Database Security o Data is a valuable resource, as with any corporate resource. o May have strategic importance => needs to be kept secure and confidential. Security o Protection against intentional or unintentional threats using computer-based or non-computerbased controls. Security - 1 Security - 2 Database Security Summary of Threats to Computer Systems Involves measures to avoid: o Theft and fraud o Loss of confidentiality (secrecy) o Loss of privacy o Loss of integrity o Loss of availability Security - 3 CS3462 Introduction to Database Systems Helena Wong, 2001 Security - 4 Countermeasures – Computer-Based Controls o Authorization Typical Multi-user Computer Environment o Views o Backup and recovery o Integrity o Encryption o Associated procedures Security - 5 Countermeasures – Computer-Based Controls o Associated procedures Security - 6 Countermeasures – Non-Computer-Based Controls o Using policies, agreements, and other administrative controls: – Authorization and Authentication – Security policy and contingency plan – Backup – Personnel controls – Recovery – Secure positioning of equipment – Audit – Escrow agreements – Installation of new application software – Maintenance agreements – Installation/upgrading of system software – Physical access controls Security - 7 CS3462 Introduction to Database Systems Helena Wong, 2001 Security - 8 Authorization - User and Group Identifiers Authorization - Access Control Matrix Security - 9 Security - 10 Security Policy Coverage Contingency Plan Coverage o The area of the business it covers. o Key personnel and how to contact. o Responsibilities and obligations of employees. o Who decides contingency exists. o The disciplinary action that will result from breaches of the policy. o Technical requirements of transferring operations to other site(s). o Procedures that must be followed. o Operational requirements of transferring operations to other site(s). o Any important external contacts. o Whether insurance exists to cover situation. Security - 11 CS3462 Introduction to Database Systems Helena Wong, 2001 Security - 12 Escrow Agreement PC Security o Legal contract concerning software, made between developers and clients, whereby a third party holds the source code for the client’s applications. o Moved easily and normally located on employees’ desks - often no special access controls. o Security includes o Client can acquire source code if developer goes out of business, and ensures that the client is not left with non-maintainable systems. – Use of keyboard lock. – Use of user identifier and/or password. – Procedures to control access to floppy discs. o Often overlooked and under-managed. – Procedures to reduce risk of virus infection. Security - 13 Database and Web Security Measures Examples: o Proxy servers o Firewalls o Digital signatures o Digital certificates Security - 15 CS3462 Introduction to Database Systems Helena Wong, 2001 Security - 14