
18CSE455T – DATABASE SECURITY AND PRIVACY

References :

1) Hassan A. Afyouni, “Database Security and Auditing”, Third Edition, Cengage Learning, 2009
2) Charu C. Aggarwal, Philip S. Yu, “Privacy Preserving Data Mining: Models and Algorithms”, Kluwer Academic Publishers, 2008
3) Ron Ben Natan, “Implementing Database Security and Auditing”, Elsevier Digital Press, 2005.

M.Karthikeyan /AP/CSE/SRMIST
15CS338E – DATABASE SECURITY AND PRIVACY
UNIT I : SECURITY ARCHITECTURE & OPERATING SYSTEM SECURITY
FUNDAMENTALS
 Security Architecture:
 Introduction
 Information Systems
 Database Management Systems
 Information Security Architecture
 Database Security
 Asset Types and value
 Security Methods
 Operating System Security Fundamentals:
 Introduction
 Operating System Overview
 Security Environment
 Components
 Authentication Methods
 User Administration
 Password Policies
 Vulnerabilities
 E-mail Security
Security Architecture: Introduction

 Security means avoiding unauthorised access (for a limited time duration; security is not guaranteed permanently)
 There is no 100% security in any kind of software or hardware.
 Security violations and attacks are increasing globally at an average rate of 20%.
 Statistics show that virus alerts, e-mail spamming, identity theft, data theft and other types of security breaches are on the rise.
 Database security is the degree to which all the data is fully protected from tampering or unauthorised acts.
 The great challenge is to develop a new database security policy to secure data and prevent data integrity violations.
 Most DBMSs did not have a security mechanism for authentication and encryption until recently.
Information Systems
 In today’s global market, corporate companies all over the world compete to gain a portion of market share.
 Wise decisions are not made without accurate and timely information.
 At the same time, the integrity of that information is even more important.
 The integrity of the information depends on the integrity of its data source and the reliable processing of the data.
 Data is processed and transformed by a collection of components working together to produce and generate accurate information. These components are known as an INFORMATION SYSTEM.
Information Systems …
 An information system can be the backbone of the day-to-day operations of a company as well as the beacon of its long-term strategies and vision.
 Information systems are categorized based on usage.
 The following figure shows the typical use of system applications at various management levels.
Information Systems …

 Information systems are mainly classified into three categories:

1) Transaction Processing System (TPS)
2) Decision Support System (DSS)
3) Expert System (ES)
Information Systems …
Characteristics of Information System categories

Category: Transaction Processing System (TPS)
 Characteristics:
 Also known as ONLINE TRANSACTION PROCESSING (OLTP)
 Used for operational tasks
 Provides solutions for structured problems
 Includes business transactions
 Logical components of TPS applications are derived from business procedures, business rules and policies
 Typical applications:
 Order tracking
 Customer service
 Payroll
 Accounting
 Student registration
 Sales

Category: Decision Support System (DSS)
 Characteristics:
 Deals with nonstructured problems and provides recommendations or answers to solve these problems
 Is capable of “What-if?” analysis
 Contains a collection of business models
 Is used for tactical management tasks
 Typical applications:
 Risk management
 Fraud detection
 Sales forecasting
 Case resolution
Information Systems …
Characteristics of Information System categories …

Category: Expert System (ES)
 Characteristics:
 Captures the reasoning of human experts
 Executive Expert Systems (EESs) are a type of expert system used by top-level management for strategic management goals
 A branch of Artificial Intelligence within the field of computer science
 Software consists of: Knowledge Base, Inference Engine, Rules
 People consist of: Domain Experts, Knowledge Engineers, Power Users
 Typical applications:
 Virtual University Simulation
 Financial Enterprise
 Statistical Trading
 Loan Expert
 Market Analysis
Information Systems …
Components of Information System

 Data – The information stored in the database for future reference or processing
 Procedures – Manuals, guidelines, business rules and policies
 Hardware – Computer system, fax, scanner, printer, disk
 Software – DBMS, OS, programming languages, other utilities or tools
 Network – Communication infrastructure
 People – DBA, system admin, programmers, users, business analyst, system analyst
Database Management System
Database :

 A collection of meaningful, interrelated information
 It is both physical and logical
 Represents the logical information in a physical device
 Mainly used for storing and retrieving the data for processing
 Uses a CLIENT / SERVER architecture
 Request and reply protocols are used for communication between client and server
Database Management System …
DBMS

 A set of programs to access the database for data manipulation or processing
 A DBMS contains information about a particular enterprise
 A DBMS provides an environment that is both convenient and efficient to use

Purpose of DBMS (problems of file-based data handling that a DBMS addresses)

 Data redundancy and inconsistency
 Difficulty in accessing data
 Data isolation – multiple files and formats
 Integrity problems
 Atomicity of updates
 Concurrent access by multiple users
 Security problems

Database Management System …

DBMS Architecture
Information Security Architecture

Information Security

 Information is one of the most valuable assets in an organization
 Many companies have an Information Security Department
 Information security consists of the procedures and measures taken to protect each component of the information system involved in protecting information
 According to the National Security Telecommunications and Information Systems Security Committee (NSTISSC), information security is described by the concept of the CIA triangle, in which “C” stands for “Confidentiality”, “I” stands for “Integrity” and “A” stands for “Availability”
Information Security Architecture …
CIA Triangle

Confidentiality
 Information is classified into different levels of confidentiality to ensure that only authorised users access the information

Integrity
 Information is accurate and protected from tampering by unauthorised persons
 Information is consistent and validated

Availability
 Information is available at all times, but only to authorised and authenticated persons
 The system is protected from being shut down due to external or internal threats or attacks
Information Security Architecture …

Confidentiality
 Privacy laws
 Confidential classification
 Policies and procedures
 Access rights
 Customer concerns
 Social and cultural issues

Integrity
 Security technology
 Security models
 Cryptography technology
 DBMS technology
 Database and data design
 Application technology

Availability
 Threats and attacks
 System vulnerabilities
 Authorization methodology
 Authentication technology
 Network interface
 Disaster and recovery strategy

Information Security Architecture

[Figure: Information security architecture – logical and physical assets]
Information Security Architecture …
Components of Information Security Architecture
 Policies and procedures
- Documented procedures and company policies that elaborate on how security is to be carried out
 Security personnel and administrators
- People who enforce and keep security in order
 Detection equipment
- Devices that authenticate employees and detect equipment that is prohibited by the company
 Security programs
- Tools that protect computer systems and servers
 Monitoring equipment
- Devices that monitor physical properties, employees and other important assets
 Monitoring applications
- Utilities and applications used to monitor network traffic and Internet activities
 Auditing procedures and tools
- Checks and controls put in place to ensure that security measures are working
Database Security
 One of the functions of the DBMS is to empower the DBA to implement and enforce security at all levels
 A security access point is a place where database security must be protected and applied
 The security access points are illustrated in the figure below
Database Security Access Points
 People – Individuals who have been granted privileges and permissions to access networks, workstations, servers, databases, data files and data
 Applications – Application design and implementation, which includes the privileges and permissions granted to people
 Network – One of the most sensitive security access points. Protect the network and provide network access only to applications, operating systems and databases.
 Operating systems – This access point is defined as authentication to the system, the gateway to the data
 DBMS – The logical structure of the database, which includes memory, executables and other binaries
 Data files – Another access point that influences database security enforcement is access to the data files where the data resides.
 Data – The data access point deals with the data design needed to enforce data integrity

Database security enforcement
Data Integrity violation process
 Security gaps are points at which security is missing and the system is vulnerable.
 Vulnerabilities are kinks in the system that must be watched because they can become threats.
 In the world of information security, a threat is defined as a security risk that has a high possibility of becoming a system breach.

Database Security Levels
Menaces to Databases

 Security vulnerability
– A weakness in any of the information system components that can be exploited to violate the integrity, confidentiality, or accessibility of the system
 Security threat
– A security violation or attack that can happen at any time because of a security vulnerability
 Security risk
– A known security gap that a company intentionally leaves open
Types of Vulnerabilities
 Vulnerability means “susceptible to attacks” (Source: www.dictionary.com)
 Intruders, attackers and assailants exploit vulnerabilities in the database environment to prepare and start their attacks.
 Hackers usually explore the weak points of a system until they gain entry
 Once the intrusion point is identified, hackers unleash their array of attacks:
 Virus
 Malicious code
 Worms
 Other unlawful violations
 To protect the system, the administrator should understand the types of vulnerabilities
 The figure below shows the types of vulnerabilities
Types of Vulnerabilities …

Category: Installation and Configuration
 Description:
 Results from default installation
 Configuration that is known publicly
 Does not enforce any security measures
 Improper configuration or installation may result in security risks
 Examples:
 Incorrect application configuration
 Failure to change default passwords
 Failure to change default privileges
 Using the default installation, which does not enforce high security measures

Category: User Mistakes
 Description:
 Security vulnerabilities are tied to humans too
 Carelessness in implementing procedures
 Failure to follow through
 Accidental errors
 Examples:
 Lack of auditing controls
 Untested recovery plan
 Lack of activity monitoring
 Lack of protection against malicious code
 Lack of applying patches as they are released
 Bad authentication or implementation
 Social engineering
 Lack of technical information
 Susceptibility to scams
Types of Vulnerabilities …

Category: Software
 Description:
 Vulnerabilities found in commercial software for all types of programs (applications, OS, DBMS, etc.)
 Examples:
 Software patches that are not applied
 Software contains bugs
 System administrators do not keep track of patches

Category: Design and Implementation
 Description:
 Related to improper software analysis and design as well as coding problems and deficiencies
 Examples:
 System design errors
 Exceptions and errors are not handled in development
 Input data is not validated
Types of threats

 Threat is defined as “an indication of impending danger or harm”
 Vulnerabilities can escalate into threats
 The DBA and IS administrator should be aware of vulnerabilities and threats
 Four types of threats contribute to security risks, as shown in the figure below

Types of threats, definitions and examples

Threat type: People
 Definition: People intentionally or unintentionally inflict damage, violation or destruction to all or any of the database components (people, applications, networks, OS, DBMS, data files or data)
 Examples:
 Employees
 Govt. authorities or persons who are in charge
 Contractors
 Consultants
 Visitors
 Hackers
 Organised criminals
 Spies
 Terrorists
 Social engineers

Threat type: Malicious Code
 Definition: Software code that in most cases is intentionally written to damage or violate one or more database environment components (people, applications, networks, OS, DBMS, data files or data)
 Examples:
 Viruses
 Boot sector viruses
 Worms
 Trojan horses
 Spoofing code
 Denial-of-service flood
 Rootkits
 Bots
 Bugs
 E-mail spamming
 Back door
Types of threats, definitions and examples

Threat type: Natural Disasters
 Definition: Calamities caused by nature, which can destroy any or all of the database components (people, applications, networks, OS, DBMS, data files or data)
 Examples:
 Hurricanes
 Tornados
 Earthquakes
 Lightning
 Flood
 Fire

Threat type: Technological Disasters
 Definition: Often caused by some sort of malfunction in equipment or hardware. Technological disasters can inflict damage to networks, OS, DBMS, data files or data
 Examples:
 Power failure
 Media failure
 Hardware failure
 Network failure
Examples of Malicious Code
 Virus – Code that compromises the integrity and state of the system
 Boot sector virus – Code that compromises the segment of the hard disk that contains the program used to start the computer
 Worm – Code that disrupts the operation of the system
 Trojan horse – Malicious code that penetrates a computer system or network by pretending to be legitimate code
 Spoofing code – Malicious code that looks like legitimate code
 Denial-of-service flood – The act of flooding a web site or network system with many requests with the intent of overloading the system and forcing it to deny service to legitimate requests
 Rootkits and bots – Malicious or legitimate code that performs such functions as automatically retrieving and collecting information from computer systems
 Bugs – Code that is faulty due to bad design, logic or both
 E-mail spamming – E-mail that is sent to many recipients without their permission
 Back door – An intentional design element of software that allows developers of the system to gain access to the application for maintenance or technical problems
Types of Threats

 Risks are simply a part of doing business
 Managers at all levels are constantly working to assess and mitigate risks to ensure the continuity of the department’s operations.
 Administrators should understand the weaknesses and threats related to the system
 Categories of database security risks are shown in the figure below

Definitions and examples of Risk types

Risk type: People
 Definition: The loss of people who are vital components of the database environment and know critical information can create risks
 Examples:
 Loss of key persons (resignation, migration, health problems)
 Key person downtime due to sickness, personal or family problems, or burnout

Risk type: Hardware
 Definition: A risk that mainly results in hardware unavailability or interoperability problems
 Examples:
 Downtime due to hardware failure, malfunctions, or inflicted damage
 Failure due to unreliable or poor-quality equipment

Risk type: Data
 Definition: Data loss or data integrity is a major concern of the database administration and management
 Examples:
 Data loss
 Data corruption
 Data privacy loss

Risk type: Confidence
 Definition: The loss of public confidence in the data produced by the company causes a loss of public confidence in the company itself
 Examples:
 Loss of procedural and policy documentation
 DB performance degradation
 Fraud
 Confusion and uncertainty about

Integration of security vulnerabilities, threats and risks in a database
Asset Types and Their Values

 People always tend to protect assets regardless of what they are
 Corporations treat their assets in the same way
 Assets are the infrastructure of the company’s operation
 There are four main types of assets:
 Physical assets – Also known as tangible assets; these include buildings, cars, hardware and so on
 Logical assets – Logical aspects of an information system such as business applications, in-house programs, purchased software, OS, DBs, data
 Intangible assets – Business reputation, quality, and public confidence
 Human assets – Human skills, knowledge and expertise
Database Security Methods
Security methods used to protect database environment components

Database component protected: People
 Physical limits on access to hardware and documents
 Through the process of identification and authentication, make certain that the individual is who he claims to be, through the use of devices such as ID cards, eye scans, and passwords
 Training courses on the importance of security and how to guard assets
 Establishment of security policies and procedures

Database component protected: Applications
 Authentication of users who access applications
 Business rules
 Single sign-on (a method for signing on once for different applications and web sites)

Database component protected: Network
 Firewalls to block network intruders
 Virtual Private Network (VPN)
 Authentication

Database Security Methods …

Database component protected: OS
 Authentication
 Intrusion detection
 Password policies
 User accounts

Database component protected: DBMS
 Authentication
 Audit mechanism
 Database resource limits
 Password policy

Database component protected: Data files
 File permissions
 Access monitoring

Database component protected: Data
 Data validation
 Data constraints
 Data encryption
 Data access
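The “Data” row of the table above lists data validation, data constraints and data access as security methods. The following added example (written for this page, not taken from the course slides or the referenced textbooks) shows what those methods look like when they are enforced inside the database itself, using the sqlite3 module from the Python standard library: NOT NULL, UNIQUE and CHECK constraints reject invalid rows no matter which application wrote them, and parameterised queries keep user-supplied text from altering the structure of a statement. The accounts table, its rules and every sample row are constructed for the example.

```python
# Added example (not from the course slides): enforcing the "Data" security
# methods (validation, constraints, controlled access) at the database layer
# with sqlite3. The accounts table, its rules and all sample rows are
# constructed for this example.
import sqlite3

SCHEMA = """
CREATE TABLE accounts (
    id       INTEGER PRIMARY KEY,
    username TEXT    NOT NULL UNIQUE
                     CHECK (length(username) BETWEEN 3 AND 32),
    email    TEXT    NOT NULL CHECK (email LIKE '%_@_%.__%'),
    balance  INTEGER NOT NULL DEFAULT 0 CHECK (balance >= 0),
    status   TEXT    NOT NULL DEFAULT 'active'
                     CHECK (status IN ('active', 'locked'))
);
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with the constraints above already applied."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_account(conn, username, email, balance=0) -> bool:
    """Insert a row; the NOT NULL / UNIQUE / CHECK rules decide whether it is accepted."""
    try:
        with conn:  # commit on success, roll back on error
            conn.execute(
                "INSERT INTO accounts (username, email, balance) VALUES (?, ?, ?)",
                (username, email, balance),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def withdraw(conn, username, amount) -> bool:
    """Debit an account; the balance >= 0 constraint rejects an overdraft atomically."""
    try:
        with conn:
            cur = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE username = ?",
                (amount, username),
            )
            return cur.rowcount == 1
    except sqlite3.IntegrityError:
        return False


def get_balance(conn, username):
    """Parameterised lookup: the username is bound as data, never spliced into SQL."""
    row = conn.execute(
        "SELECT balance FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    db = open_db()
    print(add_account(db, "alice", "alice@example.com", 100))    # True
    print(add_account(db, "alice", "dup@example.com"))           # False: UNIQUE
    print(add_account(db, "ab", "ab@example.com"))               # False: too short
    print(add_account(db, "carol", "not-an-email"))              # False: email CHECK
    print(add_account(db, "dave", "dave@example.com", -5))       # False: negative
    print(withdraw(db, "alice", 30), get_balance(db, "alice"))   # True 70
    print(withdraw(db, "alice", 500), get_balance(db, "alice"))  # False 70
    print(get_balance(db, "alice' OR '1'='1"))                   # None
```

The constraints live in the schema rather than in application code, so a second application, an ad-hoc client or a mistaken script cannot bypass them; the overdraft attempt fails inside the UPDATE and the balance is untouched. The last lookup shows why the “Data access” method favours bound parameters: the quoted text is matched literally as a username and simply finds nothing.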
Database Security Methodology
The figure below presents the database security methodology side by side with the software development life cycle (SDLC) methodology
Database Security Methodology…
The following list presents the definition of each phase of the database security methodology

 Identification – Entails the identification and investigation of the resources required and the policies to be adopted
 Assessment – This phase includes analysis of vulnerabilities, threats and risks for both aspects of DB security:
 Physical – Data files
 Logical – Memory and code
 Design – This phase results in a blueprint of the adopted security model that is used to enforce the security
 Implementation – Code is developed or tools are purchased to implement the blueprint outlined in the previous phase
 Evaluation – Evaluate the security implementation by testing the system against attacks, hardware failure, natural disasters and human errors
 Auditing – After the system goes into production, security audits should be performed periodically to ensure the security state of the system
Database Security Definition Revisited

At the start of the chapter, database security was defined as “the degree to which all the data is fully protected from tampering and unauthorised acts”.

After discussing database security, the various information systems and information security at length, the definition of database security can be expanded as follows:

Database security is a collection of security policies and procedures, data constraints, security methods and security tools blended together to implement all necessary measures to secure the integrity, accessibility and confidentiality of every component of the database environment.
Operating System Security Fundamentals

An Operating System (OS) is a collection of programs that allows the user to operate the computer hardware.

 The OS is also known as the “RESOURCE MANAGER”
 The OS is one of the main access points to the DBMS
 A computer system has three layers:
 The inner layer represents the hardware
 The middle layer is the OS
 The outer layer is all the different software
Operating System Security Fundamentals …

An OS has a number of key functions and capabilities, as outlined in the following list:

 Multitasking
 Multisharing
 Managing computer resources
 Controlling the flow of activities
 Providing a user interface to operate the computer
 Administering user actions and accounts
 Running software utilities and programs
 Providing functionality to enforce security measures
 Scheduling the jobs and tasks to be run
 Providing tools to configure the OS and hardware
Operating System Security Fundamentals …

There are different vendors of OS:

 Windows by Microsoft
 UNIX by companies such as Sun Microsystems, HP and IBM
 LINUX “flavours” from various vendors such as Red Hat
 Macintosh by Apple
The OS Security Environment

 A compromised OS can compromise a database environment
 Physically protect the computer running the OS (padlocks, chain locks, guards, cameras)
 Model:
 Bank building – OS
 Safe – DB
 Money – Data
The Components of an OS Security Environment

 The three components (layers) of the OS are represented in the figure
 The memory component is the hardware memory available on the system
 The files component consists of the files stored on disk
 The services component comprises such OS features and functions as network services, file management and web services
Services

 The main component of the OS security environment is services.
 It consists of the functionality that the OS offers as part of its core utilities.
 Users employ these utilities to gain access to the OS and all the features the users are authorised to use.
 If the services are not secured and configured properly, each service becomes a vulnerability and access point and can lead to a security threat.
Files
 Files are another component of the OS.
 Three file-related actions are relevant to security:
 File permission
 File transfer
 File sharing
Files …
File Permission
• Every OS has a method of implementing file permissions to grant read, write or execute privileges to different users.
• The following figure shows how file permissions are assigned to a user in Windows
Files …
 In UNIX, file permissions work differently than in Windows.
 For each file there are three permission settings
 Each setting consists of rwx (r – read, w – write and x – execute)
1. The first rwx applies to the owner of the file
2. The second rwx applies to the group to which the owner belongs
3. The third rwx applies to all other users
 The given image gives the details of UNIX file permissions.
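The following added example (written for this page, not code from the slides or the referenced textbooks) parses the three rwx triplets described above into the owner, group and other permission digits and then answers the practical question an administrator asks: may this user read, write or execute this file? It also makes one rule explicit that the three-line list leaves implicit: UNIX consults exactly one triplet for a given user, so an owner whose own triplet is `---` is denied even if the group or other triplets would allow access. The users, groups and file entries are constructed sample data.

```python
# Added example (not from the course slides): parse the three rwx triplets of
# a UNIX permission string and decide whether a given user may read, write or
# execute the file. Users, groups and files below are constructed sample data.
from dataclasses import dataclass, field

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_mode(mode: str) -> tuple:
    """'rwxr-x---' or the ls -l form '-rwxr-x---' -> (owner, group, other) digits.
    Setuid/setgid/sticky markers (s, S, t, T) are not handled by this parser."""
    if len(mode) == 10:          # ls -l prefixes a file-type character (-, d, l, ...)
        mode = mode[1:]
    if len(mode) != 9:
        raise ValueError(f"bad mode string: {mode!r}")
    digits = []
    for triple in (mode[0:3], mode[3:6], mode[6:9]):
        value = 0
        for ch, expected in zip(triple, "rwx"):
            if ch == expected:
                value |= PERM_BITS[ch]
            elif ch != "-":
                raise ValueError(f"unexpected {ch!r} in {mode!r}")
        digits.append(value)
    return tuple(digits)


def to_octal(mode: str) -> str:
    """Octal form as used by chmod, e.g. 'rwxr-x---' -> '750'."""
    return "".join(str(d) for d in parse_mode(mode))


@dataclass
class FileEntry:
    path: str
    mode: str
    owner: str
    group: str


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


def can_access(user: User, entry: FileEntry, want: str) -> bool:
    """want is 'r', 'w' or 'x'. Only ONE triplet is consulted: the owner triplet
    if the user owns the file, else the group triplet if the user is in the
    file's group, else the 'other' triplet. An owner with owner bits '---' is
    therefore denied even when group or other bits would allow access."""
    owner, group, other = parse_mode(entry.mode)
    if user.name == entry.owner:
        applicable = owner
    elif entry.group in user.groups:
        applicable = group
    else:
        applicable = other
    return bool(applicable & PERM_BITS[want])


if __name__ == "__main__":
    report = FileEntry("/data/report.csv", "-rw-r-----", owner="alice", group="staff")
    alice, bob, carol = User("alice", {"staff"}), User("bob", {"staff"}), User("carol")
    print(to_octal(report.mode))                                        # 640
    print(can_access(alice, report, "w"))                               # True
    print(can_access(bob, report, "r"), can_access(bob, report, "w"))   # True False
    print(can_access(carol, report, "r"))                               # False
```

The octal digits are simply the sum of the bits in each triplet (r=4, w=2, x=1), which is why `chmod 640` and `rw-r-----` describe the same setting; the `can_access` function is the check to reach for when reviewing whether a data file such as a database backup is readable by anyone outside its owning group.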
Files …

 File transfer – moving a file from one location to another on a disk, the web or the cloud
 FTP is an Internet service that allows transferring files from one computer to another
 FTP clients and servers transmit usernames and passwords in plaintext format (not encrypted). This means any hacker can sniff the network traffic and obtain the logon information easily.
 Files are also transferred in plaintext format
 A root account cannot be used to transfer files using FTP
 Anonymous FTP is the ability to log on to the FTP server without being authenticated.
 This method is usually used to provide access to files in the public domain.
Files …
 Here are some best practices for transferring files:
 Never use the normal FTP utility. Instead, use the secure FTP utility, if possible.
 Make two FTP directories: one for file uploads with write permission only and another for file downloads with read permission only.
 Use specific accounts for FTP that do not have access to any files or directories outside the UPLOAD and DOWNLOAD directories.
 Turn on logging, and scan the FTP logs for unusual activities on a regular basis.
 Allow only authorized operators to have FTP privileges.
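The last three practices above (dedicated accounts confined to the upload and download directories, logging, and regular review of the logs) can be checked mechanically. The added example below (written for this page, not code from the slides or the referenced textbooks) scans a short FTP log and reports the activities that violate them: anonymous sessions, login attempts against privileged account names, bursts of failed logins from one address, writes anywhere except the upload directory, reads from the upload directory, and any path outside the two FTP directories. The log line format, the directory names, the accounts and the addresses are all constructed for the example; a real server will need its own regular expression.

```python
# Added example (not from the course slides): a small scanner for FTP server
# logs that checks the best practices above. The log format, directory names,
# accounts and addresses are constructed for this example; adapt LOG_RE to the
# real server's log format before use.
import re
from collections import Counter
from dataclasses import dataclass

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) "
    r"(?P<event>LOGIN_OK|LOGIN_FAIL|UPLOAD|DOWNLOAD|DELETE)(?: (?P<path>\S+))?$"
)

# Constructed sample log: one legitimate operator session, a password-guessing
# burst against privileged names, an anonymous session and two misplaced transfers.
SAMPLE_LOG = """
2024-03-01T09:00:01 10.0.0.5 opsftp LOGIN_OK
2024-03-01T09:00:07 10.0.0.5 opsftp UPLOAD /ftp/upload/report.csv
2024-03-01T09:01:10 10.0.0.5 opsftp DOWNLOAD /ftp/download/schema.sql
2024-03-01T09:05:00 198.51.100.7 root LOGIN_FAIL
2024-03-01T09:05:02 198.51.100.7 root LOGIN_FAIL
2024-03-01T09:05:04 198.51.100.7 admin LOGIN_FAIL
2024-03-01T09:05:06 198.51.100.7 admin LOGIN_FAIL
2024-03-01T09:10:00 10.0.0.9 anonymous LOGIN_OK
2024-03-01T09:10:30 10.0.0.9 anonymous DOWNLOAD /ftp/upload/report.csv
2024-03-01T09:12:00 10.0.0.5 opsftp UPLOAD /ftp/download/patch.exe
2024-03-01T09:15:00 10.0.0.5 opsftp DOWNLOAD /etc/passwd
""".strip().splitlines()


@dataclass
class Finding:
    kind: str
    ip: str
    user: str
    detail: str


def _inside(path: str, directory: str) -> bool:
    return path == directory or path.startswith(directory.rstrip("/") + "/")


def scan_ftp_log(lines, upload_dir="/ftp/upload", download_dir="/ftp/download",
                 fail_threshold=3, privileged=("root", "admin")):
    """Return a list of Findings for the unusual activities the slides describe."""
    findings = []
    fails = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append(Finding("unparsable-line", "-", "-", line))
            continue
        ip, user, event, path = m["ip"], m["user"], m["event"], m["path"]
        if event in ("LOGIN_OK", "LOGIN_FAIL"):
            if event == "LOGIN_FAIL":
                fails[ip] += 1
            if user == "anonymous":
                findings.append(Finding("anonymous-login", ip, user, event))
            if user in privileged:
                findings.append(Finding("privileged-account-login", ip, user, event))
            continue
        if path is None:  # a transfer event without a path is malformed
            findings.append(Finding("unparsable-line", ip, user, line))
            continue
        # Transfer events: enforce the write-only upload / read-only download split.
        if event in ("UPLOAD", "DELETE") and not _inside(path, upload_dir):
            kind = "write-outside-upload-dir"
        elif event == "DOWNLOAD" and _inside(path, upload_dir):
            kind = "read-from-upload-dir"
        elif not (_inside(path, upload_dir) or _inside(path, download_dir)):
            kind = "path-outside-ftp-dirs"
        else:
            continue
        findings.append(Finding(kind, ip, user, f"{event} {path}"))
    for ip, n in fails.items():
        if n >= fail_threshold:
            findings.append(Finding("login-fail-burst", ip, "-", f"{n} failed logins"))
    return findings


if __name__ == "__main__":
    for f in scan_ftp_log(SAMPLE_LOG):
        print(f"{f.kind:28} {f.ip:14} {f.user:10} {f.detail}")
```

On the sample log the scanner raises nine findings: the four attempts against the root and admin names, the resulting failed-login burst from one address, the anonymous login and its read from the upload directory, the executable written into the download directory, and the read of a path outside both FTP directories. The first three lines, the legitimate operator session, produce nothing, which is the property a regular review relies on.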
Files …
 Sharing files naturally leads to security risks and threats
 Peer-to-peer technology is on the rise (and is very well developed now)
 Peer-to-peer programs allow users to share files over the Internet
 If you were to conduct a survey of users who use peer-to-peer programs, you would find that the majority of the users’ machines are infected with some sort of virus, spyware, or worm.
 Most companies prohibit the use of such programs.
 The main reasons for blocking these programs are:
 Malicious code
 Adware and spyware
 Privacy and confidentiality
 Pornography
 Copyright issues
Memory
 You may wonder how memory is an access point for security violations
 There are many badly written programs and utilities that could change the contents of memory, although these programs do not perform deliberately destructive acts.
 On the other hand, programs that intentionally damage or scan data in memory are the type that not only can harm data integrity, but may also exploit data for illegal use.
Authentication Methods

 Authentication is the fundamental service of the OS
 It is the process of verifying the user’s identity
 Most security administrators implement two types of authentication methods:
 The physical authentication method allows physical entrance to the company’s properties
 Most companies use magnetic cards and card readers to control entry to a building, office, laboratory or data center.
 The digital authentication method is a process of verifying the identity of the user by means of a digital mechanism or software
Digital Authentication used by many OS
 Digital Certificate
 Widely used in e-commerce
 Is a passport that identifies and verifies the holder of the certificate
 Is an electronic file issued by a trusted party (known as a certificate authority) and cannot be forged or tampered with.
 Digital Token (Security Token)
 Is a small electronic device that users keep with them to be used for authentication to a computer or network system.
 This device displays a unique number to the token holder, which is used as a PIN (Personal Identification Number) or password
 Digital Card
 Also known as a security card or smart card
 Similar to a credit card in dimensions, but instead of a magnetic strip it has an electronic circuit that stores the user identification information
 Kerberos
 Developed by the Massachusetts Institute of Technology (MIT), USA
 Enables two parties to exchange information over an open network by assigning a unique key, called a ticket, to each user.
 The ticket is used to encrypt communicated messages
Digital Authentication used by many OS …
 Lightweight Directory Access Protocol (LDAP)
 Developed by the University of Michigan, USA
 Uses a centralized directory database storing information about people, offices and machines in a hierarchical manner
 An LDAP directory can be easily distributed to many network servers.
 You can use LDAP to store information about:
• Users (user name and user id)
• Passwords
• Internal telephone directory
• Security keys
 LDAP is used for the following reasons:
• LDAP can be used across all platforms (OS independent)
• Easy to maintain
• Can be employed for multiple purposes
 The LDAP architecture is client / server based
Digital Authentication used by many OS …

 NTLM (NT LAN Manager)
 Was developed by Microsoft
 Employs a challenge / response authentication protocol that uses an encryption and decryption mechanism to send and receive passwords over the network.
 This method is no longer used or supported by new versions of the Windows OS
 Public Key Infrastructure (PKI)
 Also known as public key encryption
 It is a method in which a user keeps a private key and the authentication firm holds a public key.
 The private key is usually kept as a digital certificate on the user’s system.
 RADIUS (Remote Authentication Dial-In User Service)
 It is a method commonly used by a network device to provide a centralized authentication mechanism.
 It is client / server based: a dial-up server, a Virtual Private Network (VPN), or a wireless access point communicates with a RADIUS server
Digital Authentication used by many OS …

 SSL (Secure Sockets Layer)
 Was developed by Netscape Communications
 Provides secure communication between client and server.
 SSL is a method in which authentication information is transmitted over the network in encrypted form.
 Commonly used by websites to secure client communications.
 SRP (Secure Remote Password)
 Was developed by Stanford University, USA
 It is a protocol in which the password is not stored locally in encrypted or plain text form.
 Very easy to install.
 Does not require client or server configuration.
 This method is invulnerable to brute force or dictionary attacks.
Authorization

 Authentication is the process of proving that users really are who they claim to be.
 Authorization is the process that decides whether users are permitted to perform the functions they request.
 Authorization is not performed until the user is authenticated.
 Authorization deals with the privileges and rights that have been granted to the user.
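The added example below (written for this page, not code from the slides or the referenced textbooks) puts the four points above into working form: authentication verifies a password against a stored salted hash and hands back a session only on success, and authorization consults the privileges granted to that session’s user, refusing outright when there is no authenticated session. Passwords are never stored in clear, the comparison is constant-time, and unknown user names go through the same hash computation so that timing does not reveal which accounts exist. The user store, privilege names and passwords are constructed for the example.

```python
# Added example (not from the course slides): authentication (proving who the
# user is) as a separate step that must succeed before authorization (deciding
# what that user may do). Passwords are stored only as salted PBKDF2 hashes and
# compared in constant time. The user store, privilege names and passwords are
# constructed for this example.
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # PBKDF2 work factor; raise it on a real system


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass(frozen=True)
class Session:
    user: str  # a Session is only ever created for a user who has authenticated


class UserStore:
    def __init__(self):
        self._creds = {}   # name -> (salt, hash)
        self._privs = {}   # name -> set of granted privileges
        decoy_salt = os.urandom(16)
        self._decoy = (decoy_salt, hash_password("decoy", decoy_salt))

    def add_user(self, name, password, privileges=()):
        salt = os.urandom(16)  # unique salt per user
        self._creds[name] = (salt, hash_password(password, salt))
        self._privs[name] = set(privileges)

    def authenticate(self, name, password):
        """Return a Session on success, None otherwise. Unknown names go through
        the same hash computation so timing does not reveal which names exist."""
        salt, expected = self._creds.get(name, self._decoy)
        candidate = hash_password(password, salt)
        if name in self._creds and hmac.compare_digest(candidate, expected):
            return Session(name)
        return None

    def authorize(self, session, privilege) -> bool:
        """Authorization is never attempted without an authenticated session."""
        if session is None:
            return False
        return privilege in self._privs.get(session.user, set())


def build_demo_store() -> UserStore:
    store = UserStore()
    store.add_user("alice", "correct horse battery staple", {"SELECT", "INSERT"})
    store.add_user("bob", "bob-password-1", {"SELECT"})
    return store


if __name__ == "__main__":
    store = build_demo_store()
    s = store.authenticate("alice", "correct horse battery staple")
    print(store.authorize(s, "INSERT"))                                            # True
    print(store.authorize(store.authenticate("bob", "bob-password-1"), "INSERT"))  # False
    print(store.authenticate("alice", "wrong"))                                    # None
    print(store.authorize(None, "SELECT"))                                         # False
```

The ordering rule from the slide is enforced by the types rather than by convention: `authorize` needs a `Session`, and the only way to obtain one is a successful `authenticate` call, so a privilege check for an unauthenticated caller cannot succeed.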
User Administration

 Administrators use this functionality to create user accounts, set password policies and grant privileges to users.
 Improper use of this feature can lead to security risks and threats.
 Note: User administration and password policies will be discussed in the next unit (Chapter III and Chapter IV in the text book)
Vulnerabilities of OS
 The top vulnerabilities to Windows systems:
 IIS (Internet Information Server)
 MSSQL (Microsoft SQL Server)
 Windows Authentication
 IE (Internet Explorer)
 Windows Remote Access Services
 MDAC (Microsoft Data Access Components)
 WSH (Windows Scripting Host)
 Microsoft Outlook and Outlook Express
 Windows Peer-to-Peer File Sharing (P2P)
 SNMP (Simple Network Management Protocol)
 The top vulnerabilities to UNIX systems:
 BIND Domain Name System
 RPC (Remote Procedure Call)
 Apache Web Server
 General UNIX authentication accounts with no / weak passwords
 Clear text services
 Sendmail
 SNMP (Simple Network Management Protocol)
 Secure Shell
 Misconfiguration of Enterprise Services NIS / NFS
 OpenSSL (Secure Socket Layer)
E-mail Security

 E-mail may be the tool most frequently used by hackers to exploit viruses, worms,

and other computer system invaders.

 E-mail is widely used by public and private organizations as a means of communication

 E-mail was the medium used in many of the most famous worm and virus attacks

 For example :
 Love Bug Worm
 I LOVE YOU worm
 Mydoom worm
 Melissa virus

 E-mail is not only to used to send viruses and worms, nut to send spam e-mail, private and

confidential data as well as offensive messages

 To prevent from these activities ,


 Do not configure e-mail server on a machine in which the sensitive data resides
 Do not disclose the e-mail server technical details
15CS338E – DATABASE SECURITY AND PRIVACY

Prepared by
Dr. B. Muruganantham
Assistant Professor
Department of
Computer Science and Engineering
SRMIST, Chennai
References :

1) Hassan A. Afyouni, “Database Security and Auditing”, Third Edition, Cengage Learning, 2009
2) Charu C. Aggarwal, Philip S. Yu, “Privacy Preserving Data Mining: Models and Algorithms”, Kluwer Academic Publishers, 2008
3) Ron Ben Natan, “Implementing Database Security and Auditing”, Elsevier Digital Press, 2005.

26-10-2021 Dr. B. Muruganantham 2


15CS338E – DATABASE SECURITY AND PRIVACY
UNIT II : ADMINISTRATION OF USERS & PROFILES,
PASSWORD POLICIES,PRIVILEGES AND ROLES

 Administration of Users
 Introduction
 Authentication
 Creating Users
 SQL Server
 User Removing
 Modifying Users
 Default Users
 Remote Users
 Database Links
 Linked Servers
 Remote Servers
 Practices for administrators and Managers- Best Practices
 Profiles, Password Policies, Privileges and Roles
 Introduction
 Defining and Using Profiles
 Designing and Implementing Password Policies
 Granting and Revoking User Privileges
 Creating, Assigning and Revoking User Roles-Best Practices



Administration of Users

 Introduction
  Authentication and Authorization are essential services for every OS
  Another service is Administration of Users
  Administrators use this functionality for
   • Creating users
   • Setting password policies
   • Granting privileges



Documentation of User Administration

 At every type of organization, many security violations are caused by negligence and ignorance, and in particular by failing to consider documentation.

 Documentation is a main part of the administration process.

 These are the top three excuses for failing to incorporate documentation:
  Lack of time
  Belief that the administration process is already documented in the system
  Reluctance to complicate a process that is simple

 Everything is documented for two reasons:
  To provide a paper trail to retrace exactly what happened when a breach of security occurs
  To ensure administration consistency
Documentation of User Administration …

Documentation in the administration context includes the following:

 Administration Policies
  Documentation includes all policies for handling new and terminated employees, managers, system and database administrators, database managers, operation managers, and human resources.
  A detailed document should describe guidelines for every task that is required for all common administrative situations.

 Security Procedures
  This is an outline of a step-by-step process for performing administrative tasks according to company policies.

 Procedure implementation scripts and programs
  This is documentation of any script or program used to perform an administrative task.
  This includes the user manual and the operational manual.



Documentation of User Administration …

Documentation in the administration context includes the following …

 Predefined roles description
  This provides the full description of all predefined roles, outlining all tasks for which the role is responsible and the role's relationship to other roles.

 Administration staff and management
  This is usually a detailed description of each administration staff and management position.
  This document includes an organizational chart.



Documentation of User Administration …
Many companies develop procedures and forms used to perform any security-related process. The following figure presents a sample process of creating a database user account that you can customize per your business requirements and company policies.

1. Document Completion – DBA completes all the paperwork and documentation for the new employee
2. Access Identification – DBA provides a list of the access operations that are necessary for the employee to perform their job
3. Account Application Completion – DBA completes the database user account application form
4. Department Approval – DBA obtains the department manager's approval on the application
5. Operational Approval – DBA obtains the operational manager's approval on the application
6. Implement Access – DBA or operator creates the account
7. Test Access – Account holder verifies access



Creating users

 Creating users is one of the main tasks you will perform as a database operator or DBA.
 In most organizations, this process is standardized, well documented, and surely managed.
 The DBA had written a script to create a user for every developer working on the project.
 This script granted privileges to read and write data in the database schema.
 Regardless of the database you use, creating a user is generally an easy task once a policy is documented and followed.



Creating users …
Creating an ORACLE 10g User



Creating users …
user
 Specify the name of the user to be created. This name can contain only characters from your database character set and must follow the rules described in the section "Schema Object Naming Rules". Oracle recommends that the user name contain at least one single-byte character regardless of whether the database character set also contains multibyte characters.

IDENTIFIED Clause
 The IDENTIFIED clause lets you indicate how Oracle Database authenticates the user.

BY password
 The BY password clause lets you create a local user and indicates that the user must specify a password to log on to the database. Passwords are case sensitive. Any subsequent CONNECT string used to connect this user to the database must specify the password using the same case (upper, lower, or mixed) that is used in this CREATE USER statement or a subsequent ALTER USER statement. Passwords can contain any single-byte, multibyte, or special characters, or any combination of these, from your database character set.

EXTERNALLY Clause
 Specify EXTERNALLY to create an external user. Such a user must be authenticated by an external service, such as an operating system or a third-party service. In this case, Oracle Database relies on authentication by the operating system or third-party service to ensure that a specific external user has access to a specific database user.
Creating users …
AS 'certificate_DN'
 This clause is required for and used for SSL-authenticated external users only. The certificate_DN is the distinguished name in the user's PKI certificate in the user's wallet.

GLOBALLY Clause
 The GLOBALLY clause lets you create a global user. Such a user must be authorized by the enterprise directory service (Oracle Internet Directory).

DEFAULT TABLESPACE Clause
 Specify the default tablespace for objects that the user creates. If you omit this clause, then the user's objects are stored in the database default tablespace. If no default tablespace has been specified for the database, then the user's objects are stored in the SYSTEM tablespace.
 Restriction on Default Tablespaces: You cannot specify a locally managed temporary tablespace, including an undo tablespace, or a dictionary-managed temporary tablespace, as a user's default tablespace.



Creating users …
TEMPORARY TABLESPACE Clause
 Specify the tablespace or tablespace group for the user's temporary segments. If you omit this clause, then the user's temporary segments are stored in the database default temporary tablespace or, if none has been specified, in the SYSTEM tablespace.
 Specify tablespace to indicate the user's temporary tablespace.
 Specify tablespace_group_name to indicate that the user can save temporary segments in any tablespace in the tablespace group specified by tablespace_group_name.
 Restrictions on Temporary Tablespace: this clause is subject to the following restrictions:
  The tablespace must be a temporary tablespace and must have a standard block size.
  The tablespace cannot be an undo tablespace or a tablespace with automatic segment-space management.



Creating users …

 QUOTA Clause
  Use the QUOTA clause to specify the maximum amount of space the user can allocate in the tablespace.
  A CREATE USER statement can have multiple QUOTA clauses for multiple tablespaces.
  UNLIMITED lets the user allocate space in the tablespace without bound.
  Restriction on the QUOTA Clause: You cannot specify this clause for a temporary tablespace.

 PASSWORD EXPIRE Clause
  Specify PASSWORD EXPIRE if you want the user's password to expire. This setting forces the user or the DBA to change the password before the user can log in to the database.

 ACCOUNT Clause
  Specify ACCOUNT LOCK to lock the user's account and disable access. Specify ACCOUNT UNLOCK to unlock the user's account and enable access to the account.
Creating users …

 The following CREATE USER statement creates a user called bmnantha:

SQL> CREATE USER bmnantha IDENTIFIED BY bmnantha23
  2  DEFAULT TABLESPACE users
  3  TEMPORARY TABLESPACE temp
  4  QUOTA 25M ON users
  5  PROFILE default
  6  PASSWORD EXPIRE
  7  ACCOUNT UNLOCK
  8  /
User created

 Once the user is created, you can modify the user account with an ALTER USER statement using the clauses listed in the previous example.



DBA_USERS View
 DBA_USERS describes all users of the database.

Column          Datatype      NULL      Description
USERNAME        VARCHAR2(30)  NOT NULL  Name of the user
USER_ID         NUMBER        NOT NULL  ID number of the user
PASSWORD        VARCHAR2(30)            This column is deprecated in favor of the AUTHENTICATION_TYPE column
ACCOUNT_STATUS  VARCHAR2(32)  NOT NULL  Account status: OPEN, EXPIRED, EXPIRED(GRACE), LOCKED(TIMED), LOCKED,
                                        EXPIRED & LOCKED(TIMED), EXPIRED(GRACE) & LOCKED(TIMED),
                                        EXPIRED & LOCKED, EXPIRED(GRACE) & LOCKED



DBA_USERS View …

Column                       Datatype      NULL      Description
LOCK_DATE                    DATE                    Date the account was locked if account status was LOCKED
EXPIRY_DATE                  DATE                    Date of expiration of the account
DEFAULT_TABLESPACE           VARCHAR2(30)  NOT NULL  Default tablespace for data
TEMPORARY_TABLESPACE         VARCHAR2(30)  NOT NULL  Name of the default tablespace for temporary tables or the name of a tablespace group
CREATED                      DATE          NOT NULL  User creation date
PROFILE                      VARCHAR2(30)  NOT NULL  User resource profile name
INITIAL_RSRC_CONSUMER_GROUP  VARCHAR2(30)            Initial resource consumer group for the user



DBA_USERS View …

Column               Datatype        NULL  Description
EXTERNAL_NAME        VARCHAR2(4000)        User external name
PASSWORD_VERSIONS    VARCHAR2(8)           Database version in which the password was created or changed
EDITIONS_ENABLED     VARCHAR2(1)           Indicates whether editions have been enabled for the corresponding user (Y) or not (N)
AUTHENTICATION_TYPE  VARCHAR2(8)           Indicates the authentication mechanism for the user:
                                            EXTERNAL – CREATE USER user1 IDENTIFIED EXTERNALLY;
                                            GLOBAL – CREATE USER user2 IDENTIFIED GLOBALLY;
                                            PASSWORD – CREATE USER user3 IDENTIFIED BY user3;
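The CREATE USER clauses above and the DBA_USERS view together, as an added example that is not part of the slides: one user per authentication type, a lock instead of a drop, and the DBA_USERS query an administrator runs to review the result. The user names, tablespaces and the directory DN are constructed for illustration; the GLOBALLY user assumes an enterprise directory is configured.

```sql
-- Added example (not from the slides). Names and values are constructed.

-- Local (password) user: quota bounds disk use, PASSWORD EXPIRE forces a
-- change at first login so the DBA never knows the working password.
CREATE USER app_pwd IDENTIFIED BY "Str0ng#Pass23"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 10M ON users
  PROFILE default
  PASSWORD EXPIRE;

-- External user: authenticated by the OS or a third-party service.
CREATE USER ops_ext IDENTIFIED EXTERNALLY
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;

-- Global user: authorized by the enterprise directory (assumed DN).
CREATE USER hr_glob IDENTIFIED GLOBALLY AS 'CN=hr_glob,OU=staff,DC=example,DC=com'
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;

-- Disable rather than remove: the account, its objects and its history remain.
ALTER USER ops_ext ACCOUNT LOCK;

-- Review what was created: status, authentication mechanism, profile, expiry.
SELECT username, account_status, authentication_type, profile,
       default_tablespace, expiry_date, lock_date
  FROM dba_users
 WHERE username IN ('APP_PWD', 'OPS_EXT', 'HR_GLOB')
 ORDER BY username;

-- Periodic check: open, password-authenticated accounts still on the DEFAULT
-- profile, i.e. accounts not yet covered by a password policy.
SELECT username, created
  FROM dba_users
 WHERE account_status = 'OPEN'
   AND authentication_type = 'PASSWORD'
   AND profile = 'DEFAULT'
 ORDER BY created;
```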



Creating a SQL Server User

 To create a login ID in SQL Server, you must be a member of the sysadmin or securityadmin fixed server role.
 There are two types of login IDs:
  Windows Integrated (Trusted) Logins
   The user can associate a Microsoft Windows account or group with either the server on which SQL Server is installed or the domain of which the server is a member
  SQL Server Login



Creating a SQL Server User …

Creating Windows Integrated Logins

 From the command line
  To create a new login associated with a Windows account (Windows Integrated), in the Query Analyser tool use the SP_GRANTLOGIN system procedure.
  The syntax is as follows: sp_grantlogin [@login =] 'login'
  The login is the fully qualified name of the Windows user account, in the form machine_name\user_name for local Windows users and domain\username for Windows domain accounts.
  A Windows integrated login can also be associated with Windows groups on either the local server or the domain.



Creating a SQL Server User …

For example,

 If you have a local Windows account named 'bmnantha' on the SQL Server itself, where the server name is myserver, you enter the following:

exec sp_grantlogin 'myserver\bmnantha'

 For a Windows domain account named 'manish' in the domain mydomain, you enter the following:

exec sp_grantlogin 'mydomain\manish'

 To associate a local Windows group called SQL_DBA, you enter:

exec sp_grantlogin 'myserver\sql_dba'

 NOTE: A login must be between 1 and 128 characters in length and cannot contain any spaces.



Creating a SQL Server User from Enterprise Manager

To create a new login associated with a Windows account (Windows Integrated) in Enterprise Manager, take the following steps:

1. Open Enterprise Manager



SQL Server Login …
2. Expand the server group in which your server is functioning
3. Expand the server you want to create the login for
4. Expand the Security container
5. Click Logins
6. On the menu bar, click Action, then click New Login



SQL Server Login …
7. Type the name of the user
8. Depending on the type of Windows account you are creating, select either the local server name or the domain name from the Domain drop-down list. Enterprise Manager automatically fills in the machine or domain name in front of the username
9. Select the default database for the login from the Database drop-down list
10. Select the default language for the login from the Language drop-down list



SQL Server Login …
11. Click OK



SQL Server Login …
 The second type of login is a SQL Server login, sometimes called a SQL Server active login.
 This login is not associated with a Windows account; instead, it is a security account created within SQL Server itself.
 Creating SQL Server Logins from the command line
  To create a SQL Server login from the Query Analyzer, you use the SP_ADDLOGIN system stored procedure.
  The syntax is as follows:
sp_addlogin [ @loginame = ] 'login'
    [ , [ @passwd = ] 'password' ]
    [ , [ @defdb = ] 'database' ]
    [ , [ @deflanguage = ] 'language' ]
    [ , [ @sid = ] sid ]
    [ , [ @encryptopt = ] 'encryption_option' ]
@loginame – Name chosen for the login
@passwd – Password for the login. The default is NULL
@defdb – Name of the default database for the user. The default is NULL
@deflanguage – The default language for the user. The default is the current default language of the SQL Server instance
@sid – Security Identification Number (SID). The default is NULL; if it is NULL, SQL Server automatically generates a SID for the login
@encryptopt – Specifies whether or not to encrypt the password in the database
SQL Server Login …

For example
 To create a SQL Server login named 'bmnantha' with password 'manish', you issue the following command:

exec sp_addlogin 'bmnantha', 'manish'

 To specify a default database of Northwind for bmnantha, enter the following:

exec sp_addlogin 'bmnantha', 'manish', 'Northwind'



SQL Server Login …

From Enterprise Manager

To create a new SQL Server login in Enterprise Manager, follow these steps:
1. Open Enterprise Manager
2. Expand the server group your server is in
3. Expand the server you want to create the login for
4. Expand the Security container
5. Click Logins
6. On the menu bar, click Action, then click New Login
7. Type the name of the user, in this case bmnantha
8. Click the SQL Server Authentication option button
9. Provide a password for the user in the Password textbox. The password is masked as you type
10. Click OK



SQL Server Login …
The following figure gives the Server Login Properties – New Login screen (latest version)



Removing Users
 Removing an ORACLE User

SQL> DROP USER SCOTT;
User dropped

 If the user does not own any objects, the command executes successfully. If the user owns any objects, the CASCADE option must be used:

SQL> DROP USER SCOTT CASCADE;
User dropped

 SQL Server: Removing Windows Integrated Logins
  From the command line: use the SP_DENYLOGIN system procedure

sp_denylogin [ @loginame = ] 'login'

  The following statement drops the login account bmnantha:

exec sp_denylogin 'myserver\bmnantha'

  From Enterprise Manager: to drop the login in Enterprise Manager, simply highlight the desired login and choose Delete from the Action menu
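The sp_addlogin and sp_grantlogin calls above together with the removal step, as an added T-SQL example that is not part of the slides: a SQL Server login with its default database, a Windows integrated login, a deny instead of a drop, and the syslogins query that shows the effect. Server, domain and account names are the constructed ones used in the slides; the Northwind database and the us_english language entry are assumed to exist.

```sql
-- Added example (not from the slides); names are constructed for illustration.

-- SQL Server login with explicit default database and language.
-- @encryptopt is left at its default (NULL), so the stored password is hashed.
EXEC sp_addlogin @loginame   = 'bmnantha',
                 @passwd     = 'manish',
                 @defdb      = 'Northwind',
                 @deflanguage = 'us_english';

-- Windows integrated login for a local account, then set its default database.
EXEC sp_grantlogin 'myserver\bmnantha';
EXEC sp_defaultdb  'myserver\bmnantha', 'Northwind';

-- Disable rather than remove: the login row, its ownership and its history
-- stay in place, only the ability to connect is withdrawn.
EXEC sp_denylogin 'myserver\bmnantha';

-- Review: login type (isntname = 1 for Windows logins), default database,
-- and whether access is currently denied.
SELECT name, dbname, language, isntname, denylogin, hasaccess
  FROM master.dbo.syslogins
 WHERE name IN ('bmnantha', 'myserver\bmnantha');
-- expected: 'myserver\bmnantha' shows denylogin = 1, 'bmnantha' shows hasaccess = 1
```

If company policy does require permanent removal, sp_revokelogin removes a Windows integrated login and sp_droplogin removes a SQL Server login; both fail while the login still owns objects.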



Modifying Users
The DBA can change attributes of an existing user account such as password, database, tablespace, quota, password profile and account status.

 Modifying an ORACLE User

SQL> ALTER USER SCOTT IDENTIFIED BY LION;
User altered

 SQL Server: Modifying Windows Integrated Login Attributes
  From the command line
   The default database for the user is initially set to master; to change the database, the SP_DEFAULTDB system stored procedure is used:

sp_defaultdb [ @loginame = ] 'login' , [ @defdb = ] 'database'

   To change the default database for the login mydomain\bmnantha, issue the following statement:

exec sp_defaultdb 'mydomain\bmnantha', 'Northwind'



Default Users

 ORACLE default users are created at the time of ORACLE software installation:
  SYS (super user with all DBA rights; cannot be changed)
  SYSTEM (with minimal DBA rights)
  SCOTT (user without DBA rights)

 SQL Server default users are created at the time of SQL Server software installation:
  SA (System Administrator; equivalent to SYS in Oracle and cannot be changed)
  BUILTIN\Administrators (associated with the local Administrators group on the Windows server)



Remote Users

 All DB user accounts are created and stored in the DB regardless of whether they connect locally or remotely.

 A user who logs on to the DB from the machine where the DB is located is called a local user.

 A user who logs on to the DB from a machine where the DB is not located is called a remote user.

 In ORACLE 10g, remote users can be authenticated by the OS provided the REMOTE_OS_AUTHENT initialization parameter is set to TRUE. If the parameter is set to FALSE, the user cannot log in remotely this way.

 SQL Server does not support this type of remote user authentication.



Database Links
 A database link is a connection from one DB to another DB.
 The linked DBs can be:
  Both ORACLE 10g
  Both SQL Server
  A mix of ORACLE 10g and SQL Server
 A DB link enables a user to perform Data Manipulation Language (DML) or any other valid SQL statements on a DB.
 The following figure gives the architecture of a DB link:

DB1 ---- DB LINK ---- DB2

 In Oracle 10g, DB links can be created in two ways:
  1. Public – makes the database link accessible to every user in the DB
  2. Private – gives ownership of the database link to a user; the link is not accessible to any other user unless the owner has granted access
Database Links …

Authentication Methods
 Authentication methods for connecting to an ORACLE 10g DB using the DB link mechanism.
 There are three types of authentication methods when creating a DB link.
 Authentication Method 1: CURRENT USER
  This authentication method orders ORACLE 10g to use the current user's credentials for authentication to the DB to which the user is trying to link.

SQL> CONNECT SYSTEM@DB1
Enter password: ******
Connected

SQL> CREATE PUBLIC DATABASE LINK DB2
  2  CONNECT TO CURRENT_USER
  3  USING 'DB2'
  4  /
Database link created



Database Links …

 Authentication Method 2: FIXED USER
  This authentication method orders ORACLE 10g to use the user and password provided in this clause for authentication to the DB to which the user is trying to link.

SQL> CREATE PUBLIC DATABASE LINK DB2
  2  CONNECT TO SCOTT IDENTIFIED BY TIGER
  3  USING 'DB2'
  4  /
Database link created



Database Links …

 Authentication Method 3: CONNECT USER
  This authentication method orders ORACLE 10g to use the credentials of the connected user, who has an existing account in the database to which the user is trying to link.

SQL> CREATE PUBLIC DATABASE LINK DB2
  2  USING 'DB2'
  3  /
Database link created
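The three link types above in use, as an added example that is not part of the slides: a private fixed-user link to a least-privilege account, a query through it, and the DBA_DB_LINKS review that tells public links and links carrying fixed credentials apart from those that reuse the connected user's identity. The link name, the hr_reader account and the employees table are constructed; 'DB2' is the service name from the slides.

```sql
-- Added example (not from the slides); hr_link, hr_reader and employees
-- are constructed for illustration.

-- Private link with a fixed user: only the link owner can use it, and the
-- remote account hr_reader is assumed to hold SELECT privileges only, so a
-- compromise of this DB cannot write to DB2 through the link.
CREATE DATABASE LINK hr_link
  CONNECT TO hr_reader IDENTIFIED BY "R3ad#Only23"
  USING 'DB2';

-- DML/queries run against the remote table via the link
SELECT employee_id, last_name
  FROM employees@hr_link
 WHERE ROWNUM <= 5;

-- Review every link in the database. OWNER = 'PUBLIC' marks public links;
-- a non-NULL USERNAME marks a fixed-user link whose credentials travel with
-- the link, while NULL means CURRENT_USER or connected-user authentication.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY owner, db_link;

-- Remove a public fixed-user link that is no longer justified
DROP PUBLIC DATABASE LINK DB2;
```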



Linked Servers

 Linked servers allow you to connect to almost any Object Linking and Embedding Database (OLE DB) or Open Database Connectivity (ODBC) data source.
 Microsoft SQL Server 2000 also uses the concept of linked servers.
 OLE DB is a Microsoft component that allows Windows applications to connect to and access different database systems.
 ODBC is a Microsoft protocol used for connecting Windows applications to different DB systems.
 The following figure represents the linked server architecture using SQL Server:

Server bmnantha ---- Linked Server ---- Server manish



Linked Server …
Creating a new linked server with SQL Server



Remote Servers

 Along the same lines as linked servers, you can communicate with another SQL Server by creating a remote server.

 Instead of using OLE DB, communication occurs across a Remote Procedure Call (RPC).



Best Practices for Administrators and Managers

 The DBA's job is never ending and very challenging.
 The DBA is constantly performing other administrative tasks such as backup, recovery and performance tuning.
 To make wise decisions, DBAs have the sizable responsibility of keeping up with database practices, database technology and database security issues.
 These are the best practices for administering users, privileges, and roles:
  Follow your company's procedures and policies to create, remove or modify database users.
  Always change the default password, and never write it down or save it in a file that is neither encrypted nor safe.
  Never share user accounts with anyone, especially DBA accounts.
  Always document and create logs for changes to, or removals of, database user accounts.



Best Practices for Administrators and Managers …

 These are the best practices for administering users, privileges, and roles …
  Never remove an account even if it is outdated; instead, disable it or revoke the account's connection privileges.
  Give access permissions to users only as required, and use different logins and passwords for different applications.
  Educate users, developers and administrators on user administration best practices as well as the company's policies and procedures.
  Keep abreast (up to date) of database and security technology. Be aware of all new vulnerabilities that may increase database security risks.
  Constantly review and modify the procedures as necessary to keep them in line with the company's policies and procedures. Keep procedures up to date with the dynamic nature of database and security technology.



Profiles, Password Policies, Privileges and Roles
Introduction

 The key to the house is the password.
 Put this scenario into the context of computer passwords.
 For home security, in addition to changing the key, you might install an alarm, a motion detector, a camera, etc.
 A company's user accounts should have equal protection.
 The company needs to protect its assets and enforce stringent (strict, precise, and exacting) guidelines to protect the keys to computer accounts.
 This key is the password.



Defining and Using Profiles

• A profile is a security concept that describes the limitation of database resources that are granted to database users.
• A profile is a way of defining database user behaviour to prevent users from wasting resources such as memory and CPU.
• For this reason some DBMSs have implemented the profile concept.
• Not every DBMS offers the profile concept.
• ORACLE does, and Microsoft SQL Server 2000 doesn't.



Defining and Using Profiles…
 Creating Profiles in ORACLE
  A profile in ORACLE helps define two elements of security:
   Restrictions on resources
   Implementation of password policy
  The following figure shows the two aspects of a profile in ORACLE:

PROFILE
  PASSWORD – Aging, Usage, Verification
  RESOURCES – CPU, Memory, Connections



Defining and Using Profiles…

ORACLE allows you to create a profile using the CREATE PROFILE statement, which takes two groups of parameters: resource parameters and password parameters. The full syntax of the statement follows.



Defining and Using Profiles…
CREATE PROFILE profile_name
LIMIT
  -- Resource limits
  SESSIONS_PER_USER          number
  CPU_PER_SESSION            hundredths of seconds
  CPU_PER_CALL               hundredths of seconds
  CONNECT_TIME               minutes
  IDLE_TIME                  minutes
  LOGICAL_READS_PER_SESSION  db_blocks
  LOGICAL_READS_PER_CALL     db_blocks
  COMPOSITE_LIMIT            number
  PRIVATE_SGA                bytes
  -- Password limits
  FAILED_LOGIN_ATTEMPTS      number
  PASSWORD_LIFE_TIME         days
  PASSWORD_REUSE_TIME        number
  PASSWORD_REUSE_MAX         number
  PASSWORD_LOCK_TIME         days
  PASSWORD_GRACE_TIME        days
  PASSWORD_VERIFY_FUNCTION   function_name;

Each limit can also be given as UNLIMITED or DEFAULT (DEFAULT takes the value from the DEFAULT profile).
Defining and Using Profiles…
 In this syntax:
  First, specify the name of the profile that you want to create.
  Second, specify the LIMIT on either database resources or passwords.
 Resource Parameters
  SESSIONS_PER_USER – specify the number of concurrent sessions that a user can have when connecting to the Oracle database.
  CPU_PER_SESSION – specify the CPU time limit for a user session, expressed in hundredths of seconds.
  CPU_PER_CALL – specify the CPU time limit for a call such as a parse, execute, or fetch, expressed in hundredths of seconds.
  CONNECT_TIME – specify the total elapsed time limit for a user session, expressed in minutes.
  IDLE_TIME – specify the number of minutes of continuous inactive time allowed during a user session. Note that long-running queries and other operations are not subject to this limit.
  LOGICAL_READS_PER_SESSION – specify the allowed number of data blocks read in a user session, including blocks read from both memory and disk.
  LOGICAL_READS_PER_CALL – specify the allowed number of data blocks read for a call to process a SQL statement.
  PRIVATE_SGA – specify the amount of private memory space that a session can allocate in the shared pool of the system global area (SGA).
  COMPOSITE_LIMIT – specify the total resource cost for a session, expressed in service units. The total service units are calculated as a weighted sum of CPU_PER_SESSION, CONNECT_TIME, LOGICAL_READS_PER_SESSION, and PRIVATE_SGA.
Defining and Using Profiles…
 Password parameters
  You use the following clauses to set the limits for password parameters:
  FAILED_LOGIN_ATTEMPTS – specify the number of consecutive failed login attempts before the user is locked. The default is 10 times.
  PASSWORD_LIFE_TIME – specify the number of days that a user can use the same password for authentication. The default value is 180 days.
  PASSWORD_REUSE_TIME – specify the number of days before a user can reuse a password.
  PASSWORD_REUSE_MAX – specify the number of password changes required before the current password can be reused. Note that you must set values for both PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX for these parameters to take effect.
  PASSWORD_LOCK_TIME – specify the number of days that Oracle will lock an account after the specified number of consecutive failed logins is reached. The default is 1 day if you omit this clause.
  PASSWORD_GRACE_TIME – specify the number of days after the grace period starts during which a warning is issued and login is allowed. The default is 7 days when you omit this clause.
 Note that to create a new profile, your user needs to have the CREATE PROFILE system privilege.
Defining and Using Profiles…

Setting Profile Resource Limits: Example. The following statement creates the profile app_user:

SQL> CREATE PROFILE app_user
  2  LIMIT
  3  SESSIONS_PER_USER UNLIMITED
  4  CPU_PER_SESSION UNLIMITED
  5  CPU_PER_CALL 3000
  6  CONNECT_TIME 45
  7  IDLE_TIME 15
  8  LOGICAL_READS_PER_SESSION DEFAULT
  9  LOGICAL_READS_PER_CALL 1000
 10  PRIVATE_SGA 15K
 11  COMPOSITE_LIMIT 5000000
 12  /
Profile created



Defining and Using Profiles…

 To view all profiles created in the database, query the data dictionary view DBA_PROFILES:

SQL> select * from dba_profiles where profile = 'DEFAULT';

PROFILE    RESOURCE_NAME                RESOURCE_TYPE  LIMIT
---------- ---------------------------- -------------- -----------
DEFAULT    COMPOSITE_LIMIT              KERNEL         UNLIMITED
DEFAULT    SESSIONS_PER_USER            KERNEL         UNLIMITED
DEFAULT    CPU_PER_SESSION              KERNEL         UNLIMITED
DEFAULT    CPU_PER_CALL                 KERNEL         UNLIMITED
DEFAULT    LOGICAL_READS_PER_SESSION    KERNEL         UNLIMITED
DEFAULT    LOGICAL_READS_PER_CALL       KERNEL         UNLIMITED
DEFAULT    IDLE_TIME                    KERNEL         UNLIMITED
DEFAULT    CONNECT_TIME                 KERNEL         UNLIMITED
DEFAULT    PRIVATE_SGA                  KERNEL         UNLIMITED
DEFAULT    FAILED_LOGIN_ATTEMPTS        PASSWORD       UNLIMITED
DEFAULT    PASSWORD_LIFE_TIME           PASSWORD       UNLIMITED
DEFAULT    PASSWORD_REUSE_TIME          PASSWORD       UNLIMITED
DEFAULT    PASSWORD_REUSE_MAX           PASSWORD       UNLIMITED
DEFAULT    PASSWORD_VERIFY_FUNCTION     PASSWORD       NULL
DEFAULT    PASSWORD_LOCK_TIME           PASSWORD       UNLIMITED
DEFAULT    PASSWORD_GRACE_TIME          PASSWORD       UNLIMITED

16 rows selected.



Defining and Using Profiles…
 To modify a limit for a profile, you use ALTER PROFILE as follows:

SQL> ALTER PROFILE APP_USER
  2  LIMIT IDLE_TIME 30;
Profile altered

 To assign a profile, use ALTER USER as follows:

SQL> ALTER USER BMNANTHA PROFILE APP_USER
  2  /
User altered

 In SQL Server 2000 or 2005, profiles or similar objects are not available.



Designing and Implementing password policies

 The password is the key to opening the user account.
 The stronger the password, the longer it takes a hacker to break it.
 Many security violations begin with breaking a password.
 If you join a financial company, the orientation program covers security administration, including password selection, password storage, and the company's policies on passwords.



Designing and Implementing password policies …

 A password policy is a set of guidelines that enhances the robustness of the password and reduces the likelihood of its being broken.

 Importance of Password Policies
  The frontline defence of your account is your password.
  If your password is weak, the hacker can break in, destroy your data, and violate your sense of security.
  For this specific reason, most companies invest considerable resources to strengthen authentication by adopting technological measures that protect their assets.
Designing and Implementing password policies …

Designing password policies

 Most companies use a standard set of guidelines for their password policies.
 These guidelines can comprise one or more of the following:
  Password Complexity – a set of guidelines used when selecting a password, for example minimum 8 characters, 1 special character, 1 capital letter, etc. The purpose of password complexity is to decrease the chances of a hacker guessing or breaking a password.
  Password Aging – an indication of how long the password can be used before it expires.
  Password Usage – an indication of how many times the same password can be used.
  Password Storage – a method of storing a password in an encrypted manner.

26-10-2021 Dr. B. Muruganantham 55


Designing and Implementing password policies …

 Implementing Password Policies
  How a password policy is implemented depends on whether or not the DBMS provides functions that support password security.
  ORACLE has invested heavily in providing mechanisms to enforce security, including the implementation of password policies.
  Microsoft SQL Server, in contrast, depends on the OS to implement password policies.


Designing and Implementing password policies …

 Password Policies in ORACLE

 General form of the password limits in a profile:

CREATE PROFILE profile_name LIMIT
  { FAILED_LOGIN_ATTEMPTS
  | PASSWORD_LIFE_TIME
  | PASSWORD_REUSE_TIME
  | PASSWORD_REUSE_MAX
  | PASSWORD_LOCK_TIME
  | PASSWORD_GRACE_TIME } { expr | UNLIMITED | DEFAULT }
  | PASSWORD_VERIFY_FUNCTION { function | NULL | DEFAULT }
  ... ;

 Example profile PASSWORD_POLICY:

CREATE PROFILE PASSWORD_POLICY LIMIT
  PASSWORD_LIFE_TIME 365
  PASSWORD_GRACE_TIME 10
  PASSWORD_REUSE_TIME UNLIMITED
  PASSWORD_REUSE_MAX 0
  FAILED_LOGIN_ATTEMPTS 3
  PASSWORD_LOCK_TIME UNLIMITED;


Designing and Implementing password policies …
 Oracle password security profile parameters
 Here are the password security parameters:
  failed_login_attempts – The number of failed login attempts before the Oracle user account is locked. The default in 11g is 10 failed attempts.
  password_grace_time – The grace period after the password_life_time limit is exceeded.
  password_life_time – How long an existing password is valid. The default in 11g forces a password change every 180 days.
  password_lock_time – The number of days that must pass after an account is locked before it is unlocked, i.e. how long to lock the account after the failed_login_attempts limit is met. The default in 11g is one day.
  password_reuse_max – The number of times that you may reuse a password; intended to prevent repeating password cycles (north, south, east, west).
  password_reuse_time – Specifies a time limit before a previous password can be re-entered. To allow unlimited use of previously used passwords, set password_reuse_time to UNLIMITED.
  password_verify_function – Allows you to specify the name of a custom password verification function.
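The policy guidelines (complexity, aging, usage/reuse, storage) and the profile parameters listed above, as one added Python example that is not part of the lecture slides and not Oracle's own implementation: a hypothetical application-side enforcer. The PasswordPolicy attribute names borrow the Oracle parameter names; the Account class, the function names, the sample user and the passwords are assumptions constructed for this example.

```python
"""Password-policy checks modelled on the profile limits described above.

Added example, not part of the lecture slides and not Oracle's own
implementation: the functions below are a hypothetical application-side
enforcer that applies the same kinds of limits (complexity, aging, reuse
and failed-login lockout) to a constructed in-memory account.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    """Attribute names mirror the Oracle profile parameters; values are constructed."""
    min_length: int = 8
    require_upper: bool = True
    require_special: bool = True
    password_life_time: int = 365     # days a password stays valid
    password_grace_time: int = 10     # extra days with warnings after expiry
    password_reuse_max: int = 5       # previous passwords that may not be reused
    failed_login_attempts: int = 3    # failures before the account locks
    password_lock_time: int = 1       # days the account stays locked


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # password hashes, newest last
    changed_at: datetime = None
    failures: int = 0
    locked_until: datetime = None


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, slow hash: what gets stored instead of the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def verify_complexity(policy: PasswordPolicy, password: str) -> list:
    """Return the complexity rules the candidate password violates (empty = ok)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def set_password(policy, account, password, now):
    """Apply the complexity and reuse rules, then record the new hash."""
    problems = verify_complexity(policy, password)
    digest = _hash(password, account.salt)
    recent = account.history[-policy.password_reuse_max:] if policy.password_reuse_max else []
    if any(hmac.compare_digest(digest, old) for old in recent):
        problems.append(f"reuses one of the last {policy.password_reuse_max} passwords")
    if problems:
        return problems
    account.history.append(digest)
    account.changed_at = now
    return []


def password_state(policy, account, now):
    """'valid', 'grace' (past life time but inside the grace period) or 'expired'."""
    age = now - account.changed_at
    if age <= timedelta(days=policy.password_life_time):
        return "valid"
    if age <= timedelta(days=policy.password_life_time + policy.password_grace_time):
        return "grace"
    return "expired"


def login(policy, account, password, now):
    """Honour the lockout, check the password, count failures and lock when exceeded."""
    if account.locked_until and now < account.locked_until:
        return "locked"
    if account.history and hmac.compare_digest(_hash(password, account.salt), account.history[-1]):
        account.failures = 0
        return password_state(policy, account, now)
    account.failures += 1
    if account.failures >= policy.failed_login_attempts:
        account.locked_until = now + timedelta(days=policy.password_lock_time)
        account.failures = 0
        return "locked"
    return "failed"


def demo():
    """Walk one constructed account through the rules; returns the outcomes."""
    policy = PasswordPolicy()
    acct = Account("bmnantha")
    t0 = datetime(2021, 10, 26)
    weak = set_password(policy, acct, "pass", t0)            # three violations
    ok = set_password(policy, acct, "Str0ng!Pass", t0)       # accepted
    reuse = set_password(policy, acct, "Str0ng!Pass", t0)    # rejected: in history
    attempts = [login(policy, acct, "wrong", t0) for _ in range(3)]
    state = password_state(policy, acct, t0 + timedelta(days=370))
    return weak, ok, reuse, attempts, state
```

Two details are worth noticing: the reuse check compares salted hashes, so the history never holds reusable plaintext, and the failure counter is reset when the lock is applied, so the lock, not the counter, governs the next attempt, which is also how the page describes password_lock_time.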


Designing and Implementing password policies …
 Profile creation using ORACLE Enterprise Manager Security Tools



Designing and Implementing password policies …

Password Policies in SQL Server

 Microsoft SQL Server 2000, as a stand-alone product, does not provide for password policy enforcement when logging on to a SQL Server.

 The Microsoft architecture follows a model known as an Integrated Server System.

 In this model all the server applications and the resources they provide are tightly integrated with the Windows server system and its security architecture.

 Password policy enforcement in a SQL Server environment is handled by running SQL Server in Windows authentication mode and applying policies within the Windows Server System.

 There are two authentication protocols supported by Windows:
  NTLM (Network LAN Manager)
  Kerberos 5


Designing and Implementing password policies …

NTLM

 NTLM authenticates using a challenge/response methodology.

 When the user attempts to access a resource, the server hosting the resource "challenges" the user to prove his/her identity.

 The user then issues a "response" to that challenge.

 If the response is correct, the user is authenticated to the server.

 The server then goes through an authorization process for the requested resource.


Designing and Implementing password policies …
 The authentication process consists of three messages:

 Message 1: Sent from the client to the server; the initial request for authentication.

 Message 2: Sent from the server to the client; contains the challenge (eight bytes of random data).

 Message 3: Sent from the client to the server; contains the response to the challenge.

Figure: Workstation → Server (Message 1), Server → Workstation (Message 2), Workstation → Server (Message 3).

 The response is a 24-byte DES-encrypted hash of the 8-byte challenge that can be decrypted only by a set of DES keys created from the user's password.

 The benefit of NTLM is that passwords are verified without ever actually sending the password across the Web.
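The three-message exchange above, as an added Python example (not from the slides and not Microsoft's NTLM code). Real NTLM derives DES keys from the password hash and encrypts the 8-byte challenge into a 24-byte response; here HMAC-SHA256 keyed with a password-derived hash stands in for that DES step so the exchange runs with the standard library. The function names, the username and the passwords are constructed for the example.

```python
"""Challenge/response verification in the shape described for NTLM.

Added example, not from the slides and not Microsoft's NTLM implementation:
real NTLM derives DES keys from the password hash and encrypts the 8-byte
challenge into a 24-byte response; this stand-in keys HMAC-SHA256 with a
password-derived hash so that it runs with the standard library only. What
it shows is the exchange itself: three messages, a fresh random challenge,
and a password that never appears on the wire. All values are constructed.
"""
import hashlib
import hmac
import os


def password_key(password: str) -> bytes:
    """Password-derived key the server stores instead of the password (constructed KDF)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def message1_negotiate(username: str) -> dict:
    """Client -> server: initial request for authentication."""
    return {"type": 1, "user": username}


def message2_challenge(rng=os.urandom) -> dict:
    """Server -> client: eight bytes of random data."""
    return {"type": 2, "challenge": rng(8)}


def message3_response(password: str, challenge: bytes) -> dict:
    """Client -> server: response computed from the password-derived key and the challenge."""
    return {"type": 3, "response": hmac.new(password_key(password), challenge, "sha256").digest()}


def server_verify(stored_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected response from its stored key; constant-time compare."""
    expected = hmac.new(stored_key, challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


def password_on_wire(password: str, messages) -> bool:
    """True if the raw password shows up in any message sent."""
    wire = b"".join(repr(m).encode() for m in messages)
    return password.encode() in wire


def run_exchange(client_password: str, server_stored_key: bytes, username="bmnantha"):
    """Run the three-message exchange; returns (authenticated, password_seen_on_wire)."""
    m1 = message1_negotiate(username)
    m2 = message2_challenge()
    m3 = message3_response(client_password, m2["challenge"])
    ok = server_verify(server_stored_key, m2["challenge"], m3["response"])
    return ok, password_on_wire(client_password, (m1, m2, m3))
```

Because the server picks a new random challenge for every logon, a response recorded from one exchange does not verify against the next one; that freshness, together with the password never leaving the client, is the property the slide credits to NTLM.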
Designing and Implementing password policies …
Kerberos

 Kerberos authentication differs from NTLM in many ways.

 Instead of using the password to encrypt/decrypt challenge/response messages, a secret key, known only to the server and client and unique to the session, is used to encrypt the handshake data.

 This allows not only the server to validate the authenticity of the client, but also the client to validate the authenticity of the server.

 This is an important difference and is one of the reasons Kerberos is more secure than NTLM.

 Kerberos authentication requires a trusted third resource known as the Key Distribution Center (KDC).

 The KDC generates the secret key for each session established.

 The new session ticket, containing the new key, has a time-out value associated with it.


Designing and Implementing password policies …

 Once the secret key is obtained from the KDC:

  The client encrypts its request for a resource with the secret key.

  The server decrypts the message using the same key, encrypts just the timestamp from the message, and sends it back to the client.

  This tells both the server and the client that they hold the same key for the session that has been established.


Designing and Implementing password policies …
The following figures explain the authentication process in Kerberos:

Figure 1 (Workstation, KDC): the client wants to access a server. The KDC generates a key and issues a session ticket to the client:
  KDC issues key: Kclient {Scs for Server}, ticket = Kserver {Scs for Client}

Figure 2 (Workstation, Server): the client sends its authentication proof to the server, and the server answers with the encrypted timestamp:
  Client → Server: Scs {Client Credentials, time}, ticket = Kserver {Scs for Client}
  Server → Client: Scs {time}
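The two figures above carried through as one added Python example (not from the slides and not MIT Kerberos code). seal/unseal are a constructed toy authenticated cipher (SHA-256 keystream XOR plus an HMAC tag) standing in for Kerberos's real encryption so that the flow runs with the standard library; the key names follow the figures (Kclient, Kserver, Scs), while the principal names, ticket lifetime and clock-skew limit are assumptions of this example.

```python
"""KDC session-ticket exchange in the shape of the Kerberos figures above.

Added example, not from the slides and not MIT Kerberos code. seal/unseal are
a constructed toy authenticated cipher (SHA-256 keystream XOR plus an HMAC tag)
standing in for Kerberos's real encryption so that the example runs with the
standard library only. Key names follow the figure: Kclient and Kserver are the
long-term keys each principal shares with the KDC, Scs is the session key.
Lifetime, clock skew and principal names are constructed values.
"""
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 8 * 3600   # seconds: the ticket's time-out value
MAX_SKEW = 300               # seconds the authenticator's timestamp may differ from the server clock


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj) -> bytes:
    """Encrypt-then-MAC a JSON-serialisable object under key (toy cipher)."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, "sha256").digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes):
    """Reject anything not produced under this key, then decrypt."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(body, _stream(key, nonce, len(body)))))


def kdc_issue(kdc_keys: dict, client: str, server: str, now: int):
    """KDC generates Scs and returns Kclient{Scs for server} and ticket = Kserver{Scs for client}."""
    scs = os.urandom(32).hex()
    expires = now + TICKET_LIFETIME
    ticket = seal(kdc_keys[server], {"client": client, "scs": scs, "expires": expires})
    for_client = seal(kdc_keys[client], {"server": server, "scs": scs, "expires": expires})
    return for_client, ticket


def client_request(kclient: bytes, for_client: bytes, ticket: bytes, client: str, now: int):
    """Client recovers Scs and sends Scs{credentials, time} together with the ticket."""
    scs = bytes.fromhex(unseal(kclient, for_client)["scs"])
    authenticator = seal(scs, {"client": client, "time": now})
    return scs, (authenticator, ticket)


def server_accept(kserver: bytes, request, now: int) -> bytes:
    """Server opens the ticket with Kserver, checks the authenticator under Scs, replies Scs{time}."""
    authenticator, ticket = request
    t = unseal(kserver, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    scs = bytes.fromhex(t["scs"])
    auth = unseal(scs, authenticator)
    if auth["client"] != t["client"] or abs(auth["time"] - now) > MAX_SKEW:
        raise ValueError("authenticator does not match ticket")
    return seal(scs, {"time": auth["time"]})


def run_exchange(now: int = 1_635_206_400, server_clock: int = None, tamper_ticket: bool = False) -> bool:
    """Full flow; True only when the server accepted the client AND the client verified the server."""
    kdc_keys = {"bmnantha": os.urandom(32), "dbserver": os.urandom(32)}   # long-term keys
    for_client, ticket = kdc_issue(kdc_keys, "bmnantha", "dbserver", now)
    if tamper_ticket:
        ticket = ticket[:-1] + bytes([ticket[-1] ^ 1])
    scs, request = client_request(kdc_keys["bmnantha"], for_client, ticket, "bmnantha", now)
    try:
        reply = server_accept(kdc_keys["dbserver"], request, now if server_clock is None else server_clock)
    except ValueError:
        return False
    # Client side: only a holder of Scs could have sealed this reply, so the server is genuine too.
    return unseal(scs, reply)["time"] == now
```

The client never learns Kserver and the server never learns Kclient; each only ever opens what the KDC sealed for it, which is why the mutual check at the end rests solely on Scs. The expiry test in server_accept is the ticket time-out the slide mentions.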


Granting and Revoking User Privileges

 A privilege is a method to permit or deny access to data or to perform database operations (data manipulation).

 Privileges in ORACLE

  System Privileges – Privileges granted only by the DBA or by users who have been granted the administration option.

  Object Privileges – Privileges granted to an ORACLE user by the schema owner of a database object or by a user who has been granted the GRANT option.


Granting and Revoking User Privileges …

 System Privileges: There are more than 100 system privileges in ORACLE; these are some important, frequently used privileges:
  CREATE USER
  CREATE SESSION
  CREATE ROLE
  CREATE PROCEDURE
  CREATE TRIGGER
  CREATE TABLESPACE
  CREATE TYPE
  CREATE DATABASE LINK
  CREATE TABLE
  CREATE VIEW
  CREATE SEQUENCE
  DROP VIEW
  DROP USER
  DROP TABLE

 Object Privileges: All DML operations fall under object privileges:
  INSERT
  UPDATE
  DELETE
  SELECT
  INDEX
  REFERENCES


Granting and Revoking User Privileges …
SQL GRANT Command
SQL GRANT is a command used to provide access or privileges on database objects to users.
 The syntax for the GRANT command is:
GRANT privilege_name ON object_name TO {user_name | PUBLIC | role_name} [WITH GRANT OPTION];
 privilege_name is the access right or privilege granted to the user. Some of the access rights are ALL, EXECUTE, and SELECT.
 object_name is the name of a database object like a TABLE, VIEW, STORED PROCEDURE or SEQUENCE.
 user_name is the name of the user to whom an access right is being granted.
 PUBLIC is used to grant access rights to all users.
 ROLES are a set of privileges grouped together.
 WITH GRANT OPTION allows a user to grant the access rights on to other users.
Example:
SQL> GRANT SELECT ON emp TO bmnantha;
Grant succeeded
The schema owner of the emp object gave the SELECT privilege to user bmnantha.


Granting and Revoking User Privileges …

SQL REVOKE Command:

The REVOKE command removes user access rights or privileges to database objects.

 The syntax for the REVOKE command is:

REVOKE privilege_name ON object_name FROM {user_name | PUBLIC | role_name};

 Example:

SQL> REVOKE SELECT ON emp FROM bmnantha;
Revoke succeeded

The schema owner of the emp object takes back the SELECT privilege from user bmnantha.


Granting and Revoking User Privileges …

Privileges in SQL Server

 SQL Server has four levels of permissions:
  System or Server level
  Database level
  Table (Object) level
  Column level

 Note: It is important to note that having server- or database-level permission doesn't mean you have access to subordinate objects.


Granting and Revoking User Privileges …

Privileges in SQL Server

Server Privileges
 Sysadmin – Can perform any function within the system
 Serveradmin – Can perform certain server-level functions
 Setupadmin – Can manage linked servers and startup procedures
 Securityadmin – Can manage logins and change passwords
 Processadmin – Can manage running processes
 Dbcreator – Can create, alter and drop databases
 Diskadmin – Can manage the disk files for the server and databases
 Bulkadmin – Can run BULK INSERT operations


Granting and Revoking User Privileges …

Privileges in SQL Server

Database Privileges – Fixed Database Roles

 db_owner – Has complete access to the database
 db_accessadmin – Can add or remove users
 db_securityadmin – Can change all permissions, object ownership, roles and role membership
 db_ddladmin – Can execute all DDL statements
 db_backupoperator – Can execute DBCC statements (DBCC is a SQL Server tool used for DB performance)
 db_datareader – Can issue SELECT and READTEXT statements
 db_datawriter – Can issue INSERT, UPDATE, DELETE and UPDATETEXT statements
 db_denydatareader – Explicitly denied SELECT and READTEXT statements
 db_denydatawriter – Explicitly denied INSERT, UPDATE, DELETE and UPDATETEXT statements


Granting and Revoking User Privileges …

Privileges in SQL Server

Database Privileges – Statement permissions
 CREATE TABLE
 CREATE VIEW
 CREATE PROCEDURE
 CREATE FUNCTION
 CREATE DEFAULT
 CREATE ROLE
 BACKUP DATABASE
 BACKUP LOG


Granting and Revoking User Privileges …

Privileges in SQL Server

Table and database object privileges and column-level privileges
 Same as the ORACLE GRANT and REVOKE commands.
 Refer to the SQL GRANT and SQL REVOKE slides above (slide numbers 68 and 69).


Creating, Assigning and Revoking User Roles
Creating a role with ORACLE

 NOT IDENTIFIED clause – Specify NOT IDENTIFIED to indicate that this role is authorized by the database and that no password is required to enable the role.

 IDENTIFIED clause – Use the IDENTIFIED clause to indicate that a user must be authorized by the specified method before the role is enabled with the SET ROLE statement.


Creating, Assigning and Revoking User Roles …
Creating a role with ORACLE – Example

 The following statement creates the role dw_manager:

CREATE ROLE dw_manager;

 Users who are subsequently granted the dw_manager role will inherit all of the privileges that have been granted to this role.

 You can add a layer of security to roles by specifying a password, as in the following example:

CREATE ROLE dw_manager IDENTIFIED BY warehouse;

 Users who are subsequently granted the dw_manager role must specify the password warehouse to enable the role with the SET ROLE statement.

 The following statement creates the global role warehouse_user:

CREATE ROLE warehouse_user IDENTIFIED GLOBALLY;

 The following statement creates the same role as an external role:

CREATE ROLE warehouse_user IDENTIFIED EXTERNALLY;
Creating, Assigning and Revoking User Roles …

Assigning a Role to a User in ORACLE – Example

 To assign privileges to a role, issue the following statement:

SQL> GRANT CREATE SESSION TO dw_manager;
Grant succeeded

 To assign a role to a user (e.g. bm_nantha), issue the following statement:

SQL> GRANT dw_manager TO bm_nantha;
Grant succeeded


Creating, Assigning and Revoking User Roles …

Create Roles with SQL Server

 To create a new database role using Query Analyzer, execute the SP_ADDROLE system stored procedure:

sp_addrole [ @rolename = ] 'role' [ , [ @ownername = ] 'owner' ]

@rolename – The name of the new role
@ownername – The owner of the new role; the default is dbo

 To add the role "sales" to the database Northwind:

use northwind
exec sp_addrole 'sales'

 To add the user bm_nantha to the role sales:

exec sp_addrolemember 'sales', 'bm_nantha'


Creating, Assigning and Revoking User Roles …

Dropping a Role in ORACLE

 Example: To drop the role dw_manager, issue the following statement:

DROP ROLE dw_manager;

Dropping a Role in SQL Server

 Example: To drop the user 'bm_nantha' from the role sales, issue the following statement:

use northwind
exec sp_droprolemember 'sales', 'bm_nantha'


Creating, Assigning and Revoking User Roles
Best Practices
 Never store passwords in plain text; make sure they are encrypted
 Change passwords frequently
 Make sure passwords are complex
 Pick a password that you can remember
 Use roles to control and administer privileges
 Report the compromise or loss of password security
 Report to security any violation of company guidelines on roles, profiles, privileges, passwords, etc.
 Never give away or share a password
 Never give a password over the phone
 Never type your password in an e-mail
 Use Windows integrated security mode for securing SQL Server
 Use Kerberos
 When configuring policies:
  Require complex passwords
  Set an account lockout threshold
  Do not allow passwords to automatically reset
  Expire end-user passwords
  Enforce password history
18CSE455T - Database Security and Privacy

Prepared by
Dr. B. Muruganantham
Assistant Professor
Department of Computer Science and Engineering
SRMIST, Chennai

References :

1) Hassan A. Afyouni, "Database Security and Auditing", Third Edition, Cengage Learning, 2009
2) Charu C. Aggarwal, Philip S. Yu, "Privacy Preserving Data Mining: Models and Algorithms", Kluwer Academic Publishers, 2008
3) Ron Ben Natan, "Implementing Database Security and Auditing", Elsevier Digital Press, 2005
4) http://adrem.ua.ac.be/sites/adrem.ua.ac.be/files/securitybook.pdf
5) www.docs.oracle.com

Dr.B.Muruganantham
26-10-2021 2
AP / CSE / SRMIST
UNIT III - Database Application Security Models & Virtual Private Databases

 Introduction
 Types of Users
 Security Models
 Application Types
 Application Security Models
 Data Encryption
 Overview of VPD
 Implementation of VPD using Views
 Application Context in Oracle
 Implementing Oracle VPD
 Viewing VPD Policies and Application Contexts using the Data Dictionary
 Policy Manager
 Implementing Row and Column Level Security with SQL Server
Introduction

 A database user is used to log on to (be authenticated by) an application.

 For each application user, a database account must be created and specific privileges assigned to it.

 Application
  A program that solves a problem or performs a specific business function

 Database
  A collection of related data files used by applications

 DBMS
  A collection of programs that maintain data files (the database)
Types of Users

 Application administrator – Has application privileges to administer application users and their roles (does not require any special database privileges)

 Application owner – User who owns the application tables and objects

 Application user – Performs tasks within the application

 DBA – Performs any administration task

 Database user – User account that has database roles and/or privileges assigned to it

 Proxy user – User employed to work on behalf of an application user

 Schema owner – User that owns database objects

 Virtual user – An account that has access to the database through another database account; a virtual user is referred to in some cases as a proxy user
Security Models

 There are two security models:
  Access Matrix Model
  Access Modes Model
Security Models…
 Access Matrix Model
  A conceptual model that specifies the rights that each subject possesses for each object
  Subjects in rows and objects in columns

              Object 1        Object 2        . . .   Object m
  Subject 1   Access[S1,O1]   Access[S1,O2]   . . .   Access[S1,Om]
  Subject 2   Access[S2,O1]   Access[S2,O2]   . . .   Access[S2,Om]
  . . .       . . .           . . .           . . .   . . .
  Subject n   Access[Sn,O1]   Access[Sn,O2]   . . .   Access[Sn,Om]
Security Models…
Access Matrix Model - Example

Security Models…

Access Modes Model

 This model is based on the Take-Grant model.
 It uses both subjects and objects.
 The object is the main security entity.
 An access mode indicates whether or not the subject can perform a given task on the object.
 There are two kinds of modes:
  Static modes
  Dynamic modes
Security Models…
Access Modes – Static Modes

Access Mode   Level   Description
Use           1       Allows the subject to access the object without modifying it
Read          2       Allows the subject to read the content of the object
Update        3       Allows the subject to modify the content of the object
Create        4       Allows the subject to add an instance to the object
Delete        4       Allows the subject to remove an instance from the object
Security Models…
Access Modes – Dynamic Modes

Access Mode   Level   Description
Grant         1       Allows the subject to grant any static access mode to any other subject
Revoke        1       Allows the subject to revoke a granted static access mode from a subject
Delegate      2       Allows the subject to grant the Grant privilege to other subjects
Abrogate      2       Allows the subject to grant the Revoke privilege to other subjects
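The access matrix (Access[subject, object]) and the static and dynamic access modes of the two tables above, as one added Python example that is not part of the slides: a constructed in-memory model in which one matrix holds the static modes a subject has on an object and a second holds the dynamic modes that control who may change the first. The class and method names, and the subject and object names (schema_owner, app_mgr, app_clerk, CUSTOMERS), are assumptions made for this example.

```python
"""Access matrix with the static and dynamic access modes tabulated above.

Added example, not from the slides: a constructed in-memory model in which
Access[subject, object] holds a set of static modes (Use, Read, Update,
Create, Delete) and a second matrix holds the dynamic modes (Grant, Revoke,
Delegate, Abrogate) that govern who may change the first. Subject and
object names are constructed to match the course examples.
"""
STATIC_LEVEL = {"use": 1, "read": 2, "update": 3, "create": 4, "delete": 4}
DYNAMIC_LEVEL = {"grant": 1, "revoke": 1, "delegate": 2, "abrogate": 2}


class AccessMatrix:
    def __init__(self):
        self.static = {}    # (subject, object) -> set of static modes
        self.dynamic = {}   # (subject, object) -> set of dynamic modes

    def rights(self, subject, obj):
        return self.static.get((subject, obj), set())

    def powers(self, subject, obj):
        return self.dynamic.get((subject, obj), set())

    def check(self, subject, obj, mode):
        """Access[s, o] lookup: may subject perform this static mode on object?"""
        return mode in self.rights(subject, obj)

    def highest_level(self, subject, obj):
        """Level of the strongest static mode held (0 when nothing is held)."""
        return max((STATIC_LEVEL[m] for m in self.rights(subject, obj)), default=0)

    def owner_assign(self, subject, obj, static=(), dynamic=()):
        """Bootstrap entry made by the object's owner/administrator; no mode check."""
        self.static.setdefault((subject, obj), set()).update(static)
        self.dynamic.setdefault((subject, obj), set()).update(dynamic)

    def _require(self, subject, obj, power):
        if power not in self.powers(subject, obj):
            raise PermissionError(f"{subject} lacks {power} on {obj}")

    def grant(self, granter, grantee, obj, mode):
        """Grant (level 1): pass on a static mode; only modes the granter holds itself."""
        self._require(granter, obj, "grant")
        if mode not in STATIC_LEVEL or not self.check(granter, obj, mode):
            raise PermissionError(f"{granter} cannot grant {mode} on {obj}")
        self.static.setdefault((grantee, obj), set()).add(mode)

    def revoke(self, revoker, subject, obj, mode):
        """Revoke (level 1): remove a granted static mode from a subject."""
        self._require(revoker, obj, "revoke")
        self.static.get((subject, obj), set()).discard(mode)

    def delegate(self, delegator, subject, obj):
        """Delegate (level 2): give another subject the Grant power."""
        self._require(delegator, obj, "delegate")
        self.dynamic.setdefault((subject, obj), set()).add("grant")

    def abrogate(self, abrogator, subject, obj):
        """Abrogate (level 2): give another subject the Revoke power."""
        self._require(abrogator, obj, "abrogate")
        self.dynamic.setdefault((subject, obj), set()).add("revoke")


def demo():
    """Schema owner, manager and clerk on the CUSTOMERS table; returns the matrix and denied actions."""
    m = AccessMatrix()
    m.owner_assign("schema_owner", "CUSTOMERS", static=STATIC_LEVEL, dynamic=DYNAMIC_LEVEL)
    m.owner_assign("app_mgr", "CUSTOMERS", static={"read", "update"})   # no dynamic modes yet
    denied = []
    for action in (
        lambda: m.grant("app_mgr", "app_clerk", "CUSTOMERS", "read"),     # app_mgr cannot grant yet
        lambda: m.delegate("schema_owner", "app_mgr", "CUSTOMERS"),       # now it can
        lambda: m.grant("app_mgr", "app_clerk", "CUSTOMERS", "read"),     # allowed
        lambda: m.grant("app_mgr", "app_clerk", "CUSTOMERS", "delete"),   # app_mgr holds no delete
        lambda: m.revoke("app_mgr", "app_clerk", "CUSTOMERS", "read"),    # no revoke power
        lambda: m.revoke("schema_owner", "app_clerk", "CUSTOMERS", "read"),
    ):
        try:
            action()
        except PermissionError as err:
            denied.append(str(err))
    return m, denied
```

The dynamic modes are what keep the matrix under control: Delegate turns app_mgr into a granter, but even then it can only pass on modes it holds itself, and without Revoke (or Abrogate from the owner) it cannot take anything back. The same constraint is what WITH GRANT OPTION models in the GRANT syntax of Unit II.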
Application Types

 Mainframe applications
 Client/Server applications
 Web applications
 Data warehouse applications
Application Types …
Mainframe applications

 Years back, computing in corporations was centralized in the Management Information System (MIS) department.

 The MIS department was responsible for all information.

 MIS mainly developed mainframe projects. The following figure shows the mainframe application architecture:

Figure: Workstation → Mainframe Server (CODE) → DB Server
Application Types …
Client/Server applications
 To overcome the limitations of the MIS department, the client/server architecture was introduced.
 It is based on a business model: the client requests and the server responds.
 Client/server architecture became the dominant configuration for all applications, offering:
  Flexibility
  Scalability
  Processing power
 Three main components are typically found in a client/server architecture:
  User interface component – Represents all screens, reports, etc.
  Business logic component – Contains all the code related to data validation
  Data access component – Contains all the code related to retrieves, inserts, deletes and updates
Application Types …

Client/Server applications

 A client/server application consists of a minimum of two tiers.
 Normally four to five tiers is the maximum configuration.
 The following figure represents the logical components of a client/server architecture:

Figure: logical tiers of a client/server architecture, from the CLIENT (Tier 1: user interface) through the business logic tiers to the SERVER (Tier 5)
Application Types …
Client/Server applications
 The following figure represents the physical architecture of a client/server application:

Figure: Client (User Interface, Business Logic, Data Access) → Server (DB Server)

 The data access component of the client/server architecture is the component responsible for retrieving and manipulating data.
 The security model should be embedded in this component.
Application Types …
Web applications
 Client/server applications once dominated, but not for long.
 Another architecture evolved with the rise of dot-com and Web-based companies.
 The new client/server architecture is based on the Web and is referred to as a Web application or a Web-based application.
 A Web application uses the HTTP protocol to connect and communicate with the server.
 Web pages are embedded with other Web services.
 The following figure represents the logical components of a Web application architecture:

Figure: CLIENT – Web browser layer (Tier 1); Web server layer (Tier 2); Application server layer (Tier 3); Business logic layer (Tier 4); Database server layer (Tier 5) – SERVER
Application Types …
Components of a Web application

 Web browser layer – A typical browser program that allows the user to navigate through Web pages found on the Internet

 Web server layer – A software program residing on a computer connected to the Internet

 Application server layer – A software program residing on a computer that is used for data processing

 Business logic layer – A software program that implements business rules

 Database server layer – A software program that stores and manages data
Application Types …
 The following figure shows a physical architecture that is typical for a Web-based application.
 In this architecture, each layer resides on a separate computer.
 One or more Web application layers could be housed on one computer.
 The main reason for separating Web application layers onto different computers is to distribute the processing load.

Figure: Client → Internet → Web Server → Application Server → Business Logic → DB Server
Application Types …

Data Warehouse applications

 A DW is a subject-oriented, time-variant, non-volatile and integrated system.
 DWs are decision support systems.
 A DW is a collection of many types of data taken from different data sources.
 The architecture of these types of data warehousing applications typically consists of a database server on which the application resides.
 The DW is accessed by software applications or reporting applications called OLAP (OnLine Analytical Processing).
Application Types …
 The following figure shows the physical and logical structure of a data warehouse:

Figure: Data Source (DB Server, Client, Application Server) → Transform (Data Server) → Data Warehouse Database (DB Server) → Application Server
Application Security Models

 Database role based
 Application role based
 Application function based
 Application role and function based
 Application table based
Application Security Models …
Security Model based on Database Roles
 This model depends on the application to authenticate the application users by maintaining all end users in a table with their encrypted passwords.
 In this model each end user is assigned a database role.
 The user can access whatever privileges are assigned to the role.
 In this model a proxy user is needed to activate the assigned roles.
 The following figure shows the data model for this application (security data model based on database roles):

APPLICATION_USERS
  APP_USER_ID
  APP_USERNAME
  APP_ENC_PASSWORD
  FIRST_NAME
  LAST_NAME
  CTL_INS_DTIM
  CTL_UPD_DTIM
  CTL_UPD_USER
  CTL_REC_STAT

APPLICATION_USERS_ROLES
  APP_USER_ID (FK)
  ROLE_NAME
  CTL_INS_DTIM
  CTL_UPD_DTIM
  CTL_UPD_USER
  CTL_REC_STAT
Application Security Models …
The following list presents a brief description of these columns:
Application Security Models …
Tables used in the security data model based on database roles

TABLE NAME                 DESCRIPTION
APPLICATION_USERS          Stores and maintains all end users of the application with their encrypted passwords
APPLICATION_USERS_ROLES    Contains all roles defined by the application and, for each role, the privilege assigned; the privilege can be read, write or read/write
Application Security Models …
Architecture of a security data model based on database roles

Figure: End User → Application (application user with no database privileges) → Authorization table (contains three columns: username, password and role) → Schema Owner. The proxy user has read access to the authorization table and is assigned all application roles. All application tables are owned by the schema owner, including the authorization table.
Application Security Models …

The following points on this type of security model are worth noting:

 This model uses the DB role functionality
 Therefore it is DB independent
 If the roles are implemented poorly, the model does not work properly
 Privileges to tables are also DB dependent
 It can isolate the application security from the DB
 Maintenance of the application security does not require specific DB privileges
 Passwords must be securely encrypted
 The application must use proxy users to log on and connect to the application database and activate specific roles for each database session
Application Security Models …
Implementation in ORACLE
1. Create the users by entering the following code:
Creating the application owner
SQL> CREATE USER APP_OWNER IDENTIFIED BY APP_OWNER
  2  DEFAULT TABLESPACE USERS
  3  TEMPORARY TABLESPACE TEMP
  4  QUOTA UNLIMITED ON USERS;
User created

SQL> GRANT RESOURCE, CREATE SESSION TO APP_OWNER;
Grant succeeded

Creating the proxy user
SQL> CREATE USER APP_PROXY IDENTIFIED BY APP_PROXY
  2  DEFAULT TABLESPACE USERS
  3  TEMPORARY TABLESPACE TEMP;
User created

SQL> GRANT CREATE SESSION TO APP_PROXY;
Grant succeeded
Application Security Models …
Creating the application tables

SQL> CONN APP_OWNER@DB
Enter password: *********
Connected

SQL> CREATE TABLE CUSTOMERS
  2  ( CUSTOMER_ID NUMBER PRIMARY KEY,
  3    CUSTOMER_NAME VARCHAR2(50) );
Table created

SQL> CREATE TABLE AUTH_TABLE
  2  ( APP_USER_ID NUMBER,
  3    APP_USERNAME VARCHAR2(20),
  4    APP_PASSWORD VARCHAR2(20),
  5    APP_ROLE VARCHAR2(20) );
Table created
Application Security Models …
Creating the application roles

SQL> CONNECT SYSTEM@DB
Enter password: *******
Connected

SQL> CREATE ROLE APP_MGR;
Role created

SQL> CREATE ROLE APP_SUP;
Role created

SQL> CREATE ROLE APP_CLERK;
Role created

SQL> GRANT APP_MGR, APP_SUP, APP_CLERK TO APP_PROXY;
Grant succeeded

SQL> ALTER USER APP_PROXY DEFAULT ROLE NONE;
User altered
Application Security Models …
Assigning grants

SQL> CONNECT APP_OWNER@DB
Enter password: *********
Connected

SQL> GRANT SELECT, INSERT, UPDATE, DELETE ON CUSTOMERS TO APP_MGR;
Grant succeeded

SQL> GRANT SELECT, INSERT, UPDATE, DELETE ON CUSTOMERS TO APP_SUP;
Grant succeeded

SQL> GRANT SELECT ON CUSTOMERS TO APP_CLERK;
Grant succeeded

SQL> GRANT SELECT ON AUTH_TABLE TO APP_PROXY;
Grant succeeded
Application Security Models …
2. Add rows to the CUSTOMERS table:

SQL> CONN APP_OWNER@DB
Enter password: *********
Connected

SQL> INSERT INTO CUSTOMERS VALUES (1, 'Tom');
1 row inserted

SQL> INSERT INTO CUSTOMERS VALUES (2, 'Linda');
1 row inserted

SQL> COMMIT;
Commit complete
Application Security Models …
3. Add a row for an application user called APP_USER:

SQL> INSERT INTO AUTH_TABLE VALUES (100, 'APP_USER',
  2  'd323deq4fdfgdgg', 'APP_CLERK');
1 row inserted

4. Now assume that APP_USER is trying to log in through the proxy user APP_PROXY. Your application should look up the role of the user with a SELECT statement and then activate that role:

SQL> SELECT APP_ROLE FROM AUTH_TABLE WHERE APP_USERNAME = 'APP_USER';

APP_ROLE
----------------------------
APP_CLERK
Application Security Models …

5. Activate the role for this specific APP_USER session:

SQL> CONN APP_PROXY
Enter password: **********
Connected

SQL> SET ROLE APP_CLERK;
Role set

SQL> SELECT * FROM SESSION_ROLES;

ROLE
-------------------------
APP_CLERK
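Steps 1 to 5 above carried through end to end, as an added Python example that is not from the slides and not Oracle code. An in-memory SQLite database stands in for the APP_OWNER schema, a ProxySession class stands in for the APP_PROXY session (granted APP_MGR, APP_SUP and APP_CLERK with DEFAULT ROLE NONE), and the password column holds a salted PBKDF2 hash, which is what the slides' "encrypted password" should be. The table, user and role names follow the slides; the extra APP_SALT column, the sample password, the OBJECT_PRIVS map and the class itself are assumptions of this example.

```python
"""Login through AUTH_TABLE and role activation, following steps 1-5 above.

Added example, not from the slides and not Oracle code: an in-memory SQLite
database stands in for the APP_OWNER schema, ProxySession stands in for the
APP_PROXY database session (granted APP_MGR, APP_SUP and APP_CLERK with
DEFAULT ROLE NONE), and the password column holds a salted PBKDF2 hash, which
is what the slides' "encrypted password" should be. Table, user and role names
follow the slides; the extra APP_SALT column, the sample password and the
Python class are constructed for this example.
"""
import hashlib
import hmac
import os
import sqlite3

# Object privileges the schema owner granted to each role (the "Assigning grants" step).
OBJECT_PRIVS = {
    "APP_MGR": {"CUSTOMERS": {"SELECT", "INSERT", "UPDATE", "DELETE"}},
    "APP_SUP": {"CUSTOMERS": {"SELECT", "INSERT", "UPDATE", "DELETE"}},
    "APP_CLERK": {"CUSTOMERS": {"SELECT"}},
}


def hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000).hex()


def build_schema() -> sqlite3.Connection:
    """Steps 1-3: application tables plus the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CUSTOMERS (CUSTOMER_ID INTEGER PRIMARY KEY, CUSTOMER_NAME TEXT)")
    db.execute("""CREATE TABLE AUTH_TABLE (APP_USER_ID INTEGER, APP_USERNAME TEXT UNIQUE,
                                          APP_SALT TEXT, APP_PASSWORD TEXT, APP_ROLE TEXT)""")
    db.executemany("INSERT INTO CUSTOMERS VALUES (?, ?)", [(1, "Tom"), (2, "Linda")])
    salt = os.urandom(16)
    db.execute("INSERT INTO AUTH_TABLE VALUES (?, ?, ?, ?, ?)",
               (100, "APP_USER", salt.hex(), hash_password("Clerk!2021", salt), "APP_CLERK"))
    db.commit()
    return db


def authenticate(db, username: str, password: str):
    """Step 4: application-side check against AUTH_TABLE; returns the role or None."""
    row = db.execute(
        "SELECT APP_SALT, APP_PASSWORD, APP_ROLE FROM AUTH_TABLE WHERE APP_USERNAME = ?",
        (username,)).fetchone()                      # bound parameter, never string-built SQL
    if row is None:
        return None
    salt, stored, role = row
    return role if hmac.compare_digest(hash_password(password, bytes.fromhex(salt)), stored) else None


class ProxySession:
    """Stand-in for the APP_PROXY session: roles granted, none active until SET ROLE."""
    GRANTED = {"APP_MGR", "APP_SUP", "APP_CLERK"}

    def __init__(self, db):
        self.db = db
        self.active = set()              # DEFAULT ROLE NONE

    def set_role(self, role: str):
        if role not in self.GRANTED:
            raise PermissionError(f"role {role} not granted to APP_PROXY")
        self.active = {role}

    def session_roles(self):
        return sorted(self.active)

    def run(self, privilege: str, table: str, sql: str, params=()):
        """Step 5 onwards: only the active role's object privileges allow the statement."""
        if not any(privilege in OBJECT_PRIVS[r].get(table, set()) for r in self.active):
            raise PermissionError(f"insufficient privileges: {privilege} on {table}")
        return self.db.execute(sql, params).fetchall()


def login_and_query(username: str, password: str):
    """End-to-end: authenticate, activate the looked-up role, try a SELECT and a DELETE."""
    db = build_schema()
    role = authenticate(db, username, password)
    if role is None:
        return None
    session = ProxySession(db)
    session.set_role(role)
    names = [n for (n,) in session.run("SELECT", "CUSTOMERS",
                                       "SELECT CUSTOMER_NAME FROM CUSTOMERS ORDER BY CUSTOMER_ID")]
    try:
        session.run("DELETE", "CUSTOMERS", "DELETE FROM CUSTOMERS")
        deleted = True
    except PermissionError:
        deleted = False
    return session.session_roles(), names, deleted
```

Two choices reflect the model's own requirements: the proxy session starts with no active role (DEFAULT ROLE NONE) and can only switch to a role it was granted, so a compromised application cannot escalate beyond APP_MGR, APP_SUP or APP_CLERK; and the authorization lookup binds the username as a parameter, so the AUTH_TABLE query itself does not become an injection point.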
Application Security Models …

Implementation in SQL Server

 In SQL Server 2000 you use application roles.
 Application roles are special roles you create in the database that are then activated at the time of authorization.
 Application roles require a password and cannot contain members.
 Application roles are inactive by default.
 Application roles can be activated using the SP_SETAPPROLE system stored procedure.
Application Security Models …
Creating application roles using the command line

 To create an application role in the Query Analyzer, use the SP_ADDAPPROLE system stored procedure:

sp_addapprole [ @rolename = ] 'role', [ @password = ] 'password'

Where:
@rolename – The name of the application role (the value must be a valid identifier and cannot already exist in the database)
@password – The password required to activate the role (SQL Server stores the password as an encrypted hash)

Example:

To create the application role clerk for your Pharmacy database, use this command:

exec sp_addapprole 'clerk', 'Clerk@ccess'
Application Security Models …

Creating application roles using SQL Server Enterprise Manager
Follow these steps:
1. Open Enterprise Manager.
2. Expand the Roles container for your Pharmacy database. Right-click in the right pane, then select New Database Role.
3. Type the name db_accessadmin in the Name box.
4. Select Application Role under Database role type.
5. Enter the password db@ccess in the text box.
6. Click OK to create the role.
Application Security Models …

Dropping application roles using the command line

 To drop an application role using the Query Analyzer, use the SP_DROPAPPROLE system stored procedure:

sp_dropapprole [ @rolename = ] 'role'

Where
@rolename – The application role to drop.

Dropping application roles using Enterprise Manager

 Follow these steps:
1. Open Enterprise Manager.
2. Expand the Roles container of the database from which you are dropping the role.
3. Select and delete the desired role.
Application Security Models …
Security Model based on Application Roles
 Depends on the application authenticate the application users.
 Authentication is accomplished by maintaining all end users in a table with their
encrypted passwords.
 Each end user is assigned an application role to read / write specific modules of
the applications.
 The following table contains the description of tables used for this model.

APPLICATION_USERS
  APP_USER_ID (PK)
  APP_ROLE_ID (FK)
  APP_USERNAME
  APP_ENC_PASSWORD
  FIRST_NAME
  LAST_NAME
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

APPLICATION_ROLES
  APP_ROLE_ID (PK)
  APP_ROLE_NAME
  APP_ROLE_DESCRIPTION
  APP_ROLE_PRIVILEGE
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

Application Security Models …
Architecture of Security Model based on Application Roles

[Figure: the end user, an application user with no database privileges of their own, logs on through the application. The application checks the authorization table, which contains three columns (username, password and role), and connects to the database as the schema owner. All application tables, including the authorization table, are owned by the schema owner.]

Application Security Models …
Security Model based on Application Roles

 When considering this security model, keep these points in mind:

 This model is primitive and does not allow the flexibility required to make the changes necessary for security.
 Privileges are limited to a fixed combination such as read, add, read/update, admin and so on.

 The following list presents the characteristics of this security model:

 Isolates the application security from the database.
 Only one role is assigned to an application user.
 This lowers the risk of database violations.
 Passwords must be securely encrypted.
 The application must use a real database user to log on and connect to the application database.

Application Security Models …
Security Model based on Application Functions
 The model based on application functions also depends on the application to authenticate the application users.
 The application is divided into functions, and privileges are granted per function.
 The following data model lists the tables used for this type of application and their columns.

APPLICATION_USERS
  APP_USER_ID (PK)
  APP_ROLE_ID (FK)
  APP_USERNAME
  APP_ENC_PASSWORD
  FIRST_NAME
  LAST_NAME
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

APPLICATION_USERS_FUNCTIONS
  APP_USER_ID (FK)
  APP_FUNCTION_ID (FK)
  APP_FUNCTION_PRIVILEGE_ID (FK)
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

APPLICATION_FUNCTIONS
  APP_FUNCTION_ID (PK)
  APP_FUNCTION_NAME
  APP_FUNCTION_DESCRIPTION
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

APPLICATION_FUNCTION_PRIVILEGE
  APP_FUNCTION_PRIVILEGE_ID (PK)
  APP_FUNCTION_PRIVILEGE_OPERATION
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

Application Security Models …
Architecture of Security Model based on Application Functions

[Figure: the end user, an application user with no database privileges, logs on through the application. The application checks the authorization tables (username, password and role) and connects to the database as the schema owner. All application tables, including the authorization tables, are owned by the schema owner (the application owner).]

Application Security Models …

The following list presents the characteristics of this security model:

 Isolates the application security from the database.
 Only one role is assigned to an application user.
 This lowers the risk of database violations.
 Passwords must be securely encrypted.
 The application must use a real database user to log on and connect to the application database.
 The application must be designed in a granular, modular fashion.

Application Security Models …
Security model based on Application Roles and Functions
 It is a combination of both the role and function security model

 Depends on the application to authenticate the application users

 The application authenticates users by maintaining all end users in a table with
their encrypted passwords

 Applications are divided into functions and roles are assigned to functions that
are in turn assigned to users.

 This model is highly flexible in implementing application security.

Application Security Models …
 The following data model (ER diagram) lists the tables used by the security model based on application roles and functions and their columns.

APPLICATION_USERS
  APP_USER_ID (PK)
  APP_USERNAME
  APP_ENC_PASSWORD
  FIRST_NAME
  LAST_NAME
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

APPLICATION_USERS_ROLES
  APP_USER_ID (FK)
  APP_ROLE_ID (FK)
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

APPLICATION_ROLES
  APP_ROLE_ID (PK)
  APP_ROLE_NAME
  APP_ROLE_DESCRIPTION
  APP_ROLE_PRIVILEGE
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

APPLICATION_FUNCTIONS
  APP_FUNCTION_ID (PK)
  APP_FUNCTION_NAME
  APP_FUNCTION_DESCRIPTION
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

APPLICATION_ROLE_FUNCTIONS
  APP_FUNCTION_ID (FK)
  APP_ROLE_ID (FK)
  APP_ROLE_PRIVILEGE (FK)
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

APPLICATION_FUNCTION_PRIVILEGE
  APP_FUNCTION_PRIVILEGE_ID (PK)
  APP_FUNCTION_PRIVILEGE_DESCRIPTION
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

Application Security Models …

 Architecture of a security data model based on application roles and functions

[Figure: the end user, an application user with no database privileges, logs on through the application. The application checks the authorization table, which contains columns for username, password, role, function and privilege, and connects to the database as the schema owner. All application tables, including the authorization table, are owned by the schema owner.]

Application Security Models …

 The following list presents the characteristics of the security model based on application roles and functions:

 Provides the utmost flexibility for implementing application security.
 Isolates the application security from the database.
 Maintenance of the application security does not require specific database privileges.
 Lowers the risk of database violations.
 Passwords must be securely encrypted.
 The application must be designed in a very granular fashion.

Application Security Models …
Security Model Based on Application Tables
 Depends on the application to authenticate users by maintaining all end users in a table with their encrypted passwords.
 The application grants privileges to the user per table rather than per role or function.
 Each user is assigned an access privilege on each table owned by the application owner.
 The following data model lists the tables used by this security model and their columns.

APPLICATION_USERS
  APP_USER_ID (PK)
  APP_USERNAME
  APP_ENC_PASSWORD
  FIRST_NAME
  LAST_NAME
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

APPLICATION_USER_TABLES
  APP_USER_ID (FK)
  APP_TABLE_ID (FK)
  APP_TABLE_PRIVILEGE_ID (FK)
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

APPLICATION_TABLES
  APP_TABLE_ID (PK)
  APP_TABLE_NAME
  APP_TABLE_DESCRIPTION
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

APPLICATION_TABLE_PRIVILEGES
  APP_TABLE_PRIVILEGE_ID (PK)
  APP_TABLE_PRIVILEGE_DESCRIPTION
  CTL_INS_DTTM
  CTL_UPD_DTTM
  CTL_UPD_USER
  CTL_REC_STAT

Application Security Models …
Architecture of a Security Model Based on Application Tables

[Figure: the end user, an application user with no database privileges, logs on through the application. The application checks the authorization table, which has four columns (username, password, table and access, where access is a level 0 to 5), and connects to the database as the schema owner. All application tables, including the authorization table, are owned by the schema owner.]

Application Security Models …

 The following list presents the characteristics of the security model based on application tables:

 Isolates the application security from the database.
 Maintenance of the application security does not require specific database privileges.
 Lowers the risk of database violations.
 Security is implemented easily by using table access privileges.

Application Security Models …
Characteristics of the Security Models

Columns: DB Role = Database Role Based; App Role = Application Role Based; App Function = Application Function Based; App Role+Function = Application Role and Function Based; App Table = Application Table Based.

Characteristic                                  | DB Role | App Role | App Function | App Role+Function | App Table
------------------------------------------------+---------+----------+--------------+-------------------+----------
Is flexible in implementing application         | No      | No       | No           | Yes               | No
security                                        |         |          |              |                   |
Isolates application security from the DB       | Yes     | Yes      | Yes          | Yes               | Yes
Maintenance of application security does not    | No      | No       | No           | Yes               | No
require specific DB privileges                  |         |          |              |                   |
Password must be securely encrypted             | Yes     | Yes      | Yes          | Yes               | Yes
Uses a real DB user to log on                   | No      | Yes      | Yes          | Yes               | Yes
Is business-function specific                   | No      | No       | Yes          | Yes               | No
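The roles-and-functions model compared in the table above, as an added example in Python with sqlite3 (this is not code from the lecture deck or its references): the application keeps users, roles, functions and the role-to-function assignments in its own authorization tables, authenticates the end user itself against a salted password hash, and answers "may this user perform this operation on this function?" with a join over those tables. Table and column names follow the APPLICATION_USERS / APPLICATION_ROLES / APPLICATION_FUNCTIONS data model but are simplified, the sample users and passwords are constructed, and the hashing scheme (PBKDF2-HMAC-SHA256 with a per-user salt) is an assumption of this example; the deck only requires that passwords be securely encrypted.

```python
"""Authorization tables for the security model based on application roles and
functions, kept in sqlite3.  Added example, not from the lecture deck: table and
column names follow the APPLICATION_USERS / APPLICATION_ROLES /
APPLICATION_FUNCTIONS data model but are simplified, and the password scheme
(PBKDF2-HMAC-SHA256 with a per-user salt) is a choice made here."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

SCHEMA = """
CREATE TABLE application_users (
    app_user_id      INTEGER PRIMARY KEY,
    app_username     TEXT UNIQUE NOT NULL,
    app_pw_salt      BLOB NOT NULL,
    app_enc_password BLOB NOT NULL      -- PBKDF2 hash, never the clear text
);
CREATE TABLE application_roles (
    app_role_id   INTEGER PRIMARY KEY,
    app_role_name TEXT UNIQUE NOT NULL
);
CREATE TABLE application_functions (
    app_function_id   INTEGER PRIMARY KEY,
    app_function_name TEXT UNIQUE NOT NULL
);
-- roles are assigned to users ...
CREATE TABLE application_user_roles (
    app_user_id INTEGER NOT NULL REFERENCES application_users,
    app_role_id INTEGER NOT NULL REFERENCES application_roles,
    PRIMARY KEY (app_user_id, app_role_id)
);
-- ... and functions (with an operation, READ or WRITE) are assigned to roles
CREATE TABLE application_role_functions (
    app_role_id     INTEGER NOT NULL REFERENCES application_roles,
    app_function_id INTEGER NOT NULL REFERENCES application_functions,
    operation       TEXT NOT NULL CHECK (operation IN ('READ', 'WRITE')),
    PRIMARY KEY (app_role_id, app_function_id, operation)
);
"""


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """In-memory database loaded with constructed sample users, roles and functions."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for uid, name, pw in [(1, "alice", "correct horse"), (2, "bob", "battery staple")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO application_users VALUES (?, ?, ?, ?)",
                   (uid, name, salt, _hash(pw, salt)))
    db.executemany("INSERT INTO application_roles VALUES (?, ?)",
                   [(10, "clerk"), (20, "pharmacist")])
    db.executemany("INSERT INTO application_functions VALUES (?, ?)",
                   [(100, "ORDER_ENTRY"), (200, "DISPENSE")])
    db.executemany("INSERT INTO application_user_roles VALUES (?, ?)", [(1, 10), (2, 20)])
    db.executemany("INSERT INTO application_role_functions VALUES (?, ?, ?)",
                   [(10, 100, "READ"), (10, 100, "WRITE"), (20, 100, "READ"), (20, 200, "WRITE")])
    db.commit()
    return db


def authenticate(db: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """The application, not the database, authenticates the end user."""
    row = db.execute("SELECT app_user_id, app_pw_salt, app_enc_password "
                     "FROM application_users WHERE app_username = ?", (username,)).fetchone()
    if row is None:
        return None
    uid, salt, stored = row
    # constant-time comparison, so a wrong guess does not leak timing information
    return uid if hmac.compare_digest(_hash(password, salt), stored) else None


def authorized(db: sqlite3.Connection, user_id: int, function: str, operation: str) -> bool:
    """True when some role held by the user grants the operation on the function."""
    row = db.execute("""
        SELECT 1
          FROM application_user_roles     ur
          JOIN application_role_functions rf ON rf.app_role_id = ur.app_role_id
          JOIN application_functions      f  ON f.app_function_id = rf.app_function_id
         WHERE ur.app_user_id = ? AND f.app_function_name = ? AND rf.operation = ?
         LIMIT 1""", (user_id, function, operation)).fetchone()
    return row is not None


def demo() -> dict:
    db = build_db()
    alice = authenticate(db, "alice", "correct horse")
    return {
        "alice_logged_in": alice is not None,
        "wrong_password_rejected": authenticate(db, "alice", "wrong") is None,
        "alice_order_entry_write": authorized(db, alice, "ORDER_ENTRY", "WRITE"),
        "alice_dispense_write": authorized(db, alice, "DISPENSE", "WRITE"),
        "bob_dispense_write": authorized(db, 2, "DISPENSE", "WRITE"),
    }


if __name__ == "__main__":
    print(demo())
```

Only the application's own connection touches these tables, so the database sees a single real user (the schema owner) while every end user is still individually identified and limited to the functions their role grants; adding a function or re-assigning a role is a row change in the authorization tables, not a database privilege change.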

Data Encryption
 Encryption is a security method in which information is encoded in such a way that only authorized users can read it.
 It uses an encryption algorithm to generate ciphertext that can only be read after it is decrypted.

 Types of Encryption

 There are two types of encryption schemes, as listed below:
 Symmetric key encryption
 Public key encryption

Data Encryption
 A symmetric key encryption algorithm uses the same cryptographic key for both encryption of the plaintext and decryption of the ciphertext.
 A public key encryption algorithm uses a pair of keys, one of which is secret (private) and one of which is public. The two keys are mathematically linked with each other.

Virtual Private Databases
 A VPD (Virtual Private Database) is a shared database schema containing data that belongs to many users, where each user can view or manipulate only the data that the user owns.

[Figure: two users share the schema owner's tables; one user can only see and modify the data of deptno 10, the other can only see and modify the data of deptno 20.]

Virtual Private Databases

 Not every database system offers a mechanism to implement a VPD without VIEW objects.
 Oracle offered VPD in several versions before the release of 10g.
 Oracle uses two other names to refer to VPDs:
 Row Level Security (RLS)
 Fine Grained Access (FGA)

Virtual Private Databases
Architecture of Virtual Private Database

[Figure: the user submits the query

SELECT * FROM PRODUCTS

against a table owned by the schema owner. The VPD policy function, registered through the DBMS_RLS package, automatically adds a WHERE clause predicate (DEPTID = 20), so the query is rewritten before it runs to become

SELECT * FROM PRODUCTS WHERE DEPTID = 20 ]

Virtual Private Databases

 Setup Test Environment

 Create an Application Context

 Create Login Trigger

 Create Security Policies

 Apply Security Policies to Tables

 Test VPD

Virtual Private Databases
Setup Test Environment
 First we must create a user to act as the schema owner for this example. In a real system you would perform the following tasks using your existing schema owner.

CONNECT sys/password@service AS SYSDBA;

CREATE USER schemaowner IDENTIFIED BY schemaowner DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp;
GRANT connect, resource TO schemaowner;

CREATE USER user1 IDENTIFIED BY user1 DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp;
GRANT connect, resource TO user1;

CREATE USER user2 IDENTIFIED BY user2 DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp;
GRANT connect, resource TO user2;

-- Test setup only: in production grant EXECUTE ON DBMS_RLS to the schema that
-- manages the policies rather than to PUBLIC.
GRANT EXECUTE ON DBMS_RLS TO PUBLIC;

Virtual Private Databases

CONNECT schemaowner/schemaowner@service

-- maps each database user (OUSER) to an application user id
CREATE TABLE users (
  id         NUMBER(10)   NOT NULL,
  ouser      VARCHAR2(30) NOT NULL,
  first_name VARCHAR2(50) NOT NULL,
  last_name  VARCHAR2(50) NOT NULL
);

-- the protected table: USER_ID says which application user owns the row
CREATE TABLE user_data (
  column1 VARCHAR2(50) NOT NULL,
  user_id NUMBER(10)   NOT NULL
);

INSERT INTO users VALUES (1, 'USER1', 'User', 'One');
INSERT INTO users VALUES (2, 'USER2', 'User', 'Two');
COMMIT;

GRANT SELECT, INSERT ON user_data TO user1, user2;

Virtual Private Databases
Create an Application Context
 Grant CREATE ANY CONTEXT to the schema owner, then create the context and the context package.

CONNECT sys/password@service AS SYSDBA;

GRANT create any context, create public synonym TO schemaowner;

CONNECT schemaowner/schemaowner@service;

-- only SCHEMAOWNER.context_package may set values in the SCHEMAOWNER context
CREATE CONTEXT SCHEMAOWNER USING SCHEMAOWNER.context_package;

CREATE OR REPLACE PACKAGE context_package AS
  PROCEDURE set_context;
END;
/

Virtual Private Databases
 Next we create the context_package body, which will actually set the user context.

CREATE OR REPLACE PACKAGE BODY context_package IS
  PROCEDURE set_context IS
    v_ouser VARCHAR2(30);
    v_id    NUMBER;
  BEGIN
    DBMS_SESSION.set_context('SCHEMAOWNER', 'SETUP', 'TRUE');
    v_ouser := SYS_CONTEXT('USERENV', 'SESSION_USER');
    BEGIN
      -- map the database session user to the application user id
      SELECT id INTO v_id FROM users WHERE ouser = v_ouser;
      DBMS_SESSION.set_context('SCHEMAOWNER', 'USER_ID', v_id);
    EXCEPTION
      WHEN NO_DATA_FOUND THEN
        -- unknown user: id 0 matches no row, so the policy predicate hides everything
        DBMS_SESSION.set_context('SCHEMAOWNER', 'USER_ID', 0);
    END;
    DBMS_SESSION.set_context('SCHEMAOWNER', 'SETUP', 'FALSE');
  END set_context;
END context_package;
/

Virtual Private Databases
 Next we make sure that all users have access to context_package.

GRANT EXECUTE ON SCHEMAOWNER.context_package TO PUBLIC;

CREATE PUBLIC SYNONYM context_package FOR SCHEMAOWNER.context_package;

Create Login Trigger

 Next we must create a trigger that fires after the user logs on to the database.

CONNECT sys/password@service AS SYSDBA;

CREATE OR REPLACE TRIGGER SCHEMAOWNER.set_security_context
AFTER LOGON ON DATABASE
BEGIN
  SCHEMAOWNER.context_package.set_context;
END;
/

Virtual Private Databases
Create Security Policies
 In order for the context package to have any effect on the users' interaction with the database, we need to define a security_package for use with the security policy. This package tells the database how to treat any interaction with the specified table.

CONNECT schemaowner/schemaowner@service;

CREATE OR REPLACE PACKAGE security_package AS
  FUNCTION user_data_insert_security(owner VARCHAR2, objname VARCHAR2) RETURN VARCHAR2;
  FUNCTION user_data_select_security(owner VARCHAR2, objname VARCHAR2) RETURN VARCHAR2;
END security_package;
/

Virtual Private Databases
 Next we create the security_package body. Each policy function returns the text of a predicate that Oracle appends to the WHERE clause of the statement.

CREATE OR REPLACE PACKAGE BODY security_package IS
  FUNCTION user_data_select_security(owner VARCHAR2, objname VARCHAR2) RETURN VARCHAR2 IS
    predicate VARCHAR2(2000);
  BEGIN
    predicate := '1=2';   -- default: no row is visible
    IF (SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SCHEMAOWNER') THEN
      predicate := NULL;  -- schema owner: no predicate, every row is visible
    ELSE
      predicate := 'USER_ID = SYS_CONTEXT(''SCHEMAOWNER'',''USER_ID'')';
    END IF;
    RETURN predicate;
  END user_data_select_security;

  FUNCTION user_data_insert_security(owner VARCHAR2, objname VARCHAR2) RETURN VARCHAR2 IS
    predicate VARCHAR2(2000);
  BEGIN
    predicate := '1=2';
    IF (SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SCHEMAOWNER') THEN
      predicate := NULL;
    ELSE
      predicate := 'USER_ID = SYS_CONTEXT(''SCHEMAOWNER'',''USER_ID'')';
    END IF;
    RETURN predicate;
  END user_data_insert_security;
END security_package;
/
Virtual Private Databases
 Next we make sure that all users have access to security_package.

GRANT EXECUTE ON SCHEMAOWNER.security_package TO PUBLIC;

CREATE PUBLIC SYNONYM security_package FOR SCHEMAOWNER.security_package;

Apply Security Policies to Tables

 The DBMS_RLS package is used to apply the security policy, implemented by security_package, to the relevant tables.

BEGIN
  DBMS_RLS.add_policy('SCHEMAOWNER', 'USER_DATA', 'USER_DATA_INSERT_POLICY',
                      'SCHEMAOWNER', 'SECURITY_PACKAGE.USER_DATA_INSERT_SECURITY',
                      'INSERT', TRUE);   -- update_check = TRUE: a new row must satisfy the predicate
  DBMS_RLS.add_policy('SCHEMAOWNER', 'USER_DATA', 'USER_DATA_SELECT_POLICY',
                      'SCHEMAOWNER', 'SECURITY_PACKAGE.USER_DATA_SELECT_SECURITY',
                      'SELECT');
END;
/

Virtual Private Databases
Test VPD
 Finally, test that the VPD is working correctly.

CONNECT user1/user1@service;

INSERT INTO schemaowner.user_data (column1, user_id) VALUES ('User 1', 1);
-- rejected: the INSERT policy's check option requires USER_ID = 1 for user1
INSERT INTO schemaowner.user_data (column1, user_id) VALUES ('User 2', 2);
COMMIT;

CONNECT user2/user2@service

-- rejected: user2's context has USER_ID = 2
INSERT INTO schemaowner.user_data (column1, user_id) VALUES ('User 1', 1);
INSERT INTO schemaowner.user_data (column1, user_id) VALUES ('User 2', 2);
COMMIT;

CONNECT schemaowner/schemaowner@service

-- the schema owner gets no predicate and sees both rows
SELECT * FROM schemaowner.user_data;

CONNECT user1/user1@service;

-- user1 sees only the row with USER_ID = 1
SELECT * FROM schemaowner.user_data;

CONNECT user2/user2@service

-- user2 sees only the row with USER_ID = 2
SELECT * FROM schemaowner.user_data;
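The walkthrough above, replayed as an added example in Python with sqlite3 so the rewrite mechanism can be run and inspected without an Oracle instance (this is not code from the deck and not Oracle code). The application context, the AFTER LOGON trigger and the policy function are modelled as methods of a Vpd class that is an assumption of this example; the USERS and USER_DATA tables, the user names and the predicate text follow the deck. The select path shows the WHERE clause being appended, the insert path mirrors an INSERT policy registered with update_check = TRUE by evaluating the predicate against the candidate row, and an unknown session user gets USER_ID 0 and therefore sees nothing.

```python
"""Row-level security by query rewriting, the mechanism behind Oracle VPD.
Added example, not from the deck and not Oracle code: it replays the
SCHEMAOWNER / USER_DATA walkthrough on sqlite3.  The Vpd class (context,
logon trigger and policy function as methods) is an assumption of this
example; table, column and user names follow the deck."""
import sqlite3


class Vpd:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE users (id INTEGER NOT NULL, ouser TEXT NOT NULL);
            CREATE TABLE user_data (column1 TEXT NOT NULL, user_id INTEGER NOT NULL);
            INSERT INTO users VALUES (1, 'USER1');
            INSERT INTO users VALUES (2, 'USER2');
        """)
        self.context = {}          # stands in for the SCHEMAOWNER application context

    def connect(self, session_user: str) -> None:
        """What the AFTER LOGON trigger does: look the session user up in USERS
        and store its id (0 when unknown) in the context."""
        row = self.db.execute("SELECT id FROM users WHERE ouser = ?",
                              (session_user.upper(),)).fetchone()
        self.context = {"SESSION_USER": session_user.upper(),
                        "USER_ID": row[0] if row else 0}

    def policy(self) -> str:
        """The policy function: the predicate text VPD appends, or '' for none."""
        if self.context["SESSION_USER"] == "SCHEMAOWNER":
            return ""                           # owner sees every row
        # USER_ID is an int set by connect(), so the predicate text cannot be injected
        return f"user_id = {int(self.context['USER_ID'])}"

    def select_user_data(self) -> list:
        sql = "SELECT column1, user_id FROM user_data"
        predicate = self.policy()
        if predicate:
            sql += " WHERE " + predicate        # the transparent rewrite
        return self.db.execute(sql).fetchall()

    def insert_user_data(self, column1: str, user_id: int) -> bool:
        """Mirror an INSERT policy added with update_check = TRUE: the new row is
        accepted only if it satisfies the predicate."""
        predicate = self.policy()
        if predicate:
            # evaluate the predicate against the candidate row before storing it
            ok = self.db.execute(f"SELECT 1 FROM (SELECT ? AS user_id) WHERE {predicate}",
                                 (user_id,)).fetchone()
            if ok is None:
                return False                    # policy with check option violation
        self.db.execute("INSERT INTO user_data VALUES (?, ?)", (column1, user_id))
        self.db.commit()
        return True


def demo() -> dict:
    vpd = Vpd()
    vpd.connect("user1")
    user1_inserts = [vpd.insert_user_data("User 1", 1), vpd.insert_user_data("User 2", 2)]
    vpd.connect("user2")
    user2_inserts = [vpd.insert_user_data("User 1", 1), vpd.insert_user_data("User 2", 2)]
    views = {}
    for who in ("schemaowner", "user1", "user2", "stranger"):
        vpd.connect(who)
        views[who] = vpd.select_user_data()
    return {"user1_inserts": user1_inserts, "user2_inserts": user2_inserts, "views": views}


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes visible is that the application never changes its SQL: the same SELECT returns two rows for the schema owner, one row for each of user1 and user2, and nothing for a session the USERS table does not know, purely because of the predicate the policy function returns for that session.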

Virtual Private Databases
Column level Security with SQL Server
 Column level permissions provide a more granular level of security for the data in your database. You do not need to execute a separate GRANT or DENY statement for each column; just name them all in one statement:

GRANT SELECT ON data1.[table] (column1, column2) TO user1;
GO

DENY SELECT ON data1.[table] (column3) TO user1;
GO

 If you execute a DENY statement on a column for a user and afterwards execute a GRANT statement on the same column, the DENY permission is removed and the user has access to that column. Similarly, if you execute GRANT and then DENY, the DENY permission is the one in force: the most recent statement on a column wins.

18CSE455T - Database Security and Privacy

Prepared by
Dr. B. Muruganantham
Assistant Professor
Department of Computer Science and Engineering
SRMIST, Chennai

References :

1) Hassan A. Afyouni, "Database Security and Auditing", Third Edition, Cengage Learning, 2009
2) Charu C. Aggarwal, Philip S. Yu, "Privacy Preserving Data Mining: Models and Algorithms", Kluwer Academic Publishers, 2008
3) Ron Ben Natan, "Implementing Database Security and Auditing", Elsevier Digital Press, 2005
4) http://adrem.ua.ac.be/sites/adrem.ua.ac.be/files/securitybook.pdf
5) www.docs.oracle.com

Dr.B.Muruganantham
12-11-2021 2
AP / CSE /SRMIST
UNIT IV - AUDITING DATABASE ACTIVITIES

 Introduction
 Using Oracle Database Activities
 Creating DDL Triggers with Oracle
 Auditing Database Activities with Oracle Auditing
 Server Activity with SQL Server 2000
 Security and Auditing Project Case Study

Introduction

 Security is the buzzword of this decade.
 It is on everyone's mind.
 Today, crime brings to mind a whole new set of risks to privacy and confidentiality.
 Security requires action.
 Many private and public institutions and organizations are taking serious action against security risks.
 These actions encompass not only the establishment and enforcement of new security measures, but also the reinforcement of those measures through tough audit controls.

Introduction

[Figure: SECURITY and AUDITING as two sides of the same concern.]
 Auditing is the responsibility of developers, DBAs and business managers.
 The auditing mechanism enables users to trace changes to sensitive data.
 As a DBA, you might be summoned to your manager's office over an incident that left the database unavailable for hours.

Auditing Overview
Definitions
 In general, an audit examines the documentation that reflects the actions, practices and conduct of a business or individual.
 Database auditing follows this general definition.
 The list that follows contains general auditing and database auditing definitions.

 Audit / Auditing – The process of examining and validating documents, data, processes, systems, or other activities to ensure that the audited entity complies with its objectives.
 Audit log – A document that contains all activities that are being audited, ordered in a chronological manner.
 Audit objectives – A set of business rules, system controls, government regulations or security policies against which the audited entity is measured to determine compliance.

Auditing Overview
Definitions …
 Auditor – A person with proper qualifications and ethics who is authorized to examine, verify and validate documents, data, processes, systems, or activities and to produce an audit report.
 Audit procedure – Step-by-step instructions for performing the auditing process.
 Audit report – A document that contains the audit findings and is generated by the individual(s) conducting the audit.
 Audit trail – A chronological record of document changes, data changes, system activities, or operational events.
 Data audit – A chronological record of data changes stored in a log file or a database table object.
 Database auditing – A chronological record of database activities, such as shutdown, startup, logons, and data structure changes of database objects.
 Internal auditing – Auditing activities conducted by staff members of the organization.
 External auditing – Auditing activities conducted by staff members from outside the organization.

Auditing Activities
 Auditing activities are performed as part of an audit, audit process or audit plan.
 The following list presents the auditing activities (note: the activities are not listed in any specific order):
 Evaluate and appraise the effectiveness and adequacy of the audited entity according to the auditing objectives and procedures.
 Ascertain and review the reliability and integrity of the audited entity.
 Ensure the organization being audited is in compliance with the policies, procedures, regulations, laws, and standards of the government and the industry.
 Establish plans, policies, and procedures for conducting audits.
 Keep abreast of all changes to the audited entity.
 Keep abreast of updates and new audit regulations, laws, standards, and policies set by industry, government, or the company itself.
 Provide all audit details to all company employees involved in the audit. These details include resource requirements, audit plans, and audit schedules.

Auditing Activities…
 Publish audit guidelines and procedures to the company itself and to its partners and clients when appropriate.
 Act as liaison between the company and the external audit team.
 Act as a consultant to architects, developers and business analysts to ensure that the company being audited is structured in accordance with the audit objectives.
 Organize and conduct internal audits.
 Ensure all contractual items are met by the organization being audited.
 Identify the audit types that will be used.
 Work jointly with the Security Department to identify security issues that must be addressed.
 Provide consultation to the Legal Department to identify regulations and laws with which the company must comply.

Auditing Environment
Components of the Auditing Environment
 Objectives
 An audit without objectives is useless.
 To conduct an audit you must know against what the audited entity is to be measured.
 Usually, the objectives are set by the organization, industry standards, or government regulations and laws.
 Procedures
 To conduct an audit, step-by-step instructions and tasks must be documented ahead of time.
 In the case of a government-conducted audit, all instructions are publicly available.
 In the case of an organizational audit, specialized personnel document the procedures to be used, not only for the business itself but also for the audit.
 People
 Every auditing environment must have an auditor, even in the case of an automatic audit.
 Other people involved in the audit are employees, managers, and anyone being audited.
 Audited entities
 This includes people, documents, processes, systems, activities or any operation that is being audited.

Auditing Environment …
 The following figure shows the four major components of the auditing environment.

[Figure: AUDITING ENVIRONMENT, made up of the four components listed above: objectives, procedures, people and audited entities.]

Database Auditing Environment …
 The following figure shows the five major components of the database auditing environment.

[Figure: DATABASE AUDITING ENVIRONMENT: the four components above, with the database itself as the fifth.]

Auditing Process

 Database applications are widely used by major corporate companies, mostly large financial and online trading companies.
 The Quality Assurance (QA) team retests every database application function and tries to find bugs.
 This type of auditing resembles QA or even performance monitoring, but the two differ in purpose.
 The purpose of the QA process in software engineering is to make sure that the system is bug-free and that the system is functioning according to its specification.
 The auditing process ensures that the system is working and complies with the policies, standards, regulations or laws set forth by the organization, industry or government.

Auditing Process …
 Another way to distinguish between QA and the auditing process is by examining the timing of each:
 QA – during the development phase, before the implementation of the system.
 Auditing process – after the system is implemented and in production.
 Auditing is also not the same as performance monitoring:
 The objectives are totally different.
 Performance monitoring observes degradation in performance.
 Auditing validates compliance with policy, not performance.

Auditing Process …
 Differences between the QA, Auditing and Performance Monitoring processes:

PROCESS                | ACTIVE TIMING                                         | OBJECTIVES
-----------------------+-------------------------------------------------------+-------------------------------------------------------------
QA                     | During development and before the product is          | Test the product to make sure it is working properly
                       | commissioned into production                          | and is not defective
Auditing               | After the product is commissioned into production     | Verify that the product or system is working and complies
                       |                                                       | with the policies, standards, regulations or laws
Performance Monitoring | After the product is commissioned into production     | Monitor performance in terms of response time

Auditing Process …
 The figure below illustrates the auditing process flow.

[Figure: auditing process flow. During the System Development Life Cycle (planning, analysis, design, development, testing and implementation), policies, laws, regulations and industry standards must be incorporated as part of the system requirements and specification, and all objectives must be well defined. Once the system is in PRODUCTION the audit runs through the stages UNDERSTAND OBJECTIVE, then REVIEW, VERIFY & VALIDATE, then REPORT & DOCUMENT: it ensures that the auditing objectives are met according to business policies and specifications, and identifies the changes needed and provides feedback to the system development phase.]

Auditing Objectives
 Auditing objectives are established as part of the development process of the entity to be audited.
 For example, when a software application is being coded, the developers include in their software design objectives the capability to audit the application.
 Auditing objectives are established and documented for the following reasons:
 Complying – Identify all company policies, government regulations, laws and industry standards with which your company must comply.
 Informing – All policies, regulations, laws and standards must be published and communicated to all parties involved in the development and operation of the audited entity.
 Planning – Knowing all the objectives enables the auditor to plan and document procedures to assess the audited entity.
 Executing – Without auditing objectives, the person conducting the audit cannot evaluate, verify, or review the audited entity and cannot determine whether the auditing objectives have been met.

Auditing Objectives
 The top ten database auditing objectives:

 Data integrity – Ensure that data is valid and in full referential integrity.
 Application users and roles – Ensure that users are assigned roles that correspond to their responsibilities and duties.
 Data confidentiality – Identify who can read data and what data can be read.
 Access control – Ensure that the application records the time and duration whenever a user logs on to the database or application.
 Data changes – Create an audit trail of all data changes.
 Data structure changes – Ensure that the database logs all data structure changes.
 Database or application availability – Record the number of occurrences and duration of application or database shutdowns and all the startup times. Also record the reason for any unavailability.
 Change control – Ensure that a change control mechanism is incorporated to track necessary and planned changes to the database or application.
 Physical access – Record the physical access to the application or the database where the software and hardware reside.
 Auditing reports – Ensure that reports are generated on demand or automatically, showing all auditable activities.
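The "data changes" objective above, an audit trail of all data changes, as an added example in Python with sqlite3 (this is not code from the deck, whose later sections cover Oracle triggers). Triggers on a business table append one row per INSERT, UPDATE or DELETE to an audit log that records who acted, when, and the old and new values; the log is kept append-only by triggers of its own, and a change for which no acting user is known is refused rather than logged anonymously. The EMPLOYEE table, the sample users and the SESSION_INFO table that carries the acting user's name are assumptions of this example (Oracle would read SYS_CONTEXT('USERENV', 'SESSION_USER') instead).

```python
"""Audit trail of data changes kept by database triggers.  Added example, not
from the deck: the EMPLOYEE table, the sample users and the SESSION_INFO table
holding the acting user's name are assumptions of this example."""
import sqlite3

SCHEMA = """
CREATE TABLE employee (emp_id INTEGER PRIMARY KEY, name TEXT NOT NULL, salary INTEGER NOT NULL);
CREATE TABLE session_info (app_user TEXT NOT NULL);   -- one row: who is acting (assumption)
CREATE TABLE audit_log (
    seq        INTEGER PRIMARY KEY AUTOINCREMENT,                       -- chronological order
    changed_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    changed_by TEXT NOT NULL,      -- NOT NULL: a change with no known actor is refused
    action     TEXT NOT NULL,
    emp_id     INTEGER,
    old_salary INTEGER,
    new_salary INTEGER
);
CREATE TRIGGER employee_ai AFTER INSERT ON employee BEGIN
    INSERT INTO audit_log (changed_by, action, emp_id, old_salary, new_salary)
    VALUES ((SELECT app_user FROM session_info), 'INSERT', NEW.emp_id, NULL, NEW.salary);
END;
CREATE TRIGGER employee_au AFTER UPDATE OF salary ON employee BEGIN
    INSERT INTO audit_log (changed_by, action, emp_id, old_salary, new_salary)
    VALUES ((SELECT app_user FROM session_info), 'UPDATE', NEW.emp_id, OLD.salary, NEW.salary);
END;
CREATE TRIGGER employee_ad AFTER DELETE ON employee BEGIN
    INSERT INTO audit_log (changed_by, action, emp_id, old_salary, new_salary)
    VALUES ((SELECT app_user FROM session_info), 'DELETE', OLD.emp_id, OLD.salary, NULL);
END;
-- the trail is append-only: history cannot be rewritten through the application connection
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit log is append-only');
END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit log is append-only');
END;
"""


def set_user(db: sqlite3.Connection, user: str) -> None:
    """Record who is acting in this session (the application sets this after login)."""
    db.execute("DELETE FROM session_info")
    db.execute("INSERT INTO session_info VALUES (?)", (user,))


def audit_trail(db: sqlite3.Connection) -> list:
    return db.execute("SELECT changed_by, action, emp_id, old_salary, new_salary "
                      "FROM audit_log ORDER BY seq").fetchall()


def demo() -> dict:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    set_user(db, "hr_clerk")
    db.execute("INSERT INTO employee VALUES (1, 'Ann', 5000)")
    db.execute("UPDATE employee SET salary = 5500 WHERE emp_id = 1")
    set_user(db, "dba")
    db.execute("DELETE FROM employee WHERE emp_id = 1")
    trail = audit_trail(db)

    # tampering with the trail is refused by the BEFORE DELETE trigger
    try:
        db.execute("DELETE FROM audit_log")
        tamper_blocked = False
    except sqlite3.DatabaseError:
        tamper_blocked = True

    # a change with no acting user set: the NOT NULL on changed_by aborts the
    # whole statement, so the EMPLOYEE row is not written either
    db.execute("DELETE FROM session_info")
    try:
        db.execute("INSERT INTO employee VALUES (2, 'Bob', 4000)")
        unattributed_blocked = False
    except sqlite3.DatabaseError:
        unattributed_blocked = True
    employees = db.execute("SELECT COUNT(*) FROM employee").fetchone()[0]
    return {"trail": trail, "tamper_blocked": tamper_blocked,
            "unattributed_blocked": unattributed_blocked,
            "employees": employees, "log_rows": len(audit_trail(db))}


if __name__ == "__main__":
    for row in demo()["trail"]:
        print(row)
```

Two design points carry over to any DBMS: the trail must be written in the same transaction as the change (a trigger guarantees this, an application-side log does not), and the identity recorded must come from the session, not from a column the user can set; the failure cases in the demo show what happens when either is missing.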
Auditing Classification and Types
Audit Classifications
 Every industry and business sector uses different classifications of audits.
 The definition of each classification can differ from business to business.
 We will discuss the most generic definitions of the audit classifications.

Internal Audit
 An internal audit is an audit that is conducted by a staff member of the company being audited.
 The purpose and intention of an internal audit is to:
 Verify that all auditing objectives are met by conducting a well-planned and scheduled audit.
 Investigate a situation that was prompted by an internal event or incident. This audit is random, not planned or scheduled.

Auditing Classification and Types …

External Audit
 An external audit is conducted by a party outside the company that is being audited.
 The purpose and intention of an external audit is to:
 Investigate the financial or operational state of the company. This audit is initiated at will by the government or prompted by suspicious activities or accusations. The person conducting this audit is usually employed and appointed by the government.
 Verify that all objectives are met. This audit is typically planned and scheduled.
 Ensure objectivity and accuracy. This audit is typically performed to certify that the company is complying with standards and regulations.

Auditing Classification and Types …
 Automatic Audit
 An automatic audit is prompted and performed automatically.
 Automatic audits are mainly for systems and database systems.
 Some systems employ this type of audit to generate reports and logs.

 Manual Audit
 Completely performed by humans.
 The team uses various methods to collect audit data, including interviews, document reviews and observation.
 The auditors may even perform the operational tasks of the audited entity.

 Hybrid Audit
 A combination of automatic and manual audits.

Auditing Classification and Types …

Audit Types
Financial Audit – Ensures that all financial transactions are accounted for and comply with the law.
  Ex: Companies keep all trading transactions for a period of time to comply with government regulations.

Security Audit – Evaluates whether the system is as secure as it should be. The audit identifies security gaps and vulnerabilities.
  Ex: A company might ask a hacker to break into the company's network system to determine how secure or vulnerable the network is.

Compliance Audit – Verifies that the system complies with industry standards, government regulations, or partner and client policies.
  Ex: All pharmaceutical companies must keep paper trails of all research activities to comply with industry standards as well as government regulations.

Auditing Classification and Types …

Operational Audit – Verifies whether an operation is working according to the policies of the company.
  Ex: When a new hire starts work, the HR department provides an ID card and has the new hire sign the disclosure and confidentiality papers, tax forms, etc.

Investigative Audit – Performed in response to an event, request, threat, or incident to verify the integrity of the system.
  Ex: An employee might have committed a fraudulent activity.

Product Audit – Performed to ensure that the product complies with industry standards. This audit is sometimes confused with testing, but it should not be. A product audit does not include auditing of the product's functionality but entails how it was produced and who worked on its development.

Preventive Audit – Performed to identify problems before they occur.
  Ex: A company should conduct both random and routine audits to verify that the business operations are being performed according to specifications.
Benefits and Side Effects of Auditing

 Benefits
 Enforces company policies, government regulations and laws

 Lowers the incidence of security violations

 Identifies the security gaps and vulnerabilities

 Provides an audit trail of activities


 Provides another means to observe and evaluate operations of the audited entity
 Provides the sense or state of security and confidence in the audited entity

 Identifies or removes doubts

 Makes the organisation being audited more accountable

 Develops controls that can be used for purposes other than auditing

Benefits and Side Effects of Auditing
 Side Effects
  Performance problems due to preoccupation with the audit instead of the normal work activities
  Generation of many reports and documents that may not be easily or quickly disseminated
  Disruption to the operations of the audited entity
  Consumption of resources, and added costs from downtime
  Friction between operators and auditors
 From a DB perspective
• Auditing can degrade the performance of the system
• It also generates a massive number of logs and reports, which require a periodic archive and purge

Auditing Models
 Before looking at the auditing models, it is important to understand how an audit is processed for data and database activities.
 The flowchart presents data auditing: it shows what happens when a user performs an action on a database object.
 Specific checks occur to verify whether the action, the user or the object are registered in the auditing repository.
 If they are registered, the following are recorded:
  State of the object before the action was taken, along with the time of the action
  Description of the action that was performed
  Name of the user or user ID who performed the action

[Flowchart: Start → get username and credentials → Is the user registered in the audit repository? → Is the action registered for the current user? → Is the action registered for the current object? If any of these checks answers No, the action simply continues. If all answer Yes, the previous value is fetched and recorded in the database, then the action continues → Action completed.]

Auditing Models …
Simple Auditing Model 1
 The first auditing model is called "simple" because it is easy to understand and develop.
 This model registers audited entities in the audit model repository to chronologically track activities performed on or by these entities.
 An entity can be a user, a table or a column, and an activity can be a DML transaction or logon and logoff times.
 The figure illustrates Simple Model 1 as a data model with four tables:
APP_ENTITY: ENTITY_ID, ENTITY_NAME, ENTITY_TYPE, CTL_REC_STAT
APP_ACTION_TYPE: ACTION_TYPE_ID, ACTION_TYPE_DESC, CTL_REC_STAT
APP_AUDIT_ACTION: AUDIT_ACTION_ID, ENTITY_ID (FK), ACTION_TYPE_ID (FK), AUDIT_START_DATE, AUDIT_EXPIRE_DATE, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
APP_AUDIT_DATA: AUDIT_DATA_ID, AUDIT_ACTION_ID (FK), AUDIT_DATA, AUD_INS_DTTM, AUD_UPD_DTTM, AUD_UPD_USER, AUD_REC_STAT

Auditing Models …
Simple Auditing Model 2
 In this model, only column value changes are stored for audit purposes.
 The audit data table APP_AUDIT_DATA contains chronological data on all changes to the columns of the tables registered in APP_AUDIT_TABLE.
 A purging and archiving mechanism (the ARCHIVE and PURGE flags and counts) is used to help reduce the amount of audit data stored in the DB.
 The figure illustrates Simple Model 2 as a data model with two tables:
APP_AUDIT_TABLE: TABLE_ID, TABLE_NAME, TABLE_DESCRIPTION, AUDIT, ARCHIVE, ARCHIVE_COUNT, PURGE, PURGE_COUNT, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
APP_AUDIT_DATA: AUDIT_DATA_ID, TABLE_ID (FK), AUDIT_DATA, COLUMNS, COLUMNS_COUNT, START_DATE, END_DATE, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT

Auditing Models …

Advanced Auditing Model

 This model is called "advanced" because of its flexibility: it is more flexible than the simple models.
 It is used as an auditing application with a user interface.
 The repository for this model is, of course, more complex than in the previous models.
 It contains data stores to register all entities that can be audited.

Auditing Models …
The following figure presents the flow of the user interface.

[Figure: data-flow diagram of the audit user interface. Processes: populate tables for audit, set tables for audit, set users for audit, perform audit check, perform audit, build audit view, view audit data. Data stores: Columns, Audit Data, Objects, Audit Table, Audit User. Data carried between them: table name, column name, user name, audit data.]

Auditing Models …
 Data model of the repository for an Advanced Auditing Model:
APP_TABLES: ENTITY_ID, TABLE_ID, TABLE_NAME, CTL_REC_STAT
APP_COLUMNS: ENTITY_ID, COLUMN_NAME, TABLE_ID (FK), CTL_REC_STAT
APP_USERS: ENTITY_ID, USER_ID, TABLE_NAME, CTL_REC_STAT
APP_ACTION_TYPE: ACTION_TYPE_ID, ACTION_TYPE_DESC, CTL_REC_STAT
APP_AUDIT_ACTION: AUDIT_ACTION_ID, ENTITY_ID (FK), ENTITY_TYPE, ACTION_TYPE_ID (FK), AUDIT_START_DATE, AUDIT_EXPIRE_DATE, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
APP_AUDIT_DATA: AUDIT_DATA_ID, AUDIT_ACTION_ID (FK), AUDIT_DATA, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT

Auditing Models …
Historical Data Model
 This model is used for applications that require a record of the whole row when a DML transaction is performed on the table.
 Typically used in most financial applications.
 With this model, the whole row is stored in the HISTORY table before it is changed or deleted.
 The figure illustrates this model: the history table has exactly the same columns as the data table.

APP_DATA_TABLE: PRIMARY_KEY_COLUMN, DATA_COLUMN_01, DATA_COLUMN_02, ……, DATA_COLUMN_n, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
APP_DATA_TABLE_HISTORY: PRIMARY_KEY_COLUMN, DATA_COLUMN_01, DATA_COLUMN_02, ……, DATA_COLUMN_n, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT

Auditing Models …
Auditing Application Actions Model
 There may be a requirement for an application to audit specific operations or actions.
 The figure represents a data model of a repository for auditing application actions:

APP_AUDIT_ACTIONS: ACTION_ID, ACTION_DESC, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
APP_AUDIT_TRAIL: ACTION_TRAIL_ID, OBJECT_ID, CLASS_ID (FK), ACTION_ID (FK), REASON, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
APP_DATA_DICTIONARY: ACTION_ID, ACTION_DESC, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT

Auditing Models …

C2 Security

 C2 security is a security rating (a class of the Trusted Computer System Evaluation Criteria) that evaluates the security framework of computer products used in government and military organizations and institutes.

 The standard was conceived by the U.S. National Computer Security Center (NCSC) to create a minimum security benchmark for all computing products and applications that process confidential government and military information.

 The National Security Agency has given a C2 security rating to Microsoft SQL Server 2000.

 This means that the server passes requirements set by the Department of Defense and is typically implemented in military and government applications.

 When configured as a C2 system, SQL Server uses discretionary access control lists (DACLs) to manage security and audit activity.

Auditing Models …
 Requirements for enabling C2 auditing in SQL Server include the following :
  The Microsoft Windows server must be configured as a C2 system
  Windows integrated authentication is supported, but SQL Server (native) authentication is not supported
  Only transactional replication is supported

 The following SQL Server services are not included in a C2 evaluation :

• SQL Mail
• Full-Text Search
• English Query
• DTC
• Meta Data Services
• Analysis Services (OLAP)

Oracle Triggers

 A trigger is an event-driven program: it is executed automatically when the event it is defined for occurs.
 It is a PL/SQL procedure (a named PL/SQL block stored in the database).
 ORACLE has six DML trigger timings, also known as trigger events: BEFORE and AFTER for each of INSERT, UPDATE and DELETE.
 Triggers are mainly used for the following purposes :
  Performing audits (primary use)
  Preventing invalid data from being inserted into tables
  Implementing business rules (not highly recommended if the business rule is complex)
  Generating values for columns

Oracle Triggers …
 ORACLE trigger timings or events for DML events :

[Figure: an application user issues an INSERT, UPDATE or DELETE statement against a table. For each statement type, a BEFORE INSERT, BEFORE UPDATE or BEFORE DELETE trigger (PL/SQL code) can fire at the table (statement) level and at the row level.]

Oracle Triggers …
Trigger Syntax

CREATE [OR REPLACE] TRIGGER <trigger_name>
[BEFORE | AFTER | INSTEAD OF]                    -- Trigger timing
[INSERT | UPDATE | DELETE ......]                -- Trigger event
ON <name of underlying object>
[FOR EACH ROW]                                   -- Row level
[WHEN (<condition for trigger to execute>)]      -- Conditional clause
DECLARE <declaration part>
BEGIN <execution part>
EXCEPTION <exception handling part>              -- Error handling mechanism
END;

Oracle Triggers …
The syntax above shows the different optional clauses that are present in trigger creation.

 BEFORE / AFTER specifies the event timing.
 INSERT / UPDATE / LOGON / CREATE / etc. specifies the event for which the trigger needs to be fired.
 The ON clause specifies the object on which the above-mentioned event is valid. For example, in the case of a DML trigger this is the name of the table on which the DML event may occur.
 FOR EACH ROW specifies a row-level trigger; without it the trigger is a statement-level trigger that fires once per statement.
 The WHEN clause specifies an additional condition that must be true for the trigger to fire.
 The declaration part, execution part and exception handling part are the same as in other PL/SQL blocks. The declaration part and the exception handling part are optional.

Oracle Triggers …
ORACLE Trigger Execution
 A trigger can be in either of two distinct modes:
 Enabled - An enabled trigger executes its trigger action if a triggering statement is
issued and the trigger restriction (if any) evaluates to TRUE.
 Disabled - A disabled trigger does not execute its trigger action, even if a triggering
statement is issued and the trigger restriction (if any) would evaluate to
TRUE.
 For enabled triggers, Oracle automatically
 executes triggers of each type in a planned firing sequence when more than one
trigger is fired by a single SQL statement
 performs integrity constraint checking at a set point in time with respect to the
different types of triggers and guarantees that triggers cannot compromise integrity
constraints
 provides read-consistent views for queries and constraints
 manages the dependencies among triggers and objects referenced in the code of the
trigger action
 uses two-phase commit if a trigger updates remote tables in a distributed database
 if more than one trigger of the same type for a given statement exists, Oracle fires
each of those triggers in an unspecified order
Oracle Triggers …
 The figure gives the order of trigger execution for a single DML statement:
 1. BEFORE statement-level trigger (fires once for the statement, at the TABLE level)
 2. For each row affected by the statement (at the ROW level):
   BEFORE row-level trigger
   the row is inserted, updated or deleted
   AFTER row-level trigger
 3. AFTER statement-level trigger (fires once for the statement)

Oracle Triggers …
Example : Row level Trigger

CREATE OR REPLACE TRIGGER customers_update_credit_trg
BEFORE UPDATE OF credit_limit
ON customers
FOR EACH ROW
WHEN (NEW.credit_limit > 0)
BEGIN
-- check the credit limit: reject an update that doubles it or more
IF :NEW.credit_limit >= 2 * :OLD.credit_limit THEN
raise_application_error(-20101, 'The new credit ' || :NEW.credit_limit ||
' cannot increase to more than double the current credit ' || :OLD.credit_limit);
END IF;
END;
/

Oracle Triggers …
Example : Statement level Trigger

CREATE OR REPLACE TRIGGER customers_credit_trg
BEFORE UPDATE OF credit_limit
ON customers
DECLARE
l_day_of_month NUMBER;
BEGIN
-- block credit updates during the month-end closing days
l_day_of_month := EXTRACT(DAY FROM sysdate);
IF l_day_of_month BETWEEN 28 AND 31 THEN
raise_application_error(-20100, 'Cannot update customer credit from 28th to 31st');
END IF;
END;
/
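The two examples above use triggers to enforce business rules. The primary use named earlier is auditing, and the Historical Data Model described before is the usual way to do it: a row-level BEFORE trigger copies the whole row into a HISTORY table before it is changed or deleted. The following Oracle SQL and PL/SQL is an added worked example of that model, not code from the slides or the textbook. The table and column types, the two DATA_COLUMN placeholders, the surrogate key HIST_ID, the HIST_* columns and the sequence are all my own assumptions; the CTL_* control columns follow the figure.

```sql
-- Constructed tables following the Historical Data Model figure
-- (assumed column types; two data columns stand in for DATA_COLUMN_01..n)
CREATE TABLE app_data_table (
  primary_key_column  NUMBER        PRIMARY KEY,
  data_column_01      VARCHAR2(50),
  data_column_02      NUMBER,
  ctl_ins_dttm        DATE          DEFAULT SYSDATE NOT NULL,
  ctl_upd_dttm        DATE,
  ctl_upd_user        VARCHAR2(30),
  ctl_rec_stat        VARCHAR2(1)   DEFAULT 'A' NOT NULL
);

-- History table: same columns as the data table, plus (my assumption) a
-- surrogate key so that several versions of one row can coexist, and the
-- action, time and user that produced each version.
CREATE TABLE app_data_table_history (
  hist_id             NUMBER        PRIMARY KEY,
  hist_action         VARCHAR2(6)   NOT NULL,   -- 'UPDATE' or 'DELETE'
  hist_dttm           DATE          NOT NULL,
  hist_user           VARCHAR2(30)  NOT NULL,
  primary_key_column  NUMBER        NOT NULL,
  data_column_01      VARCHAR2(50),
  data_column_02      NUMBER,
  ctl_ins_dttm        DATE,
  ctl_upd_dttm        DATE,
  ctl_upd_user        VARCHAR2(30),
  ctl_rec_stat        VARCHAR2(1)
);

CREATE SEQUENCE app_data_table_history_seq;

-- Row-level BEFORE trigger: copies the row as it currently is (the :OLD
-- values) into the history table before the change or deletion takes effect.
CREATE OR REPLACE TRIGGER app_data_table_hist_trg
  BEFORE UPDATE OR DELETE ON app_data_table
  FOR EACH ROW
BEGIN
  INSERT INTO app_data_table_history (
    hist_id, hist_action, hist_dttm, hist_user,
    primary_key_column, data_column_01, data_column_02,
    ctl_ins_dttm, ctl_upd_dttm, ctl_upd_user, ctl_rec_stat)
  VALUES (
    app_data_table_history_seq.NEXTVAL,
    CASE WHEN UPDATING THEN 'UPDATE' ELSE 'DELETE' END,
    SYSDATE,
    SYS_CONTEXT('USERENV', 'SESSION_USER'),   -- the logged-in user, not the trigger owner
    :OLD.primary_key_column, :OLD.data_column_01, :OLD.data_column_02,
    :OLD.ctl_ins_dttm, :OLD.ctl_upd_dttm, :OLD.ctl_upd_user, :OLD.ctl_rec_stat);

  -- On UPDATE, stamp the control columns of the new version of the row here,
  -- so the application cannot forget (or misstate) who changed it and when.
  IF UPDATING THEN
    :NEW.ctl_upd_dttm := SYSDATE;
    :NEW.ctl_upd_user := SYS_CONTEXT('USERENV', 'SESSION_USER');
  END IF;
END;
/

-- Exercise it: one row is inserted, updated, then deleted.
INSERT INTO app_data_table (primary_key_column, data_column_01, data_column_02)
VALUES (1, 'initial', 100);
UPDATE app_data_table SET data_column_02 = 150 WHERE primary_key_column = 1;
DELETE FROM app_data_table WHERE primary_key_column = 1;
COMMIT;

-- Expected: two history rows for key 1, in order: an UPDATE row holding the
-- pre-update value 100, then a DELETE row holding the pre-delete value 150.
SELECT hist_action, data_column_02, hist_user
  FROM app_data_table_history
 ORDER BY hist_id;
```

Inserts produce no history row because there is no "before" state; the current row is the record. The trail is only as trustworthy as the controls around it: application users need no privilege on the history table at all (the trigger runs with its owner's rights), and anyone who holds ALTER on the table or ALTER ANY TRIGGER can disable the trigger, so those privileges should be restricted and their use audited.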

Oracle Triggers …
 User can view all triggers created on a table by using USER_TRIGGERS data
dictionary view.
 The structure of USER_TRIGGERS view is as follows

SQL > DESC USER_TRIGGERS


Name Null? Type
----------------- ------ -------------
TRIGGER_NAME VARCHAR2(30)
TRIGGER_TYPE VARCHAR2(16)
TRIGGERING_EVENT VARCHAR2(227)
TABLE_OWNER VARCHAR2(30)
BASE_OBJECT_TYPE VARCHAR2(16)
TABLE_NAME VARCHAR2(30)
COLUMN_NAME VARCHAR2(4000)
REFERENCING_NAMES VARCHAR2(128)
WHEN_CLAUSE VARCHAR2(4000)
STATUS VARCHAR2(8)
DESCRIPTION VARCHAR2(4000)
ACTION_TYPE VARCHAR2(11)
TRIGGER_BODY LONG
SQL Server Triggers

 Similar to ORACLE, SQL Server provides a trigger mechanism that fires automatically when a DML statement occurs.
 The CREATE TRIGGER statement creates a new trigger that is fired automatically whenever an INSERT, DELETE or UPDATE occurs against a table.
 The following illustrates the syntax of the CREATE TRIGGER statement:

CREATE TRIGGER [schema_name.]trigger_name
ON table_name
AFTER {[INSERT],[UPDATE],[DELETE]}
[NOT FOR REPLICATION]
AS
{sql_statements}

SQL Server Triggers…
In this syntax:

 The schema_name is the name of the schema to which the new trigger belongs.
The schema name is optional.

 The trigger_name is the user-defined name for the new trigger.

 The table_name is the table to which the trigger applies.

 The event is listed in the AFTER clause. The event could be INSERT, UPDATE,
or DELETE. A single trigger can fire in response to one or more actions against
the table.

 The NOT FOR REPLICATION option instructs SQL Server not to fire the trigger
when data modification is made as part of a replication process.

 The sql_statements are one or more Transact-SQL statements that carry out the actions once the event occurs. Inside the trigger, the rows affected by the statement are available through the inserted and deleted pseudo-tables, and the trigger fires once per statement, not once per row.
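The following T-SQL is an added example, not code from the slides, of an AFTER trigger used for auditing in the way the syntax above describes. It records every INSERT, UPDATE and DELETE on a Customer table into an audit table, using the inserted and deleted pseudo-tables. The tables, column names and the trigger name are my own constructions, and the code is kept to features available in SQL Server 2000.

```sql
-- Constructed example tables (not from the slides); T-SQL limited to
-- features available in SQL Server 2000.
CREATE TABLE dbo.Customer (
    Id      INT           NOT NULL PRIMARY KEY,
    Name    VARCHAR(50)   NOT NULL,
    CrLimit DECIMAL(12,2) NOT NULL
);

CREATE TABLE dbo.Customer_Audit (
    AuditId     INT IDENTITY(1,1) PRIMARY KEY,
    AuditAction CHAR(1)       NOT NULL,                      -- 'I', 'U' or 'D'
    AuditDttm   DATETIME      NOT NULL DEFAULT GETDATE(),
    AuditUser   NVARCHAR(128) NOT NULL DEFAULT SUSER_SNAME(), -- login that ran the statement
    Id          INT           NOT NULL,
    OldCrLimit  DECIMAL(12,2) NULL,                          -- NULL for inserts
    NewCrLimit  DECIMAL(12,2) NULL                           -- NULL for deletes
);
GO

CREATE TRIGGER dbo.trg_Customer_Audit
ON dbo.Customer
AFTER INSERT, UPDATE, DELETE
NOT FOR REPLICATION
AS
BEGIN
    SET NOCOUNT ON;

    -- One statement can touch many rows and the trigger fires once per
    -- statement, so the body must be set-based: join the inserted and
    -- deleted pseudo-tables instead of assuming a single row.
    -- Joining on the primary key assumes Id itself is never updated.
    INSERT INTO dbo.Customer_Audit (AuditAction, Id, OldCrLimit, NewCrLimit)
    SELECT
        CASE
            WHEN d.Id IS NULL THEN 'I'   -- only in inserted: new row
            WHEN i.Id IS NULL THEN 'D'   -- only in deleted: removed row
            ELSE 'U'                     -- in both: changed row
        END,
        COALESCE(i.Id, d.Id),
        d.CrLimit,
        i.CrLimit
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d ON d.Id = i.Id;
END;
GO

-- Exercise the trigger, including a multi-row UPDATE.
INSERT INTO dbo.Customer (Id, Name, CrLimit) VALUES (1, 'A', 100);
INSERT INTO dbo.Customer (Id, Name, CrLimit) VALUES (2, 'B', 200);
UPDATE dbo.Customer SET CrLimit = CrLimit * 2;   -- touches both rows at once
DELETE FROM dbo.Customer WHERE Id = 2;

-- Expected rows, in AuditId order:
-- 'I' 1 (NULL -> 100), 'I' 2 (NULL -> 200), 'U' 1 (100 -> 200),
-- 'U' 2 (200 -> 400), 'D' 2 (400 -> NULL)
SELECT AuditId, AuditAction, Id, OldCrLimit, NewCrLimit, AuditUser
FROM dbo.Customer_Audit
ORDER BY AuditId;
```

A trigger that reads a single value from inserted into a variable would silently record only one of the two rows changed by the UPDATE; the FULL OUTER JOIN is what makes the audit complete. As with the Oracle version, grant application logins no rights on the audit table and restrict ALTER TABLE / DISABLE TRIGGER on the audited table.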

Auditing Database Activities with ORACLE

 ORACLE provides the mechanism for auditing everything:

 From tracking who is creating and modifying the structure

 Who is granting privileges to whom

 The activities are divided into two types based on the type of SQL command
statement used :

 Activities defined by DDL (Data Definition Language)

 Activities defined by DCL (Data Control Language)

Auditing Database Activities with ORACLE
Auditing DDL Activities
 ORACLE uses a SQL-based AUDIT command.
 The following is the AUDIT command syntax (ORACLE 10g):

AUDIT
  { { statement_option | ALL } [, { statement_option | ALL }] ……
    | { system_privilege | ALL PRIVILEGES } [, { system_privilege | ALL PRIVILEGES }] ……
    [BY { proxy [, proxy] …… | user [, user] …… }]
  | { object_option [, object_option] …… | ALL }
    ON { [schema.]object | DIRECTORY directory_name | DEFAULT }
  }
  [BY { SESSION | ACCESS }]
  [WHENEVER [NOT] SUCCESSFUL];

Where :
statement_option – Tells ORACLE to audit the specified type of DDL or DCL statement (DDL – CREATE, ALTER, DROP and TRUNCATE; DCL – GRANT, REVOKE)
system_privilege – Tells ORACLE to audit the use of the specified system privilege, such as SELECT ANY TABLE, CREATE ANY … or ALTER ANY …
object_option – Specifies the type of operation on the specified object to be audited (for example SELECT, INSERT, UPDATE, DELETE, ALTER or GRANT on a table)
BY SESSION – Tells ORACLE to record audit data once per session, even if the audited statement is issued multiple times in the session
BY ACCESS – Tells ORACLE to record audit data every time the audited statement is issued
WHENEVER SUCCESSFUL – Tells ORACLE to capture audit data only when the audited command succeeds
WHENEVER NOT SUCCESSFUL – Tells ORACLE to capture audit data only when the audited command fails (if neither clause is given, both outcomes are captured)

Auditing Database Activities with ORACLE …
DDL activities Example :

 Suppose you want to audit a table named CUSTOMER every time it is altered (DDL) and every time a record is deleted from it (DML, audited as an object option in exactly the same way).
 The following steps show how to do this.
 Before you begin, drop or disable all triggers associated with the CUSTOMER table, so that the audit records you see come only from the AUDIT settings.

Step 1 : Use any user other than SYS or SYSTEM (DBSEC in this example) to create the CUSTOMER table

SQL> CREATE TABLE CUSTOMER
  2  (
  3  ID NUMBER,
  4  NAME VARCHAR2(20),
  5  CR_LIMIT NUMBER
  6  );

Table created.

Auditing Database Activities with ORACLE …

Step 2 : Add three rows into the CUSTOMER table and commit changes

SQL > INSERT INTO CUSTOMER VALUES (2, ‘BMNANTHA’, 200);

1 row created

SQL > INSERT INTO CUSTOMER VALUES (3, ‘MURUGAN’, 300);

1 row created

SQL > INSERT INTO CUSTOMER VALUES (1, ‘GANESH’, 100);

1 row created

SQL > COMMIT;


Commit complete

Auditing Database Activities with ORACLE …
Step 3 : Log on as SYS or SYSTEM to enable auditing. The first AUDIT statement is for ALTER and the second is for DELETE; BY ACCESS records every occurrence, and WHENEVER SUCCESSFUL records only the statements that succeed.

SQL> CONNECT SYSTEM@SEC
Enter password : ******
Connected.
SQL> AUDIT ALTER ON DBSEC.CUSTOMER BY ACCESS WHENEVER
  2  SUCCESSFUL;

Audit succeeded.

SQL> AUDIT DELETE ON DBSEC.CUSTOMER BY ACCESS WHENEVER
  2  SUCCESSFUL;

Audit succeeded.

Auditing Database Activities with ORACLE …
Step 4 : Log on as DBSEC, the owner of the CUSTOMER table, delete a row and modify the structure of the table, as in the following code

SQL> CONNECT DBSEC@SEC
Enter password : ******
Connected.
SQL> DELETE FROM CUSTOMER WHERE ID = 3;

1 row deleted.

SQL> ALTER TABLE CUSTOMER MODIFY NAME VARCHAR2(30);

Table altered.

Auditing Database Activities with ORACLE …
Step 5 : Log on as SYSTEM and view DBA_AUDIT_TRAIL. In this step you see the audit records, stored in the audit trail table SYS.AUD$ and exposed through the DBA_AUDIT_TRAIL view, caused by the DELETE and ALTER statements issued in step 4. Two records will be available, one per audited statement, as shown in the figure on the slide.

Auditing Database Activities with ORACLE …

 When auditing of a specific object or command is no longer needed, you can turn it off with the NOAUDIT statement.
 The following statements turn off auditing for the two AUDIT statements issued in step 3.

SQL> NOAUDIT ALTER ON DBSEC.CUSTOMER;

Noaudit succeeded.

SQL> NOAUDIT DELETE ON DBSEC.CUSTOMER;

Noaudit succeeded.

Auditing Database Activities with ORACLE …
DCL Activities Example:
 You are auditing the GRANT statement issued on a TEMP table owned by DBSEC.
 The following steps show how DCL statements are audited.
 The same steps are followed for all DCL commands.

Step 1 : Log on as SYSTEM or SYS and issue an AUDIT statement as follows. (The DELETE of SYS.AUD$ empties the existing audit trail so that only the new records appear in step 3; on a production system the audit trail is archived, never simply deleted.)

SQL> CONN SYSTEM
Enter password : ******
Connected.

SQL> DELETE SYS.AUD$;

1 row deleted.

SQL> COMMIT;

Commit complete.

SQL> AUDIT GRANT ON DBSEC.TEMP;

Audit succeeded.

Auditing Database Activities with ORACLE …
Step 2 : Log on as DBSEC and grant SELECT and UPDATE privileges on the TEMP table to SYSTEM

SQL> CONN DBSEC
Enter password : *****
Connected.

SQL> GRANT SELECT ON TEMP TO SYSTEM;

Grant succeeded.

SQL> GRANT UPDATE ON TEMP TO SYSTEM;

Grant succeeded.

Step 3 : Log on as SYSTEM and display the contents of DBA_AUDIT_TRAIL. One record per GRANT is shown.

SQL> SELECT USERNAME, TIMESTAMP, OWNER, OBJ_NAME FROM
  2  DBA_AUDIT_TRAIL;

USERNAME      TIMESTAMP    OWNER      OBJ_NAME
------------- ------------ ---------- ----------
DBSEC         20-Jan-20    DBSEC      TEMP
DBSEC         20-Jan-20    DBSEC      TEMP

2 rows selected.

Auditing Server Activity with SQL Server 2000

 Microsoft SQL Server 2000 provides auditing as a way to track and log activity for each SQL Server instance.
 A user must be a member of the sysadmin fixed server role to enable or modify auditing.
 Every modification of an audit is itself an auditable event.
 There are two types of auditing in SQL Server 2000 :
  Auditing
  C2 auditing
 Auditing can have a significant impact on performance.
 Analysis of the audit trail can also be costly in terms of system resources.
 It is therefore recommended that SQL Profiler be run on a server separate from the production server.

Auditing Server Activity with SQL Server 2000 …
Implementing SQL Profiler
 One of the tools that accompanies SQL Server 2000 is SQL Profiler.
 This tool provides the user interface for auditing events.
 You can audit several types of events using SQL Profiler :

EVENT             DESCRIPTION
End user events   All SQL commands, LOGIN/LOGOUT, enabling
DBA events        DDL (other than security events), configuration (DB or server)
Security events   GRANT/REVOKE/DENY, LOGIN, USER, ROLE, ADD/REMOVE/CONFIGURE
Utility events    BACKUP/RESTORE, BULK INSERT, BCP, DBCC commands
Server events     SHUTDOWN, PAUSE, START
Audit events      ADD AUDIT, MODIFY AUDIT, STOP AUDIT

 For each event, you can audit :
  Date and time of the event
  User who caused the event to occur
  Type of event
  Success or failure of the event
  Origin of the request
  Name of the object accessed
  Text of the SQL statement (passwords replaced with *****)

Auditing Server Activity with SQL Server 2000 …

 Security auditing must be enabled first.
 This is done by setting the security auditing level under the SQL Server properties in Enterprise Manager.
 Security events can be audited on success, failure or both.
 Follow these steps :

1. Open Enterprise Manager
2. Expand the appropriate SQL Server group
3. Right-click the desired server
4. Click Properties
5. On the Security tab, select the desired audit level, as shown in the SQL Server configuration figure

 SQL Server configuration
[Figure: SQL Server Properties dialog, Security tab, audit level setting]

Auditing Server Activity with SQL Server 2000 …
 After the audit level is set, you can then use SQL Profiler to monitor security events.
 The following events can be audited :

 ADD DB USER
 ADD LOGIN TO SERVER ROLE
 ADD MEMBER TO DB ROLE
 ADD ROLE
 APP ROLE CHANGE PASSWORD
 BACKUP / RESTORE
 CHANGE AUDIT
 DBCC
 LOGIN
 LOGOUT
 LOGIN CHANGE PASSWORD
 LOGIN CHANGE PROPERTY
 LOGIN FAILED
 Login GDR (GRANT, DENY, REVOKE)
 Object Derived Permissions
 Object GDR
 Object Permissions
 Server Start and Stop
 Statement GDR
 Statement Permission

Auditing Server Activity with SQL Server 2000 …
 You can start SQL Profiler by selecting it from the program group on the Start menu or from the Tools menu in Enterprise Manager.
 To start a new audit trace, from the File menu click New, then Trace.
 It is shown in the figure below.

Auditing Server Activity with SQL Server 2000 …
The new trace dialog box appears, as shown in the figure.

On the General tab, you provide :
 A name for the trace
 The server you want to audit
 The base template to start with
 Where to save the audit data, either to a file or to a DB
 A stop time, if you don't want the trace to run indefinitely

Auditing Server Activity with SQL Server 2000 …
 On the Events tab, you specify the events to be audited and the category to which they belong, as shown in the figure.

Auditing Server Activity with SQL Server 2000 …
Add the Login Change Password security event to the trace by performing the following steps :

 Expand the Security Audit node under Available event classes
 Click the Audit Login Change Password Event
 Click the Add button

The Audit Login Change Password Event should now appear under Security Audit in Selected event classes, as shown in the figure.

Auditing Server Activity with SQL Server 2000 …

Data Definition Auditing

 To audit DDL statements, on the Events tab of your trace select Object:Created and Object:Deleted under the Objects category.
 These two events audit all CREATE and DROP statements.
 It is shown in the figure.

Auditing Server Activity with SQL Server 2000 …

Database Auditing with SQL Server

 To audit operations on the database files, select events under the Database category, as shown in the figure.

Auditing Server Activity with SQL Server 2000 …

Database errors auditing with SQL Server

 To audit errors that occur within the database, select the events under the Errors and Warnings category on the Events tab of your trace, as shown in the figure.

Security and Auditing Project Case Study

Introduction

 A DB developer is assigned to a new database application project and is asked to develop an auditing scheme that complies with the industry standards.
 Developers often face this problem.
 DBAs are often asked to provide an effective data security and auditing design.
 The case studies that follow require you to use these concepts, methods and techniques to solve data accessibility and auditing problems.
 These cases can be implemented in either ORACLE or SQL Server.

Security and Auditing Project Case Study
CASE 1 : Developing an Online Database

 A new dot-com has decided to launch an affiliated Web site, specifically for individuals interested in database issues.
 The main mission of the Web site is to provide a forum for database technical tips, issues, and scripts.
 The CIO and his technical team held a meeting to draft the requirements for the new web site and decided that it would include the following.
  Technical documents
  A forum where members can exchange ideas and share experiences
  Online access
  A tips section
  Technical support for error messages

Security and Auditing Project Case Study

 Immediately after the meeting, the newly appointed project manager asks you to implement security for the site.
 The manager mentions that the security of a public database is so important that the CIO himself/herself has outlined the security requirements, as follows :
  The online DB will have 10 public host database accounts that allow multiple sessions
  The password of a public host account must be reset to its original setting whenever a disconnect or logoff occurs
  The maximum duration of a session is 45 minutes
  Limits will be set on memory and CPU

Security and Auditing Project Case Study

  Storage for each public host account must be limited to 1 MB
  The public host accounts will have privileges to create the most common database objects
  All newly created database objects must be removed before logoff
  The database must have the default human resources user account enabled
  Whenever a user logs on to the database, all session information, such as IP address, terminal and user session details, must be recorded for future analysis

Note : You may add other security and auditing features, as long as you do not overlook any of the requirements in this list.

Security and Auditing Project Case Study

Case 2 : Taking Care of Payroll

 Acme Payroll Systems is a small payroll services company that has been in business for two years and has had only one major customer.
 Suddenly, it lands a contract with another large corporation.
 The company has hired you as a database consultant to design and implement a virtual private database for the existing payroll application.
 The main objective of the virtual private database feature is to allow each client to administer its own payroll data without violating the privacy of the other clients.

Security and Auditing Project Case Study
The figure represents the payroll application data model for case 2:

EMPLOYEE: EMPLOYEE_ID, COMPANY_ID (FK), TAX_ID, FIRST_NAME, LAST_NAME, HOURLY_SALARY, FED_CODE, STATE_CODE, MEDICAL_ELECTION, FOUR01_ELECTION, MEDICAL_DEDUCTION, OTHER_DEDUCTION, SICK_DAYS, VACATION_DAYS
COMPANY: COMPANY_ID, PP_ID (FK), CONTACT_NAME, STREET_NAME, CITY, STATE, ZIPCODE, PHONE, FAX, EMAIL, URL, STATUS
PAYROLL_PERIOD: PP_ID, PP_DESCRIPTION
COMPANY_ADMINISTRATORS: CA_ID, COMPANY_ID (FK), FIRST_NAME, LAST_NAME, SYSTEM_USERNAME
TIMESHEET: TS_ID, EMPLOYEE_ID (FK), START_DATE, END_DATE, WORK_HOURS, SICK_HOURS
DAILY_WORK_HOURS: DWH_ID, TS_ID (FK), WORK_DAY, WORK_HOURS, SICK_HOURS

Security and Auditing Project Case Study

Case 3 : Tracking Town Contracts

 A small town has hired you as a database specialist on contract.
 Your job is to develop a new database application to keep track of the jobs awarded to different contractors.
 All town hall employees will use the application.
 After several interviews with clerks and managers, you found out that a prior attempt at application development by a consulting company resulted in a draft of an entity-relationship (ER) diagram.
 The ER diagram depicts all the required information about the contractors and the awarded jobs.

Security and Auditing Project Case Study
The figure presents the contractor job data model for case 3:

CONTRACTOR: CONTRACTOR_ID, TAX_ID, CONTRACTOR_TYPE_ID (FK), CONTRACTOR_NAME, STREET_ADDRESS_01, STREET_ADDRESS_02, CITY, STATE, ZIPCODE, CONTACT_NAME, PHONE, FAX, MOBILE_PHONE, EMAIL, URL, CONTRACTOR_STATUS
JOB: JOB_ID, CONTRACTOR_ID (FK), JOB_TYPE_ID (FK), JOB_DESCRIPTION, JOB_CLASSIFICATION, JOB_RATE, START_DATE, COMPLETION_DATE, DAILY_PENALTY, PAYMENT_AGREEMENT
CONTRACTOR_TYPE: CONTRACTOR_TYPE_ID, CONTRACTOR_TYPE_DESCRIPTION
JOB_TYPE: JOB_TYPE_ID, JOB_TYPE_DESCRIPTION

Security and Auditing Project Case Study
 During your meeting with the project manager for this application, you are
asked to design an application with the following capabilities:

 Track all changes made to the application data

 Obtain the approval of the project manager before accepting any contract job
for more than $10,000

 Alert the project manager whenever an awarded job is modified to a value
greater than $10,000

 Implement three levels of security

 The DEPARTMENT CLERK level allows clerks to add and update records

 The DEPARTMENT MANAGER level allows clerks to add, update, delete
and approve records

 The EXTERNAL CLERK level allows employees outside the department
only to view data.

Case 4 : Tracking Database Changes

 A friend recommended you to the company he/she works for

 They need your help to solve a series of database and application violations

 When you meet with the hiring manager, he/she explains that there has been
a series of inexplicable, suspicious activities on the applications and
production databases

 The company wants to know

 Who accessed these databases?

 Who modified data?

 Who changed the data structure?


 Also, the company wants to have an audit trail for all these activities, but it
is not interested in a historical trail of the changes

 As a consultant, your job is to design an audit model to meet these
requirements

 The following is the summary of the project requirements

 Audit of database connections

 Audit trail of users that are performing DML operations

 Audit trail of users that are modifying structures of the application schema
tables

Sample data model for case 4
 You may use the two tables illustrated in the following figure as sample application
schema tables.

PHYSICIAN: PHYSICIAN_ID, FIRST_NAME, LAST_NAME, MOBILE_NUMBER, PAGER_NUMBER

ALERT_SCHEDULE: ALERT_ID, PHYSICIAN_ID (FK), ALERT_TIMESTAMP, ALERT_STATUS, ALERT_COUNT, RESPONSE


Case 5 : Developing a Secured Authorization Repository


 A small retail company has asked you to provide them with database security
services

 The main requirement of this project is to create a security data model that
will be used by the central authorization module

 This model should include an auditing repository

 This model will store

 Application users

 Roles

 Applications

 Application Modules

 Your mission is to create an authorization data model with a relevant auditing repository

 The following is a summary of the project security requirements

 There must be one database user account for the application schema owner

 Database-assigned roles are not followed

 There must be application roles only

 Each application user is assigned to application modules

 Each application user is assigned a security level that indicates the type of operations the
user can perform within the application.

 Operations are READ, WRITE, DELETE and ADMINISTER

 Passwords must be stored within the designed security module

 Each user has a logon identification number to the application

 The security model should have the flexibility to logically lock, disable and remove
accounts

 Application accounts must have an activation date and expiry date



 The security module must be coupled with an auditing module that meets these
auditing requirements
 It must have an audit trail of the date and time a user connects to and disconnects
from the application
 It must have an audit trail of application operations that includes the date and
time operations were performed by the application user
 It must have an audit trail of all activities and operations performed on the
security module
 The auditing module must be coupled with the security module

Note: You are to provide only a design solution, not an implementation

15CS338E - Database Security and Privacy

Prepared by
Dr. B. Muruganantham
Assistant Professor
Department of Computer Science and Engineering
SRMIST, Chennai

UNIT V - PRIVACY PRESERVING DATA MINING TECHNIQUES

 Introduction
 Privacy Preserving Data Mining Algorithms
 General Survey
 Randomization Methods
 Group Based Anonymization
 Distributed Privacy Preserving Data Mining
 Curse of Dimensionality
 Application of Privacy Preserving Data Mining

Introduction - privacy-preserving data mining

 The problem of privacy-preserving data mining has become more important in
recent years because of the increasing ability to store personal data about users,
and the increasing sophistication of data mining algorithms to leverage this
information.

 The problem has been discussed in multiple communities such as the
database community, the statistical disclosure control community and the
cryptography community.

 This tutorial will try to explore different topics from the perspective of different
communities and give a fused idea of the work in different communities.

Privacy Preserving Data Mining Algorithms

 A number of techniques such as randomization and k-anonymity have been
suggested in recent years in order to perform privacy-preserving data mining.

 Furthermore, the problem has been discussed in multiple communities such as the
database community, the statistical disclosure control community and the
cryptography community.

 The key directions in the field of privacy-preserving data mining are as follows:
 Privacy-Preserving Data Publishing
 Changing the results of Data Mining Applications to preserve privacy
 Query Auditing
 Cryptographic Methods for Distributed Privacy
 Theoretical Challenges in High Dimensionality


Privacy-Preserving Data Publishing:

 These techniques tend to study different transformation methods associated
with privacy
 These techniques include methods such as randomization, k-anonymity and
l-diversity.
 Another related issue is how the perturbed data can be used in
conjunction with classical data mining methods such as association rule
mining
 Other related problems include that of determining privacy-preserving
methods to keep the underlying data useful (utility-based methods), or
the problem of studying the different definitions of privacy, and how
they compare in terms of effectiveness in different scenarios.

Changing the results of Data Mining Applications to preserve privacy:

 In many cases, the results of data mining applications such as
association rule or classification rule mining can compromise the
privacy of the data.

 This has spawned a field of privacy in which the results of data mining
algorithms such as association rule mining are modified in order to
preserve the privacy of the data.

 A classic example of such techniques is association rule hiding, in
which some of the association rules are suppressed in order to preserve
privacy.

Query Auditing:

 Such methods are akin to the previous case of modifying the results of
data mining algorithms

 Here, we are either modifying or restricting the results of queries.

Cryptographic Methods for Distributed Privacy:

 In many cases, the data may be distributed across multiple sites, and the
owners of the data across these different sites may wish to compute a
common function.

 In such cases, a variety of cryptographic protocols may be used in order
to communicate among the different sites, so that secure function
computation is possible without revealing sensitive information.


Theoretical Challenges in High Dimensionality:

 Real data sets are usually extremely high dimensional, and this
makes the process of privacy-preservation extremely difficult both
from a computational and effectiveness point of view.

 It has been shown that optimal k-anonymization is NP-hard.
Furthermore, the technique is not even effective with increasing
dimensionality, since the data can typically be combined with
either public or background information to reveal the identity of
the underlying record owners.


General Survey:

 There is a broad survey of privacy-preserving data mining methods.

 It provides an overview of the different techniques and how they relate
to one another.

 The idea is to provide an overview of the field for a new reader from the
perspective of the data mining community.

 However, more detailed discussions are deferred to future chapters
which contain descriptions of different data mining algorithms.

Privacy Preserving Data Mining Algorithms – A General Survey
 Statistical Methods for Disclosure Control
 Measures of Anonymity
 The k-anonymity Method
 The Randomization Method
 Quantification of Privacy
 Utility Based Privacy-Preserving Data Mining
 Mining Association Rules under Privacy Constraints
 Cryptographic Methods for Information Sharing and Privacy
 Privacy Attacks
 Query Auditing and Inference Control
 Privacy and the Dimensionality Curse
 Personalized Privacy Preservation
 Privacy-Preservation of Data Streams
 Conclusions and Summary

Statistical Methods for Disclosure Control

 The topic of privacy-preserving data mining has often been studied
extensively by the data mining community without sufficient attention to
the conventional work done by the statistical disclosure control community.

 Detailed methods for statistical disclosure control have been presented
along with some of the relationships to the parallel work done in the
database and data mining community.

 This includes methods such as k-anonymity, swapping, randomization,
micro-aggregation and synthetic data generation.

 The idea is to give the readers an overview of the common themes in
privacy-preserving data mining by different communities.

Measures of Anonymity

 There are a very large number of definitions of anonymity in the
privacy-preserving data mining field.

 This is partially because of the varying goals of different privacy-preserving
data mining algorithms.

 For example, methods such as k-anonymity, l-diversity and t-closeness
are all designed to prevent identification, though the final goal is to
preserve the underlying sensitive information.

 Each of these methods is designed to prevent disclosure of sensitive
information in a different way.

The k-anonymity Method

 An important method for privacy de-identification is the method of
k-anonymity.

 The motivating factor behind the k-anonymity technique is that many
attributes in the data can often be considered pseudo-identifiers which can
be used in conjunction with public records in order to uniquely identify
the records.

 For example, if the identifications from the records are removed, attributes
such as the birth date and zip-code can be used in order to uniquely identify
the identities of the underlying records.


The Randomization Method


 The randomization technique uses data distortion methods in order to
create private representations of the records
 In most cases, the individual records cannot be recovered, but only
aggregate distributions can be recovered.
 These aggregate distributions can be used for data mining purposes. Two
kinds of perturbation are possible with the randomization method:
 Additive Perturbation:
 In this case, randomized noise is added to the data records. The overall
data distributions can be recovered from the randomized records.
 Data mining and management algorithms are designed to work with
these data distributions.
 Multiplicative Perturbation:
 In this case, random projection or random rotation techniques are
used in order to perturb the records.


Quantification of Privacy

 A key issue in measuring the security of different privacy-preservation
methods is the way in which the underlying privacy is quantified.

 The idea in privacy quantification is to measure the risk of disclosure
for a given level of perturbation.


Utility Based Privacy-Preserving Data Mining

 Most privacy-preserving data mining methods apply a transformation
which reduces the effectiveness of the underlying data when it is
applied to data mining methods or algorithms.

 There is a natural trade-off between privacy and accuracy, though this
trade-off is affected by the particular algorithm which is used for
privacy preservation.

 A key issue is to maintain maximum utility of the data without
compromising the underlying privacy constraints.

Mining Association Rules under Privacy Constraints

 Since association rule mining is one of the important problems in data
mining, there are two aspects to the privacy-preserving association rule
mining problem

1. When the input data is perturbed, it is a challenging problem to
accurately determine the association rules on the perturbed data.

2. A different issue is that of output association rule privacy.
In this case, the goal is to ensure that none of the association rules in the
output result in leakage of sensitive data.

This problem is referred to as association rule hiding by the
database community, and that of contingency table privacy-preservation
by the statistical community.

Cryptographic Methods for Information Sharing and Privacy

 In many cases, multiple parties may wish to share aggregate private data,
without leaking any sensitive information at their end

 For example, different superstores with sensitive sales data may wish to
coordinate among themselves in knowing aggregate trends without
leaking the trends of their individual stores.

 This requires secure and cryptographic protocols for sharing the
information across the different parties. The data may be distributed in
two ways across different sites:

 Horizontal Partitioning: In this case, the different sites may have different
sets of records containing the same attributes.

 Vertical Partitioning: In this case, the different sites may have different
attributes of the same sets of records.


Privacy Attacks

 It is useful to examine the different ways in which one can make
adversarial attacks on privacy-transformed data.

 This helps in designing more effective privacy-transformation methods.

 Some examples of methods which can be used in order to attack the
privacy of the underlying data include SVD-based methods, spectral
filtering methods and background knowledge attacks.

Query Auditing and Inference Control

 Many private databases are open to querying. This can compromise the
security of the results, when the adversary can use different kinds of
queries in order to undermine the security of the data.

 For example, a combination of range queries can be used in order to
narrow down the possibilities for a particular record. Therefore, the results over
multiple queries can be combined in order to uniquely identify a record,
or at least reduce the uncertainty in identifying it.

 There are two primary methods for preventing this kind of attack:

 Query Output Perturbation: In this case, we add noise to the output of the
query result in order to preserve privacy.

 Query Auditing: In this case, we choose to deny a subset of the queries, so
that the particular combination of queries cannot be used in order to violate
the privacy.

Privacy and the Dimensionality Curse

 In recent years, it has been observed that many privacy-preservation
methods such as k-anonymity and randomization are not very effective
in the high dimensional case

Personalized Privacy Preservation

 In many applications, different subjects have different requirements for
privacy.

 For example, a brokerage customer with a very large account would
likely have a much higher level of privacy-protection than a customer
with a lower level of privacy protection.

 In such cases, it is necessary to personalize the privacy-protection
algorithm.


Privacy-Preservation of Data Streams

• A new topic in the area of privacy preserving data mining is that of
data streams, in which data grows rapidly at an unlimited rate.

• In such cases, the problem of privacy-preservation is quite challenging
since the data is being released incrementally.

• In addition, the fast nature of data streams obviates the possibility of
using the past history of the data.

Conclusions and Summary
 The broad areas of privacy are as follows:

Privacy-preserving data publishing:
This corresponds to sanitizing the data, so that its privacy remains preserved.

Privacy-Preserving Applications:
This corresponds to designing data management and mining algorithms in such a way that
the privacy remains preserved. Some examples include association rule mining,
classification, and query processing.

Utility Issues:
Since the perturbed data may often be used for mining and management purposes,
its utility needs to be preserved. Therefore, the data mining and privacy transformation
techniques need to be designed effectively, so as to preserve the utility of the results.

Distributed Privacy, cryptography and adversarial collaboration:
This corresponds to secure communication protocols between trusted parties, so that
information can be shared effectively without revealing sensitive information about
particular parties.

Randomization Method
 The randomization method is a technique for privacy-preserving data
mining in which noise is added to the data in order to mask the attribute
values of records.

 The noise added is sufficiently large so that individual record values
cannot be recovered.

 Therefore, techniques are designed to derive aggregate distributions
from the perturbed records.

 Subsequently, data mining techniques can be developed in order to work
with these aggregate distributions.

The method of randomization can be described as follows.

 Consider a set of data records denoted by X = {x1 . . . xN}

 For each record xi ∈ X, we add a noise component which is drawn from the
probability distribution fY(y).

 These noise components are drawn independently, and are denoted y1 . . . yN.

 Thus, the new set of distorted records is denoted by x1 + y1 . . . xN + yN.

 We denote this new set of records by z1 . . . zN.

 In general, it is assumed that the variance of the added noise is large enough, so that
the original record values cannot be easily guessed from the distorted data.

 Thus, the original records cannot be recovered, but the distribution of the original
records can be recovered.

 Thus, let X be the random variable denoting the data distribution
for the original records
 Y be the random variable describing the noise distribution
 Z be the random variable denoting the final records
We have:
Z = X + Y
X = Z − Y
 Now, we note that N instantiations of the probability distribution Z
are known, whereas the distribution Y is known publicly.
 For a large enough number of values of N, the distribution Z can be
approximated closely by using a variety of methods such as kernel
density estimation.
 By subtracting Y from the approximated distribution of Z, it is
possible to approximate the original probability distribution X
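Worked example added here (not code from the slides or from the cited book): it perturbs a constructed set of integer records with publicly known noise Y and then recovers the distribution of X from the released Z values and fY using the iterative Bayesian reconstruction of Agrawal and Srikant, one concrete way of carrying out the "subtract Y from the approximated distribution of Z" step above. The domain, the noise distribution and the sample data are all assumptions.

```python
import random
from collections import Counter

# Constructed example (not code from the slides): original values X live in a
# small integer domain; each record receives independent noise Y drawn from the
# publicly known pmf NOISE_PMF, and only Z = X + Y is released.
DOMAIN = list(range(10))
NOISE_PMF = {-1: 1 / 3, 0: 1 / 3, 1: 1 / 3}  # f_Y(y), assumed public


def perturb(x_values, noise_pmf, seed=0):
    """Return z_i = x_i + y_i with each y_i drawn independently from noise_pmf."""
    rng = random.Random(seed)
    noise_values = list(noise_pmf)
    weights = [noise_pmf[v] for v in noise_values]
    return [x + rng.choices(noise_values, weights)[0] for x in x_values]


def reconstruct_distribution(z_values, noise_pmf, domain, iterations=200, tol=1e-9):
    """Estimate the pmf of X from the released values and the known noise pmf.

    Uses the iterative Bayesian reconstruction of Agrawal and Srikant (the
    usual way of 'subtracting Y' from the estimated distribution of Z):
    starting from a uniform guess f_X, repeat
        f_X(a) <- (1/N) * sum_i f_Y(z_i - a) f_X(a) / sum_a' f_Y(z_i - a') f_X(a')
    Each update leaves f_X a proper distribution (it still sums to 1).
    """
    n = len(z_values)
    f_x = {a: 1.0 / len(domain) for a in domain}
    z_counts = Counter(z_values)  # identical z values share the same update term
    for _ in range(iterations):
        new = {a: 0.0 for a in domain}
        for z, count in z_counts.items():
            posterior = {a: noise_pmf.get(z - a, 0.0) * f_x[a] for a in domain}
            total = sum(posterior.values())
            if total == 0.0:
                continue  # z cannot be produced under the current estimate
            for a in domain:
                new[a] += count * posterior[a] / total
        new = {a: v / n for a, v in new.items()}
        change = max(abs(new[a] - f_x[a]) for a in domain)
        f_x = new
        if change < tol:
            break
    return f_x


def empirical_pmf(values, domain):
    """Plain histogram of `values` over `domain`, for comparison."""
    counts = Counter(values)
    return {a: counts[a] / len(values) for a in domain}


if __name__ == "__main__":
    rng = random.Random(7)
    # Constructed original data: 600 records clustered around 3 and around 7.
    x_values = [rng.choice([2, 3, 3, 4]) for _ in range(300)] + \
               [rng.choice([6, 7, 7, 8]) for _ in range(300)]
    z_values = perturb(x_values, NOISE_PMF, seed=7)
    true_pmf = empirical_pmf(x_values, DOMAIN)
    z_pmf = empirical_pmf(z_values, list(range(-1, 11)))
    est_pmf = reconstruct_distribution(z_values, NOISE_PMF, DOMAIN)
    print(" a   true X   released Z   reconstructed X")
    for a in DOMAIN:
        print(f"{a:2d}   {true_pmf[a]:.3f}     {z_pmf[a]:.3f}        {est_pmf[a]:.3f}")
```

The reconstructed column tracks the true X histogram far better than the released Z histogram does, while no single z value reveals which of three original values produced it.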


 One key advantage of the randomization method is that it is relatively
simple, and does not require knowledge of the distribution of other
records in the data.

 This is not true of other methods such as k-anonymity which require the
knowledge of other records in the data.

 Therefore, the randomization method can be implemented at data
collection time, and does not require the use of a trusted server
containing all the original records in order to perform the
anonymization process.

 While this is a strength of the randomization method, it also leads to
some weaknesses, since it treats all records equally irrespective of their
local density.


Privacy Quantification

 The quantity used to measure privacy should indicate how closely the
original value of an attribute can be estimated.

 A measure that defines privacy as follows:
If the original value can be estimated with c% confidence to
lie in the interval [α1, α2], then the interval width (α2 − α1)
defines the amount of privacy at c% confidence level.

 For example,
If the perturbing additive is uniformly distributed in an interval
of width 2α, then α is the amount of privacy at confidence level 50%
and 2α is the amount of privacy at confidence level 100%.

 However, this simple method of determining privacy can be subtly
incomplete in some situations.


Randomization Methods for Data Streams

 The randomization approach is particularly well suited to privacy-preserving
data mining of streams, since the noise added to a given
record is independent of the rest of the data.

 However, streams provide a particularly vulnerable target for
adversarial attacks with the use of PCA (Principal Component
Analysis) based techniques because of the large volume of the data
available for analysis.

Multiplicative Perturbations

 The most common method of randomization is that of additive
perturbations.

 However, multiplicative perturbations can also be used to good effect
for privacy-preserving data mining.

 Many of these techniques derive their roots in earlier work which
shows how to use multi-dimensional projections in order to reduce the
dimensionality of the data.

 This technique preserves the inter-record distances approximately, and
therefore the transformed records can be used in conjunction with a
variety of data mining applications.

 As in the case of additive perturbations, multiplicative perturbations are not
entirely safe from adversarial attacks.

 In general, if the attacker has no prior knowledge of the data, then it is
relatively difficult to attack the privacy of the transformation.

 However, with some prior knowledge, two kinds of attacks are possible

 Known Input-Output Attack:
 In this case, the attacker knows some linearly independent collection of
records, and their corresponding perturbed version. In such cases, linear
algebra techniques can be used to reverse-engineer the nature of the privacy
preserving transformation.

 Known Sample Attack:
 In this case, the attacker has a collection of independent data samples from
the same distribution from which the original data was drawn. In such cases,
principal component analysis techniques can be used in order to reconstruct
the behavior of the original data.

Data Swapping

 Noise addition or multiplication is not the only technique which can be used to
perturb the data.

 A related method is that of data swapping, in which the values across different records
are swapped in order to perform the privacy-preservation

 One advantage of this technique is that the lower order marginal totals of the data are
completely preserved and are not perturbed at all.

 Therefore certain kinds of aggregate computations can be exactly performed
without violating the privacy of the data.

 This technique does not follow the general principle in randomization which allows
the value of a record to be perturbed independently of the other records.

 Therefore, this technique can be used in combination with other frameworks
such as k-anonymity, as long as the swapping process is designed to preserve the
definitions of privacy for that model.

Group Based Anonymization
 The randomization method is a simple technique which can be easily
implemented at data collection time, because the noise added to a given record
is independent of the behavior of other data records.

 This is also a weakness because outlier records can often be difficult to mask.

 Clearly, in cases in which the privacy-preservation does not need to be
performed at data-collection time, it is desirable to have a technique in which
the level of inaccuracy depends upon the behavior of the locality of that given
record.

 Another key weakness of the randomization framework is that it does not
consider the possibility that publicly available records can be used to identify the
identity of the owners of that record.

 Therefore, a broad approach to many privacy transformations is to construct
groups of anonymous records which are transformed in a group-specific way.

The k-Anonymity Framework

 In many applications, the data records are made available by simply
removing key identifiers such as the name and social security
numbers from personal records.

 However, other kinds of attributes (known as pseudo-identifiers) can
be used in order to accurately identify the records.

 For example, attributes such as age, zip-code and sex are available
in public records such as census rolls.

 When these attributes are also available in a given data set, they can
be used to infer the identity of the corresponding individual.

 A combination of these attributes can be very powerful, since they
can be used to narrow down the possibilities to a small number of
individuals.

 k-anonymity techniques reduce the granularity of representation of
these pseudo-identifiers with the use of techniques such as generalization and
suppression.

 In the method of generalization, the attribute values are generalized to a range
in order to reduce the granularity of representation.
 For example, the date of birth could be generalized to a range such as year
of birth, so as to reduce the risk of identification.

 In the method of suppression, the value of the attribute is removed
completely.

 It is clear that such methods reduce the risk of identification with the use of
public records, while reducing the accuracy of applications on the transformed
data.

 In order to reduce the risk of identification, the k-anonymity approach
requires that every tuple in the table be indistinguishably related to no fewer
than k respondents.


 The k-anonymity approach can be formalized as follows:

 Each release of the data must be such that every combination of
values of quasi-identifiers (pieces of information that are not of
themselves unique identifiers) can be indistinguishably matched to
at least k respondents.

 The first algorithm for the k-anonymity approach uses domain
generalization hierarchies of the quasi-identifiers in order to build
k-anonymous tables.

 The concept of k-minimal generalization has been proposed in order to
limit the level of generalization for maintaining as much data precision
as possible for a given level of anonymity.

 Subsequently, the topic of k-anonymity has been widely researched.

 It was noted that the problem of optimal anonymization is inherently a difficult
one.
 It has been shown that the problem of optimal k-anonymization is NP-hard.
Nevertheless, the problem can be solved quite effectively by the use of a number of
heuristic methods.

 A method proposed by Bayardo and Agrawal is the k-Optimize algorithm which
can often obtain effective solutions.

 The approach assumes an ordering among the quasi-identifier attributes.

 The values of the attributes are discretized into intervals (quantitative attributes) or
grouped into different sets of values (categorical attributes). Each such grouping is
an item.

 For a given attribute, the corresponding items are also ordered. An index is
created using these attribute-interval pairs (or items) and a set enumeration tree is
constructed on these attribute-interval pairs.

 The k-Optimize algorithm can use a number of pruning strategies to good effect.



 A branch and bound technique can be used to successively improve the
quality of the solution during the traversal process.

 The Incognito method has been proposed for computing a k-minimal
generalization with the use of bottom-up aggregation along domain
generalization hierarchies.

 The Incognito method uses a bottom-up breadth-first search of the
domain generalization hierarchy, in which it generates all the possible
minimal k-anonymous tables for a given private table.


 First, it checks k-anonymity for each single attribute, and removes all
those generalizations which do not satisfy k-anonymity. Then, it
computes generalizations in pairs, again pruning those pairs which do
not satisfy the k-anonymity constraints.

 The Incognito algorithm computes (i + 1)-dimensional generalization
candidates from the i-dimensional generalizations, and removes all
those generalizations which do not satisfy the k-anonymity constraint.

 This approach is continued until no further candidates can be
constructed, or all possible dimensions have been exhausted.

Personalized Privacy-Preservation
• Not all individuals or entities are equally concerned about their privacy.
• For example, a corporation may have very different constraints on the privacy of its
records as compared to an individual.
• This leads to the natural problem that we may wish to treat the records in a given
data set very differently for anonymization purposes.
• From a technical point of view, this means that the value of k for anonymization is
not fixed but may vary with the record.
• A condensation based approach has been proposed for privacy-preserving data
mining in the presence of variable constraints on the privacy of the data records.

Personalized Privacy-Preservation…
 This technique constructs groups of non-homogeneous size from the data, such that
it is guaranteed that each record lies in a group whose size is at least equal to its
anonymity level.
 Subsequently, pseudo-data is generated from each group so as to create a synthetic
data set with the same aggregate distribution as the original data.
 Another interesting model of personalized anonymity is one in which a person can
specify the level of privacy for his or her sensitive values.
 This technique assumes that an individual can specify a node of the domain
generalization hierarchy in order to decide the level of anonymity that he or she can
work with.
 This approach has the advantage that it allows more direct protection of the
sensitive values of individuals than a vanilla k-anonymity method, which is
susceptible to different kinds of attacks.

Utility Based Privacy Preservation
 The process of privacy-preservation leads to loss of information for data mining
purposes.
 This loss of information can also be considered a loss of utility for data mining
purposes.
 Since some negative results on the curse of dimensionality suggest that a lot of
attributes may need to be suppressed in order to preserve anonymity, it is extremely
important to do this carefully in order to preserve utility.
 We note that many anonymization methods use cost measures in order to measure
the information loss from the anonymization process.
 Examples of such utility measures include:
 Generalization height
 Size of anonymized group
 Discernability measures of attribute values
 Privacy information loss ratio
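As an added worked example (not from the lecture, and not the code of the Incognito or k-Optimize papers), the following Python script ties the Incognito search described earlier to the discernability cost listed above. It walks the lattice of generalization levels for two quasi-identifiers bottom-up and breadth-first, prunes every node that generalizes a node already found k-anonymous (the generalization property Incognito relies on), and then ranks the minimal k-anonymous tables by discernability. The table, the age and zip hierarchies, the level counts and the function names are constructed for illustration; full Incognito additionally builds (i + 1)-attribute candidates from the i-attribute ones, which is omitted here.

```python
from collections import Counter
from itertools import product

# Constructed sample table: (age, zip, disease). Age and zip are the
# quasi-identifiers; disease is the sensitive attribute and is never generalized.
RECORDS = [
    (23, "13053", "Flu"),
    (27, "13068", "Cancer"),
    (29, "13053", "Flu"),
    (35, "14850", "Cancer"),
    (44, "14853", "Flu"),
    (41, "14850", "HIV"),
    (46, "13053", "Cancer"),
    (49, "13068", "Flu"),
]

# Domain generalization hierarchies (assumed for the example). Level 0 is the
# raw value; each higher level is a coarser ancestor in the hierarchy.
def gen_age(value, level):
    if level == 0:
        return str(value)
    if level == 1:                      # 10-year bands, e.g. 20-29
        lo = value // 10 * 10
        return f"{lo}-{lo + 9}"
    if level == 2:                      # 20-year bands, e.g. 20-39
        lo = value // 20 * 20
        return f"{lo}-{lo + 19}"
    return "*"                          # level 3: fully suppressed

def gen_zip(value, level):
    # Mask `level` trailing digits: 13053 -> 1305* -> 130** -> ... -> *
    return value[: len(value) - level] + "*" * level if level < len(value) else "*"

HIERARCHIES = [gen_age, gen_zip]        # one function per quasi-identifier
LEVELS = [4, 6]                         # number of levels in each hierarchy

def generalize(records, node):
    """Project the table onto its quasi-identifiers at the given level vector."""
    return [tuple(h(r[i], node[i]) for i, h in enumerate(HIERARCHIES)) for r in records]

def is_k_anonymous(qi_rows, k):
    """Every equivalence class (rows with an identical QI tuple) must hold at least k rows."""
    return min(Counter(qi_rows).values()) >= k

def discernability(qi_rows):
    """Discernability metric: sum of squared class sizes; lower means more utility."""
    return sum(n * n for n in Counter(qi_rows).values())

def minimal_k_anonymous(records, k):
    """Incognito-style bottom-up, breadth-first search of the generalization lattice.

    Nodes are visited in order of total generalization height. Once a node is
    k-anonymous, every node that generalizes it is k-anonymous as well and is
    pruned without touching the table, so only minimal solutions are returned.
    """
    dims = len(HIERARCHIES)
    lattice = sorted(product(*(range(n) for n in LEVELS)), key=sum)
    minimal = []
    for node in lattice:
        dominated = any(all(node[i] >= m[i] for i in range(dims)) for m in minimal)
        if dominated:
            continue
        if is_k_anonymous(generalize(records, node), k):
            minimal.append(node)
    return minimal

def best_release(records, k):
    """Among the minimal k-anonymous nodes, pick the one with the least information loss."""
    ranked = sorted(
        (discernability(generalize(records, n)), n) for n in minimal_k_anonymous(records, k)
    )
    cost, node = ranked[0]
    return node, cost, generalize(records, node)

if __name__ == "__main__":
    node, cost, rows = best_release(RECORDS, 2)
    print("minimal 2-anonymous nodes:", minimal_k_anonymous(RECORDS, 2))
    print("chosen levels (age, zip):", node, "discernability:", cost)
    for qi, (_, _, disease) in zip(rows, RECORDS):
        print(qi, disease)
```

On this table two minimal 2-anonymous generalizations exist: suppress age and keep four zip digits, or keep 20-year age bands and suppress the zip almost entirely. Both are minimal in the lattice, but their discernability differs (22 versus 32), which is why a utility measure is needed on top of the minimality search.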

Utility Based Privacy Preservation…
 A method for utility-based data mining using local recoding has been proposed. The
approach is based on the fact that different attributes have different utility from an
application point of view.
 Most anonymization methods are global, in which a particular tuple value is mapped
to the same generalized value globally.
 In local recoding, the data space is partitioned into a number of regions, and the
mapping of the tuple to the generalized value is local to that region.
 This kind of approach has greater flexibility, since it can tailor the generalization
process to a particular region of the data set.

Utility Based Privacy Preservation…
 Another indirect approach to utility based anonymization is to make the
privacy-preservation algorithms more aware of the workload.
 Typically, data recipients may request only a subset of the data, and the union of
these different requested parts of the data set is referred to as the workload.
 A workload in which some records are used more frequently than others tends to
suggest a different anonymization than one which is based on the entire data set.
 Another direction for utility based privacy-preserving data mining is to anonymize
the data in such a way that it remains useful for particular kinds of data mining or
database applications.
 In such cases, the utility measure is often affected by the underlying application at
hand.
 A method has also been proposed for k-anonymization using an information-loss
metric as the utility measure.

Sequential Releases
 Privacy-preserving data mining poses unique problems for dynamic applications such
as data streams, because in such cases the data is released sequentially.
 In other cases, different views of the table may be released sequentially.
 Once a data block is released, it is no longer possible to go back and increase the
level of generalization.
 On the other hand, new releases may sharpen an attacker's view of the data and may
make the overall data set more susceptible to attack.
 One technique relies on lossy joins in order to cripple an attack based on global
quasi-identifiers.
 The intuition behind this approach is that if the join is lossy enough, it will reduce
the confidence of the attacker in relating the release from previous views to the
current release.
 A new generalization principle called m-invariance has been proposed, which
effectively limits the risk of privacy disclosure in re-publication.
 The broad idea in this approach is to progressively and consistently increase the
generalization granularity, so that the released data satisfies the k-anonymity
requirement both with respect to the current table and with respect to the previous
releases.

The l-diversity Method
 k-anonymity is an attractive technique because of the simplicity of the definition
and the numerous algorithms available to perform the anonymization.
 Nevertheless, the technique is susceptible to many kinds of attacks, especially when
background knowledge is available to the attacker.
 Some kinds of such attacks are as follows:
 Homogeneity Attack:
 In this attack, all the values for a sensitive attribute within a group of k
records are the same. Therefore, even though the data is k-anonymized,
the value of the sensitive attribute for that group of k records can be
predicted exactly.
 Background Knowledge Attack:
 In this attack, the adversary can use an association between one or more
quasi-identifier attributes and the sensitive attribute in order to narrow
down the possible values of the sensitive field further.

The l-diversity Method
 While k-anonymity is effective in preventing identification of a record, it may not
always be effective in preventing inference of the sensitive values of the attributes
of that record.
 Therefore, the technique of l-diversity was proposed, which not only maintains the
minimum group size of k, but also focuses on maintaining the diversity of the
sensitive attributes.
 The l-diversity model for privacy is defined as follows:
 Let a q∗-block be a set of tuples such that its non-sensitive values generalize
to q∗.
 A q∗-block is l-diverse if it contains l "well represented" values for the
sensitive attribute S.
 A table is l-diverse if every q∗-block in it is l-diverse.
 When there are multiple sensitive attributes, the l-diversity problem becomes
especially challenging because of the curse of dimensionality.

The t-closeness Model
• The t-closeness model is a further enhancement on the concept of l-diversity.
• One characteristic of the l-diversity model is that it treats all values of a given
attribute in a similar way irrespective of its distribution in the data.
• The t-closeness model was proposed which uses the property that the distance
between the distribution of the sensitive attribute within an anonymized group and
the global distribution should not exceed a threshold t.
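The two attacks on k-anonymity and the l-diversity and t-closeness checks, as an added example that is not part of the lecture: the release below is a constructed 2-anonymous table whose first q∗-block is homogeneous (all Flu). `blocks` groups rows into q∗-blocks, `homogeneity_attack` reads the sensitive value straight out of such a block, and `background_knowledge_attack` shows how ruling out values the adversary already knows are impossible shrinks a block's candidate set. l-diversity is measured in its simplest (distinct-values) form and t-closeness with the variational distance between a block's sensitive distribution and the global one; the table and all function names are my own.

```python
from collections import Counter, defaultdict

# Constructed 2-anonymous release: (age band, zip prefix, disease).
# The first two columns are the generalized quasi-identifiers, the last is sensitive.
RELEASE = [
    ("20-29", "130**", "Flu"),
    ("20-29", "130**", "Flu"),
    ("20-29", "130**", "Flu"),
    ("30-39", "148**", "Cancer"),
    ("30-39", "148**", "HIV"),
    ("40-49", "1****", "Cancer"),
    ("40-49", "1****", "Flu"),
    ("40-49", "1****", "HIV"),
]
QI = slice(0, 2)      # quasi-identifier columns
SENSITIVE = 2         # sensitive column

def blocks(release):
    """Group rows into q*-blocks: rows whose quasi-identifiers generalize to the same q*."""
    out = defaultdict(list)
    for row in release:
        out[row[QI]].append(row[SENSITIVE])
    return dict(out)

def homogeneity_attack(release, target_qi):
    """If the target's block carries a single sensitive value, that value is disclosed."""
    values = set(blocks(release).get(target_qi, []))
    return values.pop() if len(values) == 1 else None

def background_knowledge_attack(release, target_qi, ruled_out):
    """Candidate sensitive values left once the adversary removes those it knows are impossible."""
    return set(blocks(release).get(target_qi, [])) - set(ruled_out)

def l_diversity(release):
    """Distinct l-diversity of the table: the fewest distinct sensitive values in any block."""
    return min(len(set(v)) for v in blocks(release).values())

def t_closeness(release):
    """Largest variational distance between a block's sensitive distribution and the global one.

    The table is t-close for every t at or above the value returned.
    """
    n = len(release)
    global_dist = {s: c / n for s, c in Counter(r[SENSITIVE] for r in release).items()}
    worst = 0.0
    for vals in blocks(release).values():
        local = Counter(vals)
        dist = 0.5 * sum(abs(local.get(s, 0) / len(vals) - p) for s, p in global_dist.items())
        worst = max(worst, dist)
    return worst

def audit(release, k, l, t):
    """Report which of the three group-based guarantees the release actually meets."""
    sizes = [len(v) for v in blocks(release).values()]
    return {
        "k-anonymous": min(sizes) >= k,
        "l-diverse": l_diversity(release) >= l,
        "t-close": t_closeness(release) <= t,
    }

if __name__ == "__main__":
    # Adversary knows the target is 25 and lives in zip 130xx.
    print("homogeneity attack:", homogeneity_attack(RELEASE, ("20-29", "130**")))
    # Adversary knows a 35-year-old target in 148xx does not have HIV.
    print("background knowledge:", background_knowledge_attack(RELEASE, ("30-39", "148**"), {"HIV"}))
    print(audit(RELEASE, k=2, l=2, t=0.2))
```

The audit shows the failure mode the slides describe: the release is 2-anonymous, yet its distinct l-diversity is 1 and its worst block is 0.5 away from the global distribution, so neither 2-diversity nor 0.2-closeness holds.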

Distributed Privacy-Preserving Data Mining
 The key goal in most distributed methods for privacy-preserving data mining is to
allow computation of useful aggregate statistics over the entire data set without
compromising the privacy of the individual data sets held by the different
participants.
 Thus, the participants may wish to collaborate in obtaining aggregate results, but may
not fully trust each other in terms of the distribution of their own data sets.
 For this purpose, the data sets may either be horizontally partitioned or vertically
partitioned.
 In horizontally partitioned data sets, the individual records are spread out across
multiple entities, each of which has the same set of attributes.
 In vertical partitioning, the individual entities may have different attributes (or views)
of the same set of records.
 Both kinds of partitioning pose different challenges to the problem of distributed
privacy-preserving data mining.

Distributed Privacy-Preserving Data Mining …
 The problem of distributed privacy-preserving data mining overlaps closely with the
field in cryptography concerned with secure multi-party computation.
 The broad approach of cryptographic methods is to compute functions over inputs
provided by multiple parties without actually sharing the inputs with one another.
 For example, in a 2-party setting, Alice and Bob may have two inputs x and y
respectively, and may wish to both compute the function f(x, y) without revealing x
or y to each other.
 This problem can also be generalized across k parties by designing the k-argument
function h(x1 . . . xk). Many data mining algorithms may be viewed in the context of
repetitive computations of many such primitive functions such as the scalar dot
product, secure sum etc.
 In order to compute the function f(x, y) or h(x1 . . . xk), a protocol has to be
designed for exchanging information in such a way that the function is computed
without compromising privacy.

Distributed Privacy-Preserving Data Mining …
 The robustness of the protocol depends upon the level of trust one is willing to
place on the two participants Alice and Bob.
 This is because the protocol may be subjected to various kinds of adversarial
behavior:
 Semi-honest Adversaries:
 In this case, the participants Alice and Bob are curious and attempt to
learn from the information received by them during the protocol, but
do not deviate from the protocol themselves. In many situations, this
may be considered a realistic model of adversarial behavior.
 Malicious Adversaries:
 In this case, Alice and Bob may deviate from the protocol, and may send
sophisticated inputs to one another to learn from the information
received from each other.
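A concrete instance of such a protocol, as an added example that is not from the lecture or any cited paper: the secure sum primitive mentioned above, run among n semi-honest parties holding horizontally partitioned data. Party 0 masks its value with a random R, every party adds its own value modulo m and forwards the running total around a ring, and party 0 removes R at the end. The transcript of messages is recorded so the caveat can be checked in code: each message on its own is a uniformly random residue, but the two neighbours of a party can pool what they received and what they forwarded and recover that party's input, which is why the guarantee holds only against non-colluding semi-honest parties. The party inputs and the hospital partitions are constructed; the modulus must exceed the true sum.

```python
import secrets

def secure_sum(inputs, modulus):
    """Secure sum among len(inputs) semi-honest parties arranged in a ring.

    Returns (total, transcript). transcript holds (sender, receiver, message)
    triples, i.e. exactly what each participant sees on the wire.
    The modulus must be larger than the true sum, otherwise the result wraps.
    """
    n = len(inputs)
    if n < 3 or any(not 0 <= x < modulus for x in inputs):
        raise ValueError("need at least 3 parties and inputs in [0, modulus)")
    r = secrets.randbelow(modulus)          # party 0's private mask R
    running = (r + inputs[0]) % modulus
    transcript = [(0, 1, running)]
    for i in range(1, n):
        running = (running + inputs[i]) % modulus
        transcript.append((i, (i + 1) % n, running))   # last message returns to party 0
    return (running - r) % modulus, transcript

def message_reveals(transcript, party):
    """The single message an honest-but-curious party receives: a residue masked by R,
    which on its own says nothing about any individual input."""
    return next(m for s, d, m in transcript if d == party)

def neighbours_collude(transcript, victim, modulus):
    """Collusion caveat: the parties just before and just after `victim` pool the
    message victim received and the message victim sent, and recover its input."""
    if victim == 0:
        raise ValueError("party 0 is protected by its own mask R in this arrangement")
    received = next(m for s, d, m in transcript if d == victim)
    sent = next(m for s, d, m in transcript if s == victim)
    return (sent - received) % modulus

def distributed_count(partitions, predicate, modulus):
    """Horizontally partitioned data: each site counts locally, then the sites run
    secure sum so that no site learns another site's count."""
    local = [sum(1 for row in part if predicate(row)) for part in partitions]
    total, _ = secure_sum(local, modulus)
    return total

if __name__ == "__main__":
    modulus = 1_000_003
    total, transcript = secure_sum([12, 7, 30, 5], modulus)
    print("secure sum:", total)
    for s, d, m in transcript:
        print(f"  party {s} -> party {d}: {m}")
    print("party 2's input recovered by colluding neighbours:",
          neighbours_collude(transcript, 2, modulus))

    # Constructed hospital sites holding (age, diagnosis) rows with the same schema.
    sites = [
        [(23, "Flu"), (41, "Cancer")],
        [(35, "Flu"), (52, "Flu"), (60, "HIV")],
        [(29, "Cancer")],
    ]
    print("flu cases across sites:", distributed_count(sites, lambda r: r[1] == "Flu", modulus))
```

Running the script twice prints different transcripts but the same sum, because R is fresh each time; the collusion function returns the victim's exact input regardless of R, which is the practical reason real deployments either randomize the ring order, split each input into several shares sent along different paths, or move to a protocol with a stronger threshold.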

The Curse of Dimensionality
 Many privacy-preserving data-mining methods are inherently limited by the curse of
dimensionality in the presence of public information.
 For example, one analysis considers the k-anonymity method in the presence of
increasing dimensionality.
 The curse of dimensionality becomes especially important when adversaries may have
considerable background information, as a result of which the boundary between
pseudo-identifiers and sensitive attributes may become blurred.
 This is generally true, since adversaries may be familiar with the subject of interest
and may have greater information about them than what is publicly available.
 This is also the motivation for techniques such as l-diversity, which address settings
in which background knowledge can be used to make further privacy attacks.

Applications of Privacy-Preserving Data Mining
 The problem of privacy-preserving data mining has numerous applications in
homeland security, medical database mining, and customer transaction analysis.
 Some of these applications, such as those involving bio-terrorism and medical
database mining, may intersect in scope.
 A number of different applications of privacy-preserving data mining methods:
 Medical Databases: The Scrub and Datafly Systems
 Bioterrorism Applications
 Homeland Security Applications
 Genomic Privacy

Applications of Privacy-Preserving Data Mining …
Medical Databases: The Scrub and Datafly Systems
Scrub:
 The Scrub system was designed for de-identification of clinical notes and letters,
which typically occur in the form of textual data.
 Clinical notes and letters are typically in the form of text which contains references
to patients, family members, addresses, phone numbers or providers.
 Traditional techniques simply use a global search and replace procedure in order to
provide privacy.
 However, clinical notes often contain cryptic references in the form of abbreviations
which may only be understood by other providers or members of the same
institution.
 Therefore, traditional methods can identify no more than 30-60% of the identifying
information in the data.
 The Scrub system uses local knowledge sources which compete with one another
based on the certainty of their findings.
 Such a system is able to remove more than 99% of the identifying information from
the data.
Applications of Privacy-Preserving Data Mining …
Datafly System:
 The Datafly system was one of the earliest practical applications of privacy-preserving
transformations.
 This system was designed to prevent identification of the subjects of medical records
which may be stored in multidimensional format.
 The multi-dimensional information may include directly identifying information such
as the social security number, or indirectly identifying information such as age, sex
or zip-code.
 The system was designed in response to the concern that the process of removing
only directly identifying attributes such as social security numbers was not sufficient
to guarantee privacy.

Applications of Privacy-Preserving Data Mining …
 Typically, the user of Datafly will set the anonymity level depending upon the profile
of the data recipient in question.
 The overall anonymity level is defined between 0 and 1, which determines the
minimum bin size for each field.
 An anonymity level of 0 results in Datafly providing the original data, whereas an
anonymity level of 1 results in the maximum level of generalization of the
underlying data.
 The Datafly system is one of the earliest systems for anonymization, and is quite
simple in its approach to anonymization.

Applications of Privacy-Preserving Data Mining …
Bioterrorism Applications
 Often a biological agent such as anthrax produces symptoms which are similar to
those of other common respiratory diseases such as the cough, cold and the flu.
 In the absence of prior knowledge of such an attack, health care providers may
diagnose a patient affected by an anthrax attack as having symptoms of one of the
more common respiratory diseases.
 In order to identify such attacks it is necessary to track incidences of these common
diseases as well.
 Therefore, the corresponding data would need to be reported to public health
agencies. However, the common respiratory diseases are not reportable diseases by
law.

Applications of Privacy-Preserving Data Mining …
 Homeland Security Applications
 A number of applications for homeland security are inherently intrusive
because of the very nature of surveillance.
 Some examples of such applications are as follows:
 Credential Validation Problem:
• Trying to match the subject of the credential to the person presenting
the credential.
• For example, the theft of social security numbers presents a serious
threat to homeland security.
 Identity Theft:
• A related technology is to use a more active approach to avoid identity
theft.
• The identity angel system crawls through cyberspace, and determines
people who are at risk from identity theft.
• This information can be used to notify appropriate parties.

Applications of Privacy-Preserving Data Mining …
Web Camera Surveillance:
 One possible method for surveillance is with the use of publicly available webcams
which can be used to detect unusual activity.
 This is a much more invasive approach than the previously discussed techniques
because of person-specific information being captured in the webcams.
 The approach can be made more privacy-sensitive by extracting only facial count
information from the images and using these counts in order to detect unusual
activity.

Applications of Privacy-Preserving Data Mining …
Video-Surveillance:
 In the context of sharing video-surveillance data, a major threat is the use of facial
recognition software, which can match the facial images in videos to the facial
images in a driver license database.
 While a straightforward solution is to completely black out each face, the result is of
limited use, since all facial information has been wiped out.
 A more balanced approach is to use selective downgrading of the facial information,
so that it scientifically limits the ability of facial recognition software to reliably
identify faces, while maintaining facial details in images.
 The algorithm is referred to as k-Same, and the key is to identify faces which are
somewhat similar, and then construct new faces which combine features from these
similar faces.

Applications of Privacy-Preserving Data Mining …
The Watch List Problem:
 The motivation behind this problem is that the government typically has a list of
known terrorists or suspected entities which it wishes to track from the population.
 The aim is to view transactional data such as store purchases, hospital admissions,
airplane manifests, hotel registrations or school attendance records in order to
identify or track these entities.
 This is a difficult problem because the transactional data is private, and the privacy
of subjects who do not appear in the watch list needs to be protected.
 Therefore, the transactional behavior of non-suspicious subjects may not be
identified or revealed.
 The watch list problem is currently an open problem.

Applications of Privacy-Preserving Data Mining …
Genomic Privacy
• Recent years have seen tremendous advances in the science of DNA sequencing and
forensic analysis with the use of DNA.
• As a result, the databases of collected DNA are growing very fast in both the medical
and law enforcement communities.
• DNA data is considered extremely sensitive, since it contains almost uniquely
identifying information about an individual.
• As in the case of multi-dimensional data, simple removal of directly identifying data
such as the social security number is not sufficient to prevent re-identification.
• It has been shown that software called CleanGene can determine the identifiability of
DNA entries independent of any other demographic or other identifiable
information.
• The software relies on publicly available medical data and knowledge of particular
diseases in order to assign identifications to DNA entries.
• Another method for compromising the privacy of genomic data is that of trail
re-identification, in which the uniqueness of patient visit patterns is exploited in
order to make identifications.