Scribd
Upload
11 views

DBA Security

Uploaded by

Diaa Uliyan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
11 views

DBA Security

Uploaded by

Diaa Uliyan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 28

DATABASE ADMINISTRATION AND

SECURITY

© PEARSON EDUCATION LIMITED,


2004-2010
1
OBJECTIVES
• The distinction between data administration
and database administration.
• The purpose and tasks associated with data
administration and database administration.
• The scope of database security.

2
© Pearson Education Limited, 2004
OBJECTIVES
• Why database security is a serious concern
for an organization.
• The type of threats that can affect a database
system.
• How to protect a computer system using
computer-based controls.

3
© Pearson Education Limited, 2004
DATA ADMINISTRATION AND DATABASE
ADMINISTRATION

• Data Administrator (DA) and Database


Administrator (DBA) are responsible for
managing and controlling activities
associated with corporate data and
corporate database, respectively.
• DA is more concerned with early stages of
lifecycle and DBA is more concerned with
later stages.

4
© Pearson Education Limited, 2004
DATA ADMINISTRATION

• Management and control of corporate


data, including:
– database planning
– development and maintenance of standards,
policies, and procedures
– conceptual and logical database design

5
© Pearson Education Limited, 2004
DATA ADMINISTRATION TASKS

© Pearson Education Limited, 2004 6


DATABASE ADMINISTRATION

• Management and control of physical


realization of a database system,
including:
– physical database design and implementation
– setting security and integrity controls
– monitoring system performance
– reorganizing the database

7
© Pearson Education Limited, 2004
DATABASE ADMINISTRATION TASKS

© Pearson Education Limited, 2004 8


COMPARISON OF DATA AND DATABASE
ADMINISTRATION

© Pearson Education Limited, 2004 9


DATABASE SECURITY
• Mechanisms that protect the database against
intentional or accidental threats.
• Not only apply to the data held in a database.
Breaches of security may affect other parts of
the system, which may in turn affect the
database.

10
© Pearson Education Limited, 2004
DATABASE SECURITY
• Includes hardware, software, people, and
data.
• Growing importance of security is the
increasing amounts of crucial corporate data
being stored on computer.

11
© Pearson Education Limited, 2004
DATABASE SECURITY
• Outcomes to avoid:
– theft and fraud
– loss of confidentiality (secrecy)
– loss of privacy
– loss of integrity
– loss of availability

12
© Pearson Education Limited, 2004
DATABASE SECURITY
• Threat
– Any situation or event, whether intentional or
unintentional, that may adversely affect a system
and consequently the organization.

13
© Pearson Education Limited, 2004
EXAMPLES OF THREATS AND POSSIBLE OUTCOMES

14
© Pearson Education Limited, 2004
SUMMARY OF THREATS TO COMPUTER SYSTEMS

15
© Pearson Education Limited, 2004
TYPICAL MULTI-USER COMPUTER ENVIRONMENT

16
© Pearson Education Limited, 2004
COUNTERMEASURES – COMPUTER-
BASED CONTROLS

• Authorization
• Views
• Backup And Recovery
• Integrity
• Encryption
• Redundant array of independent disks
(RAID)

17
© Pearson Education Limited, 2004
COUNTERMEASURES – COMPUTER-BASED
CONTROLS
• Authorization
– The granting of a right or privilege that enables a
subject to have legitimate access to a database
system or a database system’s object.
• Authentication
– A mechanism that determines whether a user is,
who he or she claims to be.

18
© Pearson Education Limited, 2004
COUNTERMEASURES – COMPUTER-BASED
CONTROLS
• View
– A view is a virtual table that does not necessarily
exist in the database but can be produced upon
request by a particular user, at the time of
request.

19
© Pearson Education Limited, 2004
COUNTERMEASURES – COMPUTER-BASED
CONTROLS

• Backup
– Process of periodically taking a copy of the
database and log file (and possibly programs) onto
offline storage media.
• Journaling
– Process of keeping and maintaining a log file (or
journal) of all changes made to database to enable
recovery to be undertaken effectively in the event
of failure.

20
© Pearson Education Limited, 2004
COUNTERMEASURES – COMPUTER-
BASED CONTROLS
• Integrity
– Prevents data from becoming invalid, and hence
giving misleading or incorrect results.
• Encryption
– Encoding the data by a special algorithm that
renders the data unreadable by any program
without the decryption key.

21
© Pearson Education Limited, 2004
REDUNDANT ARRAY OF INDEPENDENT DISKS
(RAID)
• Hardware that the DBMS runs on must be
fault-tolerant, meaning that the DBMS should
continue to operate even if one of the
hardware components fails.
• Suggests having redundant components that
can be seamlessly integrated into the working
system whenever there are failures.

22
© Pearson Education Limited, 2004
REDUNDANT ARRAY OF INDEPENDENT DISKS
(RAID)
• The main hardware components that should be fault-
tolerant include disk drives, disk controllers, CPU,
power supplies, and cooling fans.
• Disk drives are the most vulnerable components with
the shortest times between failure of any of the
hardware components.
• One solution is to provide a large disk array
comprising an arrangement of several independent
disks that are organized to improve reliability and at
the same time increase performance.

23
© Pearson Education Limited, 2004
LINKS
• http://en.wikipedia.org/wiki/Database_security
• http://www.dbta.com/Categories/Database-
Security_332.aspx
• http://www.craigsmullins.com/dbta_035.htm &
http://www.craigsmullins.com/dbta_056.htm
• http://iase.disa.mil/stigs/checklist/index.html

© Pearson Education Limited, 2004 24


SQL-INJEKTIOT JA NIIDEN EHKÄISY
JOUNI HUOTARI & JUHA PELTOMÄKI
© Pearson Education Limited, 2004 25
SUOJAUTUMINEN SQL-INJEKTIOILTA
• Virheilmoitusten kustomointi
– Ei liikaa tietoa käyttäjälle
• Syötteiden tarkastus / suodatus
– Vaaralliset käskyt / merkit
– Käytetään valmisfunktioita
• Parametroitu SQL
– Monissa ohjelmointikielissä kuten Javassa Prepared
Statement: paikkamerkit kyselyn parametreille
– Parametrit heittomerkkien väliin
ESIMERKKEJÄ

Lähde: http://xkcd.com/327/

Jos sovelluksessa on esim. merkkijono


String sql = ”SELECT fieldlist FROM table WHERE
(name = '” + param_nimi +”');”
ja siihen sijoitetaan em. pojan nimi, lopputulos on
SELECT * FROM table WHERE (name =
'Robert');DROP TABLE Students;--';
© Pearson Education Limited, 2004 27
ESIMERKKEJÄ
• Peltomäen Juhan opetusmateriaali:
http://homes.jamk.fi/~huojo/opetus/IIO30200/PHP-tietoturva.html
• Testaus:
http://student.labranet.jamk.fi/~pelju/php/6db/query_form.php

© Pearson Education Limited, 2004 28

You might also like