Download chap16

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
Document related concepts

Extensible Storage Engine wikipedia , lookup

Concurrency control wikipedia , lookup

Functional Database Model wikipedia , lookup

Database wikipedia , lookup

Microsoft Jet Database Engine wikipedia , lookup

Relational model wikipedia , lookup

Clusterpoint wikipedia , lookup

Database model wikipedia , lookup

ContactPoint wikipedia , lookup

Transcript 
Chapter 16
Security
Chapter 16 - Objectives
 The
scope of database security.
 Why database security is a serious concern
for an organization.
 The type of threats that can affect a database
system.
 How to protect a computer system using
computer-based controls.
 How to protect a computer system using
non-computer-based controls.
 The purpose and main stages of risk
analysis.
 The purpose of data protection and privacy
laws.
2
Database Security
 Data
is a valuable resource that must be
strictly controlled and managed, as with any
corporate resource.
 Part or all of the corporate data may have
strategic importance and therefore needs to
be kept secure and confidential.
 Protection of the database against
intentional or unintentional threats using
computer-based or non-computer-based
controls.
 Security considerations do not only apply to
the data held in a database. Breaches of
security may affect other parts of the
system, which may in turn affect the
database.
4
Database Security
Involves measures to avoid:
 Theft and fraud
 Loss of confidentiality (secrecy)
 Loss of privacy
 Loss of integrity
 Loss of availability
 Threat
–
Any situation or event, whether
intentional or unintentional, that
will adversely affect a system and
consequently an organization.
6
Examples of Threats
8
Summary of Threats to Computer
Systems
9
Typical Multi-user Computer
Environment
10
Countermeasures – Computer-Based
Controls
 Authorization
 Views
 Backup
and recovery
 Integrity
 Encryption
 Associated procedures
11
Countermeasures – Computer-Based
Controls



Authorization
– The granting of a right or privilege, which
enables a subject to legitimately have access to a
system or a system’s object.
Authentication
– A mechanism that determines whether a user is,
who he or she claims to be.
View
– Is the dynamic result of one or more relational
operations operating on the base relations to
produce another relation.
A view is a virtual relation that does not actually
exist in the database, but is produced upon
request by a particular user, at the time of
request.
12
Countermeasures – Computer-Based
Controls
 Backup
–
Process of periodically taking a copy of the
database and log file (and possibly programs)
to offline storage media.
 Journaling
–
Process of keeping and maintaining a log file
(or journal) of all changes made to database to
enable effective recovery in event of failure.
 Checkpointing
–
Point of synchronization between the database
and the transaction log file. All buffers are
force-written to secondary storage.
 Integrity
–
Prevents data from becoming invalid, hence
giving misleading or incorrect results.
14
Countermeasures – Computer-Based
Controls
 Encryption
–
The encoding of the data by a special
algorithm that renders the data
unreadable by any program without the
decryption key.
 Associated
Procedures
 Authorization and Authentication
 Backup
 Recovery
 Audit
 Installation of new application software
 Installation/upgrading of system software
16
Countermeasures – Non-ComputerBased Controls
 Concerned
with matters such as policies,
agreements, and other administrative
controls and includes:
– Security policy and contingency plan
– Personnel controls
– Secure positioning of equipment
– Escrow agreements
– Maintenance agreements
– Physical access controls
18
Authentication - User and Group Identifiers
Authentication – Access Control Matrix
19
Security Policy Coverage
 The
area of the business it covers.
 Responsibilities
and obligations of
employees.
 The
disciplinary action that will result
from breaches of the policy.
 Procedures
that must be followed.
21
Contingency Plan Coverage
 Key
personnel and how to contact.
 Who
decides contingency exists.
 Technical
requirements of transferring
operations to other site(s).
 Operational
requirements of transferring
operations to other site(s).
 Any
important external contacts.
 Whether
insurance exists to cover
situation.
22
Escrow Agreement
 Legal
contract concerning software,
made between developers and clients,
whereby a third party holds the source
code for the client’s applications.
 Client
can acquire source code if
developer goes out of business, and
ensures that the client is not left with
non-maintainable systems.
 Often
overlooked and under-managed.
23
Escrow Agreement Issues
 Type
of contents deposited.
 Update
process and the timing.
 Details
of any third party software used.
 Whether
verification of the deposit is
required.
 Conditions
governing the release of the
deposit.
 Details
of the release process.
24
PC Security
 Moved
easily and normally located on
employees’ desks - often no access
controls other than those that apply to
the building or area.
 Security
–
–
–
–
includes
Use of keyboard lock.
Use of user identifier and/or password.
Procedures to control access to floppy
discs.
Procedures to reduce risk of virus
infection.
25
Database and Web Security Measures
 Proxy
servers
 Firewalls
 Digital
signatures
 Message
digest algorithms and digital
signatures
 Digital
certificates
 Kerberos
 Secure
sockets layer (SSL) and Secure
HTTP (SHTTP)
26
Security in Statistical Databases
 Typically
used to generate statistical
information on various populations of
data.
 Details
of individual records should
remain confidential and not be accessible.
 Main
problem is how to assess whether
answers to legal queries can be used to
infer the answer to illegal queries.
27
Security Strategies in Statistical
Databases
 Preventing
queries on only few entries.
 Randomly
adding entries to query result
set to produce an error but approximates
to the true response.
 Using
only a random sample to answer
query.
 Maintaining
query profile and rejecting
queries that use a high number of records
identical to those used in previous
queries.
28
Stages of Risk Analysis
 Establish
a security team.
 Define
scope of analysis and obtain
system details.
 Identify
all existing countermeasures.
 Identify
and evaluate all assets.
 Identify
and assess all threats and risks.
 Select
countermeasures, undertake a
cost/benefit analysis, compare with
existing countermeasures.
 Make
 Test
recommendations.
security system.
29
Data Protection and Privacy Laws
 Concerns
personal data and rights of
individuals with respect to their personal
data.
 Legislation attempts to protect individuals
from abuse, and to enable organizations
(both public and private) to carry out their
lawful activities or duties.
 Privacy
– Right of an individual not to have
personal information collected, stored,
and disclosed either will fully or
indiscriminately.
 Data protection
– Protection of personal data from
unlawful acquisition, storage, and
disclosure, and provision of the
safeguards to avoid the destruction or
corruption of legitimate data
30
Related documents
jones, c - Computer Science
jones, c - Computer Science
Database Security (cont.)
Database Security (cont.)
Web server software
Web server software
Avian Influenza
Avian Influenza
Chap 6: DB Security File - e
Chap 6: DB Security File - e
Why we need IT security - Department of Computer Science and
Why we need IT security - Department of Computer Science and
Introduction to Databases - Department of Software and Information
Introduction to Databases - Department of Software and Information
Slide 1
Slide 1
Forms
Forms
Customer markets
Customer markets
Slides
Slides
Security
Security