1

DATABASE SECURITY
 Database Security
2

 Definition: Database security can be described as the level of control or

restriction on user actions on the database. This control includes access to
data, database server and its applications.

 It is the protection of data against unauthorized access, disclosure,

alteration or destruction.
 Security risks to database
3
systems
 This includes:
1. Unauthorised activity, e.g. a hacker.
2. Misuse by authorised users.
3. Malware infection which deletes, damages or makes sensitive
data available.
4. Overloads which can lead to inability of authorised users to use the
database.
5. Physical damage to servers, e.g. fire, flood, lightning, accidental
liquid spills, electrical surge, etc.
 6. Design flaws and programming bugs which create security
4 vulnerabilities.
7. Data corruption or loss caused by the entry of invalid data
or commands, mistakes in database or system
administration processes, sabotage or criminal damage.
 IMPORTANCE OF DATA SECURITY
5

There are three main objectives to consider while designing a secure

database application:
1. secrecy
2. integrity and
3. availability
6 1. SECRECY

a) Secrecy denotes the protection of information from unauthorized

disclosure either by direct retrieval or by indirect logical inference.
b) Secrecy must deal with the possibility that information may also be
disclosed by legitimate users by passing secret information to
unauthorized users intentionally or without knowledge of the authorized
user.
7 2. INTEGRITY

 Integrity constraints are rules that define the correct states of a database.
 Integrity entails data protection from malicious or accidental modification,
including the insertion of false data, contamination and the destruction of
data.

 Read up: SQL injection

 3. AVAILABILITY
8
 Availability is the characteristic that ensures data is accessible by
authorized users and database applications when they need them.
 Types of Database Security Control
9
 Many layers and types of information security control are
appropriate to databases, including:
 Access control
 Database Auditing
 Authentication
 Encryption
 Integrity controls
 Backups
 Application security
Assignment: What is
application security?
Implement on Edupage.

Deadline:
10 Access Control
 This is the selective restriction of access to a resource in the
database. It is a system of controlling data that is accessible to a
given user.

 Permission to access a resource is termed authorisation.

 Access control can be mandatory or discretionary

 DAC
11  Users have privileges to access or modify objects in the database. If
they have permission, users can grant their privileges to other users.
 Allows an individual complete control over any object they own.
 There are two important concepts in DAC:
1. File and data ownership- every object has an owner. The access
policy to this object is determined by its owner.
2. Access rights permissions:- This is the control that an owner can
assign to other objects for specific resources.
 E.g. Facebook share – You can specify who gains access to
resources you create.
12 Mandatory Access Control
 MAC: Allowing user to a resource if and only if rules exist that allow a
given user to access the resource.
 In MAC only the administrator manages the access controls.

Read more:
Understanding data
processing textbook.
 Database auditing
13
 Database auditing involves observing a database so as to be aware of the actions of
database users. Database administrators and consultants often set up auditing for
security purposes, for example, to ensure that those without the permission to access
information do not access it.
 Authentication
14  Database authentication is the process or act of confirming that
a user who is attempting to log in to a database is authorized to
do so, and is only accorded the rights to perform activities that
he or she has been authorized to do.
 It may be performed by
a. the database itself,
b. the operating system,
c. a network service
d. the secured socket layer (SSL)
 Database encryption
15
 Database encryption is a process that uses an algorithm to
transform data stored in a database into a form that is
incomprehensible without first being decrypted.
 A "meaningless" encrypted data is of little or no use for
hackers.
 There are multiple techniques and technologies available for
database encryption.
 Tutorial question
16

 If an individual steals a hard disk of an organisation, he will be able to

access the information stored and read it. Describe the method you
can use to prevent the hard disk content from being read, even if it
can be accessed.

 How will the authorised user be able to read the encrypted data?
17 Backups

 This refers to creating a copy or archiving of the data in the database.

 Such backup becomes useful to restore the database in case of data loss
or system crash.
 Backups can be automated to run at a particular time or done manually.

Tutorial Question:
• Outline situations where data backup will prove
useful.
 Database Administrator
18
He manages the database
1. He develops a security policy for the database
2. He creates new users
3. He assigns roles to each user of the database.
4. He handles database auditing.
5. He regularly carries out database backups.

 Tutorial Question: Write more duties of a database administrator.