Database Security

Database Security
o Data is a valuable resource, as with any corporate resource.
o May have strategic importance => needs to be kept secure and confidential.
Security
o Protection against intentional or unintentional threats using computer-based or non-computer-based controls.
Database Security
(Figure: Summary of Threats to Computer Systems)
Involves measures to avoid:
o Theft and fraud
o Loss of confidentiality (secrecy)
o Loss of privacy
o Loss of integrity
o Loss of availability
CS3462 Introduction to Database Systems
Helena Wong, 2001
Countermeasures – Computer-Based Controls
o Authorization
o Views
o Backup and recovery
o Integrity
o Encryption
o Associated procedures
(Figure: Typical Multi-user Computer Environment)
Countermeasures – Non-Computer-Based Controls
o Using policies, agreements, and other administrative controls:
– Authorization and Authentication
– Security policy and contingency plan
– Backup
– Personnel controls
– Recovery
– Secure positioning of equipment
– Audit
– Escrow agreements
– Installation of new application software
– Maintenance agreements
– Installation/upgrading of system software
– Physical access controls
Authorization - User and Group Identifiers
(Figure: user and group identifiers)
Authorization - Access Control Matrix
(Figure: access control matrix of subjects, objects and privileges)
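The two authorization slides above can be tied together in code: an access control matrix whose subjects are user and group identifiers, consulted before a query runs against a base table or a column-restricting view (the "Views" countermeasure). This is an added example, not code from the lecture; the Staff table, the Staff_Public view, the subjects and the privileges are all constructed for illustration.

```python
import sqlite3

# Constructed sample schema: a Staff table and a view that hides the salary
# column, so a subject granted SELECT only on the view never sees salaries.
SCHEMA = """
CREATE TABLE Staff(id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
INSERT INTO Staff VALUES (1, 'Ann', 52000), (2, 'Ben', 61000);
CREATE VIEW Staff_Public AS SELECT id, name FROM Staff;
"""
OBJECTS = {"Staff", "Staff_Public"}  # objects that exist in the schema above

# Access control matrix (constructed): subject -> object -> set of privileges.
# A subject is either a user identifier or a group identifier.
MATRIX = {
    "alice": {"Staff": {"SELECT", "UPDATE"}},
    "hr_group": {"Staff": {"SELECT"}},
    "sales_group": {"Staff_Public": {"SELECT"}},
}
# Group membership (constructed): user identifier -> group identifiers.
GROUPS = {"alice": {"sales_group"}, "bob": {"sales_group"}, "carol": set()}


def effective_privileges(user, obj):
    """Union of the user's own matrix cell and the cells of its groups."""
    privs = set(MATRIX.get(user, {}).get(obj, set()))
    for group in GROUPS.get(user, set()):
        privs |= MATRIX.get(group, {}).get(obj, set())
    return privs


def is_authorized(user, obj, privilege):
    """Default deny: unknown user, object or privilege yields False."""
    return privilege in effective_privileges(user, obj)


def read_rows(user, obj):
    """Return all rows of obj if the matrix grants SELECT, otherwise None."""
    if not is_authorized(user, obj, "SELECT"):
        return None
    # Table/view names cannot be bound as SQL parameters, so only names
    # from the known schema are ever interpolated into the statement.
    if obj not in OBJECTS:
        return None
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = conn.execute(f'SELECT * FROM "{obj}"').fetchall()
    conn.close()
    return rows
```

bob inherits SELECT on Staff_Public through sales_group and sees names but no salaries, while his request for the Staff base table is refused outright.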
Security Policy Coverage
o The area of the business it covers.
o Responsibilities and obligations of employees.
o The disciplinary action that will result from breaches of the policy.
o Procedures that must be followed.
Contingency Plan Coverage
o Key personnel and how to contact.
o Who decides contingency exists.
o Technical requirements of transferring operations to other site(s).
o Operational requirements of transferring operations to other site(s).
o Any important external contacts.
o Whether insurance exists to cover situation.
Escrow Agreement
o Legal contract concerning software, made between developers and clients, whereby a third party holds the source code for the client's applications.
o Client can acquire source code if developer goes out of business, and ensures that the client is not left with non-maintainable systems.
PC Security
o Moved easily and normally located on employees' desks - often no special access controls.
o Often overlooked and under-managed.
o Security includes
– Use of keyboard lock.
– Use of user identifier and/or password.
– Procedures to control access to floppy discs.
– Procedures to reduce risk of virus infection.
Database and Web Security Measures
Examples:
o Proxy servers
o Firewalls
o Digital signatures
o Digital certificates