Database Security - La Salle University

Database Security
Based on Chapter 18 in Database Systems, Connolly and Begg
CSC 240 (Blum)
1
Database As Asset
- The collection, organization and maintenance of data can be a difficult, time-consuming task.
- Thus, the information contained in a company’s database should be viewed as one of its assets.
- Thus the database needs to be protected as much as any other asset (if not more than other assets).
Security Policy
- Information must be seen as part of a company’s assets and thus worth securing.
- On the other hand, if the information is not accessible to an appropriate set of people, it is worthless.
- Thus security and accessibility must be balanced. There is no ideal blend that is right for all companies.
- An important step toward securing a network is to develop a security policy.
Security policy
- A security policy is a written document stating how a company intends to protect its information.
- While written, it must be flexible so it can adapt to changes in technology and so forth.
- A security policy might include:
  - A description of who has access to what information and for what use.
  - A description of security measures and the penalties for violating them.
  - An evaluation procedure.
  - A policy for educating users.
Security Aspects
- Some aspects of data security to address are:
  - Integrity: the data should be protected from corruption (accidental or intentional).
  - Availability: the data should be readily accessible by designated users.
  - Confidentiality: the company’s data should not be accessible by undesignated users.
  - Privacy: in some situations it is the user’s data that requires protecting.
  - Theft and Fraud: taking the information itself may be seen as theft, or altering the data may be a mechanism for theft.
Threat Assessment
- One should examine the database and the way it is used, looking for threats to the database.
- Threats are problems that might occur.
  - Threats may be intentional, for example, hackers.
  - Threats may be accidental, for example, a server going down.
Threat Examples
- Using another person’s means of access
- Unauthorized amendment or copying of data
- Program alteration
- Inadequate policies and procedures that allow a mix of confidential and normal output
- Wire tapping
- Illegal entry by hacker
- Blackmail
- Creating a ‘trapdoor’ into the system
- Theft of data, programs and equipment
- Failure of security mechanisms, giving greater access than normal
Threat Examples (Cont.)
- Staff shortages or strikes
- Inadequate staff training
- Viewing and disclosing unauthorized data
- Electronic interference and radiation
- Data corruption owing to power loss or surge
- Fire (electrical fault, lightning strike, arson), flood, bomb
- Physical damage to equipment
- Breaking cables or disconnection of cables
- Introduction of viruses
Threat Examples Diagram
Countermeasures
- Countermeasures are actions taken to prevent, oppose or retaliate for some specific action.
- Securing a database and the network it is on involves implementing countermeasures for the threats posed.
Countermeasure Diagram
Authorization
- Authorization: what a user (or application) is allowed to do, i.e. what privileges he or she has.
- Database actions:
  - SELECT: can query data
  - UPDATE: can change data
  - INSERT: can add new data
  - DELETE: can eliminate data
Encoding Privileges
- Each of these privileges is assigned one bit in a four-bit code:
  - SELECT: 0001
  - UPDATE: 0010
  - INSERT: 0100
  - DELETE: 1000
- The privileges can be assigned to a user field by field.
  - E.g. a given user may be permitted to insert a new employee record and update most of the employee fields but may not be permitted to update or even select (query) the salary field.
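The field-by-field privilege code above, worked through as an added example (this is not code from the slides or from Connolly and Begg): each (user, table, field) entry holds a four-bit code built from the SELECT/UPDATE/INSERT/DELETE bits, a statement touching several fields is allowed only if every field carries the needed bit, and a field with no entry is denied by default. The clerk scenario, the table and field names are constructed for the demonstration.

```python
# Added example: bit-encoded, per-field privileges (SELECT=0001, UPDATE=0010, INSERT=0100, DELETE=1000).
SELECT, UPDATE, INSERT, DELETE = 0b0001, 0b0010, 0b0100, 0b1000
NAMES = {SELECT: "SELECT", UPDATE: "UPDATE", INSERT: "INSERT", DELETE: "DELETE"}


class PrivilegeTable:
    """Maps (user, table, field) -> 4-bit privilege code. No entry means 0000 (nothing allowed)."""

    def __init__(self):
        self._codes = {}

    def grant(self, user, table, field, bits):
        key = (user, table, field)
        self._codes[key] = self._codes.get(key, 0) | bits       # set the requested bits

    def revoke(self, user, table, field, bits):
        key = (user, table, field)
        self._codes[key] = self._codes.get(key, 0) & ~bits & 0b1111  # clear them

    def code(self, user, table, field):
        return self._codes.get((user, table, field), 0)

    def allowed(self, user, action, table, fields):
        """A statement is allowed only if EVERY field it touches carries the action's bit.
        A field with no entry therefore blocks the whole statement (deny by default)."""
        return all(self.code(user, table, f) & action for f in fields)

    def describe(self, user, table, field):
        c = self.code(user, table, field)
        names = ",".join(n for b, n in NAMES.items() if c & b)
        return f"{c:04b} {names or 'NONE'}"


def hr_clerk_example():
    """Constructed scenario from the slide: the clerk may insert a new employee record and
    update most fields, but may neither update nor select the salary field."""
    p = PrivilegeTable()
    for field in ("emp_id", "name", "dept"):
        p.grant("clerk", "employee", field, SELECT | INSERT | UPDATE)
    p.grant("clerk", "employee", "salary", INSERT)  # salary may be set on a new record only
    return p


if __name__ == "__main__":
    p = hr_clerk_example()
    for field in ("emp_id", "name", "dept", "salary"):
        print(field, p.describe("clerk", "employee", field))
    print("update salary:", p.allowed("clerk", UPDATE, "employee", ["salary"]))
    print("insert record:", p.allowed("clerk", INSERT, "employee", ["emp_id", "name", "dept", "salary"]))
```

Checking all fields of a statement, rather than the first one, is the part that matters: a query such as `SELECT name, salary ...` must be refused as a whole, not partially answered.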
Authentication
- Authorization is meaningless without authentication.
- Authentication: the attempt to determine that a user is who he or she claims to be so the correct privileges can be granted.
  - Typically done using passwords, but may also involve biometric devices or possessed objects.
Views (Subschemas)
- A view is like a table in which only the data a user is allowed to see has been projected and/or selected out.
  - The chair can view some of the data fields (projection) on members of her department (selection).
- Views are generated dynamically from the tables involved.
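The chair's view, as an added example built with Python's sqlite3 module (not code from the slides): the view projects three columns and selects only the chair's department, the chair's application queries the view alone, and a row inserted into the base table afterwards shows up in the view because it is generated at query time. The employee table, its rows and the department name are constructed for the demonstration; the salary and SSN columns exist only to show what the view leaves out.

```python
import sqlite3


def build_demo_db():
    """Constructed sample data: an employee table and a view restricted to what the CS chair may see."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (emp_id INTEGER, name TEXT, dept TEXT, salary INTEGER, ssn TEXT);
        INSERT INTO employee VALUES (1, 'Ada', 'CS',   90000, '111-11-1111'),
                                    (2, 'Bob', 'CS',   70000, '222-22-2222'),
                                    (3, 'Cy',  'MATH', 80000, '333-33-3333');
        -- projection: only emp_id, name, dept; selection: only rows of the CS department
        CREATE VIEW cs_chair_view AS
            SELECT emp_id, name, dept FROM employee WHERE dept = 'CS';
    """)
    return conn


def chair_query(conn):
    """The chair's application queries only the view, never the base table."""
    return conn.execute("SELECT * FROM cs_chair_view ORDER BY emp_id").fetchall()


def view_columns(conn):
    """Column names the view exposes (PRAGMA table_info works on views in SQLite)."""
    return [row[1] for row in conn.execute("PRAGMA table_info(cs_chair_view)")]


def salary_hidden(conn):
    """Asking the view for salary fails: the column simply does not exist in the view."""
    try:
        conn.execute("SELECT salary FROM cs_chair_view")
        return False
    except sqlite3.OperationalError:
        return True


def view_is_dynamic(conn):
    """Views are generated from the base table at query time: a new CS hire appears at once."""
    before = len(chair_query(conn))
    conn.execute("INSERT INTO employee VALUES (4, 'Dee', 'CS', 65000, '444-44-4444')")
    return len(chair_query(conn)) == before + 1


if __name__ == "__main__":
    conn = build_demo_db()
    print(view_columns(conn), chair_query(conn))
    print("salary hidden:", salary_hidden(conn), "dynamic:", view_is_dynamic(conn))
```

SQLite has no GRANT statement, so here nothing stops a connection from reading `employee` directly; in a DBMS with privileges the chair's account would be granted SELECT on `cs_chair_view` only, and nothing on `employee`, which is what makes the view an access-control mechanism rather than a convenience.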
Backups
- A backup is a copy of a file or files, in our case database files. It is to be used if the original becomes damaged in some way.
  - The database should be restored to a “consistent state.”
  - A backup should be made on a separate medium (disk or tape) and preferably stored at a separate location.
Data vaulting
- Data vaulting (a.k.a. remote backup service, RBS) is the sending of data off premises so that it is protected from threats such as hardware failure, theft, etc.
- There are companies that provide this service. They compress, encrypt and periodically back up the customer's data, moving it to and storing it at their own location.
- These companies should have good security and reliable equipment.
Cloud Computing
- Many companies are currently coming to grips with the notion of “cloud computing”.
- Certain services, including aspects of maintaining a company’s database, can be handled by another company, with access to the data and/or computer power provided over the network on an “as needed” basis.
- One of the big issues is security. What does it mean for someone else to have your company’s data? Perhaps they are better at securing it than your company could be?
Log Files
- A log file is a record of the transactions performed on a database.
- There may have been transactions on the database since it was last backed up. The log file can be used to bring the backup database up to a more recent state.
- The keeping of a log file is also known as journaling.
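Bringing a backup forward with the log, as an added example (not code from the slides): the log is a constructed list of records, each with a log sequence number and the transaction it belongs to; a backup snapshot is taken after record 2; after a simulated crash the backup is restored and only the records written after the backup, and only those of transactions that actually committed, are re-applied, so the result is a consistent state. The key/value "database" and the record layout are simplifications chosen for this illustration.

```python
import copy

# Constructed transaction log (journal). T1 committed before the backup, T2 committed after it,
# and T3 wrote a record but never committed before the crash.
LOG = [
    {"lsn": 1, "txn": "T1", "op": "INSERT", "key": "acct:1", "value": 100},
    {"lsn": 2, "txn": "T1", "op": "COMMIT"},
    # --- full backup taken here: it captures everything up to lsn 2 ---
    {"lsn": 3, "txn": "T2", "op": "UPDATE", "key": "acct:1", "value": 150},
    {"lsn": 4, "txn": "T2", "op": "COMMIT"},
    {"lsn": 5, "txn": "T3", "op": "INSERT", "key": "acct:2", "value": 999},
]
BACKUP_LSN = 2  # highest log sequence number covered by the backup


def apply_record(db, rec):
    """Apply one log record to the (toy) database, a plain dict of key -> value."""
    if rec["op"] in ("INSERT", "UPDATE"):
        db[rec["key"]] = rec["value"]
    elif rec["op"] == "DELETE":
        db.pop(rec["key"], None)
    elif rec["op"] != "COMMIT":
        raise ValueError(f"unknown log operation {rec['op']!r}")


def take_backup(db):
    """The backup copy; a real system would write it to separate media."""
    return copy.deepcopy(db)


def roll_forward(backup, log, backup_lsn):
    """Restore the backup, then re-apply committed records newer than the backup.
    Records of transactions with no COMMIT in the log are skipped, so partial work is dropped."""
    db = copy.deepcopy(backup)
    committed = {r["txn"] for r in log if r["op"] == "COMMIT"}
    for rec in log:
        if rec["lsn"] <= backup_lsn:
            continue                      # already reflected in the backup
        if rec["txn"] in committed:
            apply_record(db, rec)
    return db


def recovery_demo():
    """Run the scenario: build the live database, back it up, keep running, crash, recover."""
    live = {}
    for rec in LOG:
        if rec["lsn"] <= BACKUP_LSN:
            apply_record(live, rec)
    backup = take_backup(live)            # {"acct:1": 100}
    for rec in LOG:
        if rec["lsn"] > BACKUP_LSN:
            apply_record(live, rec)       # includes T3's uncommitted insert
    del live                              # crash: only the backup and the log survive
    return backup, roll_forward(backup, LOG, BACKUP_LSN)


if __name__ == "__main__":
    backup, recovered = recovery_demo()
    print("backup:   ", backup)
    print("recovered:", recovered)
```

The check on `committed` is what makes the restored state "consistent" in the slide's sense: without it, T3's half-finished work would be replayed into the recovered database.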
Cryptography
- One way to secure data, be it in storage or in transit, is encryption.
- Encryption converts information in its usual readable form (called plaintext) to information in an encoded, unreadable form (called ciphertext).
- PGP (Pretty Good Privacy) program: a good encrypter that works with most email systems.
Encryption
- The data is stored or transmitted in binary (numerical) form.
- To encrypt data one applies some mathematical operation to it.
- The mathematical operation should have an inverse so that one can recover the original data (decrypt the message).
  - Reversible encoding
  - The mathematical operation often has a parameter (known as a key in encryption) which specifies the precise operation within a family of operations.
Caesar Shift Example
- The Caesar shift is an early form of encryption.
- The mathematical operation is addition.
- The key (parameter) is the amount added, e.g. 3.
  - CAT -> FDW (ASCII for C + 3 is ASCII for F)
- The inverse operation is subtraction, which uses the same key.
  - FDW -> CAT (ASCII for F - 3 is ASCII for C)
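The Caesar shift as an added example (not code from the slides): `caesar_ascii` is exactly the operation the slide describes, adding the key to each character's ASCII code, and `caesar` generalizes it to wrap around within the alphabet (mod 26) so that a shift of Z gives C rather than the non-letter character the plain ASCII version produces. The same key undoes the operation, which is what makes it a symmetric scheme; `all_keys` shows that the whole family of operations has only 26 members.

```python
def caesar_ascii(text, key):
    """The slide's operation: add the key to each character's ASCII code (no wrap-around).
    Decryption is the same function with the negated key."""
    return "".join(chr(ord(ch) + key) for ch in text)


def caesar(text, key):
    """Generalized form: shift letters within their own alphabet, wrapping with mod 26;
    non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha() and ch.isascii():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    return caesar(plaintext, key)


def decrypt(ciphertext, key):
    return caesar(ciphertext, -key)  # inverse operation: subtract the same key


def all_keys(ciphertext):
    """The key is one of only 26 values: every candidate plaintext, keyed by the shift tried."""
    return {k: decrypt(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    print(caesar_ascii("CAT", 3), caesar_ascii("FDW", -3))   # FDW CAT
    print(encrypt("XYZ", 3), decrypt("ABC", 3))              # ABC XYZ
    print(all_keys("FDW")[3])                                 # CAT
```

The size of the key family is the security-relevant point: a reversible operation with a key is the right shape, but with 26 possible keys the ciphertext protects nothing, which is why modern ciphers use keys of 128 bits or more.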
Symmetric vs Asymmetric encryption
- Caesar shift is an example of a symmetric encryption, that is, one in which the encoding and decoding operations are essentially the same, and knowledge of the encoding key implies knowledge of the decoding key.
- When this is not the case, the encryption is said to be asymmetric.
Symmetric vs Asymmetric encryption (Cont.)
- Asymmetric schemes are more secure but require more time for coding and decoding.
- Often secure communication uses a combination of asymmetric and symmetric.
  - The key to the symmetric encryption is sent using asymmetric encryption.
  - Then the bulk of the communication uses symmetric encryption.
Public Key Encryption
- In asymmetric encryption, the parameters for the mathematical operation and its inverse are not the same. Then one is said to have two keys.
- For purposes of encryption, it is ideal if knowledge of one of the parameters (keys) does not lead to knowledge of the other.
- Such a mathematical operation is the basis for public key encryption.
Public Key/Private Key
- A user is assigned two keys (a private key and a public key).
  - The private key should be known only to the user.
  - The public key is published along with the user’s name.
- Someone can send the user a private message by using the public key to encrypt; then the user is the only person (presumably) who can decrypt the message.
Digital signature
- Use this process in reverse.
- The user encrypts the message with the private key.
- Anyone with the user’s public key can decrypt it.
- BUT since the user’s public key decoded the message, the message must have come from the user.
  - This does not give privacy but authentication.
Double Key Encryption
- To have a private and authenticated transaction use two keys.
- Mary encrypts a message with John’s public key and then does a second encryption using her private key.
- The message must be decrypted using Mary’s public key (we know it’s from Mary) and further decrypted using John’s private key (only John can do this).
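The three preceding slides (public key/private key, digital signature, and double key encryption) worked through with textbook RSA, as an added example that is not code from the slides: the single operation m^k mod n is used for encrypting, decrypting, signing and verifying, and which key is applied decides which property you get. The primes, exponents, messages and the names John and Mary are constructed; the primes are deliberately tiny so the arithmetic is visible, which also makes the keys worthless for real use. For the double-key step Mary's modulus is chosen larger than John's so that John's ciphertext fits under it; that ordering requirement is a simplification of this toy, not part of the slide.

```python
from math import gcd


def keygen(p, q, e):
    """Textbook RSA key pair from two primes and a public exponent (tiny values: NOT secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    d = pow(e, -1, phi)            # private exponent: inverse of e mod phi(n) (Python 3.8+)
    return (e, n), (d, n)          # (public key, private key)


def apply_key(m, key):
    """The one mathematical operation: m^k mod n. Encrypt, decrypt, sign and verify all use it."""
    k, n = key
    assert 0 <= m < n, "message must be an integer smaller than the modulus"
    return pow(m, k, n)


JOHN_PUB, JOHN_PRIV = keygen(61, 53, 17)     # n = 3233
MARY_PUB, MARY_PRIV = keygen(101, 103, 7)    # n = 10403, larger than John's (see lead-in)


def private_message(m):
    """Public key/private key: anyone encrypts with John's public key; only John can decrypt."""
    c = apply_key(m, JOHN_PUB)
    return c, apply_key(c, JOHN_PRIV)


def signed_message(m):
    """Digital signature: Mary 'encrypts' with her private key; anyone verifies with her public key.
    The content is readable by all, so this gives authentication, not privacy."""
    s = apply_key(m, MARY_PRIV)
    return s, apply_key(s, MARY_PUB)


def double_key(m):
    """Double key: encrypt with John's public key, then with Mary's private key.
    Undo in reverse order: Mary's public key first (proves it is from Mary), then John's private key."""
    c1 = apply_key(m, JOHN_PUB)          # c1 < 3233 < 10403, so it fits under Mary's modulus
    c2 = apply_key(c1, MARY_PRIV)
    c1_back = apply_key(c2, MARY_PUB)    # anyone can do this step: it proves Mary's authorship
    return apply_key(c1_back, JOHN_PRIV) # only John can do this step


def forged_signature_fails(m, wrong_d=1234):
    """A 'signature' made with the wrong private exponent does not verify under Mary's public key."""
    s = apply_key(m, (wrong_d, MARY_PUB[1]))
    return apply_key(s, MARY_PUB) != m


if __name__ == "__main__":
    print("John's keys:", JOHN_PUB, JOHN_PRIV)
    print("private message:", private_message(42))
    print("signed message:", signed_message(1234))
    print("double key round trip:", double_key(2024))
    print("forgery rejected:", forged_signature_fails(42))
```

Real deployments differ from this toy in ways that matter for security: the keys are thousands of bits long, messages are padded before the operation, a signature is computed over a hash of the message rather than the message itself, and the public key is bound to its owner's name by a certificate, which is the role the next slide gives to the certificate authority.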
Digital Certificate/Certificate Authority
- If the two parties don’t know each other, a third party that both trust, the certificate authority, acts as a verifier. The verification is done using a digital certificate.
RSA
- RSA is an encryption/authentication scheme developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman.
- RSA is owned by RSA Security. The company licenses the algorithm technologies and also sells development kits.
Kerberos
- An authentication system developed at the Massachusetts Institute of Technology.
- Kerberos allows two users to exchange private messages across an open network.
- It works by assigning a unique key, called a ticket, to each user that logs on to the network. The ticket is then embedded in messages to identify the sender of the message.
Firewalls
- A firewall guards the perimeter of a network; all traffic flows through, and is examined by, the firewall.
- The earliest firewalls performed a packet filtering service.
  - If sending packets is analogous to sending mail, then having a firewall is analogous to having the mail censored.
  - Certain packets are not allowed in based on their content or source; certain packets are not allowed out based on their content or destination.
Firewall
- A firewall can help centralize part of a network’s security effort.
- A firewall can prevent:
  - outsiders from probing all computers in an organization
  - flooding the network with unwanted traffic
  - attacking a computer by causing it to crash.
Packet filter
Firewall
- The firewall, working closely with the router, examines each packet to determine whether or not to forward it.
- The filtering may be based on any number of criteria:
  - Source or destination IP address
    - Allow only certain addresses or rule out certain addresses
  - Direction
  - Service type (FTP, SMTP, telnet, etc., identified by port number)
  - Time
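A packet filter using the four criteria just listed, as an added example (not code from the slides or from any firewall product): each rule names a direction, source and destination address ranges, a destination port (the service type) and an optional time window; rules are checked top-down, the first match decides, and a final catch-all rule denies whatever nothing else matched. The rule set, the addresses (documentation ranges) and the sample packets are constructed for the demonstration, and `audit_line` produces the kind of log entry the next slide mentions.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed rule set: evaluated top-down, first match wins, last rule is the default deny.
RULES = [
    dict(name="allow-lan-to-mailserver",      direction="out", src="10.0.0.0/8",       dst="0.0.0.0/0",    port=25,   hours=None),
    dict(name="block-telnet-in",              direction="in",  src="0.0.0.0/0",        dst="10.0.0.0/8",   port=23,   hours=None),
    dict(name="allow-ftp-in-business-hours",  direction="in",  src="203.0.113.0/24",   dst="10.0.0.5/32",  port=21,   hours=(time(8), time(18))),
    dict(name="block-bad-host",               direction="in",  src="198.51.100.7/32",  dst="0.0.0.0/0",    port=None, hours=None),
    dict(name="allow-web-in",                 direction="in",  src="0.0.0.0/0",        dst="10.0.0.80/32", port=80,   hours=None),
    dict(name="default-deny",                 direction=None,  src="0.0.0.0/0",        dst="0.0.0.0/0",    port=None, hours=None),
]
ACTIONS = {r["name"]: ("DENY" if r["name"].startswith(("block", "default")) else "ALLOW") for r in RULES}


def matches(rule, pkt):
    """True when the packet satisfies every criterion the rule specifies (None = any)."""
    if rule["direction"] and rule["direction"] != pkt["direction"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(rule["src"]):
        return False
    if ip_address(pkt["dst"]) not in ip_network(rule["dst"]):
        return False
    if rule["port"] is not None and rule["port"] != pkt["dst_port"]:
        return False
    if rule["hours"]:
        start, end = rule["hours"]
        if not (start <= pkt["time"] < end):
            return False
    return True


def filter_packet(pkt, rules=RULES):
    """Return (action, matching rule name) for a packet; the default-deny rule guarantees a match."""
    for rule in rules:
        if matches(rule, pkt):
            return ACTIONS[rule["name"]], rule["name"]
    return "DENY", "implicit"


def audit_line(pkt, decision):
    """One line for the firewall's audit trail."""
    action, name = decision
    return f'{pkt["time"].isoformat()} {pkt["direction"]:>3} {pkt["src"]}->{pkt["dst"]}:{pkt["dst_port"]} {action} ({name})'


# Constructed sample traffic.
SAMPLE_PACKETS = {
    "ftp-daytime":   dict(direction="in",  src="203.0.113.9",  dst="10.0.0.5",  dst_port=21, time=time(10, 0)),
    "ftp-night":     dict(direction="in",  src="203.0.113.9",  dst="10.0.0.5",  dst_port=21, time=time(22, 0)),
    "telnet-in":     dict(direction="in",  src="203.0.113.9",  dst="10.0.0.5",  dst_port=23, time=time(10, 0)),
    "smtp-out":      dict(direction="out", src="10.1.2.3",     dst="192.0.2.25", dst_port=25, time=time(3, 0)),
    "web-bad-host":  dict(direction="in",  src="198.51.100.7", dst="10.0.0.80", dst_port=80, time=time(12, 0)),
    "web-ok":        dict(direction="in",  src="192.0.2.1",    dst="10.0.0.80", dst_port=80, time=time(12, 0)),
}


def decide_all():
    """Filter every sample packet; returns {label: (action, rule name)}."""
    return {label: filter_packet(pkt) for label, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS.items():
        print(audit_line(pkt, filter_packet(pkt)))
```

Two design points are worth noticing: rule order matters (the block on the bad host is listed before the general allow for the web server, so it wins), and the explicit default-deny at the end means a packet no rule anticipated is dropped rather than forwarded.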
Firewall
- A firewall can also maintain an audit trail (log file).
- A firewall can be trained to look for virus signatures.
- The firewall can scan for tokens or tickets which authenticate users.
- A pair of firewalls can agree on an encryption scheme, for instance if two private networks are connected by a public line (a virtual private network).
Tele-commuting
- The importance of VPNs is growing as more companies support the idea of employees working from home or small satellite locations.
- In principle, VPNs deliver the same network accessibility and security that would be available at the on-site location.
Proxy server
- A proxy is somebody who is authorized to stand in for somebody else.
- A proxy server stands in for the client on a private network: when the client makes a request of a server outside the network, the request is made of the proxy server, and the proxy server then makes the request of the destination; that is, it stands in for the client.
- The reply is then passed from the proxy to the original client.
- This way the destination does not learn the address of the true client, only that of the proxy.
Caching too
- The proxy server hides the private network’s addresses.
- Another benefit of a proxy is that it can cache results for the entire network. Like any host client, it checks its cache before requesting something. But the proxy has made the requests for all of the computers on the network.