In-Depth Notes on Database and Data Center Security
Database Security
- Database security has not progressed alongside the complexity of modern database management systems (DBMS).
- Key reasons include:
- Imbalance between DBMS complexity and security techniques.
- Sophisticated interactions relying on Structured Query Language (SQL).
- Lack of dedicated database security staff in organizations.
- Diverse mixture of database and OS platforms complicates security measures.
- Increased reliance on cloud technology for hosting databases.
Databases
- Defined as structured collections of data for use by applications.
- Includes relationships between data items.
- Can contain sensitive information requiring secure handling.
Database Management System (DBMS)
- A suite of programs designed for creating and managing databases.
- Provides ad hoc queries for multiple users and applications.
- Typical architecture includes:
- User Queries: How users interact with the database.
- Application Utilities: Support functions for database management.
- Processors:
- DDL Processor (Data Definition Language): Manages structural definitions.
- DML Processor (Data Manipulation Language): Handles data operations.
Relational Databases
- Structured as tables consisting of rows and columns
- Rows represent records, columns represent attributes.
- Each row must have a unique identifier called a primary key.
- Related tables can be linked through foreign keys.
Structured Query Language (SQL)
- Standard language for defining, manipulating, and querying data in relational databases.
- Can be used to create, insert, delete, and modify data, as well as create views and retrieve data.
SQL Injection Attacks (SQLi)
- One of the most common and potent security threats to databases.
- Involves sending malicious SQL commands aiming to exploit web applications.
- Attack goals:
- Bulk data extraction.
- Data modification or deletion.
- Execution of arbitrary commands or denial-of-service attacks.
SQLi Attack Techniques
- Inband Attacks:
- Use the same communication channel to inject SQL code and retrieve data.
- Includes techniques like tautology, end-of-line comments, and piggybacked queries.
- Inferential Attacks:
- No actual data transfer; based on observing server behavior to infer data.
- Key types:
- Illegal queries to analyze backend structure.
- Blind SQL injection that infers data without error messages.
SQLi Countermeasures
- Defensive Coding Practices: Ensure code is not vulnerable to SQLi.
- Parameterized Queries: Use safe queries that separate data from commands.
- Monitoring and Detection: Check queries for conformity to expected patterns during runtime.
Database Access Control
- Determines user access levels and rights (e.g., create, read, update, delete).
- Administration Models:
- Centralized: Few privileged users manage access.
- Decentralized: Table creators can grant/revoke access rights.
Role-Based Access Control (RBAC)
- Eases management by grouping users into roles with defined permissions.
- Capabilities include creating roles, defining permissions, and assigning users.
- Categories of users: Application owner, end user, administrator.
Inference and Access Control
- Inference: Unauthorized access to sensitive data through indirect channels.
- Need for techniques to prevent inference through database design or query restrictions.
Database Encryption
- Essential for protecting databases as valuable information resources.
- Encryption can be applied at various levels: entire database, record, or specific fields.
- Challenges include key management and inflexibility in record searching.
Data Center Security
- Data Center Definition: Facilities housing numerous servers, storage devices, and network infrastructure with high availability and environmental controls.
- Important for safety against physical and cyber threats.
- Elements of security include site security, physical security, network security, and data security.
- TIA-492 standard outlines telecommunications infrastructure requirements for data centers.