Lecture 28
Objectives
• Introduction to Database Security.
Database Security (Cont..)
Database Security Mechanism:
Strong User Authentication
• Authentication is a crucial aspect of any database, as it prevents unauthorized access; choosing a relevant and strong type of authentication is therefore an important decision.
• There are multiple types of authentication that are implemented by the backend developers, such as:
• Single-factor authentication (SFA), the most basic type, is regarded as unsafe because it does not provide any additional layer of security.
• Two-factor authentication (2FA) is a better alternative to SFA, as it provides an additional security layer and is used on many social media platforms.
• Multi-factor authentication (MFA) could also be used by developers.
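The difference between single-factor and two-factor login, shown in code. This is an added example, not part of the lecture: the first factor is a password checked against a salted PBKDF2-HMAC-SHA256 hash, the second is a time-based one-time code (TOTP, RFC 6238) of the kind an authenticator app produces. The user record, its secrets, the iteration count and the clock values are constructed for the demo.

```python
"""Added example (not from the lecture): single-factor vs. two-factor login.

Factor 1: a password checked against a salted PBKDF2-HMAC-SHA256 hash.
Factor 2: a time-based one-time code (TOTP, RFC 6238) from an authenticator app.
The user record, its secrets and the clock values are constructed for the demo.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # assumption: tune to your hardware budget
TOTP_STEP = 30                # seconds per code, the usual authenticator default


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash); a random per-user salt defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how much of the hash matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def totp(secret_b32: str, at: float, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    secret = secret_b32.upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = struct.pack(">Q", int(at) // TOTP_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: float, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, at + k * TOTP_STEP), code)
               for k in range(-window, window + 1))


# Constructed user record: salted password hash plus an enrolled TOTP secret.
USER_DB = {}
_salt, _hash = hash_password("correct horse battery staple")
USER_DB["alice"] = {"salt": _salt, "hash": _hash, "totp_secret": "JBSWY3DPEHPK3PXP"}


def login_sfa(user: str, password: str) -> bool:
    """Single factor: a leaked, phished or guessed password alone grants access."""
    rec = USER_DB.get(user)
    return rec is not None and verify_password(password, rec["salt"], rec["hash"])


def login_2fa(user: str, password: str, code: str, now: Optional[float] = None) -> bool:
    """Two factors: the password AND a fresh code from a device the user holds."""
    rec = USER_DB.get(user)
    if rec is None:
        return False
    now = time.time() if now is None else now
    # Evaluate both factors before deciding, so a wrong password does not
    # produce a visibly faster rejection than a wrong code.
    password_ok = verify_password(password, rec["salt"], rec["hash"])
    code_ok = verify_totp(rec["totp_secret"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    now = time.time()
    live_code = totp(USER_DB["alice"]["totp_secret"], now)
    print("SFA login:", login_sfa("alice", "correct horse battery staple"))
    print("2FA login:", login_2fa("alice", "correct horse battery staple", live_code, now))
```

The TOTP function reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, time 59 gives `287082`), so it can be checked against any standard authenticator. The window of one step either side is the usual trade-off between clock drift and the number of codes accepted at once.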
Data Encryption Protocols
• Whether it is moving data or storing sensitive user information, encryption is essential.
• The General Data Protection Regulation (GDPR) is a law made by the European Union (EU) that governs how personally identifiable information is collected, processed, and eventually deleted from a computer system.
• All data should be encrypted with strong, current methods, so that even if cybercriminals get hold of the data, the information remains protected.
• All database connections should be encrypted using Transport Layer Security (TLS), which will protect the data in transit.
• Column-level encryption could also be used to protect the most sensitive data fields.
Regular Backups
• Just like website data is backed up, the developers should also create backups of the database.
• This is essential, as regular backups could mitigate the risk of losing sensitive information due to any circumstances, such as data corruption or a system failure.
• Best practice recommends the 3-2-1 backup rule:
• The backups should also be tested periodically to ensure they perform as expected.
• This way, the developers would be able to confirm that the backup works.
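A backup that has never been restored is only a hope. The following is an added example, not part of the lecture: it takes a backup with Python's `sqlite3` online-backup API and then runs the periodic test the slides call for, restoring the copy into a scratch location, running SQLite's integrity check, and comparing a file hash and a per-table content fingerprint against the live database. The 3-2-1 rule (three copies, on two kinds of media, one of them off-site) concerns where the copies are kept; this script covers the "test it" part. Paths, table and rows are constructed for the demo.

```python
"""Added example (not from the lecture): taking a database backup and testing it.

Uses Python's sqlite3 online-backup API on a throwaway database. The restore
drill copies the backup to a scratch location, runs PRAGMA integrity_check and
compares a file hash plus a per-table content fingerprint against the live
database. All paths and rows are constructed for the demo.
"""
import hashlib
import os
import sqlite3
import tempfile
from typing import Dict


def create_sample_db(path: str) -> None:
    """Constructed 'production' database with a couple of rows."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT NOT NULL);
        INSERT INTO customers(email) VALUES ('a@example.com'), ('b@example.com');
    """)
    conn.commit()
    conn.close()


def file_sha256(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def backup_database(src_path: str, dst_path: str) -> str:
    """Consistent copy through the online backup API (safe while writers are active).
    Returns the SHA-256 of the backup file, to be stored in the backup catalogue."""
    src, dst = sqlite3.connect(src_path), sqlite3.connect(dst_path)
    src.backup(dst)
    src.close()
    dst.close()
    return file_sha256(dst_path)


def table_fingerprint(path: str) -> Dict[str, str]:
    """Row count and content hash per table, so backup and live DB can be compared."""
    conn = sqlite3.connect(path)
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    result = {}
    for name in tables:
        quoted = '"' + name.replace('"', '""') + '"'
        rows = sorted(conn.execute(f"SELECT * FROM {quoted}").fetchall(), key=repr)
        digest = hashlib.sha256("\n".join(map(repr, rows)).encode()).hexdigest()
        result[name] = f"{len(rows)}:{digest[:16]}"
    conn.close()
    return result


def restore_drill(backup_path: str, live_path: str, expected_sha256: str) -> Dict[str, object]:
    """The periodic test: 'ok' is True only if hash, integrity and content checks all pass."""
    report = {"hash_matches": file_sha256(backup_path) == expected_sha256}
    with tempfile.TemporaryDirectory() as scratch:
        restored = os.path.join(scratch, "restored.db")
        backup_database(backup_path, restored)    # a restore is the same copy in reverse
        conn = sqlite3.connect(restored)
        report["integrity"] = conn.execute("PRAGMA integrity_check").fetchone()[0]
        conn.close()
        report["content_matches"] = table_fingerprint(restored) == table_fingerprint(live_path)
    report["ok"] = bool(report["hash_matches"] and report["integrity"] == "ok"
                        and report["content_matches"])
    return report


def run_drill(tamper: bool = False) -> Dict[str, object]:
    """End to end: create DB, back it up, optionally alter the backup, then test it."""
    with tempfile.TemporaryDirectory() as workdir:
        live = os.path.join(workdir, "live.db")
        backup = os.path.join(workdir, "live-backup.db")
        create_sample_db(live)
        digest = backup_database(live, backup)
        if tamper:    # simulate a backup that no longer matches what was catalogued
            conn = sqlite3.connect(backup)
            conn.execute("DELETE FROM customers WHERE id = 2")
            conn.commit()
            conn.close()
        return restore_drill(backup, live, digest)


if __name__ == "__main__":
    print("good backup:", run_drill())
    print("altered backup:", run_drill(tamper=True))
```

Storing the file hash at backup time and re-checking it before every restore catches a backup that was altered or truncated after it was written; the content fingerprint catches a backup that is intact but stale or incomplete, which an integrity check alone would pass.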
Regular Database Audit
• Database monitoring should be enabled and performed regularly.
• Any operation performed on the sensitive data should also be logged.
• Auditing requires proper documentation of all the above activities.
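How "any operation on sensitive data should be logged" can be enforced rather than left to each application. This is an added example, not part of the lecture: writes to a sensitive table are recorded inside the database by triggers, so they are captured whichever client makes the change; since SQLite triggers cannot fire on SELECT, reads are recorded by the application wrapper. The acting user comes from a single-row table the application fills before each unit of work (an assumption for this single-connection demo; a server database would use something like `current_user` in the trigger instead). Table names, columns and rows are constructed.

```python
"""Added example (not from the lecture): logging every operation on sensitive data.

Writes are captured by triggers (they fire for every client and cannot be
skipped by an application that forgets to log); reads are logged by the
wrapper because SQLite has no SELECT triggers. The actor is read from a
single-row table (assumption: one connection per user). All names and rows
are constructed for the demo.
"""
import sqlite3
from datetime import datetime, timezone
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE patients(id INTEGER PRIMARY KEY, name TEXT NOT NULL, ssn TEXT NOT NULL);
CREATE TABLE audit_log(
    ts TEXT NOT NULL, actor TEXT NOT NULL, action TEXT NOT NULL,
    tbl TEXT NOT NULL, row_id INTEGER, detail TEXT);
CREATE TABLE audit_context(id INTEGER PRIMARY KEY CHECK (id = 1), actor TEXT NOT NULL);

-- Only the last four SSN digits go into the log, so the audit trail does not
-- become a second copy of the sensitive column. If no actor has been set,
-- audit_log.actor would be NULL and the NOT NULL constraint rejects the
-- write: no attributed actor, no change to sensitive data.
CREATE TRIGGER patients_audit_ins AFTER INSERT ON patients BEGIN
  INSERT INTO audit_log VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'),
    (SELECT actor FROM audit_context), 'INSERT', 'patients', NEW.id,
    'ssn=***-**-' || substr(NEW.ssn, -4));
END;
CREATE TRIGGER patients_audit_upd AFTER UPDATE OF ssn ON patients BEGIN
  INSERT INTO audit_log VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'),
    (SELECT actor FROM audit_context), 'UPDATE', 'patients', NEW.id,
    'ssn ***-**-' || substr(OLD.ssn, -4) || ' -> ***-**-' || substr(NEW.ssn, -4));
END;
CREATE TRIGGER patients_audit_del AFTER DELETE ON patients BEGIN
  INSERT INTO audit_log VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'),
    (SELECT actor FROM audit_context), 'DELETE', 'patients', OLD.id,
    'ssn=***-**-' || substr(OLD.ssn, -4));
END;
"""


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class AuditedDB:
    def __init__(self, path: str = ":memory:") -> None:
        self.conn = sqlite3.connect(path)
        self.conn.executescript(SCHEMA)
        self.actor: Optional[str] = None

    def as_user(self, actor: str) -> None:
        """Record who is acting; every trigger reads this row."""
        self.conn.execute("INSERT OR REPLACE INTO audit_context(id, actor) VALUES (1, ?)", (actor,))
        self.actor = actor

    def add_patient(self, name: str, ssn: str) -> int:
        cur = self.conn.execute("INSERT INTO patients(name, ssn) VALUES (?, ?)", (name, ssn))
        self.conn.commit()
        return cur.lastrowid

    def update_ssn(self, patient_id: int, ssn: str) -> None:
        self.conn.execute("UPDATE patients SET ssn = ? WHERE id = ?", (ssn, patient_id))
        self.conn.commit()

    def read_ssn(self, patient_id: int) -> Optional[str]:
        """Reads are logged here because no trigger can see a SELECT."""
        row = self.conn.execute("SELECT ssn FROM patients WHERE id = ?", (patient_id,)).fetchone()
        self.conn.execute(
            "INSERT INTO audit_log VALUES (?, ?, 'SELECT', 'patients', ?, 'ssn read')",
            (_now(), self.actor, patient_id))
        self.conn.commit()
        return row[0] if row else None

    def audit_trail(self, patient_id: int) -> List[Tuple[str, str, str]]:
        return list(self.conn.execute(
            "SELECT actor, action, detail FROM audit_log WHERE row_id = ? ORDER BY rowid",
            (patient_id,)))


def unattributed_write_is_rejected() -> bool:
    """A fresh connection with no actor set must not be able to change sensitive rows."""
    db = AuditedDB()
    try:
        db.add_patient("Nobody", "000-00-0000")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = AuditedDB()
    db.as_user("dr_smith")
    pid = db.add_patient("Jane Doe", "123-45-6789")
    db.read_ssn(pid)
    db.as_user("records_clerk")
    db.update_ssn(pid, "987-65-4321")
    for entry in db.audit_trail(pid):
        print(entry)
    print("write without actor rejected:", unattributed_write_is_rejected())
```

Two design choices matter for the "proper documentation" the lecture asks for: the log records who, what and when without duplicating the sensitive value itself, and the audit table should be append-only for the application role (in a server database, grant INSERT but not UPDATE or DELETE on it) so the trail cannot be tidied up after the fact.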
Update Applications
• Verified database management software should be used and kept updated to the latest version.
• It is safer not to use plugins or third-party applications that do not receive regular updates.
• Outdated applications or plugins pose a major security threat: their known, unpatched weaknesses are easy for attackers to overcome and use to affect the database.
Use Firewalls
• Firewalls are a good choice for adding a layer of security to the database.
• Along with a database firewall, a web application firewall should also be deployed.
• Just like the application updates, the firewall should be updated to the latest version.
Separate Database Servers
• Storing data on the same server as the website could expose the data to attackers if they manage to hack the admin account on the web server.
• To prevent this, the web server and the database server should be separated.
Separate Tests from Production
• Test environments should be separated from production environments because attackers could get hold of any sensitive data in the testing environment, which might be less secure than the production environment.
• Ensuring that there is a testing environment with no real production data and with separate roles and permissions from the production environment helps in protecting the production database.
• Even the developers should not get access to the production database if it is not necessary. Moreover, a standard procedure should be followed to move the database from testing to production.
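One practical way to get "a testing environment with no real production data" is to mask the identifying columns when a copy is taken for test. This is an added example, not part of the lecture: identifying fields are replaced with keyed, deterministic pseudonyms (HMAC-SHA256 under a key that stays with the masking job), so the same real value always maps to the same fake value and joins and uniqueness constraints behave as in production, while the test copy never holds the original; a final gate refuses to hand over the copy if any production value survived. Column names, rows and the key are constructed for the demo.

```python
"""Added example (not from the lecture): a test copy of a production table with
the real personal data replaced by keyed pseudonyms. Column names, rows and the
masking key are constructed for the demo.
"""
import hashlib
import hmac
import sqlite3
from typing import Callable, Dict, List, Tuple

MASKING_KEY = b"constructed-demo-key"   # assumption: lives only with the masking job


def pseudonym(value: str, tag: str, length: int = 8) -> str:
    """Keyed hash of (column tag, value): stable per value, unlinkable without the key."""
    mac = hmac.new(MASKING_KEY, f"{tag}:{value}".encode(), hashlib.sha256).hexdigest()
    return mac[:length]


# One masker per kind of PII; each keeps the column's format so tests stay realistic.
MASKERS: Dict[str, Callable[[str], str]] = {
    "email": lambda v: f"user_{pseudonym(v, 'email')}@test.invalid",
    "name":  lambda v: f"Person {pseudonym(v, 'name', 6)}",
    "ssn":   lambda v: "000-00-" + str(int(pseudonym(v, "ssn"), 16) % 10000).zfill(4),
}


def mask_row(row: Dict[str, object], pii_columns: Dict[str, str]) -> Dict[str, object]:
    """Replace the PII columns of one row; non-PII columns are copied unchanged."""
    masked = dict(row)
    for column, kind in pii_columns.items():
        if masked.get(column) is not None:
            masked[column] = MASKERS[kind](str(masked[column]))
    return masked


def copy_masked(prod: sqlite3.Connection, test: sqlite3.Connection,
                table: str, pii_columns: Dict[str, str]) -> int:
    """Recreate `table` in the test database with PII masked; returns rows copied."""
    ddl = prod.execute("SELECT sql FROM sqlite_master WHERE type='table' AND name=?",
                       (table,)).fetchone()[0]
    test.execute(ddl)
    cursor = prod.execute(f'SELECT * FROM "{table}"')
    columns = [d[0] for d in cursor.description]
    placeholders = ",".join("?" * len(columns))
    copied = 0
    for raw in cursor:
        row = mask_row(dict(zip(columns, raw)), pii_columns)
        test.execute(f'INSERT INTO "{table}" VALUES ({placeholders})', [row[c] for c in columns])
        copied += 1
    test.commit()
    return copied


def production_values_leaked(prod: sqlite3.Connection, test: sqlite3.Connection,
                             table: str, pii_columns: Dict[str, str]) -> List[str]:
    """Gate before handing the copy to developers: any real value still present."""
    leaked = []
    for column in pii_columns:
        real = {r[0] for r in prod.execute(f'SELECT "{column}" FROM "{table}"') if r[0] is not None}
        found = {r[0] for r in test.execute(f'SELECT "{column}" FROM "{table}"')}
        leaked.extend(sorted(real & found))
    return leaked


def demo() -> Tuple[int, List[str], List[tuple]]:
    """Constructed production table copied into an empty test database."""
    prod, test = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    prod.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, email TEXT, ssn TEXT, plan TEXT);
        INSERT INTO customers(name, email, ssn, plan) VALUES
          ('Jane Doe', 'jane@example.com', '123-45-6789', 'gold'),
          ('John Roe', 'john@example.com', '987-65-4321', 'basic'),
          ('Jane Doe', 'jane@example.com', '123-45-6789', 'trial');
    """)
    pii = {"name": "name", "email": "email", "ssn": "ssn"}
    copied = copy_masked(prod, test, "customers", pii)
    leaked = production_values_leaked(prod, test, "customers", pii)
    rows = test.execute("SELECT * FROM customers ORDER BY id").fetchall()
    return copied, leaked, rows


if __name__ == "__main__":
    copied, leaked, rows = demo()
    print(f"copied {copied} rows, leaked values: {leaked}")
    for row in rows:
        print(row)
```

Because the pseudonym is keyed, developers holding the test copy cannot reverse it by hashing guessed values themselves; because it is deterministic, the two rows that belong to the same customer in production still share one fake identity in test, which is what keeps join-based tests meaningful.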
Questions
Any questions?
Further Readings
• Chapter 1, Computer Security: Principles and Practice (3rd Edition), by William Stallings and Lawrie Brown
Thanks