Database Security and Auditing: Chapter 5

Protecting Data Integrity and Accessibility

  • Database Security and Auditing: Protecting Data Integrity and Accessibility
      • Chapter 5: Database Application Security Models

    Database Security & Auditing: Protecting Data Integrity & Accessibility

  • Objectives
      • Describe the different types of users in a database environment and the distinct purpose of each
      • Identify and explain the concepts of five security models
      • List the most commonly used application types

  • Objectives (continued)
      • Implement the most common application security models
      • Understand the use of data encryption within database applications

  • Types of Users
      • Application:
          • Solves a problem
          • Performs a specific business function
      • Database: collection of related data files used by an application
      • Application user: user within the application schema

  • Types of Users (continued)
      • Types:
          • Application administrator
          • Application owner
          • Application user
          • Database administrator
          • Database user
          • Proxy user
          • Schema owner
          • Virtual user

  • Security Models
      • Access Matrix Model:
          • Represents two main entities: objects and subjects:
              • Columns represent objects
              • Rows represent subjects
          • Objects: tables, views, procedures, database objects
          • Subjects: users, roles, privileges, modules
          • Authorization cell

  • Security Models (continued)
      • Access Modes Model:
          • Based on the Take-Grant model
          • Uses objects and subjects
          • Specifies access modes: static and dynamic modes
          • Access levels: a subject has access to objects at its level and all levels below it

  • Application Types
      • Client/Server applications:
          • Management Information System (MIS) department:
              • Thirty years ago, centralized information
              • Developed mainframe projects
              • Was a bottleneck
          • Personal computer was introduced: developing need for client/server applications
          • Based on the business model

  • Client/Server Applications (continued)
      • Provides a flexible and scalable structure
      • Components:
          • User interface
          • Business logic
          • Data access
      • Components usually spread out over several tiers:
          • Minimum two
          • Normally, four to five

  • Web Applications
      • Evolved with the rise of dot-com and Web-based companies
      • Uses the Web to connect and communicate to the server
      • A Web application uses HTML pages created using:
          • ActiveX
          • Java applets or beans
          • ASP (Active Server Pages)

  • Web Applications (continued)
      • Components:
          • Web browser layer
          • Web server layer
          • Application server layer
          • Business logic layer
          • Database server layer

  • Data Warehouse Applications
      • Used in decision-support applications
      • Collection of many types of data taken from a number of different databases
      • Typically composed of a database server
      • Accessed by software applications or reporting applications: online analytical processing (OLAP)

  • Application Security Models
      • Models:
          • Database role based
          • Application role based
          • Application function based
          • Application role and function based
          • Application table based

  • Security Model Based on Database Roles
      • Application authenticates application users: maintain all users in a table
      • Each user is assigned a role; roles have privileges assigned to them
      • A proxy user is needed to activate assigned roles; all roles are assigned to the proxy user
      • Model and privileges are database dependent

  • Security Model Based on Database Roles (continued)
      • Implementation in Oracle:
          • Create users
          • Add content to your tables
          • Add a row for an application user
          • Look for the application user's role
          • Activate the role for this specific session

  • Security Model Based on Database Roles (continued)
      • Implementation in SQL Server:
          • Use application roles:
              • Special roles that are activated at the time of authorization
              • Require a password and cannot contain members
          • Connect a user to the application role: overrules the user's privileges

  • Security Model Based on Database Roles (continued)
      • Implementation in SQL Server (continued):
          • Create and drop application roles using the command line and the Enterprise Manager:
              • SP_ADDAPPROLE
              • SP_DROPAPPROLE
          • You can activate application roles using SP_SETAPPROLE

  • Security Model Based on Database Roles (continued)
      • Implementation in SQL Server (continued):
          • Connect to database as the proxy user
          • Validate the user name and password
          • Retrieve the application role name
          • Activate the application role

  • Security Model Based on Application Roles
      • Application roles are mapped to real business roles
      • Application authenticates users
      • Each user is assigned to an application role; application roles are provided with application privileges (read and write)

  • Security Model Based on Application Roles (continued)
      • Implementation in SQL Server:
          • Create a database user
          • Connect the application to the database using this user
          • Create stored procedures to perform all database operations

  • Security Model Based on Application Functions
      • Application authenticates users
      • Application is divided into functions
      • Considerations:
          • Isolates application security from database
          • Passwords must be securely encrypted
          • Must use a real database user
          • Granular privileges require more effort during implementation

  • Security Model Based on Application Roles and Functions
      • Combination of models
      • Application authenticates users
      • Application is divided into functions:
          • Roles are assigned to functions
          • Functions are assigned to users
      • Highly flexible model

  • Security Model Based on Application Tables
      • Depends on the application to authenticate users
      • Application provides privileges to the user based on tables; not on a role or a function
      • User is assigned access privilege to each table owned by the application owner

  • Security Model Based on Application Tables (continued)
      • Implementation in SQL Server:
          • Grant authorization on application functions to the end user
          • Alter authorization table from the security model based on database roles; incorporate the table and access columns required to support model
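
The per-table authorization check this model describes, sketched with Python's sqlite3 module in place of SQL Server so it runs stand-alone. This is an added example, not code from the original slides; the table and column names, the sample users and the three access levels are assumptions.

```python
import sqlite3

# Constructed access levels for this sketch (not taken from the slides).
NONE, READ, WRITE = 0, 1, 2

SCHEMA = """
CREATE TABLE app_users (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE NOT NULL);
CREATE TABLE app_user_access (            -- hypothetical authorization table
    user_id    INTEGER NOT NULL REFERENCES app_users(user_id),
    table_name TEXT    NOT NULL,
    access     INTEGER NOT NULL CHECK (access IN (0, 1, 2)),
    PRIMARY KEY (user_id, table_name)
);
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE payroll   (id INTEGER PRIMARY KEY, salary INTEGER);
"""

def build_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed users and grants."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO app_users VALUES (1, 'alice'), (2, 'bob')")
    db.executemany("INSERT INTO app_user_access VALUES (?, ?, ?)",
                   [(1, "customers", WRITE), (1, "payroll", READ), (2, "customers", READ)])
    db.execute("INSERT INTO customers VALUES (1, 'Acme')")
    db.execute("INSERT INTO payroll VALUES (1, 5000)")
    return db

def access_level(db, user_name: str, table_name: str) -> int:
    """Look up the user's privilege on one table; a missing row means no access."""
    row = db.execute(
        "SELECT a.access FROM app_user_access a JOIN app_users u ON u.user_id = a.user_id "
        "WHERE u.user_name = ? AND a.table_name = ?", (user_name, table_name)).fetchone()
    return row[0] if row else NONE

def require(db, user_name: str, table_name: str, needed: int) -> None:
    """Default deny: raise unless the stored level covers the requested one."""
    if access_level(db, user_name, table_name) < needed:
        raise PermissionError(f"{user_name} lacks level {needed} on {table_name}")

def list_customers(db, user_name: str) -> list:
    require(db, user_name, "customers", READ)
    return [r[0] for r in db.execute("SELECT name FROM customers ORDER BY id")]

def add_customer(db, user_name: str, name: str) -> None:
    require(db, user_name, "customers", WRITE)
    db.execute("INSERT INTO customers (name) VALUES (?)", (name,))

def list_salaries(db, user_name: str) -> list:
    require(db, user_name, "payroll", READ)
    return [r[0] for r in db.execute("SELECT salary FROM payroll ORDER BY id")]
```

Every data operation goes through `require`, so an unknown user or a table with no row in the authorization table is refused rather than allowed by default.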

  • Data Encryption
      • Passwords should be kept confidential and preferably encrypted
      • Passwords should be compared encrypted:
          • Never decrypt the data
          • Hash the passwords and compare the hashes

  • Summary
      • An application user is simply a record created for a user within the application schema; usually does not have database privileges or roles assigned
      • Access matrix:
          • Columns represent objects
          • Rows represent subjects
          • Authorization cell
      • Access mode

  • Summary (continued)
      • Application types: client/server, Web, and Data Warehouse
      • Application security models:
          • Database roles
          • Application roles
          • Application functions
          • Roles and functions in the application
          • Application tables
