
Chapter 4- Database Security

The document discusses database security, emphasizing the importance of protecting data as a critical organizational asset. It outlines security goals such as confidentiality, integrity, and availability, and identifies various security issues and threats that databases face, including unauthorized access and SQL injection. Additionally, it provides best practices for database security, including access controls, encryption, and regular auditing to ensure data protection.

Uploaded by

natnaelabera96

HARAMAYA UNIVERSITY

COLLEGE OF COMPUTING AND INFORMATICS


DEPARTMENT OF SOFTWARE ENGINEERING

ADVANCED DATABASE SYSTEMS (SENG 3072)

CHAPTER FOUR: DATABASE SECURITY


CONTENTS

• Introduction
• Security Goals
• Database Security Issues
• Database Security Threats
• Impact of Database Security Threats
• Database Security Controls
• Best Practice of Database Security


INTRODUCTION … (1)

• Data is a critical asset for any organization.
• Companies collect vast amounts of data daily from operations and customer interactions.
• Databases store this data and support business automation and decision-making.
• Protecting data is essential for overall business protection.
• Database Management Systems (DBMS) must prioritize data security.
• Because databases store vital information, security cannot be overlooked.

INTRODUCTION … (2)

• Database security involves protecting confidential and sensitive information stored in databases.
• It defends against both intentional and accidental threats.
• Effective database security encompasses hardware, software, human resources, and the data itself.
• Security requires tailored controls aligned with specific system objectives.
• It ensures confidentiality, integrity, and availability of data through a range of tools and measures.

INTRODUCTION … (3)

• Database protection begins with physical security.
• Servers should be located in secure, climate-controlled environments.
• Only authorized personnel should have access, and all access must be logged.
• Cloud-hosted databases rely on the provider for these protections.
• Physical security is the foundation, but databases also face numerous internal and external threats.

INTRODUCTION … (4)

• Database security must address and protect the following components:
  • The data in the database
  • The database management system (DBMS)
  • Any associated applications
  • The physical and/or the virtual database server and the underlying hardware
  • The computing and/or network infrastructure used to access the database

INTRODUCTION … (5)

• Database security is a complex and challenging endeavor that involves all aspects of information security technologies and practices.
• The more accessible and usable the database, the more vulnerable it is to security threats; the more invulnerable the database is to threats, the more difficult it is to access and use.
SECURITY GOALS … (1)

• Security refers to activities and measures to ensure the confidentiality, integrity, and availability of an information system and its main asset, data.
• It is important to understand that securing data requires a comprehensive, company-wide approach.
• The three security goals are (CIA):
  • Confidentiality
  • Integrity, and
  • Availability

SECURITY GOALS … (2)

CONFIDENTIALITY

• Confidentiality deals with ensuring that data is protected against unauthorized access and that, if the data is accessed by an authorized user, it is used only for an authorized purpose.
• In other words, confidentiality entails safeguarding data against disclosure of any information that would violate the privacy rights of a person or organization.
• Data must be evaluated and classified according to the level of confidentiality: highly restricted (very few people have access), confidential (only certain groups have access), and unrestricted (can be accessed by all users).

SECURITY GOALS … (3)

INTEGRITY

• Integrity, within the data security framework, is concerned with keeping data consistent and free of errors, inconsistencies, and anomalies.
• The DBMS plays a pivotal role in ensuring the integrity of the data in the database.
• However, from the security point of view, integrity deals not only with the data in the database but also with ensuring that organizational processes, users, and usage patterns maintain such integrity.

SECURITY GOALS … (4)

AVAILABILITY

• Availability refers to the accessibility of data whenever required by authorized users and for authorized purposes.
• To ensure data availability, the entire system (not only the data component) must be protected from service degradation or interruption caused by any source (internal or external).
• Service interruptions could be very costly for companies and users alike.
• System availability is an important goal of security.


DATABASE SECURITY ISSUES … (1)

Database security is a broad area that addresses many issues, including the following:

• Various legal and ethical issues regarding the right to access certain information. For example, some information may be deemed to be private and cannot be accessed legally by unauthorized organizations or persons. In the United States, there are numerous laws governing privacy of information.
• Policy issues at the governmental, institutional, or corporate level regarding what kinds of information should not be made publicly available, for example, credit ratings and personal medical records.

DATABASE SECURITY ISSUES … (2)

• System-related issues such as the system levels at which various security functions should be enforced, for example, whether a security function should be handled at the physical hardware level, the operating system level, or the DBMS level.
• The need in some organizations to identify multiple security levels and to categorize the data and users based on these classifications, for example, top secret, secret, confidential, and unclassified. The security policy of the organization with respect to permitting access to various classifications of data must be enforced.


DATABASE SECURITY THREATS … (1)

• Excessive Privileges: When users are granted database privileges beyond what is necessary for their role, they may exploit these to access confidential or sensitive information. In addition to strong hiring and oversight practices, the key solution is query-level access control. This approach enforces the principle of least privilege by restricting users to only the specific operations and data they genuinely require, minimizing the risk of unauthorized access.
• Privilege Abuse: Users with legitimate access privileges may misuse them for unauthorized purposes. A strong mitigation strategy is to implement fine-grained access control policies that cover not just what data is accessed, but also how and under what conditions it is accessed. By enforcing policies based on factors like time of day, geographic location, client application used, and volume of data retrieved, organizations can better detect and prevent misuse of privileges.
• Unauthorized Privilege Elevation: Attackers may exploit vulnerabilities to escalate their low-level access privileges to higher-level ones, gaining unauthorized control or access to sensitive data and functions.

DATABASE SECURITY THREATS … (2)

• Platform Vulnerabilities: The platform or OS may be vulnerable to leakage and corruption of data.
• SQL injection: SQL injection is a technique where an attacker manipulates user input to inject malicious SQL queries into a database. This can trick the server into executing unintended commands, potentially exposing sensitive information. In more severe cases, attackers can gain unauthorized access to the entire database, alter or delete data, and even perform administrative operations such as creating new users or changing permissions.
• Denial of Service: This attack involves making the resource unavailable for the purpose for which it was designed. This means that access to the data or the application is denied to the user.
• Backup Exposure: Backup storage media is often left unprotected from attack. As a result, there are several attacks on database backup disks and tapes.
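The SQL injection threat listed above comes down to whether user input is pasted into the statement text or bound as a parameter. The following is an added example, not part of the original slides; the `accounts` table, its rows and the function names are constructed for illustration, and Python's built-in `sqlite3` stands in for any DBMS driver.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory database (sample rows, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, role TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "clerk", "4242"), ("bob", "clerk", "1881"), ("dba", "admin", "0000")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # BAD: input is concatenated into the SQL text, so it can change the
    # structure of the statement, not just the value being compared.
    sql = "SELECT username, role FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # GOOD: the statement text is fixed; the driver binds the input as data.
    sql = "SELECT username, role FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def compare(conn, username):
    """Run both versions on one input so the difference in behaviour is visible."""
    try:
        unsafe_rows = lookup_vulnerable(conn, username)
    except sqlite3.Error:
        unsafe_rows = None  # the input broke the statement's syntax
    return {"vulnerable": unsafe_rows, "safe": lookup_safe(conn, username)}

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal name, a quote-bearing condition, a legitimate
    # surname containing an apostrophe.
    for value in ["alice", "x' OR '1'='1", "o'brien"]:
        print(repr(value), compare(db, value))
```

The concatenated version returns every row for the second input and fails outright on the third, while the parameterized version treats both as ordinary strings that match no user.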


IMPACT OF DATABASE SECURITY THREATS … (1)

Threats to databases can result in the loss or degradation of some or all of the following commonly accepted security goals: integrity, availability, and confidentiality.

LOSS OF INTEGRITY

• Database integrity refers to the requirement that information be protected from improper modification.
• Modification of data includes creating, inserting, and updating data; changing the status of data; and deleting data.
• Integrity is lost if unauthorized changes are made to the data by either intentional or accidental acts.
• If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions.

IMPACT OF DATABASE SECURITY THREATS … (2)

LOSS OF AVAILABILITY

• Database availability refers to making objects available to a human user or a program who/which has a legitimate right to those data objects. Loss of availability occurs when the user or program cannot access these objects.

LOSS OF CONFIDENTIALITY

• Database confidentiality refers to the protection of data from unauthorized disclosure.
• The impact of unauthorized disclosure of confidential information can range from violation of the Data Privacy Act to the jeopardization of national security.
• Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization.


DATABASE SECURITY CONTROLS … (1)

Database Security Controls are mechanisms and measures put in place to protect databases from unauthorized access, misuse, corruption, or loss. These controls ensure the confidentiality, integrity, and availability (CIA triad) of the data stored in a database system.

1. ACCESS CONTROLS

Access control refers to mechanisms that regulate who can access the database and what actions they can perform. The goal is to ensure that only authorized users can access data appropriate to their roles or responsibilities.

DATABASE SECURITY CONTROLS … (1)

KEY COMPONENTS OF ACCESS CONTROLS

AUTHENTICATION

• Authentication is the process of confirming that the user logging in is who they claim to be, so that they can perform only the database activities their rights allow.
• A particular user can log in only up to his/her privilege and cannot access other sensitive data.
• Access to sensitive data is restricted by using authentication.
• Common methods:
  • Usernames and passwords
  • Multi-factor authentication (MFA)
  • Biometrics (retina and fingerprints)


DATABASE SECURITY CONTROLS … (2)

AUTHORIZATION

• Authorization is the process of determining and enforcing what an authenticated user is allowed to do within a database system.
• Once a user’s identity has been verified (via authentication), authorization defines their level of access, such as which data they can view, modify, or delete, and which database operations they are permitted to perform.
• It controls access rights and permissions to database resources.
• Typically managed through roles, permissions, or access control lists.
• Works hand-in-hand with authentication to enforce security policies.
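Role-based authorization and the query-level, least-privilege control mentioned under Excessive Privileges can be enforced before a statement ever runs. The following is an added example, not part of the original slides: it uses SQLite's authorizer hook through Python's `sqlite3.Connection.set_authorizer`, and the roles, the `customers` table and the sample rows (including the test card numbers) are constructed assumptions.

```python
import sqlite3

# Hypothetical roles and the (table, column) pairs each one may read.
ROLE_READS = {
    "clerk": {("customers", "name"), ("customers", "city")},
    "billing": {("customers", "name"), ("customers", "card_number")},
}

def make_authorizer(role):
    allowed = ROLE_READS[role]

    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:   # the SELECT statement itself
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:     # arg1 = table, arg2 = column
            return sqlite3.SQLITE_OK if (arg1, arg2) in allowed else sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_DENY            # default deny: writes, DDL, everything else

    return authorizer

def open_session(role):
    """Create constructed sample data, then restrict the connection to one role."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, city TEXT, card_number TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("Abebe", "Harar", "4111111111111111"), ("Sara", "Dire Dawa", "5500000000000004")],
    )
    conn.commit()
    conn.set_authorizer(make_authorizer(role))  # checked while each statement is compiled
    return conn

def try_query(conn, sql):
    """Return the rows, or 'DENIED' when the authorizer rejects the statement."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:
        return "DENIED"

if __name__ == "__main__":
    clerk = open_session("clerk")
    for sql in ["SELECT name, city FROM customers",
                "SELECT name, card_number FROM customers",
                "SELECT name FROM customers WHERE card_number = '4111111111111111'",
                "DELETE FROM customers"]:
        print(sql, "->", try_query(clerk, sql))
```

The third query is rejected even though it returns only `name`: a column used in a `WHERE` clause is still a read, which closes the inference path a select-list-only check would leave open.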


DATABASE SECURITY CONTROLS … (3)

2. ENCRYPTION CONTROL

• This method is mainly used to protect sensitive data such as credit card numbers, OTPs (one-time passwords), passwords, and other sensitive numbers.
• The data is encoded using an encryption algorithm.
• An unauthorized user who tries to access this encoded data will face difficulty in decoding it, but authorized users are given decoding keys to decode the data.
• Data-at-Rest Encryption: Encrypts stored data to prevent unauthorized access if physical storage is compromised.
• Data-in-Transit Encryption: Secures data being transmitted across networks using SSL/TLS.
• Column-level Encryption: Protects specific sensitive fields like credit card numbers or SSNs.
BEST PRACTICES OF DATABASE SECURITY … (1)

• Because databases are network-accessible, any security threat to any component within or portion of the network infrastructure is also a threat to the database, and any attack impacting a user’s device or workstation can threaten the database.
• Thus, database security must extend far beyond the confines of the database alone.
• When evaluating database security in your environment to decide on your team’s top priorities, consider each of the following areas:

BEST PRACTICES OF DATABASE SECURITY … (2)

• Physical Security: Whether your database server is on-premises or in a cloud data center, it must be located within a secure, climate-controlled environment. If your database server is in a cloud data center, your cloud provider takes care of this for you.
• Administrative and network access controls: The practical minimum number of users should have access to the database, and their permissions should be restricted to the minimum levels necessary for them to do their jobs. Likewise, network access should be limited to the minimum level of permissions necessary.

BEST PRACTICES OF DATABASE SECURITY … (3)

• User account and device security: Always be aware of who is accessing the database and when and how the data is being used. Data monitoring solutions can alert you if data activities are unusual or appear risky. All user devices connecting to the network housing the database should be physically secure (in the hands of the right user only) and subject to security controls at all times.
• Encryption: All data, including data in the database and credential data, should be protected with best-in-class encryption while at rest and in transit. All encryption keys should be handled in accordance with best practice guidelines.

BEST PRACTICES OF DATABASE SECURITY … (4)

• Database software security: Always use the latest version of your database management software, and apply all patches when they are issued.
• Application and web server security: Any application or web server that interacts with the database can be a channel for attack and should be subject to ongoing security testing and best practice management.
• Backup security: All backups, copies or images of the database must be subject to the same (or equally stringent) security controls as the database itself.
• Auditing: Record all logins to the database server and operating system, and log all operations that are performed on sensitive data as well. Database security standard audits should be performed regularly.
TEACHING YOU IS GOOD LUCK
