DB Security Lect 1 Part I 2 14

The document provides an introduction to database security, outlining key principles, threats, and security mechanisms necessary to protect data from unauthorized access and attacks. It emphasizes the importance of confidentiality, integrity, and availability in database security, alongside the roles of physical, logical, and organizational security measures. Additionally, it discusses various security services, including authentication and access control, as well as the significance of risk analysis in selecting appropriate security mechanisms.

Introduction to DB Security

Outline
• Information Security Key Principles
• Scope and definitions/terms
• Location in the system architecture
• Threats and vulnerabilities
• Requirements and security controls in DB security
• Statistical DB security

Information Security Principles

• Security Requirements:
  – Risk Analysis
    • Examine vulnerabilities
    • Identify threats
  – Understand security attacks
  – Select security mechanism
  – Security service (CIA triad)
  – Cost
    • Security mechanism selection depends on the value of the assets being protected
  – Performance
    • Overhead that the deployed security solution adds to the system
Security Services (X.800)
• Authentication - assurance that the communicating entity is the one it claims to be
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality - protection of data from unauthorized disclosure
• Data Integrity - assurance that data is received exactly as it was sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a communication
• Availability - assurance that the service is not denied to authorized users (and that system performance is not degraded)
Security Services (cont.)
• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator (i.e., verifying the users and each input arriving at the system)

• Accountability: Generates the requirement for actions of an entity to be traced uniquely to that entity (e.g., users); supports non-repudiation, deterrence, legal action, etc.

Database Security - Degree to which data is fully protected from unauthorized acts, loss, and interruption of access.
Security Attacks

Figure: the four classes of security attack (Ref. 4)
• Interruption: attack on availability
• Interception: attack on confidentiality
• Modification: attack on integrity
• Fabrication: attack on authenticity
Panels b, c, and d (interception, modification and fabrication) together correspond to a man-in-the-middle attack (MITM) (Ref. 4).
Security Mechanism
• A mechanism that is designed to detect, prevent, or recover from a security attack
• No single mechanism supports all of the security functions required.
• However, one particular method underlies many of the security mechanisms in use: cryptographic techniques
  – Applying them to databases is not intuitive
Intro. to DB Security: Scope
• Database Importance:
  – Databases play a major role in industry, commerce, education and public services
  – New technologies (the internet, business systems, mobile applications, etc.) raise the importance of databases and, consequently, of database security.

• DB Security:
  – A set of measures, policies, and mechanisms to provide confidentiality, integrity and availability of data and to deter possible attacks on the DB system (threats) from insiders and outsiders, both malicious and accidental.
Intro. to DB Security: Scope (cont.)
• DB Security:
  – Similarly, database security may be defined as the mechanisms that protect the database against intentional or accidental threats
  – Consequently, database security encompasses: hardware, software, people, and data.

Figure: database security sits at the intersection of four areas: hardware, software, data, and people
Intro. to DB Security: Scope (cont.)
• Physical, logical and organizational DB security:
  – Physical DB Sec.: Tools, devices, H/W or S/W techniques to detect or prevent (unauthorized) physical access or H/W failures.

  – Logical DB Sec.: Logical database security consists of controls, measures, models and techniques to detect or prevent unauthorized logical (that is, via software) access to data.

  – Organizational DB Sec.: concentrates on information management constraints, policies, operational procedures, and supplementary controls established to provide database protection.
Intro. to DB Security: Scope (cont.)
• InfoSec in DB:
  – includes 3 main aspects: secrecy, integrity, and availability
  – Secrecy (confidentiality): preventing (and deterring) the improper disclosure of data to unauthorized individuals or system entities.
    • The protection of data in classified or critical environments (e.g., military, e-commerce)

Figure: confidentiality classification (Ref. 3)
Intro. to DB Security: Scope (cont.)
  – Integrity: detecting the unauthorized modification of data
    • protection of the database from unauthorized access that could modify the contents of data, as well as from errors, viruses, sabotage or failures in the system that could damage stored data.

  – Availability: (availability of data and DB systems) detecting and preventing denial-of-access attacks or accidental events affecting services provided by the DB system to authorized users.
    • Including measures to prevent the loss of data (e.g., database backups and replication)

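The "Security Mechanism" slide notes that cryptographic techniques underlie many mechanisms but that applying them to databases is not intuitive, and the integrity aspect above is defined as detecting unauthorized modification of data. The following Python example, added here and not part of the lecture slides, shows one concrete way to do that: each row of an SQLite table carries an HMAC-SHA256 tag computed with a key held outside the database, so an unauthorized UPDATE that bypasses the application (a modification attack) or a row inserted with a forged tag (a fabrication attack) is detected on the next verification pass. The table, rows, key and the "attacks" are all constructed for the demonstration.

```python
# Added example (not from the lecture slides): detecting unauthorized
# modification or fabrication of database rows with a keyed MAC.
# Assumption: INTEGRITY_KEY lives outside the database (application config
# or a key store), so whoever can write to the DB cannot recompute valid tags.
import hashlib
import hmac
import sqlite3

# Constructed sample key for the demo; load it from a secret store in practice.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"


def row_tag(key: bytes, account_id: int, owner: str, balance_cents: int) -> str:
    """HMAC-SHA256 over the row's primary key and protected columns.

    The primary key is included so a valid row cannot be copied onto another
    id; fields are length-prefixed so the concatenation is unambiguous.
    """
    parts = [str(account_id).encode(), owner.encode(), str(balance_cents).encode()]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def create_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, each written together with its tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_id INTEGER PRIMARY KEY, owner TEXT, "
        "balance_cents INTEGER, tag TEXT)"
    )
    rows = [(1, "alice", 12000), (2, "bob", 350), (3, "carol", 99999)]
    for account_id, owner, balance in rows:
        conn.execute(
            "INSERT INTO accounts VALUES (?, ?, ?, ?)",
            (account_id, owner, balance, row_tag(INTEGRITY_KEY, account_id, owner, balance)),
        )
    conn.commit()
    return conn


def verify_rows(conn: sqlite3.Connection, key: bytes) -> list:
    """Return the ids of rows whose stored tag does not match their contents.

    An edited row (modification) and a newly inserted row whose tag was not
    produced with the key (fabrication) both fail the comparison.
    hmac.compare_digest is used so the check does not leak timing information.
    """
    bad = []
    for account_id, owner, balance, tag in conn.execute(
        "SELECT account_id, owner, balance_cents, tag FROM accounts ORDER BY account_id"
    ):
        expected = row_tag(key, account_id, owner, balance)
        if not hmac.compare_digest(expected, tag or ""):
            bad.append(account_id)
    return bad


def simulate_unauthorized_writes(conn: sqlite3.Connection) -> None:
    """Constructed writes that bypass the application layer (for the demo only)."""
    # Modification: balance changed without recomputing the tag.
    conn.execute("UPDATE accounts SET balance_cents = 1000000 WHERE account_id = 2")
    # Fabrication: a row inserted with a forged tag (no access to the key).
    conn.execute(
        "INSERT INTO accounts VALUES (?, ?, ?, ?)",
        (4, "mallory", 500000, "0" * 64),
    )
    conn.commit()


def demo() -> tuple:
    """Run the integrity check before and after the simulated writes."""
    conn = create_db()
    before = verify_rows(conn, INTEGRITY_KEY)   # expect [] (all rows intact)
    simulate_unauthorized_writes(conn)
    after = verify_rows(conn, INTEGRITY_KEY)    # expect [2, 4]
    return before, after


if __name__ == "__main__":
    print(demo())
```

The check only detects tampering; it does not prevent it, so it belongs alongside access control (DBMS accounts and privileges) rather than replacing it. Deleting a row is not caught by a per-row tag, which is why availability measures such as backups and replication are listed separately above.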
DB Location in System Architecture

Figure: 2-tier and 3-tier system architectures (Ref. 3)

DB Location in Computer Systems

Figure: levels of DB security in computer systems (Ref. 3). The figure labels three controls:
• Through file permissions
• By the database management system, through user accounts and passwords
• Schema owners or the security administrator grant or revoke privileges
