Outline
• Example of Security Gone Wrong
• Overview of Database Security
• Database Authorization
  o Access Control
  o Auditing
  o Authentication
  o Encryption

Introduction
• More databases being used now than ever
• More attacks on these databases
• Attacks jeopardize reputations, financial standings, and customer trust

Security Breach Example
• NASA
• Chinese citizen arrested
• Worked for National Institute of Aerospace
• Intellectual property theft
• NASA closed down its technical reports database and imposed tighter restrictions on remote access

Who is in charge?
• Database administrator (DBA) is the central authority
• DBA account = SUPERUSER
• Responsibilities
  o Account Creation
  o Privilege granting
  o Privilege revocation
  o Security Level assignment

What is Database Security?
• System, Processes, and Procedures that protect a database from unintended activity

What is Unintended Activity?
• 3 M's
  o Misuse
  o Malicious
  o Mistakes

Database Security Isn't Simple
• Issues:
  o Legal
  o Ethical
  o Policy
  o System-related

Database Threats
• Loss of Integrity
• Loss of Availability
• Loss of Confidentiality

Traditional Security Measures
• Firewall
  o Network routers
• Network intrusion prevention systems (NIPS)
  o Detect hackers
• Host-based intrusion detection systems (HIDS)
  o Inspect behaviors logged by applications
  o Malicious queries generate no detectable behaviors

That sounds safe enough...
• But it's not!
• PROBLEM:
  o Many database attacks involve a legitimate user!
  o Don't need special tools!
  o Can't be detected by detection systems/firewalls!

So how do we Threats?
Database Authorization

Common Control Measures
• Access controls
• Auditing
• Authentication
• Data encryption

Access Control
• What is Access Control
• Rapidly Growing Market
• Types
  o Manual
  o Analogous
  o Software
  o Access control Models
    o Discretionary
    o Mandatory
    o Role-based
    o Attribute-based

Manual Access Controls

Analogous Access Controls
Keypads and access control systems

Software Access Controls
• Firewall on PC
• Antivirus
• Popup Blocker

Access control Models
Access control models are sometimes categorized as either discretionary or nondiscretionary. The three most widely recognized models are:
• Discretionary Access Control
• Mandatory Access Control
• Role Based Access Control

Discretionary Access Control
• Determined by the owner of the object
• Two Important concepts:
  o File and data ownership
  o Access rights and permissions

Mandatory Access Controls (MAC)
Allowing access to a resource if and only if rules exist that allow a given user to access the resource
• difficult to manage
• used for highly sensitive information
• rules or sensitivity labels make it mandatory.
  o Sensitivity Labels
  o Data import and export

MAC cont'
Two methods that are commonly used for applying Mandatory Access Controls:
1. Rule-Based (or Label-based) Access Control
2. Lattice-Based Access Control

Role-Based Access Control (RBAC)
• Access policy determined by the system, not the owner.
• Used in commercial applications and also military systems, where multi-level security requirements may also exist.
• Access is controlled at the system level

RBAC cont
Three primary rules are defined for RBAC:
1. Role Assignment
2. Role Authorization
3. Transaction Authorization

Next Generation Access Control Model
Attribute-Based Access Control
• Building blocks in a structured language
• Labels or Properties

XACML
The XACML policy language is as expressive as a natural language.
For example, consider the following sentence: "A user wants to do something with an information asset in a given context". A sentence like this includes four grammatical building blocks:
• a subject
• an action
• a resource
• the environment

SAP Access Control
Reduce Access Risk and Prevent Fraud
http://www54.sap.com/solutions/tech/application-foundation-security/software/accesscontrol/index.html

Auditing
• Manual
• Systematic

What is Authentication?

Authentication
• Computer security authentication means verifying the identity of the user logging onto a network.
• Passwords, digital certificates, smart cards and biometrics can be used to prove the identity of the user to the network.

Authentication cont
Forms of authentication:
• Computer Security Authentication
• Human Authentication
• Challenge-Response Authentication
• Two-Factor Authentication

Mobile Agents
Security Issues with Mobile Agents
• processes which can autonomously migrate to new hosts
• Process of a mobile agents distributed system

Encryption
"crypt"

Encryption History
Examples:
• Julius Caesar - "Shift 3" Rule
• Thomas Jefferson - Wheel Cipher
• Professor Ron Rivest - RC5
Seldom used by the public, however, with online shopping, banking, and other services, data encryption became basic for businesses and even home users.

Encryption Implementation
The quality of encryption technology and the algorithm that is implemented in the encryption process should be a part of the security.

Reliability of Data Encryption
• 64-bit
• 128-bit
• 256-bits
The objective of encryption is to make data extremely incomprehensible to unauthorized users and extremely difficult to decipher for the intruder or attacker.

3 General Categories
1. Symmetric key encryption
2. Asymmetric key encryption
3. Hash encryption

Symmetric Key Encryption
• "Private-key encryption"
• Copy of single key
• Fast to transfer, but not safe
Disadvantage
• The more people who have the key, the weaker the system becomes
Algorithms used:
• AES
• DES

Asymmetric Key Encryption
• "Public-key encryption"
• Two keys
• Longer to transfer
• More secure
Algorithms used:
• DSA
• RSA
These algorithms are considerably slower than symmetric key algorithms, which makes them not suitable for database encryption.

Hash Encryption
• No key
• Not reversible
• Should be identical
• Provide one-way transformation of the data which then may be used to securely store the data or to verify its integrity

So why hash?
Confidentiality of original data

Oracle Advanced Security
• Provides data encryption and strong authentication services
• Safeguard sensitive data against unauthorized access
• Protects against theft, loss, and improper decommissioning of storage media and database backups

Transparent Data Encryption (TDE)
• Encrypts data before it is written to storage
• Decrypts data when reading it from storage
• No changes to existing applications

Transparent Data Encryption Cont'd
Supports 2 modes:
1. Tablespace encryption
   i. efficient solution for encrypting entire application tables
2. Column encryption
   i. efficient solution for encrypting individual data elements
Accessed data blocks are cached in memory the same way as traditional non-encrypted data blocks.

Oracle Advanced Security cont'd
• Built-in two-tier management architecture
  o Consists of: Master encryption key and one or more data encryption keys
  o TDE master encryption key is used to encrypt and protect the data encryption key
• Provides a standard-based network encryption
  o Protects communication to and from the Oracle Database
  o Connections can be rejected from clients that have encryption turned off
• Strong protection for database backups
  o Remains encrypted RMAN

Where should businesses use encryption?
• Hard drives
• Individual files
• Laptops
• File transfers
• E-mail
• IM

Data Encryption Pros
• Data remains separate from the device security where it is stored
• No data breaching
• Data is secure regardless of how it is transmitted
• Confidentiality

Data Encryption Cons
• Encryption keys are difficult to maintain
• Expensive to maintain
• Compatibility with existing programs can be tricky

Encryption Limitations
• NO perfect software
• Forgotten passwords
• Reliability
• Support

DBMS Implementation
• Businesses today use a combination of all tools
  o Firewalls
  o Intrusion detection systems
  o Access control
  o Auditing
  o Authorization
  o Encryption

Conclusion
• No one tool by itself can do it all.
• You need LAYERS of security!
• Any Questions?
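
The three primary RBAC rules named in the access control slides (role assignment, role authorization, transaction authorization) can be shown as one ordered check. This is an added example, not part of the original slides; the users, roles, transaction names and the `check` function are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy (assumption): role -> permitted transactions.
ROLE_TRANSACTIONS = {
    "clerk": {"read_order", "create_order"},
    "auditor": {"read_order", "read_audit_log"},
    "dba": {"create_account", "grant_privilege", "revoke_privilege"},
}

# Constructed sample grants (assumption): user -> roles the DBA assigned.
USER_ROLES = {
    "alice": {"clerk"},
    "bob": {"auditor", "clerk"},
    "root": {"dba"},
}


@dataclass
class Session:
    user: str
    active_role: Optional[str] = None  # role selected for this session


def check(session: Session, transaction: str) -> tuple:
    """Apply the three RBAC rules in order; return (allowed, reason)."""
    # Rule 1, role assignment: without an active role nothing may run.
    if session.active_role is None:
        return False, "role assignment: subject has no active role"
    # Rule 2, role authorization: the active role must be one the subject
    # was actually granted, so a user cannot simply claim "dba".
    if session.active_role not in USER_ROLES.get(session.user, set()):
        return False, "role authorization: role not granted to subject"
    # Rule 3, transaction authorization: the transaction must be permitted
    # for the active role, not merely for some other role the user holds.
    if transaction not in ROLE_TRANSACTIONS.get(session.active_role, set()):
        return False, "transaction authorization: not permitted for role"
    return True, "allowed"


if __name__ == "__main__":
    for s, t in [(Session("alice"), "read_order"),
                 (Session("alice", "dba"), "grant_privilege"),
                 (Session("bob", "auditor"), "create_order"),
                 (Session("bob", "clerk"), "create_order")]:
        print(s.user, s.active_role, t, "->", check(s, t))
```

The third case is the one worth noting: bob holds a role that permits `create_order`, but the request is denied because his active role is `auditor`, which keeps each session at the privilege of the role in use.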