
Advanced Database Systems

Sekolah Tinggi Ilmu Statistik (STIS). Advanced Database Systems. Database Security, Lecture 2. Today’s Lecture: Database Security: Threats; Countermeasures: Computer-based Controls; DBMSs and Web Security. Database Security: Threats (First Topic). Why Database Security?





Presentation Transcript


  1. Sekolah Tinggi Ilmu Statistik (STIS) Advanced Database Systems Dr. Said Mirza Pahlevi, M.Eng.

  2. Database Security, Lecture 2

  3. Today’s Lecture
     • Database Security: Threats
     • Countermeasures: Computer-based Controls
     • DBMSs and Web Security

  4. Database Security: Threats (First Topic)

  5. Why Database Security? Data is a valuable resource that must be strictly controlled and managed, as with any corporate resource. Part or all of the corporate data may have strategic importance and therefore needs to be kept secure and confidential.

  6. What is Database Security? Mechanisms that protect the database against intentional or accidental threats. Security considerations do not apply only to the data held in a database: breaches of security may affect other parts of the system, which may in turn affect the database.

  7. Database Security Threats: any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently an organization.

  8. Threats in Database Security
     • Theft and fraud
       • Does not necessarily alter data; results in either loss of confidentiality or loss of privacy
     • Loss of confidentiality (secrecy)
       • Confidentiality concerns data critical to the organization
     • Loss of privacy
       • Privacy concerns data about individuals
     • Loss of integrity
       • Results in invalid or corrupted data, which may seriously affect the operation of the organization
     • Loss of availability
       • Seriously affects an organization’s financial performance
       • Data should be available 24/7

  9. Computer Systems Threats (figure slide)

  10. (figure slide, no text)

  11. Countermeasures: Computer-based Controls (Second Topic)

  12. Typical Multi-user Computer Environment (figure slide)

  13. Computer-Based Controls
     • Range from physical controls to administrative procedures, and include:
       • Authorization
       • Access controls
       • Views
       • Backup and recovery
       • Integrity
       • Encryption
       • RAID technology

  14. 1. Authorization. Authorization is the granting of a right or privilege which enables a subject to legitimately access a system or a system’s object. Authentication is a mechanism that determines whether a user is who he or she claims to be.

  15. 2. Access Control
     • Typical way: based on the granting and revoking of privileges.
     • A privilege allows a user to create or access (that is, read, write, or modify) some database object (such as a relation, view, or index) or to run certain DBMS utilities.
     • Privileges are granted to users to accomplish the tasks required for their jobs.
     • Types:
       • Discretionary Access Control (DAC)
       • Mandatory Access Control (MAC)

  16. Discretionary Access Control (DAC)
     • Most DBMSs provide an approach called Discretionary Access Control (DAC).
     • The SQL standard supports DAC through the GRANT and REVOKE commands.
     • The GRANT command gives privileges to users, and the REVOKE command takes away privileges.
       • GRANT ALL PRIVILEGES ON Staff TO Manager;
       • REVOKE ALL PRIVILEGES ON Staff FROM Manager;

  17. Discretionary Access Control (DAC)
     • DAC, while effective, has certain weaknesses.
     • An assistant can create a relation to capture new client details and give access privileges on it to a manager without the manager’s knowledge.
     • The assistant can then alter some application program that the manager uses to include a hidden instruction that copies sensitive data from the Client relation, which only the manager has access to, into the new relation created by the assistant.
     • An additional approach is therefore required, called Mandatory Access Control (MAC).

  18. Mandatory Access Control (MAC)
     • Also referred to as Multilevel Security.
     • The SQL standard does not include support for MAC.
     • DBMSs that satisfy multilevel security properties are called multilevel secure database management systems (MLS/DBMSs).
     • Many of the MLS/DBMSs have been designed based on the Bell and LaPadula (BLP) model.

  19. MLS/DBMS Commercial Products
     • Oracle (Trusted ORACLE7 and beyond)
     • Sybase (Secure SQL Server)
     • ARC Professional Services Group (TRUDATA/SQLSentry)
     • Informix (Informix-OnLine/Secure)
     • Digital Equipment Corporation (SERdb) (this group is now part of Oracle Corp)
     • InfoSystems Technology Inc. (Trusted RUBIX)
     • Teradata (DBC/1012)
     • Ingres (Ingres Intelligent Database)

  20. Mandatory Access Control (MAC)
     • MAC is based on system-wide policies that cannot be changed by individual users.
     • MAC determines whether a user can read or write an object based on rules that involve the security level of the object and the clearance of the user.
     • These rules ensure that sensitive data can never be passed on to another user without the necessary clearance (permission).

  21. BLP Model
     • Objects, e.g., relations, views, tuples and attributes
     • Subjects, e.g., users and programs/processes
     • Security classes, e.g., top secret (TS), secret (S), confidential (C), and unclassified (U), where TS > S > C > U
     • Each database object is assigned a security class and each user is assigned a clearance for a security class, and rules are imposed on the reading and writing of database objects by users.

  22. BLP Model
     • Imposes two restrictions on all reads and writes of database objects:
       • Simple Security Property: subject S is allowed to read object O only if class(S) >= class(O)
       • *-Property: subject S is allowed to write object O only if class(S) <= class(O) (blind write)

  23. BLP in Action 1 (figure slide)
     • Bob, cleared secret, can read and write relation Client1 (class secret).
     • Bob can read but cannot write relation Client2 (class confidential).
     • Jane, cleared confidential, can read and write relation Client2 (class confidential).
     • Jane can write but cannot read relation Client1 (class secret).

  24. BLP in Action 2. Assume each tuple is assigned a security class. Multilevel relation: a relation that reveals different tuples to users with different security clearances.

  25. BLP in Action 2
     • Users with S and TS clearance will see all tuples in the Client relation.
     • A user with C clearance will see only the first two tuples, and a user with U clearance will see no tuples.
     • Assume that a user with C clearance wishes to enter the tuple (CR74, David, Sinclaire) into the Client relation, where the primary key is clientNo.
     • This is not allowed, and the user is told that CR74 already exists, which reveals the existence of a tuple the user is not cleared to see.
     • Solution: include the security classification attribute as part of the primary key of the relation.
     • A user with S/TS clearance will then see two tuples with the same clientNo: polyinstantiation.
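The two BLP properties and the polyinstantiated Client relation of slides 21 to 25, worked through in Python as an added example (not code from the lecture). The class ordering, the (clientNo, class) primary key and the insert outcome are taken from the slides; the sample rows other than (CR74, David, Sinclaire) are constructed, and it is assumed that a user inserts tuples at his or her own clearance level.

```python
# Security classes from the slides, ordered TS > S > C > U.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


def can_read(subject_class: str, object_class: str) -> bool:
    """Simple security property: S may read O only if class(S) >= class(O)."""
    return LEVELS[subject_class] >= LEVELS[object_class]


def can_write(subject_class: str, object_class: str) -> bool:
    """*-property: S may write O only if class(S) <= class(O) (a blind write when strictly lower)."""
    return LEVELS[subject_class] <= LEVELS[object_class]


class MultilevelRelation:
    """ModifiedClient-style relation: every tuple carries a security class and the
    primary key is (clientNo, class), so the same clientNo may exist at several levels."""

    def __init__(self):
        self.tuples = {}  # (clientNo, class) -> (fName, lName)

    def select(self, clearance: str):
        """Tuples visible to a user with this clearance: those at or below it (simple security)."""
        rows = [(no, fn, ln, cls) for (no, cls), (fn, ln) in self.tuples.items()
                if can_read(clearance, cls)]
        return sorted(rows)

    def insert(self, clearance: str, client_no: str, fname: str, lname: str) -> str:
        """Insert at the user's own level (assumption: users write at their clearance).
        Returns 'exists' for a duplicate the user can see, 'polyinstantiated' when the
        clientNo already exists only at a level above the user, else 'ok'. Refusing the
        insert in the second case would reveal that a higher-classified tuple exists."""
        if (client_no, clearance) in self.tuples:
            return "exists"
        hidden = any(no == client_no and not can_read(clearance, cls) for (no, cls) in self.tuples)
        self.tuples[(client_no, clearance)] = (fname, lname)
        return "polyinstantiated" if hidden else "ok"


def demo():
    client = MultilevelRelation()
    # Constructed sample rows; the slide itself gives only the CR74 insert.
    client.insert("C", "CR76", "John", "White")
    client.insert("C", "CR56", "Aline", "Stewart")
    client.insert("S", "CR74", "Mike", "Ritchie")
    client.insert("TS", "CR62", "Mary", "Tregear")
    # A confidential user enters CR74, which already exists at the secret level.
    outcome = client.insert("C", "CR74", "David", "Sinclaire")
    return {
        "outcome": outcome,
        "C_view": client.select("C"),
        "S_view": client.select("S"),
        "TS_count": len(client.select("TS")),
        "U_view": client.select("U"),
        "secret_user_reads_confidential": can_read("S", "C"),
        "secret_user_writes_confidential": can_write("S", "C"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the C user's own CR74 tuple sitting beside the secret one in the S view while the C view contains only the confidential rows, and the two boolean entries reproduce the Bob/Jane picture of slide 23 (a secret subject reads a confidential object but may not write it).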

  26. BLP in Action 2: the Client and ModifiedClient relations (figure slide)

  27. 3. Views. A view is the dynamic result of one or more relational operations operating on base relations to produce another relation. A view is a virtual relation that does not actually exist in the database, but is produced upon request by a particular user, at the time of the request. Views provide a powerful and flexible security mechanism by hiding parts of the database from certain users. A view can be defined over several relations, with a user being granted the appropriate privilege to use the view but not the base relations.
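An added example (not from the lecture) that puts slides 16 and 27 together: a Staff base relation, a column-hiding view and a row-restricting view in SQLite, with GRANT/REVOKE simulated by a privilege table because SQLite has no GRANT statement of its own. The schema, rows, user names and the `Dac` class are constructed for the example; the point it demonstrates is that a privilege on a view gives no access to the base relation.

```python
import sqlite3

OBJECTS = ("Staff", "StaffPublic", "StaffB003")  # the only names select_all will accept


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: a Staff base relation plus two views over it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Staff (staffNo TEXT PRIMARY KEY, name TEXT, branchNo TEXT, salary INTEGER);
        INSERT INTO Staff VALUES ('SL21', 'John White', 'B005', 30000),
                                 ('SG37', 'Ann Beech',  'B003', 12000),
                                 ('SG14', 'David Ford', 'B003', 18000);
        -- Column-hiding view: salary never appears, whatever the user asks for.
        CREATE VIEW StaffPublic AS SELECT staffNo, name, branchNo FROM Staff;
        -- Row-restricting view: only branch B003 staff are visible through it.
        CREATE VIEW StaffB003 AS SELECT staffNo, name, salary FROM Staff WHERE branchNo = 'B003';
    """)
    return conn


class Dac:
    """Privilege table standing in for SQL GRANT/REVOKE (SQLite has no GRANT of its own)."""

    def __init__(self):
        self.privs = {}  # user -> {object -> set of privilege names}

    def grant(self, priv: str, obj: str, user: str) -> None:
        self.privs.setdefault(user, {}).setdefault(obj, set()).add(priv)

    def revoke(self, priv: str, obj: str, user: str) -> None:
        self.privs.get(user, {}).get(obj, set()).discard(priv)

    def check(self, user: str, priv: str, obj: str) -> bool:
        return priv in self.privs.get(user, {}).get(obj, set())


def select_all(conn, dac: Dac, user: str, obj: str):
    """SELECT * FROM obj, allowed only if user holds SELECT on obj itself; a privilege
    on a view does not carry over to its base relation."""
    if obj not in OBJECTS:
        raise ValueError(f"unknown object {obj!r}")  # never interpolate unvalidated names into SQL
    if not dac.check(user, "SELECT", obj):
        raise PermissionError(f"{user} has no SELECT privilege on {obj}")
    return conn.execute(f"SELECT * FROM {obj}").fetchall()


def demo():
    conn, dac = build_db(), Dac()
    dac.grant("SELECT", "Staff", "Manager")           # GRANT SELECT ON Staff TO Manager
    dac.grant("SELECT", "StaffPublic", "Assistant")   # GRANT SELECT ON StaffPublic TO Assistant
    result = {
        "manager_columns": len(select_all(conn, dac, "Manager", "Staff")[0]),
        "assistant_rows": select_all(conn, dac, "Assistant", "StaffPublic"),
    }
    try:
        select_all(conn, dac, "Assistant", "Staff")   # the base relation was never granted
        result["assistant_on_base"] = "allowed"
    except PermissionError:
        result["assistant_on_base"] = "denied"
    dac.revoke("SELECT", "StaffPublic", "Assistant")  # REVOKE SELECT ON StaffPublic FROM Assistant
    result["assistant_after_revoke"] = dac.check("Assistant", "SELECT", "StaffPublic")
    return result


if __name__ == "__main__":
    print(demo())
```

The Assistant's rows come back with three columns and no salary, the direct query on Staff is refused, and after the REVOKE the check fails; in a real DBMS the privilege table is the data dictionary and the GRANT/REVOKE statements of slide 16 maintain it.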

  28. 4. Backup and Recovery
     • Backup
       • The process of periodically taking a copy of the database and log file (and possibly programs) to offline storage media.
       • Make sure the copies are kept in a secure location.
     • Journaling
       • The process of keeping and maintaining a log file (or journal) of all changes made to the database, to enable effective recovery in the event of failure.
     • Database recovery
       • Uses the latest backup plus the log file.
       • If there are no log files, then what will happen?

  29. 5. Integrity
     • Integrity prevents data from becoming invalid, and hence from giving misleading or incorrect results.
     • Integrity constraints contribute to maintaining a secure database system by preventing data from becoming invalid in this way.

  30. 6. Encryption
     • Encryption is the encoding of data by a special algorithm that renders the data unreadable by any program without the decryption key.
     • If the DBMS holds particularly sensitive data, it may be necessary to encode it.
     • The DBMS can access the data after decoding it; there is a degradation in performance.
     • Encryption also protects data transmitted over communication lines.

  31. 7. RAID (Redundant Array of Independent Disks) Technology
     • The hardware that the DBMS is running on must be fault-tolerant.
     • This means that the DBMS should continue to operate even if one of the hardware components fails.
     • This suggests having redundant components that can be seamlessly integrated into the working system whenever one or more components fail.

  32. RAID Technology. The main hardware components that should be fault-tolerant include disk drives, disk controllers, CPU, power supplies, and cooling fans. Disk drives are the most vulnerable components, with the shortest time between failures of any of the hardware components. One solution is to provide a large disk array comprising an arrangement of several independent disks that are organized to improve reliability and at the same time increase performance.

  33. RAID Technology
     • Performance is increased through data striping:
       • Data is segmented into equal-size partitions (the striping unit), which are transparently distributed across multiple disks.
     • Reliability is improved by storing redundant information across the disks, using either:
       • Parity scheme: each byte may have a parity bit associated with it that records whether the number of bits in the byte that are set to 1 is even or odd.
       • Error-correcting scheme: stores two or more additional bits and can reconstruct the original data if a single bit becomes corrupt.

  34. RAID Levels
     • RAID 0: Nonredundant
     • RAID 1: Mirrored
     • RAID 0+1: Nonredundant and Mirrored (combines striping and mirroring)
     • RAID 2: Memory-Style Error-Correcting Codes
     • RAID 3: Bit-Interleaved Parity
     • RAID 4: Block-Interleaved Parity
     • RAID 5: Block-Interleaved Distributed Parity
     • RAID 6: P+Q Redundancy; similar to RAID 5 but with redundant parity data

  35. RAID 0
     • Striped set without parity.
     • Provides improved performance and additional storage but no fault tolerance.
     • A single disk failure destroys the entire array, because when data is written to a RAID 0 array the data is broken into fragments.
     • The fragments (blocks) are written to their respective disks simultaneously on the same sector.
     • This allows smaller sections of the entire chunk of data to be read off the drives in parallel, giving this type of arrangement huge bandwidth.
     • Designed for non-critical storage of data, such as a Photoshop image retouching station.

  36. RAID 1
     • Mirrored set without parity.
     • Two copies of the data are held on two physical disks, and the data is always identical.
     • If one of the disks fails, the data is copied to the replacement disk.
     • RAID 1 has a performance advantage, as reads can come from either disk, and is simple to implement.
     • However, it is expensive, as twice as many disks are needed to store the data.
     • Ideally suited for mission-critical storage and small servers.

  37. RAID 3
     • A block of data is striped over an array of disks, then parity data is written to a dedicated parity disk.
     • The single parity disk is a bottleneck for writing, since every write requires updating the parity data.
     • One minor benefit is that the dedicated parity disk allows the parity drive to fail and operation will continue without parity or performance penalty.
     • RAID 3 is very effective for large sequential data, such as satellite imagery and video.

  38. RAID 4
     • Data is written in blocks onto the data disks (i.e., not striped), then parity is generated and written to a dedicated parity disk.

  39. RAID 5
     • Data is written in blocks onto the data disks, and parity is generated and rotated around the data disks.
     • Good general performance, and reasonably cheap to implement.
     • Used extensively for general data.

  40. RAID 4 and RAID 5 (figure slide)
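An added example (not from the lecture) that makes the parity scheme of slide 33 and the rotating parity of slide 39 concrete: a per-byte parity bit, then a RAID 5-style layout in which each stripe's parity unit is the XOR of its data units and the parity disk rotates with the stripe number, followed by the reconstruction of one failed disk from the survivors. The payload, disk count and striping unit are constructed values.

```python
def byte_parity_bit(b: int) -> int:
    """Parity bit for one byte (even parity): 1 when the byte has an odd number of 1 bits."""
    return bin(b).count("1") & 1


def xor_units(units):
    """XOR a list of equal-length byte strings; a stripe's parity is the XOR of its data units."""
    out = bytearray(len(units[0]))
    for u in units:
        for i, b in enumerate(u):
            out[i] ^= b
    return bytes(out)


def stripe(data: bytes, ndisks: int, unit: int):
    """RAID 5 layout: ndisks-1 data units per stripe plus one parity unit; the parity
    unit's disk rotates with the stripe number (RAID 4 would pin it to one disk)."""
    per_stripe = ndisks - 1
    units = [data[i:i + unit].ljust(unit, b"\0") for i in range(0, len(data), unit)]
    while len(units) % per_stripe:
        units.append(b"\0" * unit)   # pad the final stripe
    disks = [[] for _ in range(ndisks)]
    for s in range(len(units) // per_stripe):
        data_units = units[s * per_stripe:(s + 1) * per_stripe]
        parity = xor_units(data_units)
        parity_disk = s % ndisks
        it = iter(data_units)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def reconstruct(disks, failed: int):
    """Rebuild one failed disk: each of its units is the XOR of the surviving units in that stripe.
    A second simultaneous failure cannot be repaired this way; that is what RAID 6's extra parity is for."""
    survivors = [d for d in range(len(disks)) if d != failed]
    nstripes = len(disks[survivors[0]])
    return [xor_units([disks[d][s] for d in survivors]) for s in range(nstripes)]


def read_data(disks, length: int) -> bytes:
    """Read the data units back in order, skipping each stripe's parity unit."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        for d in range(ndisks):
            if d != s % ndisks:
                out += disks[d][s]
    return bytes(out[:length])


def demo():
    data = b"The quick brown fox jumps over the lazy dog"   # constructed payload
    ndisks, unit = 4, 4
    disks = stripe(data, ndisks, unit)
    failed = 2
    lost = disks[failed]
    disks[failed] = None                 # simulate the disk failure
    rebuilt = reconstruct(disks, failed)
    disks[failed] = rebuilt              # replacement disk receives the rebuilt contents
    return {
        "rebuilt_matches_lost": rebuilt == lost,
        "data_after_rebuild": read_data(disks, len(data)),
        "units_per_disk": len(disks[0]),
        "parity_bit_0x07": byte_parity_bit(0x07),
        "parity_bit_0x03": byte_parity_bit(0x03),
    }


if __name__ == "__main__":
    print(demo())
```

With four disks and a 4-byte striping unit the 43-byte payload occupies four stripes, so each disk holds four units; losing disk 2 and rebuilding it returns the original bytes, and the two parity-bit calls show the even/odd distinction the slide describes.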

  41. DBMSs and Web Security (Third Topic)

  42. DBMSs and Web Security
     • Internet communication relies on TCP/IP as the underlying protocol.
     • However, TCP/IP and HTTP were not designed with security in mind.
     • Without special software, all Internet traffic travels ‘in the clear’, and anyone who monitors traffic can read it.
     • Packet sniffing.

  43. DBMSs and Web Security
     • Must ensure, while transmitting information over the Internet, that it is:
       • Inaccessible to anyone but sender and receiver (privacy);
       • Not changed during transmission (integrity);
       • Such that the receiver can be sure it came from the sender (authenticity);
       • Such that the sender can be sure the receiver is genuine (non-fabrication);
       • Such that the sender cannot deny he or she sent it (non-repudiation).

  44. DBMSs and Web Security
     • Proxy servers
     • Firewalls
     • Message digest algorithms and digital signatures
     • Digital certificates
     • Kerberos
     • Secure Sockets Layer (SSL) and Secure HTTP (S-HTTP)
     • Secure Electronic Transactions (SET) and Secure Transaction Technology (SST)
     • Java security
     • ActiveX security

  45. Proxy Servers. A proxy server is a server that acts as a go-between for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file or web page, that is available from a different server. The proxy server evaluates the request according to its filtering rules. If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client.

  46. Proxy Servers: Main Purposes
     • Improve performance
       • The proxy server saves the results of all requests for a certain amount of time.
       • If the same request comes again, it returns the cached pages.
     • Filter requests
       • E.g., prevent access to a specific set of web sites.

  47. Firewalls. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

  48. Firewall Techniques
     • Packet filter: packets are filtered by type, source address, destination address, and port information (susceptible to IP spoofing).
     • Application gateway: applies security mechanisms to specific applications, such as FTP and Telnet servers.
     • Circuit-level gateway: applies security mechanisms when a TCP or UDP connection is established.
     • Proxy server: intercepts all messages entering and leaving the network.
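An added example (not from the lecture) of the packet-filter technique on slide 48: a first-match rule list keyed on protocol, source, destination and port, with an implicit deny. It also shows the usual mitigation for the IP-spoofing weakness the slide notes, an ingress check that drops packets arriving on the outside interface with a source address belonging to the inside network. The addresses, interface names and rule set are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed: the private network behind the firewall


@dataclass
class Packet:
    ingress: str      # interface the packet arrived on: "outside" or "inside"
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None matches any port


def _in(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and _in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def filter_packet(rules, pkt: Packet) -> str:
    """First-match packet filter with an implicit deny. The ingress check addresses the
    weakness named on the slide: a packet arriving on the outside interface that claims an
    inside source address is dropped before any address-based rule can be misled by it."""
    if pkt.ingress == "outside" and ipaddress.ip_address(pkt.src) in INTERNAL:
        return "deny (spoofed internal source)"
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed rule set: a public web server reachable on 443, a database server reachable only from inside.
RULES = [
    Rule("allow", "tcp", "any", "192.0.2.10/32", 443),
    Rule("allow", "tcp", "10.0.0.0/8", "10.1.1.5/32", 1433),
    Rule("deny", "any", "any", "any", None),
]


def demo():
    return {
        "web_from_internet": filter_packet(RULES, Packet("outside", "tcp", "203.0.113.7", "192.0.2.10", 443)),
        "db_from_internet": filter_packet(RULES, Packet("outside", "tcp", "203.0.113.7", "10.1.1.5", 1433)),
        "db_from_inside": filter_packet(RULES, Packet("inside", "tcp", "10.2.3.4", "10.1.1.5", 1433)),
        "db_claiming_inside_src": filter_packet(RULES, Packet("outside", "tcp", "10.2.3.4", "10.1.1.5", 1433)),
        "udp_to_web": filter_packet(RULES, Packet("outside", "udp", "203.0.113.7", "192.0.2.10", 443)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The fourth case is the one a pure address-based filter gets wrong: without the ingress check the second rule would match it. Packet filters still see nothing of the application data, which is why the slide lists application-level and circuit-level gateways as complementary techniques.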

  49. Message Digest and Digital Signature
     • Message digest: takes an arbitrarily sized message and generates a fixed-length string (the digest).
     • Digital signature: authenticates the identity of the message sender and ensures that the original content of the message has arrived unchanged.

  50. Digital Certificates
     • Used to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.
     • An individual wishing to send an encrypted message applies for a digital certificate from a Certificate Authority (CA).
     • The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information.
     • The CA makes its own public key readily available through print publicity or perhaps on the Internet.
     • The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA, and then obtains the sender's public key and identification information held within the certificate.
     • With this information, the recipient can send an encrypted reply.
     • The most widely used standard for digital certificates is X.509.
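An added example (not from the lecture) that walks through slides 49 and 50 end to end: a SHA-256 message digest, a signature over that digest, a certificate in which the CA signs the binding between a subject name and a public key, and the recipient's check that first verifies the certificate with the CA's public key and then the message with the key taken from it. The signature scheme is textbook RSA with constructed Mersenne-prime keys far too small for real use, the names and message are constructed, and the certificate format is a plain `subject|n|e` string rather than X.509.

```python
import hashlib
from math import gcd

E = 65537  # public exponent shared by all toy keys


def make_key(p: int, q: int):
    """Toy RSA key pair from two primes: returns (public, private) as ((n, e), (n, d)).
    The primes used below are far too small for real use; they are for illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    return (n, E), (n, pow(E, -1, phi))


def digest(message: bytes) -> bytes:
    """Message digest: any-length input, fixed 32-byte SHA-256 output."""
    return hashlib.sha256(message).digest()


def sign(message: bytes, private) -> int:
    """Digital signature: the sender's private key applied to the digest (reduced mod n for toy sizes)."""
    n, d = private
    return pow(int.from_bytes(digest(message), "big") % n, d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Recompute the digest and compare it with the signature opened under the public key."""
    n, e = public
    return pow(signature, e, n) == int.from_bytes(digest(message), "big") % n


def cert_body(subject: str, public) -> bytes:
    return f"{subject}|{public[0]}|{public[1]}".encode()


def issue_certificate(subject: str, public, ca_private) -> dict:
    """A certificate binds a subject name to a public key under the CA's signature."""
    return {"subject": subject, "public": public, "ca_signature": sign(cert_body(subject, public), ca_private)}


def verify_certificate(cert: dict, ca_public) -> bool:
    return verify(cert_body(cert["subject"], cert["public"]), cert["ca_signature"], ca_public)


def verify_signed_message(message: bytes, signature: int, cert: dict, ca_public) -> bool:
    """Recipient's procedure from the slide: check the certificate with the CA's public key,
    take the sender's public key from it, then check the message signature with that key."""
    return verify_certificate(cert, ca_public) and verify(message, signature, cert["public"])


# Constructed keys from the Mersenne primes 2^31-1, 2^19-1, 2^17-1, 2^13-1, 2^61-1 and the prime 127.
CA_PUB, CA_PRIV = make_key(2147483647, 524287)
ALICE_PUB, ALICE_PRIV = make_key(131071, 8191)
MALLORY_PUB, MALLORY_PRIV = make_key(2305843009213693951, 127)

ALICE_CERT = issue_certificate("alice@example", ALICE_PUB, CA_PRIV)
# A certificate naming "alice" but signed with Mallory's key rather than the CA's must not pass.
NOT_CA_SIGNED_CERT = issue_certificate("alice@example", MALLORY_PUB, MALLORY_PRIV)


def demo():
    msg = b"Pay 100 to account 42"   # constructed message
    sig = sign(msg, ALICE_PRIV)
    return {
        "digest_bytes": len(digest(msg)),
        "genuine": verify_signed_message(msg, sig, ALICE_CERT, CA_PUB),
        "tampered": verify_signed_message(b"Pay 900 to account 42", sig, ALICE_CERT, CA_PUB),
        "bad_certificate": verify_signed_message(msg, sign(msg, MALLORY_PRIV), NOT_CA_SIGNED_CERT, CA_PUB),
    }


if __name__ == "__main__":
    print(demo())
```

The three outcomes map onto the slide's requirements: the genuine case passes, the altered message fails on integrity because its digest no longer matches, and the certificate that was not issued by the CA fails before the message signature is even examined, which is what stops a sender from presenting a key under someone else's name.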
