Notes and Study Materials

Security Of DBMS

 

 

Security refers to activities and measures to ensure the confidentiality, integrity, and availability of an information system and its main asset, data. It is important to understand that securing data requires a comprehensive, company-wide approach.

To understand the scope of data security, let’s discuss each of the three security goals in more detail:


• Confidentiality deals with ensuring that data is protected against unauthorized access, and if the data are accessed by an authorized user, that the data are used only for an authorized purpose. In other words, confidentiality entails safeguarding data against disclosure of any information that would violate the privacy rights of a person or organization. Data must be evaluated and classified according to the level of confidentiality: highly restricted (very few people have access), confidential (only certain groups have access), and unrestricted (can be accessed by all users).

 

 

• Integrity, within the data security framework, is concerned with keeping data consistent and free of errors, inconsistencies, or anomalies. The DBMS plays a pivotal role in ensuring the integrity of the data in the database. However, from the security point of view, integrity deals not only with the data in the database but also with ensuring that organizational processes, users, and usage patterns maintain such integrity.

 

• Availability refers to the accessibility of data whenever required by authorized users and for authorized purposes. To ensure data availability, the entire system (not only the data component) must be protected from service degradation or interruption caused by any source (internal or external).

 

Security Policies:

 

A security policy is a collection of standards, policies, and procedures created to guarantee the security of a system and ensure auditing and compliance. The security audit process starts by identifying the security vulnerabilities in the organization’s information system infrastructure and identifying measures to protect the system and data against those vulnerabilities.

 

Security Vulnerabilities:

 

A security vulnerability is a weakness in a system component that could be exploited to allow unauthorized access or cause service disruptions. Such vulnerabilities can be of multiple types: technical (such as a flaw in the operating system or Web browser), managerial (for example, not educating users about critical security issues), cultural (hiding passwords under the keyboard or not shredding confidential reports), procedural (not requiring complex passwords or not checking user IDs), and so on. Whatever the case, when a security vulnerability is left unchecked, it could become a security threat. A security threat is an imminent security violation that could occur at any time due to an unchecked security vulnerability.

 

A security breach occurs when a security threat is exploited to negatively affect the integrity, confidentiality, or availability of the system. Security breaches can yield a database whose integrity is either preserved or corrupted:

 

• Preserved: Action is required to avoid the repetition of similar security problems, but data recovery may not be necessary. As a matter of fact, most security violations are produced by unauthorized and unnoticed access for information purposes, but such snooping does not disrupt the database.

 

• Corrupted: Action is required to avoid the repetition of similar security problems, and the database must be recovered to a consistent state. Corrupting security breaches include database access by computer viruses and by hackers whose actions are intended to destroy or alter data.

 

Database Security:

 

Database security refers to the use of the DBMS features and other related measures to comply with the security requirements of the organization. From the DBA’s point of view, security measures should be implemented to protect the DBMS against service degradation and the database against loss, corruption, or mishandling.

 

To protect the DBMS against service degradation there are certain minimum recommended security safeguards. For example:

• Change default system passwords.

• Change default installation paths.

• Apply the latest patches.

• Secure installation folders with proper access rights.

• Make sure only required services are running.

• Set up auditing logs.

• Set up session logging.

• Require session encryption.

Protecting the data in the database is a function of authorization management. Authorization management defines procedures to protect and guarantee database security and integrity. Those procedures include, but are not limited to, user access management, view definition, DBMS access control, and DBMS usage monitoring.

User access management: This function is designed to limit access to the database and likely includes at least the following procedures:

 

Define each user to the database: This is achieved at the operating system level and at the DBMS level. At the operating system level, the DBA can request the creation of a logon user ID that allows the end user to log on to the computer system. At the DBMS level, the DBA can either create a different user ID or employ the same user ID to authorize the end user to access the DBMS.

 

Assign passwords to each user: This, too, can be done at both operating system and DBMS levels. The database passwords can be assigned with predetermined expiration dates. The use of expiration dates enables the DBA to screen end users periodically and to remind users to change their passwords periodically, thus making unauthorized access less probable.

 

Define user groups: Classifying users into user groups according to common access needs facilitates the DBA’s job of controlling and managing the access privileges of individual users. Also, the DBA can use database roles and resource limits to minimize the impact of rogue users in the system.

 

Assign access privileges: The DBA assigns access privileges or access rights to specific users to access specified databases. An access privilege describes the type of authorized access. For example, access rights may be limited to read-only, or the authorized access might include READ, WRITE, and DELETE privileges. Access privileges in relational databases are assigned through SQL GRANT and REVOKE commands.

 

Control physical access: Physical security can prevent unauthorized users from directly accessing the DBMS installation and facilities. Some common physical security practices found in large database installations include secured entrances, password-protected workstations, electronic personnel badges, closed-circuit video, voice recognition, and biometric technology.

 

View definition: The DBA must define data views to protect and control the scope of the data that are accessible to an authorized user. The DBMS must provide the tools that allow the definition of views that are composed of one or more tables and the assignment of access rights to a user or a group of users. The SQL command CREATE VIEW is used in relational databases to define views.
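
The user access management and view definition procedures above, put together as an added example that is not part of the original notes. It assumes PostgreSQL syntax; the table, role names, user names, expiration date and passwords are constructed placeholders.

```sql
-- Added example, PostgreSQL syntax assumed; all names are constructed.
CREATE TABLE employee (
    emp_id     integer PRIMARY KEY,
    emp_name   text NOT NULL,
    department text NOT NULL,
    salary     numeric(10,2) NOT NULL   -- highly restricted column
);

-- Define user groups: roles without LOGIN act as groups.
CREATE ROLE staff_directory NOLOGIN;
CREATE ROLE hr_clerks NOLOGIN;

-- Define each user, assign a password with an expiration date, and cap
-- resource use (placeholder passwords; set real ones out of band).
CREATE ROLE alice LOGIN PASSWORD 'placeholder-change-me'
    VALID UNTIL '2030-01-01' CONNECTION LIMIT 3 IN ROLE staff_directory;
CREATE ROLE bob LOGIN PASSWORD 'placeholder-change-me'
    VALID UNTIL '2030-01-01' CONNECTION LIMIT 3 IN ROLE hr_clerks;
ALTER ROLE alice SET statement_timeout = '30s';

-- View definition: expose only the unrestricted columns.
-- The view reads the base table with its owner's rights, so directory
-- users need no privilege on employee itself.
CREATE VIEW employee_directory AS
    SELECT emp_id, emp_name, department FROM employee;

-- Assign access privileges to groups rather than to individual users.
REVOKE ALL ON employee, employee_directory FROM PUBLIC;
GRANT SELECT ON employee_directory TO staff_directory;
GRANT SELECT, INSERT, UPDATE, DELETE ON employee TO hr_clerks;

-- Tighten later: clerks keep read and write access but lose DELETE.
REVOKE DELETE ON employee FROM hr_clerks;

-- Review the effective privileges of each login, including those
-- inherited through group membership.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'employee', 'SELECT') AS base_select,
       has_table_privilege(r.rolname, 'employee', 'DELETE') AS base_delete,
       has_table_privilege(r.rolname, 'employee_directory', 'SELECT') AS view_select
FROM pg_roles AS r
WHERE r.rolname IN ('alice', 'bob');
```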

 

DBMS access control: Database access can be controlled by placing limits on the use of DBMS query and reporting tools. The DBA must make sure that those tools are used properly and only by authorized personnel.

 

 

DBMS usage monitoring: The DBA must also audit the use of the data in the database. Several DBMS packages contain features that allow the creation of an audit log, which automatically records a brief description of the database operations performed by all users. Such audit trails enable the DBA to pinpoint access violations.
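
One way to build the audit log described above when relying only on standard DBMS features, shown as an added example that is not part of the original notes. It assumes PostgreSQL 11 or later and objects created in the public schema; the table, function and trigger names are constructed.

```sql
-- Added example, PostgreSQL 11+ syntax assumed; all names are constructed.
CREATE TABLE payroll (
    emp_id integer PRIMARY KEY,
    salary numeric(10,2) NOT NULL
);

CREATE TABLE audit_log (
    audit_id   bigserial PRIMARY KEY,
    logged_at  timestamptz NOT NULL DEFAULT now(),
    db_user    text NOT NULL DEFAULT session_user,  -- login that ran the statement
    operation  text NOT NULL,                       -- INSERT, UPDATE or DELETE
    table_name text NOT NULL,
    row_key    text NOT NULL
);

-- SECURITY DEFINER lets the trigger write to audit_log even though
-- ordinary users hold no privileges on it; search_path is pinned so the
-- function cannot be redirected to a look-alike table.
CREATE FUNCTION log_payroll_change() RETURNS trigger
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        INSERT INTO audit_log (operation, table_name, row_key)
        VALUES (TG_OP, TG_TABLE_NAME, OLD.emp_id::text);
    ELSE
        INSERT INTO audit_log (operation, table_name, row_key)
        VALUES (TG_OP, TG_TABLE_NAME, NEW.emp_id::text);
    END IF;
    RETURN NULL;  -- return value is ignored for AFTER row triggers
END;
$$;

CREATE TRIGGER payroll_audit
    AFTER INSERT OR UPDATE OR DELETE ON payroll
    FOR EACH ROW EXECUTE FUNCTION log_payroll_change();

-- Users must not be able to read or rewrite their own trail.
REVOKE ALL ON audit_log FROM PUBLIC;

-- DBA review: who changed payroll rows in the last day, and how often.
SELECT db_user, operation, count(*) AS changes, max(logged_at) AS last_seen
FROM audit_log
WHERE logged_at > now() - interval '1 day'
GROUP BY db_user, operation
ORDER BY changes DESC;
```

Row triggers fire only on data changes, so this trail covers writes; recording reads requires the DBMS's own statement-level auditing or logging feature.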
