
Database Security

Overview
Definition
Reasons for security
Issues
Types of security
Effective security
System Requirements
Database Security
Questions to ask when considering security
Database-independent measures
Database-dependent measures
Security in SQL

Database Security
Definition
Security protects data from intentional or accidental
misuse or destruction, by controlling access to the data.
Stamper & Price
Database security is concerned with the ability of the
system to enforce a security policy governing the
disclosure, modification or destruction of information.
Pangalos

Reasons for Security

Moral/Ethical
Legal requirements
Commercial security
Fraud/Sabotage
Mistakes

Moral/Ethical
There may be moral reasons for controlling who has access to information. For example, medical records are confidential because of people's right to privacy.

Legal Requirements
The Data Protection Act requires companies
to register personal data with the data
protection registrar. The act imposes
constraints on how information may be used
and who may have access to it. Information
about individuals must be correct, up-to-date
and available for inspection by the individuals
concerned.

Commercial Security

Information held by companies is a valuable resource which may be useful to competitors. For example, a list of customers who have bought insurance policies may be valuable to other insurance companies.

Fraud/Sabotage

Information may be misused, for example, insider dealing, or used to mislead.

Mistakes

Many problems are not malicious but are caused by users accidentally changing the data.

Issues
Confidentiality
information is only disclosed to authorized users
Integrity
information is only modified by authorized users
Availability
information is accessible by authorized users

Types of Security
Authorization Policies
Disclosure and modification of data
Data Consistency Policies
Consistency and correctness of data

Types of Security
Availability Policies
Availability of information to users
Identification/Authentication/Audit Policies
Authorizing users to access data

Effective Security Assumptions


Correct User Identification
It should not be possible to fool the DBMS
e.g. usernames, passwords, etc.
Unanticipated Observers
It should not be possible to gain access to
DBMS through components (disks, tapes,
network, etc.), e.g. encryption

Effective Security Assumptions


User/Privilege information protected
It should not be possible to access user
information, e.g. passwords

System Requirements
S/W and H/W around the database
All aspects of the system must be considered
Data Integrity
All data must be correct and consistent
User must trust database content

System Requirements
Data Availability
Fault tolerance, redundancy, etc.
Auditing
Useful but not excessive

Constraints
Security constraints
Authorization controls
Stored in the data dictionary
DBMS monitors constraints
Integrity constraints
Consistent controls
Stored in the data dictionary
DBMS monitors integrity

Security constraints in a database are concerned with controlling and authorizing access to the data. For example,
(a) Who may insert data into a table?
(b) Who may create a table?

Integrity constraints are concerned with maintaining the database in a consistent/correct state. For example,
(a) Employees' salaries may not increase by more than 5% per year,
(b) All employees must work on a project.

Security and integrity are related concepts. Both are:
(a) Stored in the data dictionary,
(b) Enforced by the DBMS.

How valuable is the data?
Which data must be secured?
What will illegal access to the data cost?
What are the implications of
changed/destroyed data?
Will security measures affect the proper
functioning of the database?
How can unauthorized access occur?

Security Questions
How valuable is the data?
Different types of data need different levels of
security. Publicly available data, for example,
stock prices, do not require the same level of
security as private data, for example, employee
salaries.

What will illegal access to the data cost?
If a piece of data has a high value, for example, information about the performance of a company, then illegal access may be very costly. The cost of losing the data determines how much security is required.

What are the implications of changed/destroyed data?
If losing a piece of data has disastrous consequences then the security must be higher. For example, if a sales person builds up a customer list over many years then losing the list to a competitor could be very costly.

Will security measures affect the proper functioning of the database?
If security stops legitimate individuals from accessing the data, then it may not be suitable.

Database-Independent
Security Mechanisms
Usernames and passwords
Physically secure hardware
Data encryption
Hardware/User profiles
e.g. login times, CPU usage
Program security
Audit Trails

Database-independent security mechanisms can be applied to any database system:
1. Operating systems use usernames and passwords to control access. A DBMS also uses usernames and passwords to restrict access to the data. This is an unreliable method of controlling access to systems.

2. Hardware can be physically secured (to avoid damage to the machine) by placing it in a secure room. A machine which is attached to a network may be insecure because access can be gained across the network.

3. Data encryption is often used when information is transmitted across a network. A DBMS can also encode the data so that it is unreadable without accessing it through a query language. This stops users accessing the data by reading the data files and, therefore, bypassing the DBMS security measures.

4. Profiles describe different categories of user who have the same privileges. For example, all project leaders may have access to project data during working hours.

5. In a client/server environment it is not sufficient to secure the client without securing the database. The clients can provide a first level of security but should not be the only means of securing the system.

6. Audit trails provide a complete history of all interactions with the database including who accessed the system, what was accessed, when it was accessed, etc.

Database-Dependent
Security Mechanisms
Controlling access
Users and roles
Username/password
Groups
Schemas
Set of tables, etc. owned by a user
Controlling behavior
Privileges
Rights to access the DBMS
Controlling integrity
Integrity constraints

Database-dependent security mechanisms refer to security features provided by specific database management systems. There are three parts to database-specific security measures:

1. Controlling access to the database
Most database systems provide a method of setting up users.

By allocating a username to each person who accesses the system, the database administrator can monitor who is accessing the system.

Schemas are sets of tables which belong to particular users. Each user can only see their own schema, or set of tables. A user may give permission to another user to view or change their schema.

2. Controlling behavior while connected to the database
The behavior of each user who is connected to the database can be controlled by allocating or removing the privileges owned by a user.

3. Controlling integrity of data in the database
Integrity constraints impose limits on the type of data which may be entered into the DBMS. For example, by declaring a primary key a user requires that a set of data has a unique identifier.
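As an added example (not from the slides), the primary key mentioned here and the two integrity constraints given earlier (salaries may not rise by more than 5% per year; every employee must work on a project) written in Oracle SQL/PL-SQL. Table and column names are assumed, and "works on a project" is simplified to one project per employee.

```sql
-- Added example (not from the slides): the lecture's integrity constraints
-- in Oracle SQL / PL/SQL. Table and column names are assumed.

CREATE TABLE project (
    project_id  NUMBER        PRIMARY KEY,    -- unique identifier
    name        VARCHAR2(100) NOT NULL
);

CREATE TABLE employee (
    emp_id          NUMBER        PRIMARY KEY, -- "declaring a primary key"
    name            VARCHAR2(100) NOT NULL,
    salary          NUMBER(10,2)  NOT NULL CHECK (salary > 0),
    -- Salary at the start of the current twelve-month window and when that
    -- window opened; maintained by the trigger below, so do not grant UPDATE
    -- on these two columns to ordinary users.
    salary_baseline NUMBER(10,2)  NOT NULL,
    baseline_date   DATE          NOT NULL,
    -- "All employees must work on a project": the foreign key is NOT NULL,
    -- so no employee row can exist without a valid project.
    project_id      NUMBER        NOT NULL REFERENCES project (project_id)
);

-- "Salaries may not increase by more than 5% per year": a CHECK constraint
-- sees only the new row, so a trigger compares against the yearly baseline.
-- The DBMS enforces the rule whichever program issues the UPDATE.
CREATE OR REPLACE TRIGGER employee_salary_cap
BEFORE UPDATE OF salary ON employee
FOR EACH ROW
BEGIN
    IF :OLD.baseline_date <= ADD_MONTHS(SYSDATE, -12) THEN
        -- window has expired: the current salary becomes the new baseline
        :NEW.salary_baseline := :OLD.salary;
        :NEW.baseline_date   := SYSDATE;
    END IF;
    IF :NEW.salary > :NEW.salary_baseline * 1.05 THEN
        RAISE_APPLICATION_ERROR(-20001,
            'Salary may not increase by more than 5% within twelve months');
    END IF;
END;
/

-- Constructed data: raises inside one window are checked cumulatively.
INSERT INTO project  VALUES (1, 'Payroll migration');
INSERT INTO employee VALUES (100, 'A. Smith', 40000, 40000, SYSDATE, 1);
UPDATE employee SET salary = 42000 WHERE emp_id = 100; -- +5.0%: accepted
UPDATE employee SET salary = 43000 WHERE emp_id = 100; -- +7.5%: ORA-20001
-- INSERT INTO employee VALUES (101, 'B. Jones', 30000, 30000, SYSDATE, NULL);
--   is rejected: project_id is NOT NULL, so every employee is on a project.
```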

Controlling Access
Discretionary Access Control
Users
A name that can connect and access objects in
the database
Users log in using a name (and password)

Controlling Access
Schema
A collection of objects associated with a user
e.g. tables, views, indexes, procedures, etc.
Access to a schema is granted at the discretion
of the user

Many databases, including Oracle, use discretionary access control to manage the security of the database. Users of the database can grant permission to use database objects to other users. Each user has the discretion to allow other users to use their data.

The two main methods of implementing discretionary access control in the database are:
Users

Users are names that the database recognizes as being allowed to access the database. A user logs into the database by giving the DBMS a valid username. Users are often required to also provide a password. Once the DBMS knows the name of the user it can then allow that user to access the data.

Schema
The schema is a set of database objects
that have been created in the database.
Each user can have one or more schemas.

Controlling Behavior
Privileges
the right to execute a particular SQL statement or to access another user's object
Oracle Concepts Manual
Types
Connecting to the DBMS
Creating objects
Tables, views, etc.
Accessing/changing data
Executing procedures

We can give users the right to access data in the database by allocating privileges to the user. There are many different types of privileges that can be given to a user. For example, most users must be given the privilege to connect to the database and to create tables in the database.
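As an added example (not from the slides), the discretionary access control and privilege types described above in Oracle SQL: the system privileges to connect and create tables, object privileges granted at the owner's discretion, and a role for a category of user. Account, role, object and tablespace names are assumed and the passwords are placeholders.

```sql
-- Added example (not from the slides): discretionary access control with
-- Oracle system and object privileges. Account, role, object and
-- tablespace names are assumed; passwords are placeholders.

-- 1. System privileges, granted by the DBA. CREATE SESSION is the
--    "privilege to connect"; CREATE TABLE lets alice build her own schema.
CREATE USER alice IDENTIFIED BY "<replace-with-strong-password>"
    DEFAULT TABLESPACE users QUOTA 50M ON users;
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW TO alice;

CREATE USER bob IDENTIFIED BY "<replace-with-strong-password>";
GRANT CREATE SESSION TO bob;          -- may connect, owns nothing

-- 2. Connected as alice: objects created here belong to schema ALICE and,
--    under DAC, alice alone decides who else may use them.
CREATE TABLE employee (
    emp_id  NUMBER        PRIMARY KEY,
    name    VARCHAR2(100) NOT NULL,
    salary  NUMBER(10,2)
);
CREATE VIEW employee_directory AS
    SELECT emp_id, name FROM employee;   -- salary deliberately excluded

-- Object privileges name a specific object. bob gets the view, not the
-- table, so he can look up colleagues without seeing salaries.
GRANT SELECT ON employee_directory TO bob;

-- 3. Roles group privileges for a category of user, so "payroll clerks"
--    are managed once rather than per person. The DBA creates the role
--    and assigns it; alice, as owner, grants her object to it.
CREATE ROLE payroll_clerk;                                   -- as DBA
GRANT SELECT, UPDATE (salary) ON employee TO payroll_clerk;  -- as alice
GRANT payroll_clerk TO bob;                                  -- as DBA

-- WITH GRANT OPTION lets a grantee pass the right on to others: the DAC
-- weakness that access spreads beyond the owner's view. Revoking from
-- bob also cascades to anyone bob granted it to.
GRANT SELECT ON employee TO bob WITH GRANT OPTION;
REVOKE SELECT ON employee FROM bob;

-- 4. Verify, as the DBA: who can reach ALICE's objects, how, and whether
--    they can re-grant (GRANTABLE = 'YES' deserves a second look).
SELECT grantee, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'ALICE'
ORDER  BY grantee, table_name, privilege;
```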
