
1-Database Security Methodology.

Identification (investigation of resources required, policies to be adopted).
Assessment (analysis of vulnerabilities, threats and risks).
Design (blueprint of adopted security model).
Implementation (code developed; tools purchased).
Evaluation (testing system against attacks, failures, disasters).
Auditing.
2- Asset Types and Their Value in Database Security
Physical Assets (hardware, cars).
Logical Assets (purchased software, OS, DB).
Intangible Assets (business reputation, confidence).
Human Assets (human skills, knowledge).

3-Database Security Levels

• Database System: Since some users may modify data while some may only query, it is the job of the system to enforce authorization rules.
• Operating System: No matter how secure the database system is, the operating system may serve as another means of unauthorized access.
• Network: Since most databases allow remote access, hardware and software security is crucial.
• Physical: Sites with computer systems must be physically secured against entry by intruders or terrorists.
• Human: Users must be authorized carefully to reduce the chance of a user giving access to an intruder.

4- Database & Data Integrity Violation Process.
Security gaps are points at which security is missing, and thus the system is vulnerable.
A vulnerability is a state in which an object can potentially be affected by a force, another object, or even a situation, but not necessarily is or will be.
A threat is defined as a security risk that has a high possibility of becoming a system breach.
5- Database Security Enforcement.
Security enforcement is an enabler for databases to meet mandatory regulatory
compliance and privacy requirements. A well-rounded yet efficient security mechanism
would make a database product eligible for high profile government contracts and new
markets in the financial sector, and make it trustworthy among many third-party
applications that are likely to be built on top of it.
6- Database Security Access Point.
A security access point is a place where database security must be protected and
applied. Data access points must also be kept small.
People (secure data within the DB against violations caused by people).
Applications (when granting security privileges to applications, be cautious; permissions
shouldn't be too loose or too restrictive).
Network.
OS (gateway to data, security credentials must be verified).
DBMS.
Data Files (make use of encryption and permissions to protect data files belonging to
database).
Data

7- Database Security & Security Methods.


Database security entails allowing or disallowing user actions on the database and the
objects within it. A DBMS provides discretionary access control, which regulates all user
access to named objects through privileges. A privilege is permission to access a named
object in a prescribed manner; for example, permission to query a table. Privileges are
granted to users at the discretion of other users.
A security policy must be able to prevent sensitive information from being modified or
retrieved by unauthorized users, yet be easy enough to administer.

Directory Server Enterprise Edition provides the following security methods:


People
• Security policies & procedures.
• Process of identification and authentication.
• Training courses on importance of security.
• Physical limits on access to hardware and documents.
Applications
• Authentication of users who access.
• Business rules.
• Single sign on (signing on once for different applications).
Network
• Firewalls
• VPN
• Authentication
OS
• Authentication.
• Intrusion Detection.
• Password Policy.
• User Accounts.
DBMS
• Authentication.
• Audit Mechanisms.
• Database resource limits.
• Password Policy.
Data Files
• File Permissions
• Access Monitoring
Data
• Validation
• Data access
• Encryption
• Data constraints

8- Designing and Implementing Password Policies in Database Security.


When you create a user account, a default password policy is assigned to that user
account. The default password policy for a newly installed database includes these
directives:
• The password for the user account expires automatically in 180 days.
• The user account is locked 7 days after password expiration.
• The user account is locked for 1 day after 10 failed login attempts.

Password Complexity
Password complexity policies are designed to deter brute force attacks by increasing
the number of possible passwords. When password complexity policy is enforced, new
passwords must meet the following guidelines:
• The password does not contain the account name of the user.
• The password is at least eight characters long.
• The password contains characters from three of the following four categories:
   • Latin uppercase letters (A through Z)
   • Latin lowercase letters (a through z)
   • Base 10 digits (0 through 9)
   • Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).
Passwords can be up to 128 characters long. Use passwords that are as long and
complex as possible.
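
The complexity rules above, written as a checker (an added example, not code from any database product). It also estimates the brute-force search space that the policy is meant to enlarge. The case-insensitive account-name comparison, the symbol-class size of 33 and the sample accounts are assumptions.

```python
import math
import string

MIN_LEN, MAX_LEN = 8, 128          # length limits stated in the policy above
CLASS_SIZES = (26, 26, 10, 33)     # A-Z, a-z, 0-9, printable ASCII symbols

def used_classes(password: str) -> list[bool]:
    """Which of the four character categories appear in the password."""
    return [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),
    ]

def complexity_violations(account: str, password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means accepted."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    # Assumption: the name check is case-insensitive (the page does not say).
    if account and account.lower() in password.lower():
        problems.append("contains-account-name")
    if sum(used_classes(password)) < 3:
        problems.append("fewer-than-3-categories")
    return problems

def search_space_bits(password: str) -> float:
    """log2 of the candidates an exhaustive search must cover, given the
    password's length and the character categories it draws from."""
    alphabet = sum(n for n, used in zip(CLASS_SIZES, used_classes(password)) if used)
    return len(password) * math.log2(alphabet) if alphabet else 0.0

# Constructed sample input: (account name, candidate password)
SAMPLES = [("user1", "Summer2024"), ("user1", "User1!pass"),
           ("alice", "password"), ("alice", "Ab1!")]

if __name__ == "__main__":
    for account, pw in SAMPLES:
        print(f"{pw!r:14} {search_space_bits(pw):6.1f} bits "
              f"{complexity_violations(account, pw) or 'accepted'}")
```

A password made only of lowercase letters at the minimum length gives under 38 bits of search space, which is why the three-of-four-categories rule sits beside the length rule.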

Password Expiration
Password expiration policies are used to manage the lifespan of a password. When
SQL Server enforces password expiration policy, users are reminded to change old
passwords, and accounts that have expired passwords are disabled.

9- Granting and Revoking User Privileges in Database Security


DCL commands are used to enforce database security in a multiple user database
environment. Two types of DCL commands are GRANT and REVOKE. Only database
administrators or owners of the database object can provide or remove privileges on
a database object through GRANT and REVOKE in an RDBMS.

SQL GRANT Command


SQL GRANT is a command used to provide access or privileges on the database
objects to the users.
The Syntax for the GRANT command is:

GRANT privilege_name
ON object_name
TO {user_name |PUBLIC |role_name}
[WITH GRANT OPTION];

privilege_name: is the access right or privilege granted to the user.
object_name: is the name of the database object like table, view etc.
user_name: is the name of the user to whom an access right is being granted.
PUBLIC: is used to grant rights to all the users.
WITH GRANT OPTION: allows users to grant access rights to other users.

SQL REVOKE Command:


The REVOKE command removes user access rights or privileges to the database
objects.
The Syntax for the REVOKE command is:

REVOKE privilege_name ON object_name
FROM {user_name |PUBLIC |role_name}

For example:

GRANT SELECT ON employee TO user1;

This command grants a SELECT permission on employee table to user1.

REVOKE SELECT ON employee FROM user1;

This command will revoke a SELECT privilege on employee table from user1.
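
A privilege review built on the GRANT and REVOKE syntax above (an added example, not part of the original notes): it replays a script in order, reports what is still granted, and flags PUBLIC and WITH GRANT OPTION grants. It handles only the single-privilege form shown here; the sample script and the user2 account are constructed.

```python
import re

# Single-privilege GRANT/REVOKE form, as in the syntax shown above.
STMT = re.compile(
    r"^\s*(GRANT|REVOKE)\s+(\w+)\s+ON\s+(\w+)\s+(?:TO|FROM)\s+(\w+)"
    r"(\s+WITH\s+GRANT\s+OPTION)?\s*$", re.IGNORECASE)

def effective_grants(script: str) -> dict:
    """Replay statements in order.
    Returns {(grantee, privilege, object): has_grant_option}."""
    grants = {}
    for raw in script.split(";"):
        if not raw.strip():
            continue
        m = STMT.match(raw)
        if not m:
            raise ValueError(f"unsupported statement: {raw.strip()!r}")
        verb, priv, obj, grantee, option = m.groups()
        key = (grantee.upper(), priv.upper(), obj.lower())
        if verb.upper() == "GRANT":
            grants[key] = grants.get(key, False) or bool(option)
        else:
            grants.pop(key, None)          # REVOKE removes that one grant
    return grants

def can_access(grants: dict, user: str, priv: str, obj: str) -> bool:
    """A privilege held by PUBLIC is available to every user."""
    return any((who, priv.upper(), obj.lower()) in grants
               for who in (user.upper(), "PUBLIC"))

def findings(grants: dict) -> list[str]:
    out = []
    for (grantee, priv, obj), option in sorted(grants.items()):
        if grantee == "PUBLIC":
            out.append(f"{priv} on {obj} is open to all users (PUBLIC)")
        if option:
            out.append(f"{grantee} can pass {priv} on {obj} to others")
    return out

SAMPLE = """                       -- constructed sample script
GRANT SELECT ON employee TO user1;
GRANT SELECT ON employee TO PUBLIC;
GRANT UPDATE ON employee TO user2 WITH GRANT OPTION;
REVOKE SELECT ON employee FROM user1;
""".replace("-- constructed sample script", "")

if __name__ == "__main__":
    print("\n".join(findings(effective_grants(SAMPLE))))
```

In the sample, user1 can still read employee after the REVOKE because PUBLIC holds the same privilege, so a review has to look at PUBLIC grants as well as per-user ones.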

10-Application Security models


We examine five different application security models that are commonly used by the industry to
provide data security and access protection at the table level:

1-Security Model Based on Database Roles:

This model depends on the application to authenticate the application users by maintaining all end
users in a table with their encrypted passwords. In this model, each end user is assigned a database
role, which has specific database privileges for accessing application tables. The user can access
whatever privileges are assigned to the role.

2-Security Model Based on Application Roles:

The concept of an application role security model is similar to the concept of database role security
model in that they are both methods for organizing and administrating privileges. Application roles
are typically mapped specifically to real business roles.

3- Security Model based on Application Functions:


The security model that is based on application functions depends on the application to authenticate
the application users by maintaining all end users in a table with their encrypted passwords.

4-Security Model based on Application Roles and Functions:


This security model is a combination of both the role and function security models. The application
roles and functions security model depends on the application to authenticate the application users.

5- Security model based on Application Table:


This application security model depends on the application to authenticate users by maintaining all
end users in a table with their encrypted passwords. The application provides privileges to the user
based on tables, not on a role or a function.
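
Model 4 above (application roles and functions) as an added sketch that is not from the original notes: the application keeps its users in a table, authenticates them itself, then checks whether the user's role is mapped to the requested function. Table, role and function names are hypothetical, and the protected password is stored as a salted PBKDF2 hash, which is an assumption about what "encrypted password" means here.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # illustrative PBKDF2 work factor; tune for your hardware

def protect(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def setup() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE app_user (name TEXT PRIMARY KEY, salt BLOB, pw BLOB, role TEXT);
        CREATE TABLE role_function (role TEXT, function TEXT);
        INSERT INTO role_function VALUES
            ('clerk', 'view_employee'),
            ('manager', 'view_employee'), ('manager', 'update_salary');
    """)
    return db

def add_user(db, name: str, password: str, role: str) -> None:
    salt = os.urandom(16)                       # per-user random salt
    db.execute("INSERT INTO app_user VALUES (?, ?, ?, ?)",
               (name, salt, protect(password, salt), role))

def authorize(db, name: str, password: str, function: str) -> bool:
    """Authenticate against the user table, then check role -> function."""
    row = db.execute("SELECT salt, pw, role FROM app_user WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        protect(password, b"\0" * 16)           # keep timing similar for unknown users
        return False
    salt, stored, role = row
    if not hmac.compare_digest(stored, protect(password, salt)):
        return False
    hit = db.execute("SELECT 1 FROM role_function WHERE role = ? AND function = ?",
                     (role, function)).fetchone()
    return hit is not None

if __name__ == "__main__":
    db = setup()
    add_user(db, "dana", "S3cure!pass", "clerk")    # constructed sample users
    add_user(db, "lee", "An0ther#pw", "manager")
    for user, pw, fn in [("dana", "S3cure!pass", "view_employee"),
                         ("dana", "S3cure!pass", "update_salary"),
                         ("lee", "An0ther#pw", "update_salary")]:
        print(user, fn, authorize(db, user, pw, fn))
```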
