
Gizachew T.

• Database security refers to the range of tools, controls, and measures designed to establish and preserve database confidentiality, integrity, and availability.
• Database security must address and protect the following:
  • The data in the database
  • The database management system (DBMS)
  • Any associated applications
  • The physical database server and/or the virtual database server and the underlying hardware
  • The computing and/or network infrastructure used to access the database
• Database security means keeping sensitive information safe and preventing the loss of data. Security of the database is controlled by the Database Administrator (DBA).
• Protecting the database against persons who are not authorized to access either certain parts of a database or the whole database.
• Three main goals in database security are:
  • Secrecy / Confidentiality
    • It is protecting the database from unauthorized users.
    • Ensures that users are allowed to do the things they are trying to do.
    • Encryption is a technique or process by which data is encoded in such a way that only authorized users are able to read the data.
  • Integrity
    • Protecting the database from authorized users.
    • Ensures that what users are trying to do is correct.
    • For example, an employee should be able to modify his or her own information.
  • Availability: The database must not have unplanned downtime.
    • To ensure this, the following steps should be taken:
      • Restrict the amount of storage space given to each user in the database.
      • Limit the number of concurrent sessions made available to each database user.
      • Back up the data at periodic intervals to ensure data recovery in case of application users.
The DBA is responsible for the overall security of
the database system.
The role of the DBA includes:
• Controlling access to the database
• Providing support services to the end users
• Managing procedures for backup and recovery of the data
• Ensuring data integrity
• Controlling data security and setting data privacy
• Account creation
• Privilege granting
• Privilege revocation
• Security level assignment

• Data protection, because the DBMS implements the function of storing data.
• Multiuser access to data, conflict resolution, data integrity.
• High availability requirements for the DBMS as a part of the whole information system.
• Flexible management of access to data.

The following are the main control measures used to provide security of data in databases:
• Authentication
• Access control
• Inference control
• Flow control
• Auditing
• Encryption
• Backups

1. Data storage function
  • Data protection from leak and unauthorized access
  • Cryptographic data protection
  • Hardware failure protection
  • Backup and recovery
  • Replication and fault tolerant storage
2. Data processing function
  • Access control system
  • Firewall on SQL level
  • Transactions
  • Integrity constraints
  • Operations audit
3. Data transfer function
  • Encryption of data transfer channels
  • Authentication
  • Protection from DBMS interface attacks
• The term ‘access control’ refers to “the control of access to
system resources after a user’s account credentials and
identity have been authenticated and access to the system
has been granted.”
• Access control is used to identify a subject (user/human) and
to authorize the subject to access an object (data/resource)
based on the required task.
• Three main types of access control systems are:
• Role Based Access Control (RBAC)
• Mandatory Access Control (MAC)
• Rule Based Access Control (RuleBAC)
• Discretionary Access Control (DAC)

• An RBAC system works by assigning permissions to a specific job title. It cuts down on the time required to set up or change user access.
• Role: a named set of access permissions.
• There is a standard set of roles.
• A mechanism to simplify rights management.
• A user can be mapped to one or several roles.
• For example, if you have 20 salespeople, two managers, and three accountants, you wouldn't have to create 25 individual security profiles in the system. You'd only have to create three: one for each separate job title. When an employee gets promoted, just give them credentials that fit the new role and they're good to go.

• A MAC system works by classifying all the users and granting them access to areas based on the system's programming.
  • For example, if you have 150 employees, you're going to need 150 user permissions set up in the system.
• Mandatory access control systems are the strictest and most secure type of access control.
  • MAC systems are primarily used by companies and agencies that require the utmost levels of security.

• Rule-based access control can change the permissions based on a specific set of rules created by the administrator.
• Permitting access for an account or group to a network connection at certain hours of the day or days of the week.
  • Example: With rule-based access control, you can set a rule to deny access to everyone from 5 p.m. to 9 a.m. the next morning.
• Rules can be created for just about any occasion.
• Discretionary access control (DAC) is an identity-
based access control model that provides users a
certain amount of control over their data.
• Data owners (or any users authorized to control data)
can define access permissions for specific users or
groups of users.
• DAC is a good choice for small businesses with limited
IT staff and cybersecurity budgets.
• This popular model is utilized by some of the most
popular operating systems, like Microsoft Windows
file systems.
Access permissions can be applied to:
– tables;
– columns of a table;
– views;
– domains;
– character sets;
– translations;
– triggers;
– procedures;
– user-defined types.
• Subschema usage
• Creation of views
• Creation of triggers
• Row-level security of the database

• The list of requirements for database security:
• Physical database integrity: a primary concern of the database administrator.
  • Immunity to physical catastrophe, physically securing hardware, regular backups.
  Example: Power failure; system programmers, internal auditors, applications programmers, and data processing managers cannot use programs effectively.
• Logical database integrity: The structure of the database is preserved.
  • That is, modification of one field does not affect other fields. Reconstruction ability: maintain a log of transactions, replay the log to restore the system to a stable point.
• Element integrity: The data contained in each element must be accurate.
  • The integrity of specific database elements is their correctness or accuracy.
  • Field checks
    – allow only acceptable values
  • Access controls
    – allow only authorized users to update elements
  • Change log
    – used to undo changes made in error
  • Referential integrity (key integrity concerns)
  • Two-phase locking process
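
The field check and change log from the list above, as an added example (not part of the original slides) using Python's built-in sqlite3 module. The `employee` and `change_log` tables, the salary range and the sample row are constructed for illustration; SQLite has no user accounts, so the access-control item is not shown.

```python
import sqlite3

SCHEMA = """
CREATE TABLE employee (
    id     INTEGER PRIMARY KEY,
    name   TEXT NOT NULL,
    salary INTEGER NOT NULL CHECK (salary BETWEEN 0 AND 500000)  -- field check
);
CREATE TABLE change_log (
    seq        INTEGER PRIMARY KEY AUTOINCREMENT,
    emp_id     INTEGER NOT NULL,
    old_salary INTEGER NOT NULL,
    new_salary INTEGER NOT NULL
);
-- Change log: record the old and new value on every salary update.
CREATE TRIGGER log_salary AFTER UPDATE OF salary ON employee
BEGIN
    INSERT INTO change_log (emp_id, old_salary, new_salary)
    VALUES (OLD.id, OLD.salary, NEW.salary);
END;
INSERT INTO employee VALUES (1, 'Abebe', 42000);  -- constructed sample row
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def salary_of(db, emp_id):
    return db.execute("SELECT salary FROM employee WHERE id = ?", (emp_id,)).fetchone()[0]

def set_salary(db, emp_id, salary):
    """Return True if the update passed the field check, False if it was rejected."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute("UPDATE employee SET salary = ? WHERE id = ?", (salary, emp_id))
        return True
    except sqlite3.IntegrityError:
        return False

def undo_last_change(db, emp_id):
    """Restore the value saved by the newest log entry (the undo is itself logged)."""
    row = db.execute("SELECT old_salary FROM change_log WHERE emp_id = ? "
                     "ORDER BY seq DESC LIMIT 1", (emp_id,)).fetchone()
    if row is None:
        return False
    return set_salary(db, emp_id, row[0])
```
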
• Auditability – It is possible to track who or what has accessed or modified the elements in the database. Log reads/writes to the database.
• Access control – A user is allowed to access only authorized data.
• User authentication – The user has to be positively identified for authorized data access.
• Availability – A user can access all the data for which he has access.

• Reliability and integrity: the database guards against loss or damage.
• Database concerns about reliability and integrity can be viewed from three dimensions:
  • Database integrity: the whole database is protected against damage (e.g. disk failure, corruption of data).
  • Element integrity: a specific data value is changed by authorized users.
  • Element accuracy: only correct values are written into the elements of the database.
• SQL/NoSQL injection attacks
  • A database-specific threat, these involve the insertion of arbitrary SQL or non-SQL attack strings into database queries served by web applications or HTTP headers.
• Denial of service (DoS/DDoS) attacks
  • The attacker deluges the target server (in this case the database server) with so many requests that the server can no longer fulfill legitimate requests from actual users, and, in many cases, the server becomes unstable or crashes.
• Attacks on backups
  • Organizations that fail to protect backup data with the same stringent controls used to protect the database itself can be vulnerable to attacks on backups.
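
For the SQL injection item above, an added example (not part of the original slides) that puts the string-concatenated query next to the parameterized form a defender should use. The `account` table, its rows and the crafted input are constructed for illustration and run against an in-memory SQLite database.

```python
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (username TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO account VALUES (?, ?)",
                   [("alice", 120), ("bob", 75), ("carol", 300)])  # constructed rows
    return db

def lookup_concatenated(db, username):
    """Vulnerable pattern: the input is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT username, balance FROM account WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    """Hardened pattern: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT username, balance FROM account WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

# Constructed input: the quote closes the string literal and the rest becomes
# a condition that is true for every row.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, CRAFTED))   # every account
    print("parameterized:", lookup_parameterized(db, CRAFTED))  # no rows
```
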
• Inference control in database security is a discipline that seeks to protect data so they can be published without revealing confidential information that can be linked to specific individuals among those to which the data correspond.
  • It must ensure information about individuals cannot be accessed.
  • It is a countermeasure to the statistical database security problem.
  • It is used to prevent the user from completing any inference channel.
  • It protects the sensitive information from indirect disclosure.
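
One common inference control for statistical queries is query-set-size restriction, shown here as an added example that is not part of the original slides: an aggregate is answered only when the number of matching records lies between k and n - k. The records, the threshold `MIN_SET` and the function names are constructed for illustration.

```python
from statistics import mean

# Constructed sample table: (name, department, sex, salary)
RECORDS = [
    ("Abel", "sales", "M", 30000), ("Bethel", "sales", "F", 32000),
    ("Chala", "sales", "M", 31000), ("Dawit", "sales", "M", 29000),
    ("Eden", "finance", "F", 52000), ("Fikru", "finance", "M", 50000),
    ("Genet", "finance", "M", 51000), ("Hana", "sales", "F", 33000),
]
MIN_SET = 2  # hypothetical threshold k

def average_salary(predicate, k=MIN_SET):
    """Return AVG(salary) over matching records, or None if the query is refused.

    Refused when fewer than k records match (the answer would describe an
    individual) or more than n - k match (subtracting the answer from the
    overall total would describe the few records left out).
    """
    matched = [r[3] for r in RECORDS if predicate(r)]
    n = len(RECORDS)
    if len(matched) < k or len(matched) > n - k:
        return None
    return mean(matched)

def in_sales(r):
    return r[1] == "sales"

def female_in_finance(r):       # matches exactly one person
    return r[1] == "finance" and r[2] == "F"

def everyone_else(r):           # complement of the query above
    return not female_in_finance(r)

if __name__ == "__main__":
    print(average_salary(in_sales))            # answered
    print(average_salary(female_in_finance))   # refused: set too small
    print(average_salary(everyone_else))       # refused: set too large
```

Size restriction on its own does not close every inference channel, because several permitted answers can still be combined, so it is normally used together with auditing of query history.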
• Databases that contain objects with different levels of confidentiality and register subjects with different abilities.
• A multilevel database provides granular security for data depending on the sensitivity of the data field and clearance of the user for both writing and reading data.

• Multilevel security is a security policy that allows you to classify objects and users based on a system of hierarchical security levels and a system of non-hierarchical security categories.
  • It provides the capability to prevent unauthorized users from accessing information at a higher classification than their authorization, and prevents users from declassifying information.
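
The label comparison behind this policy, as an added example that is not part of the original slides: a label is a hierarchical level plus a set of non-hierarchical categories, and one label dominates another when its level is at least as high and its categories include the other's. The level names, categories and rows are constructed, and the write rule (write only to objects whose label dominates the user's) is an assumed Bell-LaPadula-style way to enforce "no declassification".

```python
from dataclasses import dataclass

# Hypothetical hierarchical levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """True if this label is at least as high and covers all of other's categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def can_read(subject, obj):
    # No read up: the user's label must dominate the row's label.
    return subject.dominates(obj)

def can_write(subject, obj):
    # No write down: the row's label must dominate the user's label, so a
    # user cannot copy data into a lower classification.
    return obj.dominates(subject)

def visible_rows(subject, rows):
    """Row-level filter applied automatically, without per-user views."""
    return [name for name, label in rows if can_read(subject, label)]

# Constructed sample rows: (description, label)
ROWS = [
    ("payroll summary", Label("CONFIDENTIAL", frozenset({"HR"}))),
    ("merger plan", Label("SECRET", frozenset({"FINANCE"}))),
    ("cafeteria menu", Label("UNCLASSIFIED")),
]

if __name__ == "__main__":
    hr_officer = Label("SECRET", frozenset({"HR"}))
    print(visible_rows(hr_officer, ROWS))               # merger plan is hidden
    print(can_write(hr_officer, Label("UNCLASSIFIED")))  # False: would declassify
```
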

Multilevel security offers the following advantages:
• Multilevel security enforcement is mandatory and automatic.
• It can use methods that are difficult to express through traditional SQL views or queries.
• It does not rely on special views or database variables to provide row-level security control.
• Its controls are consistent and integrated across the system, so that you can avoid defining users and authorizations more than once.
• It does not allow users to declassify information.

Quiz (5%)

1. What are the goals of database security?
2. List at least four control methods of database security.
3. List the types of access control systems.
4. Define database security.