
Topic 10

Database Systems

Unit 10: Database Administration & Security

IT1768 Database Systems


Objective:
At the end of this unit, you should be able to:
- Describe the distinction between data administration and database administration.
- Describe the purpose and tasks associated with database administration.
- Define the scope of database security.
- Identify the type of threats that can affect a database system.
- Describe how to protect a computer system using computer-based security controls.
- Implement database security using SQL statements.

Content
- Roles of data administrator (DA) and database administrator (DBA)
- Database administration and security
- Computer-based security controls
- Database security control with SQL

Data and Database Administration


Data Administrator (DA) and Database Administrator (DBA) are responsible for managing and controlling activities associated with corporate data and corporate database, respectively.
DA is more concerned with early stages of lifecycle and DBA is more concerned with later stages.
DA can be a distinct role, but is mostly combined with DBA.

Data Administration (DA)

Management of data resource, which includes:
- database planning,
- development and maintenance of standards, policies and procedures, and
- conceptual and logical database design.

For example:
- Policy: All the databases must be protected with passwords.
- Standard: Each password must have at least 8 chars and at least 1 special character.
- Procedure: User must request for password through DBA with user request form.

Database Administration
Management of physical realization of a database application, which includes:
- physical database design and implementation,
- setting security and integrity controls,
- monitoring system performance, and
- reorganizing the database.

Database Administration Tasks


1) Evaluating and selecting DBMS products (e.g. Oracle)
2) Implementing a physical database design using a target DBMS. (i.e. Physical design phase Implementation)
3) Defining security and integrity constraints. (e.g. Using SQL)
4) Responding to changing requirements by liaising with application developers. (Fine tuning)
5) Developing test strategies. (Emulating actual operating conditions)
6) Performing backups routinely. (Important routines)
7) Ensuring recovery mechanisms and procedures are in place, and performing database recovery following a failure.
8) Monitoring system performance and tuning the database. (e.g. Speed of record retrieval)
9) Training users.

Computer Security
Main scope of coverage:
- Firewalls: A protection shield for the computer system. Data protection against malicious virus attack and hacking into the computer system.
- Authorization: Access control. The system administrator grants access authority to the computer system.
- Authentication: Validates users before allowing access to the computer system.

Database Security

A quoted notice on Security Warning:

Our security agent has recently informed us that there are malicious software infections found within the organizational network. These infections may allow the attacker(s) to gain unauthorised access to sensitive information, for example the use of keylogging capabilities to capture keystrokes, stealing authentication credentials such as usernames, passwords, pins, etc.

Computer Security

Is your confidential data stored in the computer safe?

Computer Security
[Figure: chart of attack tools and techniques against a Low-to-High scale over the years 1980 to 2000, with labels Tools and Attackers. Source: Carnegie Mellon Software Engineering Institute]

More attackers to computer systems over years

Database Security

Database security is a specialty within the broader discipline of computer security.

Database security is the system, processes, and procedures that protect a database from intentional threats or unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks or accidental mistakes made by authorized individuals or processes.

Data is a valuable resource that must be strictly controlled and managed, as with any corporate resource.

Part or all of the corporate data may have strategic importance and therefore needs to be kept secure and confidential.

Typical Multi-User Environment

[Figure: diagram with labels Network Security, Internal Environment, and External Connection via Internet]

Database Security

Security layer from external environment

Traditionally databases have been protected from external connections by firewalls or routers on the network perimeter with the database environment.

For network security, the network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems.

Database Security

Malware

Malware is malicious software. It infiltrates or damages a computer system without the owner's informed consent.
Malware includes computer viruses (Trojans, worms, dialers, rootkits) and spyware.
Some spyware exists as cookies or key loggers. Cookies are simple pieces of data that affect the operation of a web server; they allow users to be tracked when they visit various sites. Key loggers are programs that record every keystroke made in the spy's file.
Most modern browsers allow users to decide whether to accept cookies, but rejection makes some websites unusable.
Anti-malware programs can be used to remove malware.

Database Security

System Administrator assigns role of access use (Access control or Authorization)

(Authentication Login)

Computer-Based Security Control


Database security entails allowing or disallowing user actions on the database (e.g. access control) and the objects within it.
It is concerned with controls ranging from physical controls to administrative procedures.

Includes:
1. Authorization & Authentication
2. Views
3. Backup and recovery
4. Integrity constraints
5. Encryption
6. RAID technology
7. SQL statements

Computer-Based Security Control


Authentication and Authorization mechanisms are effective means of providing abstraction from the database layer.

1. Authorization (Administrator grants specific users access rights)

The granting of a right or privilege, which enables a user or a program to legitimately have access to a system or a system's object (table, view, etc).
In other words, authorization permits only certain users to access, process or alter data.
Authorisation is also referred to as access control. It is the ability to permit or deny the use of a particular resource by a particular entity.

Computer-Based Security Control

Authentication (e.g. Password, Fingerprint)

Authentication means verifying the identity of someone (a user, device, or other entity) who wants to use data, resources, or applications.
It is the process of obtaining identification credentials (e.g. Password, Fingerprint, PIN number, Retina scan) from a user, validating those credentials against some authority, and establishing a trust relationship for further interactions.

Four types (modes) of Authentication:
- Windows Authentication
- Form Authentication
- Passport Authentication
- Anonymous Access

Computer-Based Security Control


Windows Authentication (Windows login)
This system is used within an organization. It uses the security features of Windows clients and servers. With it, the user name and password (credentials) are hashed before being sent across the network. The user accounts are stored within the local user database of the Web server or Active Directory.

Form Authentication
Form-based authentication presents the user with an HTML-based Web page that prompts the user for credentials (UserID and Password).

Passport Authentication
To authenticate users using a service from Microsoft called Passport. It is a centralized directory of user information that Web sites can use.

Anonymous Access
The application is used by anonymous users.

Computer-Based Security Control


When set to Windows Authentication mode, IIS will use Windows authentication to check the identity of the user. It uses the security system built into the Windows platform.
To configure:
<configuration>
  <system.web>
    <authentication mode="Windows"/>
  </system.web>
</configuration>

Computer-Based Security Control

(The Web.Config Page in ASP.NET)

(Forms authentication: Web.Config Page in ASP.NET)

Computer-Based Security Control


This is a mode of authentication provided by Microsoft for commercial services. It authenticates users across web sites.
To configure:
<configuration>
  <system.web>
    <authentication mode="Passport">
      <passport redirectUrl="internal/url"/>
    </authentication>
  </system.web>
</configuration>

Computer-Based Security Control


Anonymous is a default setting of Windows Authentication mode.
To configure:
<configuration>
  <system.web>
    <authentication mode="None"/>
  </system.web>
</configuration>

Computer-Based Security Control

2. View
A view is a database object that looks and
functions exactly like a table, except that it can
contain data from multiple base tables .
It is the dynamic result of one or more
relational operations (Join, , etc) operating on the
base relations to produce another relation.
e.g. A view created for on-line registration. It is virtually made up of multiple pieces, with sensitive information being hidden.

Computer-Based Security Control

2. View
A view is a virtual relation that does not actually exist in the database, but is produced upon request by a particular user, at the time of request.

Implement Database Security using SQL

Views can be used for security purposes.
The view mechanism allows the database to be conceptually divided up into pieces (in various ways) so that sensitive information can be hidden from unauthorized users.

Example:
CREATE VIEW REGISTRATION_FORM
AS
SELECT SNO, SNAME, SEX, MODULECODE
FROM ENROLNMENT
WHERE YEARS = 2009 AND SEM = 'S1';

Computer-Based Security Control

3. Backup and Recovery


Process of periodically taking a copy of the database and log file (and possibly programs) to offline storage media.
It is not enough to back up only the data files; the transaction logs of the database need to be backed up too. Without the transaction logs the data files are useless in a recovery event.
Journaling is the process of keeping and maintaining a log file (or journal) of all changes made to the database to enable effective recovery in the event of failure.

Backup database using Transact-SQL
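A backup and recovery sequence in Transact-SQL that covers both the data files and the transaction log, as the slide requires. This is an added example, not taken from the original slides; the database name SchoolDB and the D:\Backup paths are placeholders.

```sql
-- Added example (Transact-SQL). SchoolDB and the D:\Backup paths are placeholders.
-- Transaction log backups require the FULL (or BULK_LOGGED) recovery model.
ALTER DATABASE SchoolDB SET RECOVERY FULL;

-- 1. Full backup of the data files. CHECKSUM validates page checksums
--    while the backup is written and stores a checksum for the backup itself.
BACKUP DATABASE SchoolDB
    TO DISK = N'D:\Backup\SchoolDB_full.bak'
    WITH INIT, CHECKSUM;

-- 2. Transaction log backup, taken periodically after the full backup.
BACKUP LOG SchoolDB
    TO DISK = N'D:\Backup\SchoolDB_log1.trn'
    WITH INIT, CHECKSUM;

-- 3. Confirm that both backup sets are readable before they are needed.
RESTORE VERIFYONLY FROM DISK = N'D:\Backup\SchoolDB_full.bak' WITH CHECKSUM;
RESTORE VERIFYONLY FROM DISK = N'D:\Backup\SchoolDB_log1.trn' WITH CHECKSUM;

-- Recovery after a failure: restore the data files first and leave the
-- database in the restoring state (NORECOVERY) so the log can be applied.
RESTORE DATABASE SchoolDB
    FROM DISK = N'D:\Backup\SchoolDB_full.bak'
    WITH NORECOVERY, REPLACE;

-- Roll forward through the log backup; RECOVERY on the last one brings
-- the database online with the changes recorded in the log.
RESTORE LOG SchoolDB
    FROM DISK = N'D:\Backup\SchoolDB_log1.trn'
    WITH RECOVERY;
```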


Computer-Based Security Control

4. Integrity constraints
Integrity constraints provide a way of ensuring that changes made to the database by authorized users do not result in a loss of data consistency.
They prevent data from becoming invalid, and hence giving misleading or incorrect results.
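How entity, referential and domain constraints stop an authorized user from making the data inconsistent, as an added example that is not part of the original slides. The tables STUDENT and MODULE_RESULT, their columns and the sample rows are constructed for illustration.

```sql
-- Added example. STUDENT, MODULE_RESULT, their columns and data types
-- are assumptions made for illustration.
CREATE TABLE STUDENT (
    SNO   CHAR(8)     NOT NULL PRIMARY KEY,        -- entity constraint
    SNAME VARCHAR(50) NOT NULL,
    SEX   CHAR(1)     CHECK (SEX IN ('M', 'F'))    -- domain rule
);

CREATE TABLE MODULE_RESULT (
    SNO        CHAR(8) NOT NULL,
    MODULECODE CHAR(6) NOT NULL,
    MARK       INT     CHECK (MARK BETWEEN 0 AND 100),
    PRIMARY KEY (SNO, MODULECODE),                 -- entity constraint
    FOREIGN KEY (SNO) REFERENCES STUDENT (SNO)     -- referential constraint
);

-- Valid rows (constructed sample data).
INSERT INTO STUDENT VALUES ('S0000001', 'Sample Student', 'M');
INSERT INTO MODULE_RESULT VALUES ('S0000001', 'IT1768', 75);

-- The statements below are left commented out because the DBMS refuses each
-- one, even when the user holds INSERT, UPDATE and DELETE privileges.

-- Entity constraint: a second row with the same primary key.
-- INSERT INTO STUDENT VALUES ('S0000001', 'Another Student', 'F');

-- Referential constraint: a result for a student that does not exist.
-- INSERT INTO MODULE_RESULT VALUES ('S0000009', 'IT1768', 60);

-- Domain rule: a mark outside the range 0 to 100.
-- UPDATE MODULE_RESULT SET MARK = 140 WHERE SNO = 'S0000001';

-- Referential constraint: deleting a student who still has results.
-- DELETE FROM STUDENT WHERE SNO = 'S0000001';
```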

5. Encryption
The encoding of the data by a special algorithm (with an encryption key) that scrambles the data so that it becomes unreadable by any program.
e.g. 2Dnkn6Pwrd is an encrypted text for password
It requires a decryption key to make the encrypted information readable again.

Computer-Based Security Control

6. RAID Technology
- RAID stands for Redundant Array of Independent Disks. It is a technology that employs the simultaneous use of two or more hard disk drives to achieve greater levels of performance and reliability.
- The large disk array, comprising an arrangement of several independent disks, enhances the fault tolerance of the disk drives.
- Redundancy means that extra data is written across the array, organized so that the failure of one (sometimes more) disks in the array will not result in loss of data.

Implement Database Security using SQL

7. SQL Statements for Security Control


Two SQL statements can be used to specify operations that authorized users may execute on a particular relation or database object.

GRANT statement (Authorization)
To give access rights to a user or a group of users, to access database objects.

REVOKE statement
To cancel any access rights given to a user or a group of users, to access database objects.

Implement Database Security using SQL

Examples of GRANT Statement


GRANT SELECT
ON SUPPLIER
TO USER1;
(This is to give permissions to USER1 to perform Select action on database objects SUPPLIER)

GRANT SELECT, UPDATE (STATUS, CITY)
ON SUPPLIER
TO USER2, USER3, USER4;

GRANT SELECT
ON PART
TO PUBLIC;
(This is to give permissions to all users to perform Select action on database objects PART)

GRANT ALL PRIVILEGES
ON SUPPLIER
TO USER5;

Implement Database Security using SQL

Examples of REVOKE Statement


REVOKE SELECT
ON SUPPLIER
FROM USER1;

REVOKE UPDATE
ON SUPPLIER
FROM USER2;

REVOKE ALL PRIVILEGES
ON SUPPLIER
FROM USER3, USER4;

REVOKE ALL PRIVILEGES
ON SUPPLIER
FROM USER5;
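The view from the earlier slide combined with GRANT and REVOKE, so that a user reads the view but never the base table. This is an added example, not part of the original slides; the ADDRESS and GRADE columns, the data types and the primary key are assumptions.

```sql
-- Added example. SNO, SNAME, SEX, MODULECODE, YEARS and SEM come from the
-- slides; ADDRESS and GRADE are hypothetical sensitive columns, and the data
-- types and primary key are assumed.
CREATE TABLE ENROLNMENT (
    SNO        CHAR(8)      NOT NULL,
    SNAME      VARCHAR(50)  NOT NULL,
    SEX        CHAR(1),
    MODULECODE CHAR(6)      NOT NULL,
    YEARS      INT          NOT NULL,
    SEM        CHAR(2)      NOT NULL,
    ADDRESS    VARCHAR(100),
    GRADE      CHAR(2),
    PRIMARY KEY (SNO, MODULECODE, YEARS, SEM)
);

-- The view exposes four columns and only the 2009 S1 rows.
-- (In SQL Server, CREATE VIEW must be the first statement in its batch.)
CREATE VIEW REGISTRATION_FORM
AS
SELECT SNO, SNAME, SEX, MODULECODE
FROM ENROLNMENT
WHERE YEARS = 2009 AND SEM = 'S1';

-- USER1 receives a privilege on the view only. Nothing is granted on
-- ENROLNMENT, so ADDRESS, GRADE and other semesters stay out of reach.
GRANT SELECT
ON REGISTRATION_FORM
TO USER1;

-- Run as USER1: allowed, because the privilege is held on the view.
SELECT SNO, SNAME, MODULECODE FROM REGISTRATION_FORM;

-- Run as USER1: refused by the DBMS, because USER1 has no privilege
-- on the base table.
-- SELECT ADDRESS, GRADE FROM ENROLNMENT;

-- Withdraw the access when it is no longer needed.
REVOKE SELECT
ON REGISTRATION_FORM
FROM USER1;
```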


Summary

The management of the data resource includes:
- database planning,
- development and maintenance of standards, policies and procedures, and
- conceptual and logical database design.
Data is a valuable resource that must be strictly controlled and managed, as with any corporate resource.
Database security is the mechanisms that protect the database against intentional or accidental threats.
Computer-based security control includes: Authorization, Views, Backup & Recovery, Integrity constraints, Encryption, RAID technology and using SQL Statements.

Review Questions 1
Name 3 tasks for data management

Name 4 tasks for database management

Define database security


Review Questions 2
Name Six (6) Computer-Based Security Controls.
Why are VIEWS used for security controls?
How can integrity be achieved?
How does the database implement authorization?

Review Questions 1

(Solution)

Name 3 tasks for data management
- database planning,
- development and maintenance of standards, policies and procedures, and
- conceptual and logical database design.

Name 4 tasks for database management
- physical database design and implementation,
- setting security and integrity controls,
- monitoring system performance, and
- reorganizing the database.

Define database security
Database security is the mechanisms that protect the database against intentional or accidental threats.

Review Questions 2

(Solution)

Name Six (6) Computer-Based Security Controls.
- Authorization
- Views
- Backup and recovery
- Integrity constraints
- Encryption
- RAID technology

Why are VIEWS used for security controls?
VIEWS allow sensitive information to be hidden from unauthorized users.

How can integrity be achieved?
Using database constraints
E.g. Entity constraint and Referential constraint

How does the database implement authorization?
It uses GRANT and REVOKE statements
GRANT gives the user privileges
REVOKE removes the privileges from the user