Course: Web Database
Year: 2008

Web Database Security
Session 12 & 13

Last Session Review:
• Overview of Transactions
• Incomplete or Abandoned Transactions
• Problems in Transactions
• Locking and Deadlock
• Web Database Transactions

Agenda:
• Overview of Security
• Database Security
• Web Security
• Client Security
• Efficiency vs Security
• Review of Sessions 8 - 13

Objectives:
• Students understand security in the database, the web and the client
• Students can choose which type of security to implement in their web database application
• Students can analyse the balance between efficiency and security

Overview of Security
• Why do we need security?
– To ensure the integrity of the database as a whole
– To protect it so that it keeps working
– To ensure that anyone without access rights cannot reach the data
• Types of security in a web database application:
– Database Security
– Web Security
– Client Security

Database Security
• What is database security?
– The mechanisms that protect the database against intentional or accidental threats
• Database security protects data from:
– Theft and fraud
– Loss of confidentiality (secrecy)
– Loss of privacy
– Loss of integrity
– Loss of availability

Database Security (cont.)
• What is a threat?
– Any situation or event, whether intentional or accidental, that may adversely affect a system and consequently the organization
• Sources of threats:
– Hardware
– DBMS and application software
– Communication networks
– Internet
– People:
• Users
• Programmers/operators
• Data/database administrators

Database Security (cont.)
• Techniques for database security:
– Authentication and authorization
– Access controls
– Views
– Backup and recovery
– Integrity
– Encryption
– RAID technology

Database Security (cont.)
• Case study for database security
The Finance Department is really concerned about its financial data. Just a few weeks ago there was a security breach. A former employee logged in to the database server, then stole and changed valuable financial data. Please explain how this situation could have been prevented, and how the previous data can be restored.

Web Security
• What is web security?
– The mechanisms that protect all transactions made over the web
• Web security challenges:
– Ensuring a message is inaccessible to anyone but the sender and receiver (privacy)
– Ensuring it has not been changed during transmission (integrity)
– Ensuring the receiver can be sure it came from the sender (authenticity)
– Ensuring the sender can be sure the receiver is genuine (non-fabrication)
– Ensuring the sender cannot deny having sent it (non-repudiation)
• Three main areas in web security:
– The identities of those involved
– No one else can access the data
– No one can tamper with the data

Web Security (cont.)
• Techniques for web security:
– Proxy servers
– Firewalls
– Message digest algorithms and digital signatures
– Digital certificates
– Kerberos
– Secure Sockets Layer and Secure HTTP
– Secure Electronic Transaction and Secure Transaction Technology
– Java security
– ActiveX security

Web Security (cont.)
• Case study for web security
A web database application allows users to enter the name of a product. This text is then appended to the following SQL:
select * from products where productname=“”
Explain the risk of this code. Describe precautions that could be taken to avoid it.

Client Security
• Information transmitted to the client's machine may contain executable content that can:
– Corrupt data or the execution state of programs
– Reformat complete disks
– Perform a total system shutdown
– Collect and download confidential data or the user's identity, and impersonate the user to attack other targets on the network
– Lock up resources
– Cause non-fatal but unwelcome effects

Client Security (cont.)
• We have to ensure that:
– The browser operates in a “sandbox”, where it cannot reach or reveal anything about the system beyond it
– It does not disrupt the client
– A web system has only a strictly limited opportunity to write to the client's file system (cookies)

Efficiency vs Security
• Increasing security may decrease efficiency
• Find the balance between security and efficiency
– How much efficiency do you want?
– How much do you want to protect your data?

Review of Sessions 8 - 13
• Web Database Implementation
• Web Database Transactions
• Web Database Security

Summary
• Security is very important to a web database
• We should add security while keeping our efficiency

End of Web Database Security
Thank you
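Returning to the web security case study above: the added example below (not part of the lecture) uses an in-memory SQLite table named products and assumes the slide's quotes are SQL string quotes. It shows that pasting user text into the statement lets that text change the statement's structure, while a parameterised query keeps the text as a plain value.

```python
import sqlite3

# Constructed sample rows standing in for the lecture's "products" table.
SAMPLE_PRODUCTS = [("Keyboard", 25.0), ("O'Reilly Book", 40.0), ("Mouse", 15.0)]


def setup_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (productname TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def unsafe_query(name):
    """Build the SQL the way the slide describes: the user's text is pasted
    between the quotes, so whatever they type becomes part of the SQL itself."""
    return "select * from products where productname='" + name + "'"


def lookup_unsafe(conn, name):
    """Run the concatenated statement; return rows, or the error text if the
    input broke (i.e. altered) the statement. A quote in the input is enough."""
    try:
        return conn.execute(unsafe_query(name)).fetchall()
    except sqlite3.Error as exc:
        return "SQL error: " + str(exc)


def lookup_safe(conn, name):
    """Parameterised query: the driver binds `name` as a value, never as SQL
    text, so quotes or keywords in the input cannot change the statement."""
    sql = "select * from products where productname = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    for product in ("Keyboard", "O'Reilly Book"):
        print("unsafe:", lookup_unsafe(db, product))
        print("safe:  ", lookup_safe(db, product))
```

For well-formed input both lookups return the same row; for a name containing an apostrophe the concatenated version fails because the input has rewritten the SQL, which is exactly the opening an attacker exploits, whereas the parameterised version simply returns the matching row.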