Download Database Security Overview

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
Document related concepts

Concurrency control wikipedia , lookup

Relational model wikipedia , lookup

Microsoft Jet Database Engine wikipedia , lookup

Database wikipedia , lookup

Database model wikipedia , lookup

Clusterpoint wikipedia , lookup

ContactPoint wikipedia , lookup

Oracle Database wikipedia , lookup

Transcript 
Database Security Overview
Blake Middleton
CSE 7330 – Fall 2009
Protecting a Critical Resource
Banking/Financial Records
Medical Records
Inventory
Customer Information
Personnel Records
Student Records
Threats to Data
Copy
Destroy
Modify
“Securing the Database may be the single biggest
action an organization can take to protect its
assets.” – David Knox
Results of an “Incident”
Loss of reputation
Loss of $$$
Lawsuits (more loss of $)
TJX – 45M credit/debit cards,
$256M as of 8/2007
-Boston Globe Online
General Security Goals - CIAA
Confidentiality
Integrity
Availability
Authentication
Threat Sources
• External
• fame or gain
• Internal
• gain or revenge
Big Picture
•
•
•
•
•
Physical security
Network security
Operating System Security
Application Security
DBMS (yes, these have vulnerabilities too)
Access Control
Data Control Language – DCL
GRANT priv ON object TO user [WITH GRANT OPTION]
REVOKE priv ON object FROM user
Examples
Table Level Privileges:
GRANT INSERT, UPDATE ON Students TO fred
GRANT DELETE ON Students TO sam WITH GRANT OPTION
GRANT ALL ON Students TO barney
REVOKE INSERT ON Students FROM fred
Examples
Column Level: (Select and Update)
GRANT UPDATE ON Students (address) TO fred
Examples
Object privileges:
GRANT CREATE table TO fred
Oracle Virtual Private Database (VPD)
Provides row-level security
Presents partial view of tables based on policies
VPD - Examples
Restrict user to only see courses from CSE
User:
SELECT * FROM Courses;
Executed:
SELECT * FROM Courses
WHERE department = ‘CSE’;
source – Oracle Database 10g Top 20 DBA Features
VPD – Examples – Selective Columns
Restrict user to only see students with GPA above 3.0
ID
Name
GPA
100
Jones
3.1
101
Smith
2.6
102
Smart
4.0
SELECT * FROM Students;
--Will return rows 1 and 3
SELECT COUNT(*) FROM Students; --Will return 2
source – Oracle Database 10g Top 20 DBA Features
VPD – Examples – Column Masking
Restrict user to only see GPA values above 3.0
ID
Name
GPA
100
Jones
3.1
101
Smith
2.6
102
Smart
4.0
SELECT * FROM Students;
ID
Name
GPA
100
Jones
3.1
101
Smith
<null>
102
Smart
4.0
source – Oracle Database 10g Top 20 DBA Features
Oracle Label Security
Access based on:
data sensitivity labels
user label authorizations
Provides multi-level security capability
Oracle Label Security
Data Sensitivity Labels have 3 components
Level – required
Compartment – optional
Group - optional
A policy can have up to 999 levels and 9,999 groups and
compartments
-Source Oracle Label Security Best Practices White Paper
Oracle Label Security - Example
ID
SSN
DL_Num
Lname
Pol1_sec_lab
100
123-45-6789
09234554
Miller
Sensitive:PII:HR
101
234-56-6887
10854834
Arnold
Private:PII:HR
-Source Oracle Label Security Best Practices White Paper
Inference
Simple example (from Viega & McGraw)
SELECT AVG(income) FROM customers
WHERE state = “VA” OR
(city = “Reno” AND state = “NV” AND age = 72);
Followed by:
SELECT AVG(income) FROM customers
WHERE state = “VA”;
Good Practices
Use views
Use stored procedures
Keep up to date on patches
Limit privileges
Have a security policy and follow it
Encrypt sensitive data
Do audits/monitor employees
Regular security assessments
Enforce strong passwords
Future
• More data to protect
• More sophisticated attacks
• More emphasis on security education
(hopefully)
Bibliography
•
•
•
•
•
•
•
•
•
•
Alapati, S. R., & Kim, C. (2007). Oracle Database 11g: New Features for DBAs and Developers.
Apress.
Bauer, M. D. (2005). Linux Server Security (2nd ed.). O'Reilly Media, Inc.
Defense Information Systems Agency. (2007, Sep. 19). Security Technical Implementation
Guides. Retrieved Oct 26, 2009, from http://iase.disa.mil/stigs/stig/database-stig-v8r1.zip
Knox, D. (2004). Effective Oracle Database 10g Security by Design. McGraw-Hill.
Litchfield, D., Anley, C., Heasman, J., & Grindlay, B. (2005). The Database Hacker's Handbook:
Defending Database Servers. Wiley.
Mullins, C. S. (2002). Database Administration: The Complete Guide to Practices and
Procedures. Addison-Wesley Professional.
Needham, P. (2008). Oracle Label Security Best Practices. Oracle.
Oracle. (n.d.). Oracle Database 10g Top 20 DBA Features. Retrieved 10 26, 2009, from
http://www.oracle.com/technology/pub/articles/10gdba/week14_10gdba.html
Pfluger, C. P., & Lawrence, S. (2006). Security in Computing (4th ed.). Prentice Hall.
Viega, J., & McGraw, G. (2002). Building Secure Software. Addison-Wesley Professional.
Related documents
Big Data Gives Artificial Intelligence Something to Think About
Big Data Gives Artificial Intelligence Something to Think About
Slide 1
Slide 1
Oracle10g - International Oracle on z Systems SIG Conference 2015
Oracle10g - International Oracle on z Systems SIG Conference 2015
Lab PowerPoint - Personal Web Pages
Lab PowerPoint - Personal Web Pages
Database Modeling and Implementation
Database Modeling and Implementation
Database Administrator
Database Administrator
Jerry Held
Jerry Held
Info
Info
post conditional offer contingencies
post conditional offer contingencies
Oracle Application Express
Oracle Application Express
Oracle vs. SQL Server
Oracle vs. SQL Server
Database Administrator - Santa Barbara City College
Database Administrator - Santa Barbara City College