Database SecurityCT069-3-3-DBS (VE1.

0)

Topic 1
Security Problems
 Learning
Outcomes

At the end of this topic, you should be able to:

1. Define what is “Database Security” and “Sensitive

Data”
2. Identify database security vulnerabilities, threats

and risks
3. Suggest database security best practices to

address and mitigate the threats

Module Code & Module Title Slide Title

 Contents & Structure

Database Security Overview

Database Security Vulnerabilities, Threats &
Risks
Database Security Best Practices

Module Code & Module Title Slide Title

 Definition: Database Security

Database security is the set of measures,

policies, and practices employed to protect a
database from unauthorized access,
manipulation, or destruction.
Database security policies are designed to
prevent sensitive data exposure and ensure
the availability and integrity of records
stored within a database system.

Module Code & Module Title Slide Title

 Definition: Sensitive Data

Sensitive data is any kind of information

that is protected against unwarranted
disclosure.

It involves a wide range of categories,

including personal data, financial
information, proprietary details, health
records, or trade secrets.

Module Code & Module Title Slide Title

 Discussion

List down 10 data (facts) that you provided to

APU during registration
Among the 10 data, which ones do you
consider sensitive ?
List down other 5 data that are being stored
in/by APU ?
Among them, which ones do you consider
sensitive ?

Module Code & Module Title Slide Title

 Security
News

Module Code & Module Title Slide Title

 Information Systems (IS)

Information system - comprised

of components working together
to produce and generate
accurate information
Central to any Information
System is the database that
contains all the required data and
information that the
organization acquires, processes,
generates, stores and uses to run
its business

Module Code & Module Title Slide Title

 Data vs Database vs DBMS
Data
is one of an organization’s most valuable assets
critical for all individuals and organizations
(government, SME and corporations) to function
properly DBMS Advantages-
Better control on access and
Database
security such as encryption
An organized collection of structured data to make Better activity tracing and
it easily accessible, manageable and updatable auditing capabilities
DBMS Efficient backup and
Typically, a Database Management System or DBMS recovery management
such as MS-SQL , MySQL or Oracle is used to manage Reduced data redundancy
the databases and increased consistency.
Integrated system that can be used to store, manage
and secure structured data as well as develop
applications to create data structures and manipulate
data

Module Code & Module Title Slide Title

 Discussion

Differentiate between data and Information ?

Differentiate between structured and

unstructured data ?

Module Code & Module Title Slide Title

 Database Security Problems

Since data is very valuable, it is subject to misuse, damage, loss or being

stolen – by whom ?

Problems can come in many ways

Unauthorized access to steal valuable data – How can this
happen ?
Damage caused by unauthorized persons – How can this
happen ?
Damage caused by authorized persons or application – How
can this happen ?
Other damages caused by power interruptions, hardware, OS or
software failure etc

Module Code & Module Title Slide Title

 Definitions

Vulnerability
Weakness in the system that makes the data vulnerable to
unauthorized access
manipulation, or destruction by authorized/unauthorized

Threat
Security attack that can happen any time because of a security
vulnerabilities

Risk
Damage that can happen if the threat attack happens

Module Code & Module Title Slide Title

 DB Security Vulnerability Access Points

Module Code & Module Title Slide Title

 DB Security Vulnerabilities

Human
Insufficient training, careless , ill intention

Applications
Bugs in the application software typically unpatched
and developed using outdated technology or without
good security features
Default values and/or Misconfigurations can leave
loopholes in the systems

Module Code & Module Title Slide Title

 DB Security Vulnerabilities

Network & Hardware

Weaknesses within an organization’s access
infrastructure that allow cyber attackers to gain
access and cause harm.
Old or low-quality hardware

Operating system (OS)

Caused by exposures within an OS typically
unpatched and outdated OS

Module Code & Module Title Slide Title

 Database Security Vulnerabilities

DBMS Applications
Bugs in the DBMS software typically unpatched
Old versions being used
Default values and/or Misconfigurations can leave
loopholes in the systems

Data files and data

Data not properly classified and protected

Module Code & Module Title Slide Title

 DB Security Threats & Risks

Module Code & Module Title Slide Title

 DB Security Threats & Risks

Module Code & Module Title Slide Title

 Discussion

Identify the threats that can be avoided ? What

will you do address the threats ?

Identify the threats that cannot be avoided ?

What will you do to mitigate the risks ?

Module Code & Module Title Slide Title

 Securing database environment

Database Server – physical or virtual machine

hosting your database

Securing the host also refer to as “hardening”

– a process to stringent human physical
access, network access, including securing
the server’s OS.

Module Code & Module Title Slide Title

 Securing database environment

Databases are nearly always network-accessible,

any security threat to any component within or
portion of the network infrastructure is also a
threat to the database, and any attack impacting a
user’s device or workstation can threaten the
database

Database security must extend far beyond the

confines of the database alone.

Module Code & Module Title Slide Title

 Securing database environment

When evaluating database security in your environment to

decide on your team’s top priorities, consider each of the
following areas:
Physical security
Administrative and network access controls
End user account/device security
Encryption
Database software security
Application/web server security
Backup security
Auditing

Module Code & Module Title Slide Title

 Security Methods

People
Individuals who have been granted privileges and permissions to
access applications, networks, servers, databases, data files and
data.

How to Secure
Establishment of security policies/procedures
Physical limits on access to HW and documents
Identification and authentication
Training on the importance of security and how to protect
information assets

Module Code & Module Title Slide Title

 Security Methods
Applications
Application design and implementation, which includes
privileges and permissions granted to people.
Be cautious because too loose permission results in
violation of data access, and too strict permission
compromises availability.
How to Secure
Authentication and authorization of users who access applications
Good design - hide database implementation details, perform code
reviews, implements good error handling and not user facing
Business rules to limit access
Prevent SQL Injection
Patched to the latest version

Module Code & Module Title Slide Title

 Security Methods

Network
Is the most sensitive security access point.
Use best effort to protect the network.

How to Secure
Firewalls
VPN
Authentication

Module Code & Module Title Slide Title

 Security Methods

Operating system
The authentication to the system and the gateway to the
data.

How to Secure
User accounts/authentication/authorization
Intrusion detection
Password policy
Patched to the latest version

Module Code & Module Title Slide Title

 Security Methods

DBMS
Holds our data
Logical structure of the database, include memory, executables,
and other binaries.

How to Secure
Authentication & Authorization of People & Application
Database Encryption
Password Policy
Database Auditing
Backup Database
Replication / Redundancy

Module Code & Module Title Slide Title

 Security Methods

Data files
Physical files

How to Secure
File encryption, permission management and access monitoring

Data
Actual data as can been seen by the users

How to Secure
Validation, constraints, encryption, access

Module Code & Module Title Slide Title

 Database Security Best Practices
Permission Management / Access Control
Authentication
Authorization/Privileges
Role based access control (RBAC)
Data protection
Obfuscation - Anonymization, Masking, Hashing, Encryption
Backup
High Availability
User action validation to protect against accidental or intentional
data loss
Auditing – passive
Try to identify what could happen (potential risk) - future
Captured what happened – past
Monitoring - active
Keeping track of is happening (monitoring) – present

Module Code & Module Title Slide Title

 Discussion

What is Database Security?

Where or what can be the security weaknesses in
the system ?
Identify common security threats specifically for
database and its hosting environment.
List the database security scope of evaluation

Module Code & Module Title Slide Title

 Summary / Recap of Main Points

Definition of Database Security

Type of threats in context of database security
Database security scope of evaluation

Module Code & Module Title Slide Title

 What To Expect Next Week

In Class
Preparation for Class
OS and Security Principles. Do some research on
operating system (OS) security
principles

Module Code & Module Title Slide Title