11) Implementing Oracle Database Security

The document outlines the principles of database security, focusing on the Principle of Least Privilege (PoLP), which restricts user access to only necessary permissions to minimize risks. It emphasizes the importance of database auditing for security monitoring, compliance, and accountability, detailing features and best practices for effective auditing. Additionally, it provides practical examples of implementing PoLP and highlights various tools for database auditing across different platforms.

Uploaded by Jamil rehman

DATABASE ADMINISTRATION
COURSE CODE: ITEC4138
CREDIT HOUR: 4 (3 + 1)
TOPIC: MANAGING SCHEMA OBJECTS
MIRZA ARSLAN BAIG, LECTURER, COMPUTER SCIENCE
WhatsApp: 0308 6877143 E-Mail: [email protected]
UNIVERSITY OF EDUCATION LAHORE, FAISALABAD CAMPUS

IMPLEMENTING ORACLE DATABASE SECURITY

➢ DATABASE SECURITY AND PRINCIPLE OF LEAST PRIVILEGE
➢ WORK WITH STANDARD DATABASE AUDITING

DATABASE SECURITY AND PRINCIPLE OF LEAST PRIVILEGE
DATABASE SECURITY AND THE PRINCIPLE OF LEAST PRIVILEGE

➢ Database security involves protecting a database against unauthorized access and malicious attacks, and ensuring the confidentiality, integrity, and availability of the data.
➢ It encompasses a variety of practices, tools, and policies designed to safeguard sensitive data and maintain compliance with legal and organizational standards.
➢ One foundational concept in database security is the Principle of Least Privilege (PoLP).
➢ This principle states that users and processes should have the minimum level of access—or permissions—necessary to perform their duties.
➢ This minimizes the risk of accidental or deliberate misuse of the database.


PRINCIPLE OF LEAST PRIVILEGE (POLP)

Definition: The principle ensures that a user or process is granted only the permissions necessary to complete their tasks, no more and no less.
Goal: To reduce the risk of data breaches, unauthorized changes, and potential damage from insider threats or compromised accounts.

Key Aspects
➢ Granular permissions.
➢ Role-based access control (RBAC).
➢ Regular reviews and adjustments of privileges.


POLP

A DBA typically requires significant privileges to manage, maintain, and secure the database system. However, applying PoLP to the DBA's role involves limiting their access to only those permissions required for specific tasks. Here's how this can be implemented:

EXAMPLES OF APPLYING POLP

Separate Roles: Instead of assigning a single, all-encompassing "superuser" role to a DBA, create specific roles for distinct responsibilities:
1. Backup and restoration.
2. Performance monitoring.
3. Schema design and updates.
Assign the DBA to these roles only when performing related tasks.

Segregation of Duties:
1. For high-security environments, separate critical tasks such as auditing and database administration.
2. For instance, the DBA should not have access to audit logs, so that security checks remain transparent.

Time-Bound Privileges:
1. Use tools or mechanisms to grant elevated permissions temporarily.
2. Example: A DBA requires "ALTER SYSTEM" privileges for planned maintenance. Grant the privilege for a limited period, after which it is automatically revoked.

Environment-Based Access:
1. Limit DBA access to production databases unless absolutely necessary.
2. Example: A DBA primarily works on development and testing databases. Access to the production environment is granted only for emergencies.

Privileged Task Automation:
1. Automate repetitive administrative tasks with scripts or tools that execute with the required privileges. This removes the need for the DBA to have direct, ongoing access to sensitive data.

Review and Audit of Permissions:
1. Regularly audit DBA privileges to ensure they are aligned with current responsibilities.
2. Example: If a DBA transitions to a managerial role, revoke direct access privileges and assign only the permissions related to supervisory tasks.
PRACTICAL EXAMPLE

Scenario: A company employs a DBA responsible for maintaining a customer database containing sensitive information (e.g., credit card numbers, personal data).

The DBA needs to back up the database.
➢ PoLP Implementation: Assign the DBA a role with BACKUP DATABASE privileges but restrict direct access to sensitive data fields.

The DBA needs to troubleshoot a performance issue.
➢ PoLP Implementation: Provide VIEW PERFORMANCE and query execution monitoring permissions without granting rights to modify the database schema.

Emergency database patching.
➢ PoLP Implementation: Temporarily grant the DBA elevated privileges (ALTER SYSTEM) to apply the patch. Revoke these privileges post-maintenance.
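The three steps of the scenario above, expressed as Oracle SQL. This is an added example, not code from the lecture: the slides' generic "BACKUP DATABASE" and "VIEW PERFORMANCE" permissions are mapped here to Oracle's SYSBACKUP administrative privilege and SELECT_CATALOG_ROLE, and the user names, role names and the four-hour maintenance window are assumed.

```sql
-- Added example (not part of the original lecture): Oracle SQL for the three
-- scenario steps. Requires Oracle 12c+ (for SYSBACKUP); run as a user holding
-- the needed administrative privileges. User and role names are assumed.

-- Step 1, backup: SYSBACKUP is scoped to RMAN backup and recovery work and
-- does not carry SELECT on application tables, so card data stays out of reach.
CREATE USER backup_dba IDENTIFIED BY "ChangeMe_1";
GRANT SYSBACKUP TO backup_dba;

-- Step 2, performance troubleshooting: a role that can read the data
-- dictionary and V$ performance views but has no DDL on application schemas.
CREATE ROLE perf_monitor;
GRANT CREATE SESSION TO perf_monitor;
GRANT SELECT_CATALOG_ROLE TO perf_monitor;   -- read-only on DBA_* and V$ views
CREATE USER perf_dba IDENTIFIED BY "ChangeMe_2";
GRANT perf_monitor TO perf_dba;

-- Step 3, emergency patching: grant ALTER SYSTEM now and schedule its revoke
-- with DBMS_SCHEDULER so the elevation is time-bound rather than forgotten.
GRANT ALTER SYSTEM TO perf_dba;
BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name   => 'REVOKE_ALTER_SYSTEM_PERF_DBA',
    job_type   => 'PLSQL_BLOCK',
    job_action => 'BEGIN EXECUTE IMMEDIATE ''REVOKE ALTER SYSTEM FROM perf_dba''; END;',
    start_date => SYSTIMESTAMP + INTERVAL '4' HOUR,   -- assumed maintenance window
    enabled    => TRUE,
    auto_drop  => TRUE);                              -- job removes itself afterwards
END;
/

-- Review step: list what PERF_DBA actually holds, so lingering grants show up.
SELECT grantee, privilege    AS granted FROM dba_sys_privs  WHERE grantee = 'PERF_DBA'
UNION ALL
SELECT grantee, granted_role AS granted FROM dba_role_privs WHERE grantee = 'PERF_DBA';
```

The final query is the "Review and Audit of Permissions" step: after the scheduled job has run, ALTER SYSTEM should no longer appear in its output.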
WORK WITH STANDARD DATABASE AUDITING

STANDARD DATABASE AUDITING

Database auditing refers to the process of tracking and logging database activities to monitor and ensure the security, integrity, and compliance of database operations. For a Database Administrator (DBA), auditing is an essential tool to detect unauthorized access, troubleshoot issues, and maintain accountability within the database environment.
IMPORTANCE OF DATABASE AUDITING FOR A DBA

Security Monitoring: Helps identify suspicious activities, such as unauthorized access or privilege abuse.
Compliance: Ensures adherence to regulatory requirements like GDPR, HIPAA, or PCI-DSS.
Accountability: Tracks actions performed by users, including privileged accounts like DBAs, to prevent misuse.
Troubleshooting: Provides logs to analyze errors or performance issues.
Change Management: Monitors schema changes and configuration updates.

FEATURES OF STANDARD DATABASE AUDITING

Activity Tracking: Records user logins, executed queries, and data modifications.
Granular Controls: Allows selective auditing based on tables, users, or operations.
Audit Policies: Customizable rules to define what activities are logged.
Automated Alerts: Notifications for critical events such as failed login attempts or unauthorized data access.
Retention and Analysis: Logs stored for future reference and audit compliance.
HOW A DBA WORKS WITH STANDARD DATABASE AUDITING

A DBA's role involves configuring, managing, and interpreting database audit logs to ensure security and compliance.

BEST PRACTICES FOR DBAS IN STANDARD AUDITING

Define Clear Audit Policies: Only audit necessary operations to avoid excessive log size and performance issues.
Secure Audit Logs: Store logs in a secure, tamper-proof location with restricted access.
Regular Review: Analyze logs periodically for anomalies and compliance verification.
Use Automated Alerts: Set up triggers or scripts to notify the DBA of critical events, such as unauthorized access.
Optimize Performance: Ensure auditing doesn't degrade database performance by enabling it selectively.

Enhanced Security: Identifies and mitigates security threats.
Regulatory Compliance: Helps meet standards like PCI-DSS and SOX.
Operational Transparency: Provides a clear record of database activities.
Incident Response: Facilitates investigation and resolution of incidents.
TOOLS FOR DATABASE AUDITING
Oracle: Unified Audit Trail, Fine-Grained Auditing (FGA).
SQL Server: SQL Server Audit.
MySQL: General Query Log, Audit Plugin.
PostgreSQL: pgaudit extension.
MongoDB: Database Profiler.
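Using the two Oracle tools named above (Unified Audit Trail and Fine-Grained Auditing), here is an added example, not from the lecture, that puts the auditing best practices into practice: a selective policy for privileged actions, a policy for failed logons only, an FGA policy on a sensitive column, a separate audit-viewer account so the DBA does not read the trail, and the review query. The schema SALES.CUSTOMERS, the column CREDIT_CARD_NO, and the user and policy names are assumed.

```sql
-- Added example (not part of the original lecture): Oracle unified auditing
-- and FGA configured along the best practices above. Requires Oracle 12c+ with
-- unified auditing enabled; run as a user holding AUDIT_ADMIN. The schema,
-- column, user and policy names are assumed for illustration.

-- Segregation of duties: a separate auditor reads the trail (AUDIT_VIEWER);
-- the DBA accounts are not granted this role.
CREATE USER sec_auditor IDENTIFIED BY "ChangeMe_3";
GRANT CREATE SESSION, AUDIT_VIEWER TO sec_auditor;

-- Clear, selective policy: privileged system actions and account changes
-- only, instead of auditing every statement (keeps log volume manageable).
CREATE AUDIT POLICY priv_admin_pol
  PRIVILEGES ALTER SYSTEM, CREATE USER, ALTER USER, DROP USER, GRANT ANY PRIVILEGE
  ACTIONS CREATE ROLE, DROP ROLE;
AUDIT POLICY priv_admin_pol;

-- Failed logon attempts only; successful logons are not recorded by this policy.
CREATE AUDIT POLICY logon_fail_pol ACTIONS LOGON;
AUDIT POLICY logon_fail_pol WHENEVER NOT SUCCESSFUL;

-- Fine-Grained Auditing: record SELECT/UPDATE statements that touch the
-- card-number column, with SQL text and bind values (DB_EXTENDED).
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'SALES',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CARD_COLUMN_POL',
    audit_column    => 'CREDIT_CARD_NO',
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB_EXTENDED);
END;
/

-- Regular review (run by sec_auditor): failed logons, privileged actions and
-- FGA hits from the last 24 hours, newest first.
SELECT event_timestamp, dbusername, action_name, object_name,
       return_code, fga_policy_name, sql_text
FROM   unified_audit_trail
WHERE  event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
  AND  (   (action_name = 'LOGON' AND return_code <> 0)
        OR unified_audit_policies LIKE '%PRIV_ADMIN_POL%'
        OR fga_policy_name IS NOT NULL )
ORDER BY event_timestamp DESC;
```

The review query can be wrapped in a DBMS_SCHEDULER job that e-mails or pages the auditor when it returns rows, which is the "Use Automated Alerts" practice from the previous slide.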
THANK YOU
