Database Security
CHAPTER 8

SQL Data Control Language
◦ SQL has an authorization sublanguage, the Data Control Language, that includes statements to grant privileges to and revoke privileges from users.
◦ A privilege is an action, such as creating, executing, reading, updating, or deleting, that a user is permitted to perform on database objects.
◦ The UPDATE privilege can be made more restrictive by specifying a column list in parentheses after the word UPDATE, restricting the user to updating only certain columns, as in:
    GRANT UPDATE ON Student(major) TO U101;
◦ The optional WITH GRANT OPTION clause gives the newly authorized user(s) permission to pass the same privileges on to others. For example, we could write:
    GRANT SELECT, INSERT, UPDATE ON Student TO U101, U102, U103 WITH GRANT OPTION;
Users U101, U102, and U103 would then be permitted to write SQL SELECT, INSERT, and UPDATE statements for the Student table, and to pass that permission on to other users.

Revoke
For example, for U101, to whom we previously granted SELECT, INSERT, and UPDATE on Student with the grant option, we could remove some privileges by writing this:
    REVOKE INSERT ON Student FROM U101;
This revokes U101's ability both to insert Student records and to authorize others to insert Student records. We can revoke just the grant option, without revoking the insert itself, by writing this:
    REVOKE GRANT OPTION FOR INSERT ON Student FROM U101;

Security in Oracle
Security Features
Security features include facilities for all of the following activities:
◦ Management of user accounts. User accounts can be created, user rights defined, and password and profile policies set up in several ways. Strong passwords can be enforced. User views, user privileges, and roles can be used to limit user access to data.
◦ Authentication of users can be performed for the database from the operating system level and from a network.
◦ Application security policies can be set for all applications that access the database.
◦ Privilege analysis allows the DBA to identify privileges that are being used, track the source of the privileges, and identify privileges that are not being used. This information can be used to tighten security.
◦ User session information for applications. Information such as the user name and location can be gathered automatically and used to control the user's access through an application.
◦ Virtual Private Database (VPD) is an additional level of security that can be used to control access at the row and column level.
◦ Data redaction is a method of masking data at run time, when queries are executed. Some or all of the characters are hidden or replaced in the result set. For example, only the last four digits of a Social Security number or a credit card number may be displayed. Redaction is often done to comply with regulations such as PCI DSS or SOX.
◦ Transparent sensitive data protection can be used as a method of identifying and protecting all columns that hold sensitive data, even across several databases. Once identified, the columns may be protected using VPD or data redaction.
◦ Network data encryption can be performed automatically or manually using the DBMS_CRYPTO PL/SQL package. Oracle Net Services can be configured to provide data encryption and integrity on servers and clients. Thin Java Database Connectivity (JDBC) clients can be configured for secure connections to databases.
◦ Strong authentication. Available industry-standard authentication methods include centralized authentication and single sign-on, Secure Sockets Layer (SSL), Remote Authentication Dial-In User Service (RADIUS), and Kerberos.

Security Tools
Oracle Database Configuration Assistant has options to create, configure, or delete databases and other operations, including setting an audit policy.
Oracle Enterprise Manager is a Web-based facility that offers options for granting and revoking privileges.
The DBA has to log in initially using a privileged account such as SYSTEM to the Oracle Database home page to access the Enterprise Manager. To create user accounts from there, the DBA can choose the Administration icon, then Users, then Create. The DBA fills in the new user name and password, enters a temporary password, and can choose to have the password expire immediately.

Database Security and the Internet
A proxy server is a computer or program that acts as an intermediary between a client and another server, handling messages in both directions.
◦ When the client requests a service such as a connection or Web page, the proxy evaluates it and determines whether it can fulfill the request itself.
◦ If not, it filters the request, perhaps altering it, and requests the service from the server or other resource.

Database Security and the Internet
A firewall is a hardware and/or software barrier that is used to protect an organization's internal network (intranet) from unauthorized access. Various techniques are used to ensure that messages entering or leaving the intranet comply with the organization's standards.
◦ For example, a proxy server can be used to hide the actual network address.
◦ Another technique is a packet filter, which examines each packet of information before it enters or leaves the intranet, making sure it complies with a set of rules.
◦ Various gateway techniques can apply security mechanisms to applications or connections.

Database Security and the Internet
Digital signatures use a double form of public-key encryption to create secure two-way communications that cannot be repudiated.
◦ A digital signature allows a user to verify the authenticity of the person they are communicating with, and provides a means to prove that a message must have come from that person and that it has not been tampered with in transmission.
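Returning to the Data Control Language section above, the following script is an added example (not the chapter's own code) that puts the GRANT and REVOKE statements together under a least-privilege design: a read-only role, a role limited to updating one column, a delegated INSERT, and the cascading revoke that removes the delegated privilege. The role and user names are constructed; the CASCADE/RESTRICT keywords on REVOKE are standard SQL as implemented by PostgreSQL, whereas Oracle cascades object-privilege revokes automatically.

```sql
-- Added example, not from the chapter. Constructed Student table;
-- users U101..U104 are assumed to exist already.
CREATE TABLE Student (
    sid    INTEGER PRIMARY KEY,
    name   VARCHAR(60) NOT NULL,
    major  VARCHAR(30),
    gpa    NUMERIC(3,2)
);

-- Least privilege: grant to roles, then put users into roles.
CREATE ROLE student_reader;   -- reporting: read only
CREATE ROLE advisor;          -- may change a student's major, nothing else

GRANT SELECT ON Student TO student_reader;

GRANT SELECT ON Student TO advisor;
-- Column-level UPDATE. The slides write "UPDATE ON Student(major)";
-- PostgreSQL and Oracle place the column list after UPDATE.
GRANT UPDATE (major) ON Student TO advisor;

GRANT student_reader TO U102, U103;
GRANT advisor TO U101;

-- A direct grant that U101 is allowed to pass on.
GRANT INSERT ON Student TO U101 WITH GRANT OPTION;

-- Later, connected as U101, the privilege is delegated:
--   GRANT INSERT ON Student TO U104;
-- U104's INSERT now depends on U101's grant.

-- Plain "REVOKE INSERT ON Student FROM U101" (RESTRICT is the default)
-- fails here because a dependent grant to U104 exists; CASCADE removes
-- both U101's INSERT and the INSERT it delegated to U104.
REVOKE INSERT ON Student FROM U101 CASCADE;

-- Alternative: keep U101's INSERT but stop further delegation
-- (also cascading to the grant U101 already made).
-- REVOKE GRANT OPTION FOR INSERT ON Student FROM U101 CASCADE;
```

Checking the resulting rights afterwards (for example, PostgreSQL's has_table_privilege() or Oracle's DBA_TAB_PRIVS view) is the practical way to confirm that the revoke reached U104 as well.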
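For the data redaction feature listed under Security in Oracle above, this added example (not the chapter's own code) declares an Oracle Data Redaction policy that displays only the last four digits of a Social Security number at query time, as the slide describes. The HR.EMPLOYEES table, its SSN column and the HR_ADMIN user are constructed for the example; DBMS_REDACT.ADD_POLICY and DBMS_REDACT.PARTIAL are the documented Oracle API, and the block must be run by a user with EXECUTE on DBMS_REDACT.

```sql
-- Added example, not from the chapter. Table, column and user names are constructed.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    policy_name         => 'redact_ssn_pol',
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    -- Partial redaction parameters: input format, output format, mask
    -- character, first and last position to mask. V = a character that is
    -- kept or masked, F = fixed separator. 123-45-6789 displays as ***-**-6789.
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    -- Redact for every session except the HR administrator's own.
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''HR_ADMIN'''
  );
END;
/

-- Redaction changes only what a query returns; the stored value is unchanged,
-- so it complements (rather than replaces) access control on the table.
SELECT name, ssn FROM HR.EMPLOYEES;   -- as an ordinary user: ***-**-6789
```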