access rights.
    • (As in the O.S., the administrator can give himself full access - this is a problem. Who guards the guardians?)

  41. Access Control Specification policies
  • "need to know" policy
    • restrict information to those who must have it. Also called "policy of least privilege" because users and programs operate with the minimal set of privileges necessary.
  • "maximised sharing" policy
    • make the most of the data in a database, as eg in a library. May still have restrictions.
  • Open systems - allow access to data unless explicitly forbidden
  • Closed systems - allow access to data only if explicitly authorised
  Closed systems are safer (eg if an access rule is forgotten or destroyed), and are thus a basic requirement for a need-to-know policy.

  42. "Name-dependent access control"
  • Demands the ability to restrict access to the finest granularity of the DBMS, e.g. the "salary" attribute of the Person relation. An Access Rule names the attributes that can be accessed.
  • Also called "content-independent access control" because the access rules do not use data values in making access decisions.
  "Content-dependent access control"
  • Extends the policy of least privilege further than name-dependent access control. Rules refer to data values in the DBMS, eg a manager may see the salary field of records of employees managed by himself.

  43. Access types
  The degree of control over data is increased by having possibly different rules governing different types of access: read, write, update, delete, insert, etc. In an office setting e.g.,
  • Manager may have all rights over all fields of employee records;
  • Mail room has only read access, and only to "name" & "dept" fields.
  Generally, each user has the minimum access rights required. Implementation (use by the authoriser) is simplified if access rights are partially ordered: e.g. update ---> read
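  The three ideas on slides 41 to 43, brought together in one added example that is not part of the lecture notes: a closed system (anything not granted by a rule is denied), name-dependent rules that name attributes, content-dependent rules whose predicate looks at the row's data values (the manager-sees-own-staff case), and a partial order on access types in which holding "update" implies "read". The subjects, rules and Person records are constructed for the illustration.

```python
"""Added example (not from the lecture notes): a closed-system access checker
combining name-dependent rules, content-dependent rules and partially
ordered access types. Subjects, rules and records are constructed."""

# Partial order on access types: holding 'update' implies 'read'.
IMPLIES = {"update": {"update", "read"}, "read": {"read"}}

# Constructed records of the Person relation.
EMPLOYEES = [
    {"name": "Alice", "dept": "CSI", "salary": 70000, "manager": None},
    {"name": "Bob", "dept": "CSI", "salary": 50000, "manager": "Alice"},
    {"name": "Carol", "dept": "Finance", "salary": 60000, "manager": "Dave"},
]

# Access rules: (subject, access type, attributes, row predicate or None).
# predicate None  -> name-dependent rule (decided from attribute names only)
# predicate given -> content-dependent rule (decided from the row's values)
# Anything not matched by a rule is denied: this is a closed system.
RULES = [
    ("mailroom", "read", {"name", "dept"}, None),
    ("Alice", "read", {"name", "dept"}, None),
    ("Alice", "update", {"salary"}, lambda subject, row: row["manager"] == subject),
]


def permitted(subject, access, attribute, row):
    """Closed-system check: True only if some rule grants this access."""
    for rule_subject, rule_access, attrs, predicate in RULES:
        if rule_subject != subject or attribute not in attrs:
            continue
        if access not in IMPLIES[rule_access]:   # e.g. 'read' via an 'update' rule
            continue
        if predicate is None or predicate(subject, row):
            return True
    return False


def project(subject, access, attributes):
    """For each employee, return only the requested attributes the subject
    may access with the given access type (name-dependent filtering applied
    per attribute, content-dependent filtering applied per row)."""
    result = []
    for row in EMPLOYEES:
        visible = {a: row[a] for a in attributes if permitted(subject, access, a, row)}
        result.append(visible)
    return result


if __name__ == "__main__":
    print(project("mailroom", "read", ["name", "dept", "salary"]))
    print(project("Alice", "read", ["name", "salary"]))
```

  Alice can read Bob's salary because the update rule implies read and Bob's record names her as manager; she cannot read Carol's salary because the predicate fails, and the mail room never sees a salary at all because no rule names that attribute.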

  44. Contrast with Functional Access Rights
  For a statistical database, e.g. census data, one requires the ability to do "count", "average" and "sum" functions, but one wants to prohibit queries that allow inferences about individuals. So-called "tracker queries" masquerade as statistical enquiries but actually find information about an individual, eg
  select sum (salary) where firstname like "A*" and lastname like "C*" and school = "CSI"
  • (virtually?) impossible in practice to prevent construction of sets of queries designed to reveal information about an individual.
  • So, add noise?
  • Or, place upper & lower bounds on the number of items in an aggregate
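  The second defence on the slide, bounds on the size of the set an aggregate is computed over, as an added example that is not part of the lecture notes. The interface refuses any aggregate whose query set has fewer than K records, which is what stops the slide's "A* / C* / CSI" query from singling out one person, and also any set larger than N - K, since "everyone" minus "everyone except one person" would otherwise leak the same value. The records, names and the value of K are constructed for the illustration; adding noise, the slide's other option, is a separate measure not shown here.

```python
"""Added example (not from the lecture notes): a statistical-query interface
that only answers aggregates over query sets of size between K and N-K.
Records and names are constructed."""

# Constructed statistical database (a real one would be far larger).
RECORDS = [
    {"firstname": "Anna", "lastname": "Casey", "school": "CSI", "salary": 62000},
    {"firstname": "Brian", "lastname": "Doyle", "school": "CSI", "salary": 58000},
    {"firstname": "Ciara", "lastname": "Egan", "school": "CSI", "salary": 71000},
    {"firstname": "Dara", "lastname": "Flynn", "school": "Law", "salary": 65000},
    {"firstname": "Eoin", "lastname": "Gray", "school": "Law", "salary": 54000},
    {"firstname": "Fiona", "lastname": "Hayes", "school": "Med", "salary": 90000},
    {"firstname": "Gavin", "lastname": "Irwin", "school": "Med", "salary": 83000},
    {"firstname": "Hanna", "lastname": "Joyce", "school": "CSI", "salary": 66000},
]
K = 3  # minimum query-set size; sets larger than N - K are refused too


class QueryRefused(Exception):
    """Raised instead of answering when the query set is too small or too large."""


def stat_query(func, field, predicate):
    """Answer func(field) over the records matching predicate, or refuse."""
    query_set = [r for r in RECORDS if predicate(r)]
    n, size = len(RECORDS), len(query_set)
    # Lower bound: a tiny set identifies an individual.
    # Upper bound: the complement of a tiny set identifies the same individual.
    if size < K or size > n - K:
        raise QueryRefused("query set of size %d outside [%d, %d]" % (size, K, n - K))
    return func(r[field] for r in query_set)


def refused(predicate):
    """True if the interface refuses sum(salary) over the given predicate."""
    try:
        stat_query(sum, "salary", predicate)
        return False
    except QueryRefused:
        return True


def tracker_attempt():
    """The slide's query: first name A*, surname C*, school CSI. It matches a
    single record, so the interface refuses it and returns None here."""
    pred = (lambda r: r["firstname"].startswith("A")
            and r["lastname"].startswith("C")
            and r["school"] == "CSI")
    return None if refused(pred) else stat_query(sum, "salary", pred)


def legitimate_query():
    """Average salary of the CSI school: four records, inside the bounds."""
    values = stat_query(list, "salary", lambda r: r["school"] == "CSI")
    return sum(values) / len(values)


if __name__ == "__main__":
    print(tracker_attempt())     # expected: None
    print(legitimate_query())    # expected: 64250.0
```

  Size bounds alone do not stop every inference chain (the slide's "virtually impossible" remark stands), but they remove the simplest trackers at almost no cost, and a refusal is itself a useful audit event.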

  45. Context Dependent Control
  Access Rules refer to combinations of items that are impermissible. May for example disallow queries that combine "name" and "salary", while permitting separate access to the two fields. But this is not really adequate to prevent extracting information about forbidden combinations of items, e.g. names & salaries, because it might be possible to draw inferences from the results of separate queries, e.g.
  q1: names and projects
  q2: projects and salaries
  Hence the goal of History Dependent Control:
  • To take account of the context of past and current requests.
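  An added example, not part of the lecture notes, that implements both controls from this slide. The context-dependent check refuses any single query holding a forbidden combination; the history-dependent check additionally records, per user, which attributes have been returned together, and refuses a new query if, joined through shared attributes with earlier answered queries, it would connect the members of a forbidden combination (the slide's q1 then q2 case). Attribute and user names are constructed.

```python
"""Added example (not from the lecture notes): context-dependent control
extended to history-dependent control over per-user query history.
Attribute names, user names and the forbidden pair are constructed."""

FORBIDDEN_PAIRS = [{"name", "salary"}]


class HistoryDependentGuard:
    def __init__(self):
        # Per-user graph: attribute -> set of attributes returned alongside it.
        # Two attributes in one answered query can be joined, so they are linked.
        self.links = {}

    def _connected(self, user, a, b):
        """Is there a chain of answered queries linking attribute a to b?"""
        graph = self.links.get(user, {})
        seen, stack = set(), [a]
        while stack:
            x = stack.pop()
            if x == b:
                return True
            if x in seen:
                continue
            seen.add(x)
            stack.extend(graph.get(x, ()))
        return False

    def check(self, user, attrs):
        """Return True and record the query if it is allowed, False if refused."""
        attrs = set(attrs)
        # Context-dependent: a single query must not hold a forbidden pair.
        for pair in FORBIDDEN_PAIRS:
            if pair <= attrs:
                return False
        # History-dependent: tentatively add this query to the user's history
        # and refuse if a forbidden pair has become connected.
        graph = self.links.setdefault(user, {})
        snapshot = {k: set(v) for k, v in graph.items()}
        for x in attrs:
            graph.setdefault(x, set()).update(attrs - {x})
        for pair in FORBIDDEN_PAIRS:
            a, b = tuple(pair)
            if self._connected(user, a, b):
                self.links[user] = snapshot   # roll back the tentative update
                return False
        return True


if __name__ == "__main__":
    g = HistoryDependentGuard()
    print(g.check("u1", ["name", "project"]))     # q1: allowed
    print(g.check("u1", ["project", "salary"]))   # q2: refused, would link name to salary
```

  History is kept per user, so the same q2 issued by a different user who never asked q1 is still answered; colluding users sharing results is outside what this control can see, which is why auditing of the log (slide 48) remains necessary alongside it.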

  46. Policies to control information flow
  The previously mentioned policies control access to data, but not the use of data once accessed; they assumed "Discretionary Access Control", where the authoriser grants access rights to users. In a "Compartmentalisation Policy" (also known as "non-discretionary access control"), data belonging to one user compartment cannot be accessed by users assigned to other compartments. This can be extended to Multi Level Control where, besides having compartments, information is classified according to sensitivity: Unclassified; Confidential; Secret; Top secret.

  47. Users, and data, are assigned a security level. A security level is defined as a classification + a set of categories (Army, Navy, Air Force).
  A user access is allowed iff user security level >= data security level.
  Level A >= Level B iff classification(A) >= classification(B) and categories(B) ⊆ categories(A) (⊆ meaning "is a subset of").
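  The dominance relation from this slide, as an added example that is not part of the lecture notes: a security level is a classification from the ordered list on slide 46 plus a set of categories, and A >= B holds iff the classification of A is at least that of B and the categories of B are a subset of those of A. Because this is a partial order, some pairs of levels are incomparable, which the last function checks. The particular levels used are constructed.

```python
"""Added example (not from the lecture notes): security levels as
classification + category set, with the slide's dominance relation.
The specific levels and categories used are constructed."""
from dataclasses import dataclass

# Ordered from least to most sensitive (slide 46).
CLASSIFICATIONS = ["Unclassified", "Confidential", "Secret", "Top secret"]


@dataclass(frozen=True)
class SecurityLevel:
    classification: str
    categories: frozenset

    def dominates(self, other):
        """Level A >= Level B iff classification(A) >= classification(B)
        and categories(B) is a subset of categories(A)."""
        return (CLASSIFICATIONS.index(self.classification)
                >= CLASSIFICATIONS.index(other.classification)
                and other.categories <= self.categories)


def level(classification, *categories):
    """Convenience constructor: level("Secret", "Army", "Navy")."""
    return SecurityLevel(classification, frozenset(categories))


def may_access(user_level, data_level):
    """Access is allowed iff the user's level dominates the data's level."""
    return user_level.dominates(data_level)


def comparable(a, b):
    """Dominance is a partial order: levels that differ in both classification
    direction and categories may be incomparable, so neither may access the other."""
    return a.dominates(b) or b.dominates(a)


if __name__ == "__main__":
    user = level("Secret", "Army", "Navy")
    print(may_access(user, level("Confidential", "Army")))   # expected: True
    print(may_access(user, level("Secret", "Air Force")))    # expected: False (category missing)
    print(may_access(user, level("Top secret", "Army")))     # expected: False (classification too high)
```

  The category test is what makes compartments work: a Secret-cleared user without the Air Force category is refused Air Force data even though the classification alone would permit it.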

  48. Relation of policies supporting least privilege (diagram; only its labels survive): need to know; nondiscretionary access control; discretionary access control; statistical queries; security compartments; security levels; name dependent; context dependent; content dependent; multilevel control; history dependent.
  Enforcement of security policies embraces
  • Detection of breaches and attempted breaches (auditing of log)
  • Prevention of breaches

  49. Security Models
  Basic model using an access matrix, from O.S. work originally by Lampson, Graham, Denning. The model has 3 components:
  • set of objects
    • objects are entities known to the system which must be protected: eg memory, files, processes
  • set of subjects
    • subjects are entities (e.g. processes) requesting access to objects
    • subjects are objects too
  • set of rules defining the types of access a subject has for an object
    • e.g. read, write, execute, confer privilege

  50. The set of all rules (conceptually) forms an Access Matrix [A], where
  • columns represent objects (O1..On),
  • rows represent subjects (S1..Sm),
  • an entry A[Si,Oj] contains a list of access types t1,t2,... specifying the access privileges of subject Si to object Oj.
  The list of objects that a subject may access, together with the access types, is termed a "Capability List". The list of subjects that may access an object, together with the access types, is termed an "Access Control List".
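  The access matrix of slides 49 and 50 as an added example, not part of the lecture notes: the matrix is stored sparsely, a capability list is one row of it and an access control list is one column, and the "confer privilege" access type from slide 49 is modelled as a right that a subject must hold on an object before it can pass another right on that object to someone else. Subjects, objects and access types are constructed.

```python
"""Added example (not from the lecture notes): the Lampson/Graham/Denning
access matrix, with capability lists (rows), access control lists (columns)
and a 'confer' right. Subjects, objects and rights are constructed."""


class AccessMatrix:
    def __init__(self):
        self.entries = {}  # (subject, object) -> set of access types

    def grant(self, subject, obj, *types):
        """Add access types to entry A[subject, obj]."""
        self.entries.setdefault((subject, obj), set()).update(types)

    def allowed(self, subject, obj, access):
        return access in self.entries.get((subject, obj), set())

    def capability_list(self, subject):
        """Row of the matrix: objects this subject may access, with types."""
        return {o: sorted(t) for (s, o), t in self.entries.items() if s == subject and t}

    def access_control_list(self, obj):
        """Column of the matrix: subjects that may access this object, with types."""
        return {s: sorted(t) for (s, o), t in self.entries.items() if o == obj and t}

    def confer(self, grantor, grantee, obj, access):
        """grantor passes `access` on obj to grantee. Allowed only if grantor
        holds both that access and the 'confer' right on obj, so a subject
        can never hand out more than it has. Returns True if transferred."""
        if not (self.allowed(grantor, obj, access) and self.allowed(grantor, obj, "confer")):
            return False
        self.grant(grantee, obj, access)
        return True


def build_example():
    """Constructed matrix: two users, one data file, one report, one process."""
    m = AccessMatrix()
    m.grant("alice", "payroll.db", "read", "write", "confer")
    m.grant("bob", "payroll.db", "read")
    m.grant("alice", "report.txt", "read")
    # Subjects are objects too: a user may hold rights over a process.
    m.grant("alice", "proc:backup", "execute")
    return m


if __name__ == "__main__":
    m = build_example()
    print(m.capability_list("alice"))
    print(m.access_control_list("payroll.db"))
```

  Real systems store only one projection: capability lists travel with the subject and are cheap to check but hard to revoke, access control lists sit with the object and make "who can reach this?" (the auditing question) a single lookup.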
