CS 477 Fall 24 - Chapter 7

Chapter Seven: Database Security

  • Instructor: Dr. Mahmoud Qutqut

  • Course: CSC 477: Security in Computing (Fall 2024)

  • Contact: qutqut.m@gust.edu.kw

Overview of Database Security

  • Definition of Data Security: Protective measures to secure data against unauthorized access, ensuring confidentiality, integrity, and availability.

Need for Database Security

  • Sensitive Information: Organizational databases often store critical information such as:

    • Corporate financial data

    • Customer and employee personal information (e.g., Social Security numbers, credit card info)

    • Health care and proprietary data

  • Threats to Security: Information concentrated in databases can be targeted by unauthorized access and misuse. Thus, specialized database security measures are essential.

Challenges in Database Security

  • Complexity of Database Management Systems (DBMS): There is a gap between the complexity of modern DBMS and existing security techniques.

  • Diverse Environments: Organizations may use multiple database and OS platforms (e.g., Oracle, Microsoft, UNIX) which complicates security management.

  • Cloud Dependency: Increasing reliance on cloud storage introduces additional security challenges.

Understanding Databases

  • Definition: A database is a structured collection of data used by applications, containing data relationships and ensuring controlled access.

  • Schema: The logical structure in which data is organized.

  • User Interactions: Users extract data using specific queries.

Database Management System (DBMS)

  • Role of DBMS: A suite of utilities for constructing and maintaining databases, providing access control, and supporting multiple users.

  • Components: Includes data definition language (DDL), data manipulation language (DML), query languages, and various access management systems.

Advantages of Databases

  • Shared Access: Multiple users can access a common data repository.

  • Controlled Access: Only authorized users can view/modify information.

  • Minimal Redundancy: Reduces data duplication.

  • Data Consistency: Changes reflect across all users.

  • Data Integrity: Protects data accuracy and prevents unwanted changes.

SQL and Querying Databases

  • Structured Query Language (SQL): Standardized language for managing and querying relational databases, allowing data manipulation and schema definition.

    • Basic Command Example: SELECT Ename, Eid, Ephone FROM Employee WHERE Did = 15

Database Security Requirements

  • Physical Database Integrity: Protects against physical damage (e.g., hardware failures).

  • Logical Database Integrity: Ensures authorized modifications.

  • Element Integrity: Data accuracy maintained through access control and validation.

Database Disclosure and Sensitivity

  • Sensitive Data Identification: Can be inherently sensitive, from sensitive sources, or declared sensitive by administrators.

  • Disclosure Types: Includes exact data, bounds, existence, probabilities, and inferences.

SQL Injection (SQLi) Attacks

  • Definition: A technique that exploits vulnerabilities in web application interfaces with databases, allowing attackers to execute arbitrary SQL commands.

  • Common Goals: Bulk extraction of data, modification/deletion of data, or launching DoS attacks.

  • Attack Mechanism: SQL injection can occur through improperly sanitized user inputs leading to unauthorized commands being executed.

Countermeasures Against SQLi

  1. Defensive Coding

    • Implement input validation and use parameterized queries to prevent vulnerabilities.

  2. Detection

    • Anomaly detection patterns against normal behavior.

  3. Run-Time Prevention

    • Techniques to monitor queries at runtime for adherence to security models.

Role-Based Access Control (RBAC)

  • RBAC in Databases: User permissions categorized into roles (e.g., application owner, end users, administrators).

  • Access Control Implementation: Different access rights can be specified at various levels including specific tables, rows, or columns.

Database Encryption

  • Purpose: Ensure data confidentiality, particularly sensitive information.

  • Types of Encryption: Can be applied at various levels - database, record, attribute, or field.

  • Challenges: Key management complexity and inflexibility when searching encrypted data.

Data Center Security Considerations

  • Security Priorities: Protecting massive amounts of sensitive data housed in data centers.

  • Threat Types: Includes denial of service, privacy breaches, SQL injection, malware, and physical threats.

  • Security Models: Incorporates encryption, firewalls, and physical security protocols.

Summary

  • Key Themes: Importance of database security, the complexity of current systems, SQLi risks, effective countermeasures, and the significance of data center security.

Key Aspects of Database Security

Definition

Data Security: Protective measures focused on securing data from unauthorized access to ensure confidentiality, integrity, and availability.

Importance of Database Security

  • Sensitive Information: Databases often contain critical data such as corporate financials, personal information (e.g., Social Security numbers, credit card data), and proprietary information.

  • Threats: Concentrated data can be vulnerable to unauthorized access, making specialized security measures necessary.

Challenges in Database Security

  • Complex DBMS: The complexity of today's Database Management Systems (DBMS) exceeds available security techniques.

  • Diverse Environments: Organizations may operate different database platforms (e.g., Oracle, Microsoft, UNIX), complicating security management.

  • Cloud Storage: Increasing dependence on cloud services introduces additional security risks.

Database Management System (DBMS) Overview

  • Role: A suite of tools for building and maintaining databases, managing access control, and supporting multiple users.

  • Components: Data definition language (DDL), data manipulation language (DML), and query languages.

Database Security Requirements

  • Physical Integrity: Protection against physical damage (e.g., hardware failures).

  • Logical Integrity: Ensures that only authorized changes are made to the database.

  • Element Integrity: Maintains data accuracy through validation and access control.

SQL Injection (SQLi)

  • Definition: Exploits web application vulnerabilities enabling attackers to execute arbitrary SQL commands.

  • Countermeasures:

    • Implement input validation and parameterized queries.

    • Use anomaly detection and run-time monitoring techniques.

Role-Based Access Control (RBAC)

  • Concept: Categorizes user permissions into roles, allowing different access rights at various levels (e.g., tables, rows, columns).

Database Encryption

  • Purpose: Ensures confidentiality of sensitive data.

  • Challenges: Key management complexity and difficulties in searching encrypted data.

Data Center Security

  • Priorities: Protecting sensitive data stored in data centers.

  • Threats: Includes denial of service, SQL injections, malware, and physical risks.

Summary

Effective database security is critical for protecting sensitive information. It requires a multi-faceted approach, addressing complex threats while implementing robust access control and encryption strategies.

Enhanced Overview of Database Security

Definition of Data Security

Data Security involves protective measures that secure data against unauthorized access, guaranteeing confidentiality, integrity, and availability.

Importance of Database Security

  • Sensitive Information: Maintains critical data such as corporate financials, personal information (Social Security numbers, credit card info), and proprietary data.

  • Threats to Security: Concentrated data increases vulnerability. Specialized security measures are vital to defend against unauthorized access.

Challenges in Database Security

  • Complexity of DBMS: Modern Database Management Systems overwhelm current security techniques due to intricate configurations.

  • Diverse Environments: Organizations often use varied database platforms (e.g., Oracle, Microsoft, UNIX), complicating uniform security measures.

  • Cloud Dependency: Heightened reliance on cloud services introduces additional challenges and potential security risks.

Database Management System (DBMS) Role

  • Functions: A suite of tools for building, maintaining databases, and managing access control for multiple users.

  • Core Components: Includes data definition language (DDL), data manipulation language (DML), and query languages.

Database Security Requirements

  • Physical Integrity: Safeguards against physical damage (like hardware failures).

  • Logical Integrity: Validates that only authorized modifications apply to the database.

  • Element Integrity: Ensures data accuracy through robust validation and controlled access.

SQL Injection (SQLi) Overview

  • Definition: This method exploits vulnerabilities, allowing attackers to execute arbitrary SQL commands.

  • Preventive Measures:

    • Employ input validation and parameterized queries.

    • Implement anomaly detection and run-time monitoring techniques.

Role-Based Access Control (RBAC)

  • Implementation: User permissions are categorized into roles, allowing tailored access rights at specific levels (tables, rows, or columns).

Database Encryption Importance

  • Purpose: Protects the confidentiality of sensitive data in storage and transmission.

  • Challenges: Includes complexities in key management and limitations when searching within encrypted data.

Data Center Security Considerations

  • Focus Areas: Imperative for protecting sensitive information stored within physical data centers.

  • Potential Threats: Encompass denial of service attacks, SQL injections, malware incidents, and physical security breaches.

Summary

Comprehensive database security plays a pivotal role in safeguarding sensitive information, necessitating an integrated approach that tackles intricate threats while promoting stringent access control and encryption strategies.