Download MIS409_DB_Security_Auth_Encrypt

Outline
• Example of Security Gone Wrong
• Overview of Database Security
• Database Authorization
o Access Control
o Auditing
o Authentication
o Encryption
Introduction
• More databases being used now than
ever
• More attacks on these databases
• Attacks jeopardize reputations, financial
standings, and customer trust
Security Breach Example
• NASA
• Chinese citizen arrested
• Worked for National Institute of
Aerospace
• Intellectual property theft
• NASA closed down its technical reports
database and imposed tighter restrictions
on remote access
Who is in charge?
• Database administrator (DBA) is the
central authority
• DBA account = SUPERUSER
• Responsibilities
o Account Creation
o Privilege granting
o Privilege revocation
o Security Level assignment
What is Database Security?
• System, Processes, and Procedures that protect a database from unintended activity
What is Unintended Activity?
• 3 M's
o Misuse
o Malicious
o Mistakes
Database Security Isn't Simple
• Issues:
o Legal
o Ethical
o Policy
o System-related
Database Threats
• Loss of Integrity
• Loss of Availability
• Loss of Confidentiality
Traditional Security Measures
• Firewall
o Network routers
• Network intrusion prevention systems
(NIPS)
o Detect hackers
• Host-based intrusion detection systems
(HIDS)
o Inspect behaviors logged by applications
o Malicious queries generate no detectable
behaviors
That sounds safe enough...
• But it's not!
• PROBLEM:
o Many database attacks involve a legitimate
user!
o Don't need special tools!
o Can't be detected by detection
systems/firewalls!
So how do we
Threats?
Database Authorization
Common Control Measures
• Access controls
• Auditing
• Authentication
• Data encryption
Access Control
• What is Access Control
• Rapidly Growing Market
• Types
o Manual
o Analogous
o Software
o Access control Models
 Discretionary
 Mandatory
 Role-based
 Attribute-based
Manual Access Controls
Analogous Access Controls
Keypads and access control systems
Software Access Controls
• Firewall on PC
• Antivirus
• Popup Blocker
Access control Models
Access control models are sometimes categorized as either discretionary or non-discretionary. The three most widely recognized models are:
• Discretionary Access Control
• Mandatory Access Control
• Role Based Access Control
Discretionary Access Control
• Determined by the owner of the object
• Two Important concepts:
o File and data ownership
o Access rights and permissions
Mandatory Access Controls (MAC)
Allowing access to a resource if and only if rules exist that allow a given user to access the resource
• Difficult to manage
• Used for highly sensitive information
• Rules or sensitivity labels make it mandatory
o Sensitivity Labels
o Data import and export
MAC cont'
Two methods that are commonly used for
applying Mandatory Access Controls:
1. Rule-Based (or Label-based) Access
Control
2. Lattice-Based Access Control
Role-Based Access Control (RBAC)
• Access policy determined by the system, not the owner.
• Used in commercial applications and also military systems, where multi-level security requirements may also exist.
• Access is controlled at the system level
RBAC cont
Three primary rules are defined for RBAC:
1. Role Assignment
2. Role Authorization
3. Transaction Authorization
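The three RBAC rules listed above, enforced by a small reference monitor. This is an added example, not part of the original slides; the class, user, role and transaction names are hypothetical.

```python
class RBAC:
    """Reference monitor enforcing the three RBAC rules from the slide."""
    def __init__(self):
        self.authorized = {}    # user -> roles authorized for that user
        self.active = {}        # user -> role active in the current session
        self.permitted = {}     # role -> transactions that role may execute

    def authorize_role(self, user, role):
        self.authorized.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self.authorized.get(user, set()).discard(role)
        if self.active.get(user) == role:
            del self.active[user]        # revocation also ends the session role

    def permit(self, role, transaction):
        self.permitted.setdefault(role, set()).add(transaction)

    def activate(self, user, role):
        # Rule 2, role authorization: the active role must be authorized for the user.
        if role not in self.authorized.get(user, set()):
            raise PermissionError(f"{user} is not authorized for role {role}")
        self.active[user] = role

    def check(self, user, transaction):
        # Rule 1, role assignment: a user with no active role can execute nothing.
        role = self.active.get(user)
        if role is None:
            return False
        # Rule 3, transaction authorization: the active role must permit it.
        return transaction in self.permitted.get(role, set())

def demo():
    # Constructed sample policy; users, roles and transactions are hypothetical.
    m = RBAC()
    m.permit("clerk", "SELECT orders")
    m.permit("auditor", "SELECT audit_log")
    m.authorize_role("alice", "clerk")
    out = {"no_role": m.check("alice", "SELECT orders")}
    m.activate("alice", "clerk")
    out["clerk_orders"] = m.check("alice", "SELECT orders")
    out["clerk_audit"] = m.check("alice", "SELECT audit_log")
    try:
        m.activate("alice", "auditor")
        out["self_escalation"] = True
    except PermissionError:
        out["self_escalation"] = False
    m.revoke_role("alice", "clerk")
    out["after_revoke"] = m.check("alice", "SELECT orders")
    return out
```

The monitor denies by default: a request is allowed only when all three rules hold, and revoking a role takes effect on the next check.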
Next Generation Access Control Model
Attribute-Based Access Control
• Building blocks in a structured language
• Labels or Properties
XACML
The XACML policy language is as expressive as a natural language. For example, consider the following sentence: "A user wants to do something with an information asset in a given context". A sentence like this includes four grammatical building blocks:
• a subject
• an action
• a resource
• the environment
SAP Access Control
Reduce Access Risk and Prevent Fraud
http://www54.sap.com/solutions/tech/application-foundation-security/software/accesscontrol/index.html
Auditing
• Manual
• Systematic
What is Authentication?
Authentication
• Computer security authentication means verifying the identity of the user logging onto a network.
• Passwords, digital certificates, smart cards and biometrics can be used to prove the identity of the user to the network.
Authentication cont
Forms of authentication:
• Computer Security Authentication
• Human Authentication
• Challenge-Response Authentication
• Two-Factor Authentication
Mobile Agents
Security Issues with Mobile Agents
• Processes which can autonomously migrate to new hosts
• Process of a mobile agents distributed system
Encryption
"crypt"
Encryption History
Examples:
Julius Caesar
- "Shift 3" Rule
Thomas Jefferson
- Wheel Cipher
Professor Ron Rivest
- RC5
Encryption was seldom used by the public; however, with online shopping, banking, and other services, data encryption became basic for businesses and even home users.
Encryption Implementation
The quality of encryption technology and the
algorithm that is implemented in the
encryption process should be a part of the
security.
Reliability of Data Encryption
• 64-bit
• 128-bit
• 256-bit
The objective of encryption is to make data
extremely incomprehensible to
unauthorized users and extremely difficult
to decipher for the intruder or attacker.
3 General Categories
1. Symmetric key encryption
2. Asymmetric key encryption
3. Hash encryption
Symmetric Key Encryption
• "Private-key encryption"
• Copy of single key
• Fast to transfer, but not safe
Disadvantage
• The more people who have the key, the weaker the system becomes
Algorithms used:
• AES
• DES
Asymmetric Key Encryption
• "Public-key encryption"
• Two keys
• Longer to transfer
• More secure
Algorithms used:
• DSA
• RSA
These algorithms are considerably
slower than symmetric key algorithms
which makes them not suitable for
database encryption.
Hash Encryption
• No key
• Not reversible
• Should be identical
• Provide one-way
transformation of the data
which then may be used to
securely store the data or to
verify its integrity
So why hash?
Confidentiality of original data
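One-way hashing used to keep original data confidential in a database table, as an added example that is not part of the original slides. It uses salted, iterated PBKDF2-HMAC-SHA256 from the Python standard library with an in-memory SQLite table; the table layout, function names and iteration count are assumptions made for the example.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 200_000  # assumed work factor, chosen for this example

def _digest(password: str, salt: bytes) -> bytes:
    # One-way transformation with no stored key: the same password and salt
    # always give the same digest, but the digest cannot be reversed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return db

def register(db, name, password):
    salt = os.urandom(16)  # per-user salt so equal passwords do not share a digest
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, _digest(password, salt)))

def login(db, name, password) -> bool:
    row = db.execute("SELECT salt, digest FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Recompute and compare in constant time; the password itself is never stored.
    return hmac.compare_digest(_digest(password, salt), stored)

def stored_digests(db):
    # What someone reading the table (or a stolen backup) would actually see.
    return [r[0] for r in db.execute("SELECT digest FROM users ORDER BY name")]
```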
Oracle Advanced Security
• Provides data encryption and strong
authentication services
• Safeguard sensitive data against
unauthorized access
• Protects against theft, loss, and improper
decommissioning of storage media and
database backups
Transparent Data Encryption (TDE)
• Encrypts data before it is written to storage
• Decrypts data when reading it from storage
• No changes to existing applications
Transparent Data Encryption Cont'd
Supports 2 modes:
1. Tablespace encryption
i. efficient solution for encrypting entire application tables
2. Column encryption
i. efficient solution for encrypting individual data elements
Accessed data blocks are cached in memory the same way as traditional non-encrypted data blocks.
Oracle Advanced Security cont'd
• Built-in two-tier management architecture
o Consists of:
 Master encryption key and one or more data encryption keys
 TDE master encryption key is used to encrypt and protect the data encryption key
• Provides standards-based network encryption
o Protects communication to and from the Oracle Database
o Connections can be rejected from clients that have
encryption turned off
• Strong protection for database backups
o Remains encrypted
 RMAN
Where should businesses
use encryption?
• Hard drives
• Individual files
• Laptops
• File transfers
• E-mail
• IM
Data Encryption Pros
• Data remains separate from the device
security where it is stored
• No data breaching
• Data is secure regardless of how it is
transmitted
• Confidentiality
Data Encryption Cons
• Encryption keys are difficult to maintain
• Expensive to maintain
• Compatibility with existing programs can
be tricky
Encryption Limitations
• NO perfect software
• Forgotten passwords
• Reliability
• Support
DBMS Implementation
• Businesses today use a combination of all
tools
o Firewalls
o Intrusion detection systems
o Access control
o Auditing
o Authorization
o Encryption
Conclusion
• No one tool by itself can do it all.
• You need LAYERS of security!
• Any Questions?