DATABASE ADMINISTRATION AND

SECURITY

© PEARSON EDUCATION LIMITED,

2004-2010
1
 OBJECTIVES
• The distinction between data administration
and database administration.
• The purpose and tasks associated with data
administration and database administration.
• The scope of database security.

2
© Pearson Education Limited, 2004
 OBJECTIVES
• Why database security is a serious concern
for an organization.
• The type of threats that can affect a database
system.
• How to protect a computer system using
computer-based controls.

3
© Pearson Education Limited, 2004
 DATA ADMINISTRATION AND DATABASE
ADMINISTRATION

• Data Administrator (DA) and Database

Administrator (DBA) are responsible for
managing and controlling activities
associated with corporate data and
corporate database, respectively.
• DA is more concerned with early stages of
lifecycle and DBA is more concerned with
later stages.

4
© Pearson Education Limited, 2004
 DATA ADMINISTRATION

• Management and control of corporate

data, including:
– database planning
– development and maintenance of standards,
policies, and procedures
– conceptual and logical database design

5
© Pearson Education Limited, 2004
DATA ADMINISTRATION TASKS

© Pearson Education Limited, 2004 6

 DATABASE ADMINISTRATION

• Management and control of physical

realization of a database system,
including:
– physical database design and implementation
– setting security and integrity controls
– monitoring system performance
– reorganizing the database

7
© Pearson Education Limited, 2004
DATABASE ADMINISTRATION TASKS

© Pearson Education Limited, 2004 8

COMPARISON OF DATA AND DATABASE
ADMINISTRATION

© Pearson Education Limited, 2004 9

 DATABASE SECURITY
• Mechanisms that protect the database against
intentional or accidental threats.
• Not only apply to the data held in a database.
Breaches of security may affect other parts of
the system, which may in turn affect the
database.

10
© Pearson Education Limited, 2004
 DATABASE SECURITY
• Includes hardware, software, people, and
data.
• Growing importance of security is the
increasing amounts of crucial corporate data
being stored on computer.

11
© Pearson Education Limited, 2004
 DATABASE SECURITY
• Outcomes to avoid:
– theft and fraud
– loss of confidentiality (secrecy)
– loss of privacy
– loss of integrity
– loss of availability

12
© Pearson Education Limited, 2004
 DATABASE SECURITY
• Threat
– Any situation or event, whether intentional or
unintentional, that may adversely affect a system
and consequently the organization.

13
© Pearson Education Limited, 2004
EXAMPLES OF THREATS AND POSSIBLE OUTCOMES

14
© Pearson Education Limited, 2004
SUMMARY OF THREATS TO COMPUTER SYSTEMS

15
© Pearson Education Limited, 2004
TYPICAL MULTI-USER COMPUTER ENVIRONMENT

16
© Pearson Education Limited, 2004
 COUNTERMEASURES – COMPUTER-
BASED CONTROLS

• Authorization
• Views
• Backup And Recovery
• Integrity
• Encryption
• Redundant array of independent disks
(RAID)

17
© Pearson Education Limited, 2004
 COUNTERMEASURES – COMPUTER-BASED
CONTROLS
• Authorization
– The granting of a right or privilege that enables a
subject to have legitimate access to a database
system or a database system’s object.
• Authentication
– A mechanism that determines whether a user is,
who he or she claims to be.

18
© Pearson Education Limited, 2004
 COUNTERMEASURES – COMPUTER-BASED
CONTROLS
• View
– A view is a virtual table that does not necessarily
exist in the database but can be produced upon
request by a particular user, at the time of
request.

19
© Pearson Education Limited, 2004
 COUNTERMEASURES – COMPUTER-BASED
CONTROLS

• Backup
– Process of periodically taking a copy of the
database and log file (and possibly programs) onto
offline storage media.
• Journaling
– Process of keeping and maintaining a log file (or
journal) of all changes made to database to enable
recovery to be undertaken effectively in the event
of failure.

20
© Pearson Education Limited, 2004
 COUNTERMEASURES – COMPUTER-
BASED CONTROLS
• Integrity
– Prevents data from becoming invalid, and hence
giving misleading or incorrect results.
• Encryption
– Encoding the data by a special algorithm that
renders the data unreadable by any program
without the decryption key.

21
© Pearson Education Limited, 2004
 REDUNDANT ARRAY OF INDEPENDENT DISKS
(RAID)
• Hardware that the DBMS runs on must be
fault-tolerant, meaning that the DBMS should
continue to operate even if one of the
hardware components fails.
• Suggests having redundant components that
can be seamlessly integrated into the working
system whenever there are failures.

22
© Pearson Education Limited, 2004
 REDUNDANT ARRAY OF INDEPENDENT DISKS
(RAID)
• The main hardware components that should be fault-
tolerant include disk drives, disk controllers, CPU,
power supplies, and cooling fans.
• Disk drives are the most vulnerable components with
the shortest times between failure of any of the
hardware components.
• One solution is to provide a large disk array
comprising an arrangement of several independent
disks that are organized to improve reliability and at
the same time increase performance.

23
© Pearson Education Limited, 2004
 LINKS
• http://en.wikipedia.org/wiki/Database_security
• http://www.dbta.com/Categories/Database-
Security_332.aspx
• http://www.craigsmullins.com/dbta_035.htm &
http://www.craigsmullins.com/dbta_056.htm
• http://iase.disa.mil/stigs/checklist/index.html

© Pearson Education Limited, 2004 24

SQL-INJEKTIOT JA NIIDEN EHKÄISY
JOUNI HUOTARI & JUHA PELTOMÄKI
© Pearson Education Limited, 2004 25
 SUOJAUTUMINEN SQL-INJEKTIOILTA
• Virheilmoitusten kustomointi
– Ei liikaa tietoa käyttäjälle
• Syötteiden tarkastus / suodatus
– Vaaralliset käskyt / merkit
– Käytetään valmisfunktioita
• Parametroitu SQL
– Monissa ohjelmointikielissä kuten Javassa Prepared
Statement: paikkamerkit kyselyn parametreille
– Parametrit heittomerkkien väliin
 ESIMERKKEJÄ

Lähde: http://xkcd.com/327/

Jos sovelluksessa on esim. merkkijono

String sql = ”SELECT fieldlist FROM table WHERE
(name = '” + param_nimi +”');”
ja siihen sijoitetaan em. pojan nimi, lopputulos on
SELECT * FROM table WHERE (name =
'Robert');DROP TABLE Students;--';
© Pearson Education Limited, 2004 27
 ESIMERKKEJÄ
• Peltomäen Juhan opetusmateriaali:
http://homes.jamk.fi/~huojo/opetus/IIO30200/PHP-tietoturva.html
• Testaus:
http://student.labranet.jamk.fi/~pelju/php/6db/query_form.php

© Pearson Education Limited, 2004 28