
DATABASE SECURITY

THREATS TO DATABASES

Accidental loss

Theft & fraud

Loss of privacy or confidentiality

Loss of data integrity

Loss of availability

1. Accidental loss

Loss occurs due to human error. It is usually a loss of data by chance.

These losses can be minimized by:

User authorization

Uniform software installation procedure

Hardware maintenance schedule

2. Theft & fraud

Theft: “stealing of data” by an unauthorized user.

Fraud: “intentionally” spoiling the data.

These two activities are usually performed by electronic means.

Example:

Someone may carry the data away on his flash drive.

This can be avoided by:

Maintaining physical security

Firewall

3. Loss of privacy

Privacy means:

Protection relating to individual data.

Confidentiality means:

Protection of data of organization.

Failure of these protections can lead to:

Blackmail

Bribery

Public embarrassment

State or federal laws govern the protection of data.

Otherwise, a lack of this security may cause financial and reputational loss.

4. Loss of data integrity

“Integrity” means soundness of data and extent of validity of data.

If data is not secured, its integrity can be hampered: someone may alter the data, due to which it becomes invalid. So recovery and backup procedures should be used.

Invalid data may cause “wrong decisions”.

5. Loss of availability

Destruction of hardware, networks, or applications may cause the data to become unavailable.

A virus may cause this problem.

ESTABLISHING DATA SECURITY

Server Security

Network security

Web security

Web privacy

1. Server security

Multiple servers, including database servers, need to be protected. Each should be located in a secure area, accessible only to authorized administrators and supervisors. Logical access controls, including server and administrator passwords, provide layers of protection against intrusion. Password management utilities should be included as part of the network and operating systems.

Reliance on operating system authentication should not be encouraged.

2. Network security

Securing client/server systems includes securing the network between client and server. The encryption of data so that attackers cannot read a data packet being transmitted is obviously an important part of network security. For example, authentication of the client workstation that is attempting to access the server also helps to enforce the security of the network and the application system.

3. Web security

If an organization wishes only to make static HTML pages available, protection must be established for the HTML files stored on the web server.

Sensitive files may be kept on another server accessible through an organization's intranet. Security measures for dynamic web page generation are different.

Web security includes ways to restrict access to web servers:

Restrict the number of users on the web server as much as possible.

Restrict access to the web server, keeping a minimum number of ports open.

Remove any unneeded programs that load automatically when setting up the server.

4. Web privacy

Protection of individual privacy when using the internet has become an important issue. E-mail, e-commerce and marketing, and other online resources have created new computer-mediated communication paths.

Applications that return individualized responses require that information be collected about the individual, but at the same time proper respect must be shown for the privacy and dignity of the employee.

MEASURES

A view is a subset of the database that is presented to one or more users. A view is a virtual table.

A view is created by querying one or more of the base tables.

A view presents only the data that is required by the user.

So, the user cannot view other private, confidential data. Example:

A worker in the production dept. views data relating to material type, and queries relating to material & access.
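
An added example (not part of the original notes) of a view used as a security measure, written with Python's built-in sqlite3 module. The material table, its columns and the production_material view are assumed names; SQLite has no GRANT statement, so an authorizer callback stands in for withholding base-table privileges from the production worker.

```python
import sqlite3

BASE_TABLE = "material"        # assumed base table; also holds confidential columns
VIEW = "production_material"   # assumed view handed to production workers


def production_authorizer(action, table, column, db_name, source):
    """Permit reads of the view, and of the base table only when the view asks."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:
        # 'source' is the view responsible for the read, or None for direct SQL.
        if table == VIEW or (table == BASE_TABLE and source == VIEW):
            return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_production_session():
    """Create constructed sample data as the DBA, then apply the restriction."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE material (id INTEGER PRIMARY KEY, material_type TEXT,
                               supplier TEXT, unit_cost REAL);
        INSERT INTO material VALUES (1, 'steel sheet', 'Acme Ltd', 41.5);
        INSERT INTO material VALUES (2, 'copper wire', 'Bolt Co', 12.0);
        CREATE VIEW production_material AS
            SELECT id, material_type FROM material;
    """)
    conn.set_authorizer(production_authorizer)
    return conn


def query(conn, sql):
    """Return the rows, or None when the statement is rejected."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:
        return None
```

The view alone hides the supplier and unit_cost columns; it is the denial of direct access to the base table that keeps the worker from reading them anyway.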

INTEGRITY CONTROLS

Integrity controls protect data from unauthorized use and update.

These controls include:

Limit the value in a field

Limit the actions that can be performed on data

Limit execution process

Domain: “a domain is the way to user-define a data type”

Once a domain is defined, any field can be assigned that domain as its data type.

Authorization rules

Authorization rules are controls incorporated in the data management system that restrict access to data and also restrict the actions that people may take when they access data. For example, a person who can supply a particular password may be authorized to read any record in a database but cannot necessarily modify any of those records.

Authorization table for salespersons

          Customer record   Order record
Read      Y                 Y
Insert    Y                 Y
Modify    Y                 N
Delete    N                 N
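
The salesperson authorization table above, enforced in code, as an added example that is not part of the original notes. It uses the authorizer hook of Python's sqlite3 module in place of a DBMS's own authorization rules; the table and column names are assumptions, and "orders" stands in for the Order record because ORDER is a reserved word in SQL.

```python
import sqlite3

# Rows of the authorization table for salespersons, keyed by assumed table name.
SALESPERSON = {
    "customer": {"read": True, "insert": True, "modify": True, "delete": False},
    "orders": {"read": True, "insert": True, "modify": False, "delete": False},
}
ACTION_NAMES = {
    sqlite3.SQLITE_READ: "read",
    sqlite3.SQLITE_INSERT: "insert",
    sqlite3.SQLITE_UPDATE: "modify",
    sqlite3.SQLITE_DELETE: "delete",
}
# Bookkeeping actions every statement needs; anything not listed is denied.
ALWAYS_ALLOWED = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_TRANSACTION}


def salesperson_authorizer(action, table, column, db_name, source):
    """Called by SQLite for each access while it compiles a statement."""
    if action in ALWAYS_ALLOWED:
        return sqlite3.SQLITE_OK
    rule = SALESPERSON.get(table, {})
    if rule.get(ACTION_NAMES.get(action), False):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # unknown table, unknown action, or an "N" cell


def open_salesperson_session():
    """Create constructed sample data as the DBA, then drop to salesperson rights."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, qty INTEGER);
        INSERT INTO customer VALUES (1, 'Acme Ltd', '555-0100');
        INSERT INTO orders VALUES (1, 1, 10);
    """)
    conn.set_authorizer(salesperson_authorizer)
    return conn


def allowed(conn, sql):
    """Return True if the statement runs, False if it is rejected."""
    try:
        conn.execute(sql)
        return True
    except sqlite3.DatabaseError:
        return False
```

Because the callback denies by default, actions the table does not mention, such as dropping a table, are refused as well.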

ENCRYPTION

Data encryption can be used to protect highly sensitive data such as customer credit card numbers or account balances. Encryption is the coding or scrambling of data so that humans cannot read them. Some DBMS products include encryption routines that automatically encode sensitive data when they are stored or transmitted over communication channels. For example, encryption is commonly used in electronic fund transfer (EFT) systems. Other DBMS products provide exits that allow users to code their own encryption routines.

AUTHENTICATION SCHEMES

In an electronic environment, a user can prove his or her identity by supplying one or more of the following factors:

Something the user knows, usually a password or personal identification number (PIN)

Something the user possesses, such as a smart card or token.

Some unique personal characteristic, such as fingerprint or retinal scan

Authentication schemes are called one-factor, two-factor or three-factor authentication, depending on how many of these factors are employed. Authentication becomes stronger in proportion to the number of factors that are used.

SECURITY POLICY & PROCEDURES

Personnel controls

Physical controls

Maintenance controls

Data privacy controls

USER-DEFINED PROCEDURES

Some DBMS products provide user exits (or interfaces) that allow system designers or users to create their own user-defined procedures for security, in addition to the authorization rules we have just described. For example, a user procedure might be designed to provide positive user identification. In attempting to log on to the computer, the user might be required to supply a procedure name. When a procedure name is supplied, the system then calls the procedure, which asks the user a series of questions whose answers should be known only to that password holder.