Database Security Overview
Blake Middleton
CSE 7330 – Fall 2009
Protecting a Critical Resource
Banking/Financial Records
Medical Records
Inventory
Customer Information
Personnel Records
Student Records
Threats to Data
Copy
Destroy
Modify
“Securing the Database may be the single biggest
action an organization can take to protect its
assets.” – David Knox
Results of an “Incident”
Loss of reputation
Loss of $$$
Lawsuits (more loss of $)
TJX – 45M credit/debit cards, $256M as of 8/2007
– Boston Globe Online
General Security Goals - CIAA
Confidentiality
Integrity
Availability
Authentication
Threat Sources
• External
  • fame or gain
• Internal
  • gain or revenge
Big Picture
• Physical security
• Network security
• Operating System Security
• Application Security
• DBMS (yes, these have vulnerabilities too)
Access Control
Data Control Language – DCL
GRANT priv ON object TO user [WITH GRANT OPTION]
REVOKE priv ON object FROM user
Examples
Table Level Privileges:
GRANT INSERT, UPDATE ON Students TO fred
GRANT DELETE ON Students TO sam WITH GRANT OPTION
GRANT ALL ON Students TO barney
REVOKE INSERT ON Students FROM fred
Examples
Column Level: (Select and Update)
GRANT UPDATE (address) ON Students TO fred
Examples
Object privileges:
GRANT CREATE TABLE TO fred
Oracle Virtual Private Database (VPD)
Provides row-level security
Presents partial view of tables based on policies
VPD - Examples
Restrict user to only see courses from CSE
User:
SELECT * FROM Courses;
Executed:
SELECT * FROM Courses
WHERE department = 'CSE';
source – Oracle Database 10g Top 20 DBA Features
VPD – Examples – Selective Columns
Restrict user to only see students with GPA above 3.0

ID   Name   GPA
100  Jones  3.1
101  Smith  2.6
102  Smart  4.0

SELECT * FROM Students;   -- Will return rows 1 and 3
SELECT COUNT(*) FROM Students;   -- Will return 2
source – Oracle Database 10g Top 20 DBA Features
VPD – Examples – Column Masking
Restrict user to only see GPA values above 3.0

ID   Name   GPA
100  Jones  3.1
101  Smith  2.6
102  Smart  4.0

SELECT * FROM Students;

ID   Name   GPA
100  Jones  3.1
101  Smith  <null>
102  Smart  4.0
source – Oracle Database 10g Top 20 DBA Features
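The two VPD behaviours above (row filtering, then column masking) simulated end to end; this is an added example, not part of the slides or of Oracle's VPD. It assumes SQLite in place of Oracle, the three constructed Students rows from the slide, and a hypothetical `vpd_query` that appends the policy predicate by string rewriting where real VPD does it inside the server via a DBMS_RLS policy function.

```python
import re
import sqlite3

# Constructed sample data, matching the rows on the slide.
STUDENTS = [(100, "Jones", 3.1), (101, "Smith", 2.6), (102, "Smart", 4.0)]


def setup():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Students (id INTEGER, name TEXT, gpa REAL)")
    con.executemany("INSERT INTO Students VALUES (?, ?, ?)", STUDENTS)
    return con


def gpa_policy(schema, table):
    """Policy function in the shape VPD uses (schema, object) -> predicate string.
    Only rows with GPA above 3.0 are visible to the caller."""
    return "gpa > 3.0"


def vpd_query(con, sql, policy):
    """Hypothetical stand-in for row-level VPD: rewrite the statement so the
    policy predicate is ANDed into its WHERE clause, then execute it."""
    predicate = policy("app", "Students")
    body = sql.strip().rstrip(";")
    # Keep trailing clauses after the predicate so it lands in WHERE, not after ORDER BY.
    m = re.search(r"\s+(GROUP BY|ORDER BY|LIMIT)\s", body, re.IGNORECASE)
    head, tail = (body[:m.start()], body[m.start():]) if m else (body, "")
    joiner = " AND " if re.search(r"\sWHERE\s", head, re.IGNORECASE) else " WHERE "
    rewritten = f"{head}{joiner}({predicate}){tail}"
    return con.execute(rewritten).fetchall()


def column_masking_view(con):
    """Column masking: every row is returned, but GPA is NULL where the policy fails.
    A view is the portable way to get this (cf. 'Use views' under Good Practices)."""
    con.execute("""CREATE VIEW IF NOT EXISTS Students_masked AS
        SELECT id, name, CASE WHEN gpa > 3.0 THEN gpa END AS gpa FROM Students""")
    return con.execute("SELECT * FROM Students_masked ORDER BY id").fetchall()


def demo():
    con = setup()
    rows = vpd_query(con, "SELECT * FROM Students;", gpa_policy)          # rows 1 and 3
    count = vpd_query(con, "SELECT COUNT(*) FROM Students;", gpa_policy)[0][0]  # 2
    masked = column_masking_view(con)                                      # Smith's GPA is NULL
    return rows, count, masked


if __name__ == "__main__":
    print(demo())
```

The difference worth noticing is the COUNT(*) result: under row-level VPD the filtered rows are invisible even to aggregates, whereas column masking still reports all three rows.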
Oracle Label Security
Access based on:
data sensitivity labels
user label authorizations
Provides multi-level security capability
Oracle Label Security
Data Sensitivity Labels have 3 components
Level – required
Compartment – optional
Group – optional
A policy can have up to 999 levels and 9,999 groups and compartments
– Source: Oracle Label Security Best Practices White Paper
Oracle Label Security - Example
ID   SSN          DL_Num    Lname   Pol1_sec_lab
100  123-45-6789  09234554  Miller  Sensitive:PII:HR
101  234-56-6887  10854834  Arnold  Private:PII:HR
– Source: Oracle Label Security Best Practices White Paper
Inference
Simple example (from Viega & McGraw)
SELECT AVG(income) FROM customers
WHERE state = 'VA' OR
(city = 'Reno' AND state = 'NV' AND age = 72);
Followed by:
SELECT AVG(income) FROM customers
WHERE state = 'VA';
Neither query names an individual, yet if only one 72-year-old customer lives in Reno, the two averages (together with the matching row counts) reveal that one customer's income.
Good Practices
Use views
Use stored procedures
Keep up to date on patches
Limit privileges
Have a security policy and follow it
Encrypt sensitive data
Do audits/monitor employees
Regular security assessments
Enforce strong passwords
Future
• More data to protect
• More sophisticated attacks
• More emphasis on security education (hopefully)
Bibliography
• Alapati, S. R., & Kim, C. (2007). Oracle Database 11g: New Features for DBAs and Developers. Apress.
• Bauer, M. D. (2005). Linux Server Security (2nd ed.). O'Reilly Media, Inc.
• Defense Information Systems Agency. (2007, Sep. 19). Security Technical Implementation Guides. Retrieved Oct 26, 2009, from http://iase.disa.mil/stigs/stig/database-stig-v8r1.zip
• Knox, D. (2004). Effective Oracle Database 10g Security by Design. McGraw-Hill.
• Litchfield, D., Anley, C., Heasman, J., & Grindlay, B. (2005). The Database Hacker's Handbook: Defending Database Servers. Wiley.
• Mullins, C. S. (2002). Database Administration: The Complete Guide to Practices and Procedures. Addison-Wesley Professional.
• Needham, P. (2008). Oracle Label Security Best Practices. Oracle.
• Oracle. (n.d.). Oracle Database 10g Top 20 DBA Features. Retrieved Oct 26, 2009, from http://www.oracle.com/technology/pub/articles/10gdba/week14_10gdba.html
• Pfleeger, C. P., & Pfleeger, S. L. (2006). Security in Computing (4th ed.). Prentice Hall.
• Viega, J., & McGraw, G. (2002). Building Secure Software. Addison-Wesley Professional.