Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.

html#1

CSIT115 Data Management and Security

Database Security
Dr Janusz R. Getta

School of Computing and Information Technology -

University of Wollongong

1 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Database Security
Outline

What is Database Security ?

Threats
Countermeasures
Authorization and authentication
Access Control
Encryption

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 2/19

2 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

What is Database Security

Database security means protection of a database against unauthorized
access, either intentional or unintentional
Database security requires the mechanisms, that protect a database
against the intentional or accidental threats
Such mechanisms affect the hardware, software, people, and data
components of a database management system
Database security protects against:
- Theft and fraud,
- Loss of confidentiality
- Loss of privacy
- Loss of integrity
- Loss of availability

In HTML view press 'p' to see the lecture notes

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 3/19

3 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Database Security
Outline

What is Database Security ?

Threats
Countermeasures
Authorization and authentication
Access Control
Encryption

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 4/19

4 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Threats
A threat is any situation or event, whether intentional or accidental, that
may adversely affect a system
Sample threats:
- Unauthorized amendment or copying of data
- Using another person's means of access
- Program alteration
- Wire tapping
- Illegal entry by hacker
- Blackmail
- Theft
- Failure of security mechanisms
- And the others …

In HTML view press 'p' to see the lecture notes

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 5/19

5 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Database Security
Outline

What is Database Security ?

Threats
Countermeasures
Authorization and authentication
Access Control
Encryption

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 6/19

6 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Countermeasures
Countermeasures range from the physical controls to the administrative
controls
Security of Database Management System (DBMS) is as good as security
of an operating system running DBMS
We consider the following computer-based security controls in a
multiuser environment
- Authorization and authentication
- Encryption
- Views
- Backup and recovery
- Integrity

In HTML view press 'p' to see the lecture notes

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 7/19

7 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Database Security
Outline

What is Database Security ?

Threats
Countermeasures
Authorization and authentication
Access Control
Encryption

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 8/19

8 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Authorization and authentication

Authorization means granting a right or a privilege to have a legitimate
access to a system or the resources operated by a system
Authorization is usually built into the software and it determines what
system or object a user can access and what a user is allowed to do with
it
In a process of authorization a subject representing a user or a program
requests and obtains access to an object, that represent relational table,
relational view, etc
A process of authorization requires authentication of a subject

In HTML view press 'p' to see the lecture notes

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 9/19

9 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Authorization and authentication

Authentication is a mechanism, that determines whether a user is who
he or she claims to be
A system administrator is responsible for allowing the users to have
access to a computer system by creating the individual user accounts
When an account is created a user is given a unique identifier and a user
picks a password associated with the identifier
To reduce the total number of user names and passwords it is possible
to authenticate user's access to a database system through earlier
authentication of access to an operating system
Such solution is not as safe as two separate passwords and it is
consistent with a principle saying, that simplification of data access
always reduces data security

In HTML view press 'p' to see the lecture notes

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 10/19

10 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Database Security
Outline

What is Database Security ?

Threats
Countermeasures
Authorization and authentication
Access Control
Encryption

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 11/19

11 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Access Control
A typical way to control access to a database system is based on
granting and revoking privileges
A privilege allows a user to create, to drop, or to access in read or write
mode some database objects like relational tables, relational views,
index, etc or to perform certain operations
The privileges are granted to a user to accomplish their task
The excessive privileges can compromise security
A user who creates a database object becomes an owner of the object
and he/she automatically gets all privileges on the object
DBMS keeps track of all granted privileges to ensure that only selected
user can access and can perform operations on the database objects

In HTML view press 'p' to see the lecture notes

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 12/19

12 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Access Control
There are two different strategies of access control:
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
In Discretionary Access Control each user is given the access rights
(privileges) on the specific database objects
A user obtains the privileges in a moment when he/she creates an object
and the access of other users to the object is at a discretion of an owner
It is an effective system with some weaknesses, for example:
- a user Alice creates a new relational table R and grants write access to such
table to a user Bob
- a user Bob owns a relational table S, which is not accessible to a user Alice
- a user Alice modifies a software used by a user Bob, such that it copies the
contents of a table S to a table R
- user Alice returns a software used by user Bob to its original state

In HTML view press 'p' to see the lecture notes

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 13/19

13 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Access Control
There are two different strategies of access control:
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
Mandatory Access Control is based on system-wide policies that cannot
be changed by the individual users
Each database object is assigned a security class and each user is
assigned a clearance for a security class and the rules are imposed on
reading and writing the database objects by the users
DBMS determines whether a user can read or write a database object
based on certain rules, that involve a security level of the object and a
clearance of the user

In HTML view press 'p' to see the lecture notes

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 14/19

14 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Access Control
A popular model for MAC is Bell-LaPadula model (Bell and LaPadula
1974)
The model uses the terms of objects (relations, views, indexes, etc),
subjects (users and programs), and security classes and clearances

In HTML view press 'p' to see the lecture notes

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 15/19

15 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Access Control
The principles of Bell-LaPadula model are the following:
- Each database object is assigned a security class
- Each subject is assigned a clearance class
- The security classes are ordered, with the most secure class and the least
secure class, e.g. top secret (TS), secret (S), confidential (C), and unclassified (U)
- TS > S > C > U
- Simple Security Property: A subject S is allowed to read an object O only if class
of subject S > class of O
- * Property: A subject S is allowed to write an object O only if class of S ≤ class of
O

In HTML view press 'p' to see the lecture notes

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 16/19

16 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Database Security
Outline

What is Database Security ?

Threats
Countermeasures
Authorization and authentication
Access Control
Encryption

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 17/19

17 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

Encryption
Encryption of data means encoding of data by a special algorithm, that
renders the data unreadable by any program without the decryption key
Sensitive data can be encoded to protect it against external threats or
access
Some DBMS provide special facilities to encrypt data and to access
encrypted data after decoding it
Usually there is a degradation in performance because of time needed
to decode data
A typical cryptosystem includes:
- An encryption key to encrypt data (plaintext)
- An encryption algorithm that with the encryption key transfroms plaintext into
ciphertext
- A decryption key to decrypt the ciphertext
- A decryption algorithm to use decryption key with cipher text and to create the
original plaintext
In HTML view press 'p' to see the lecture notes
TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 18/19

18 of 19 18/5/23, 9:59 pm
Database Security file:///Users/jrg/115-2023-AUTUMN/SLIDES/19dbsecurity/19dbsecurity.html#1

References
C. Coronel, S. Morris, A. Basta, M. Zgola, Data Management and Security,
Chapters 7 and 8, Cengage Compose eBook, 2018, eBook: Data
Management and Security, 1st Edition
T. Connoly, C. Begg, Database Systems, A Practical Approach to Design,
Implementation, and Management, Chapters 20.1 Database Security,
20.2 Countermeasures - Computer-Based Controls (except 20.2.7),
Pearson Education Ltd, 2015

TOP Created by Janusz R. Getta, CSIT115 Data Management and Security, Autumn 2023 19/19

19 of 19 18/5/23, 9:59 pm