Database Security Assignment


MBA-08-012 University of Sargodha


Page 1: Database Security Assignment

DATABASE SECURITY

THREATS TO THE DATABASE

Accidental loss

Theft & fraud

Loss of privacy or confidentiality

Loss of data integrity

Loss of availability

1. Accidental loss

Loss occurs due to human error; the data is lost by chance rather than by intent.

These losses can be minimized by:

User authorization

Uniform software installation procedures

Hardware maintenance schedules

2. Theft & fraud

Theft is the stealing of data by an unauthorized user.

Fraud is the intentional spoiling of data.

These two activities are usually carried out by electronic means.

Example:

Someone may carry the data away on a flash drive.

This can be prevented by:

Maintaining physical security

A firewall

3. Loss of privacy or confidentiality

Privacy means:

Protection relating to the data of individuals.

Confidentiality means:

Protection of the data of the organization.

Failure to provide this protection can cause:

Blackmail

Bribery

Public embarrassment

State and federal laws govern the protection of data.

A failure of this security may also cause financial and reputational loss.

4. Loss of data integrity

"Integrity" means the soundness of data and the extent of its validity.

If data is not secured, its integrity can be compromised: someone may alter the data so that it becomes invalid. So recovery and backup procedures should be used.

Invalid data may cause "wrong decisions".

5. Loss of availability

Destruction of hardware, networks or applications may cause the data to become unavailable.

A virus may cause this problem.

ESTABLISHING DATA SECURITY

Server Security

Network security

Web security

Web privacy

1. Server security

Multiple servers, including database servers, need to be protected. Each should be located in a secure area, accessible only to authorized administrators and supervisors. Logical access controls, including server and administrator passwords, provide layers of protection against intrusion. Password management utilities should be included as part of the network and operating systems.

Reliance on operating system authentication alone should not be encouraged.

2. Network security

Securing client/server systems includes securing the network between client and server. Encrypting data so that attackers cannot read a packet while it is being transmitted is obviously an important part of network security. Authentication of the client workstation that is attempting to access the server also helps to enforce the security of the network and of the application system.

3. Web security

If an organization wishes only to make static HTML pages available, protection must be established for the HTML files stored on the web server.

Sensitive files may be kept on another server accessible through the organization's intranet. Security measures for dynamic web page generation are different.

Web security includes ways to restrict access to web servers:

Restrict the number of users on the web server as much as possible.

Restrict access to the web server, keeping a minimum number of ports open.

Remove any unneeded programs that load automatically when setting up the server.

4. Web privacy

Protection of individual privacy when using the internet has become an important issue. E-mail, e-commerce, marketing and other online resources have created new computer-mediated communication paths.

Applications that return individualized responses require that information be collected about the individual, but at the same time proper respect must be shown for the privacy and dignity of the employee.

MEASURES

A view is a subset of the database that is presented to one or more users; it is a virtual table.

A view is created by querying one or more of the base tables.

A view presents only the data that the user requires.

So the user cannot see other private or confidential data.

Example:

A worker in the production department sees only the data relating to material type, and can run only queries relating to material and its access.
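The production-department view described above, as an added example that is not part of the assignment. It assumes PostgreSQL; the table, column and role names are hypothetical.

```sql
-- Added example (not from the assignment): a view for a production
-- department worker. Assumes PostgreSQL; names are hypothetical.
CREATE TABLE material (
    material_id   integer       PRIMARY KEY,
    material_type text          NOT NULL,
    department    text          NOT NULL,     -- which department uses it
    quantity      integer       NOT NULL,
    unit_cost     numeric(10,2) NOT NULL,     -- confidential
    supplier_id   integer                     -- confidential
);

-- The view is a virtual table: it stores nothing itself and is built by
-- querying the base table. It keeps only the production department's
-- rows and only the columns that worker needs.
CREATE VIEW production_material AS
    SELECT material_id, material_type, quantity
    FROM material
    WHERE department = 'production';

-- Privileges are granted on the view, never on the base table, so the
-- confidential columns and other departments' rows stay out of reach.
CREATE ROLE production_worker;
GRANT SELECT ON production_material TO production_worker;

-- As production_worker:
--   SELECT material_type, quantity FROM production_material;  -- allowed
--   SELECT unit_cost FROM material;   -- ERROR: permission denied for table material
```

Because no privilege is granted on the base table, a member of production_worker can only ever see what the view exposes.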

INTEGRITY CONTROLS

Integrity controls protect data from unauthorized use and update.

These controls include:

Limiting the values in a field

Limiting the actions that can be performed on data

Limiting the execution of processes

Domain: "a domain is a way to create user-defined data types"

Once a domain is defined, any field can be assigned that domain as its data type.
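The integrity controls listed above (a user-defined domain, a limit on field values, and a limit on the actions allowed on data), as an added example that is not part of the assignment. It assumes PostgreSQL 11 or later; the table, column and function names are hypothetical.

```sql
-- Added example (not from the assignment): integrity controls in
-- PostgreSQL. Table, column and function names are hypothetical.

-- 1. Domain: a user-defined data type that carries its own value limit.
--    Every column declared with the domain inherits that limit.
CREATE DOMAIN quantity_d AS integer
    CHECK (VALUE >= 0 AND VALUE <= 100000);

CREATE DOMAIN pct_d AS numeric(5,2)
    CHECK (VALUE BETWEEN 0 AND 100);

-- 2. Limiting the values in a field: domains and CHECK constraints.
CREATE TABLE stock (
    item_id   integer    PRIMARY KEY,
    on_hand   quantity_d NOT NULL,              -- limited by the domain
    discount  pct_d      NOT NULL DEFAULT 0,    -- limited by the domain
    status    text       NOT NULL CHECK (status IN ('active', 'retired'))
);

-- 3. Limiting the actions that can be performed on data: a trigger that
--    refuses to delete an item while it still has units in stock.
CREATE FUNCTION block_delete_with_stock() RETURNS trigger AS $$
BEGIN
    IF OLD.on_hand > 0 THEN
        RAISE EXCEPTION 'item % still has % units on hand',
            OLD.item_id, OLD.on_hand;
    END IF;
    RETURN OLD;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER stock_delete_guard
    BEFORE DELETE ON stock
    FOR EACH ROW EXECUTE FUNCTION block_delete_with_stock();

-- Rejected by the domain: on_hand may not be negative
-- INSERT INTO stock VALUES (1, -5, 0, 'active');
-- Rejected by the CHECK constraint: status not in the allowed set
-- INSERT INTO stock VALUES (2, 10, 0, 'unknown');
-- Accepted; the later delete is then refused by the trigger
INSERT INTO stock VALUES (3, 10, 5, 'active');
-- DELETE FROM stock WHERE item_id = 3;  -- ERROR: item 3 still has 10 units on hand
```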

Authorization rules

Authorization rules are controls incorporated in the data management system that restrict access to data and also restrict the actions that people may take when they access data. For example, a person who can supply a particular password may be authorized to read any record in a database but cannot necessarily modify any of those records.

Authorization table for salespersons

            Customer record    Order record

Read        Y                  Y

Insert      Y                  Y

Modify      Y                  N

Delete      N                  N
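The salesperson authorization table above expressed as database privileges, as an added example that is not part of the assignment. It assumes PostgreSQL; the table and role names are hypothetical and the password is a placeholder.

```sql
-- Added example (not from the assignment): the salesperson
-- authorization table as PostgreSQL privileges. Names are hypothetical.
CREATE TABLE customer_record (
    customer_id  integer       PRIMARY KEY,
    name         text          NOT NULL,
    credit_limit numeric(12,2) NOT NULL
);

CREATE TABLE order_record (
    order_id    integer       PRIMARY KEY,
    customer_id integer       NOT NULL REFERENCES customer_record,
    amount      numeric(12,2) NOT NULL
);

-- One role per job function; each person's login is made a member of it,
-- so the password identifies the person and the role decides the rights.
CREATE ROLE salesperson NOLOGIN;
CREATE ROLE alice LOGIN PASSWORD '<placeholder>';
GRANT salesperson TO alice;

-- Customer record: Read Y, Insert Y, Modify Y, Delete N
GRANT SELECT, INSERT, UPDATE ON customer_record TO salesperson;

-- Order record: Read Y, Insert Y, Modify N, Delete N
GRANT SELECT, INSERT ON order_record TO salesperson;

-- Nothing else is granted, so DELETE on either table and UPDATE on
-- order_record are refused for every member of salesperson.
-- The rules can be read back from the catalog:
SELECT table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'salesperson'
ORDER BY table_name, privilege_type;
-- customer_record | INSERT
-- customer_record | SELECT
-- customer_record | UPDATE
-- order_record    | INSERT
-- order_record    | SELECT
```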

ENCRYPTION

Data encryption can be used to protect highly sensitive data such as customer credit card numbers or account balances. Encryption is the coding or scrambling of data so that humans cannot read it. Some DBMS products include encryption routines that automatically encode sensitive data when it is stored or transmitted over communication channels. For example, encryption is commonly used in electronic funds transfer (EFT) systems. Other DBMS products provide exits that allow users to code their own encryption routines.
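The built-in encryption routines mentioned above, as an added example that is not part of the assignment. It assumes PostgreSQL with the pgcrypto extension; the table and column names are hypothetical, the card number is a well-known test value, and '<key>' is a placeholder.

```sql
-- Added example (not from the assignment): encrypting a sensitive
-- column with the pgcrypto routines shipped with PostgreSQL.
-- Table and column names are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE customer_payment (
    customer_id integer PRIMARY KEY,
    card_number bytea   NOT NULL      -- held only in encrypted form
);

-- The key is supplied by the application at run time; it must not be
-- stored in the database or written into SQL files. '<key>' is a
-- placeholder; the card number is a standard test value, not real data.
INSERT INTO customer_payment (customer_id, card_number)
VALUES (42, pgp_sym_encrypt('4111111111111111', '<key>'));

-- On disk and in any backup the column is ciphertext; a reader
-- without the key sees only bytes.
SELECT customer_id, length(card_number) AS cipher_bytes
FROM customer_payment;

-- Only a caller who supplies the key recovers the plaintext.
SELECT customer_id, pgp_sym_decrypt(card_number, '<key>') AS card_number
FROM customer_payment;
```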

AUTHENTICATION SCHEMES

In an electronic environment, a user can prove his or her identity by supplying one or more of the following factors:

Something the user knows, usually a password or personal identification number (PIN)

Something the user possesses, such as a smart card or token

Some unique personal characteristic, such as a fingerprint or retinal scan

Authentication schemes are called one-factor, two-factor or three-factor authentication, depending on how many of these factors are employed. Authentication becomes stronger in proportion to the number of factors used.

SECURITY POLICY & PROCEDURES

Personnel controls

Physical controls

Maintenance controls

Data privacy controls

USER-DEFINED PROCEDURES

Some DBMS products provide user exits (or interfaces) that allow system designers or users to create their own user-defined procedures for security, in addition to the authorization rules we have just described. For example, a user procedure might be designed to provide positive user identification. In attempting to log on to the computer, the user might be required to supply a procedure name as well as a password; once both are supplied, the system calls the procedure, which asks the user a series of questions whose answers should be known only to that password holder.