Update Seminar Form
Rachit Bhatia and I presented a seminar on
in which we covered the following areas:
Database Security refers to the protection of data against unauthorized disclosure, alteration or destruction.
Or more or less it means making sure that the user is allowed to do any thing that they desire to do with the database.
Basically database security can be broken down into the following key points of interest.
Table Access Control <
Restricting Database Access
Server security is the process of limiting actual access to the database server itself . "what if your database server is supplying information to dynamic web pages?", we should say, "Your database back end should never be on the same machine as your web server, not just for security, but for performance!" If your database server is supplying information to a web server then it should be configure to allow connections only from that web server.
Trusted IP address
Every server, should be configured to only allow trusted IP addresses. If it's a back end for a web server., then only that web server's address should be allowed to access that database server. If the database server is supplying information to a homegrown application that is running on the internal network, then it should only answer to addresses from within the internal network.
There are numerous aspects of security problems: Legal,social and ethical aspects.
Operating system support.
Issues that are specific concern for the database itself.
Approaches to Data Security
There are two broad approaches to data security for modern DBMSs.They are known as discretionary and mandatory control, respectively.
In both the cases , the data object that needs to be protected can range all the way from an entire database on one hand to a specific component within a specific tuple on the other hand.
Regardless of the approaches, all decisions as to which users are allowed to perform which operations on which objects are policy decisions.
Discretionary Access Control
Authorities : Till what point a user is allowed and to what extent.
It has four components:
Name. The authority will be registered in the catalog under this name.
Privileges, like RETREIVE and DELETE.
The Relvar to which the authorities applies.
User Ids who are granted the privileges.
AUTHORITY < authority name >
GRANT < privilege commalist >
ON < relvar name >
TO < user ID commalist >
The privileges are RETRIEVE [( attribute name commalist)]
INSERT [( attribute name commalist)]
UPDATE [( attribute name commalist)]
DELETE and ALL.
An audit trail is essentially a special file or database in which the system automatically keeps track of all operations performed by users on the regular data. A typical audit trail might contain the following information :
Request (source text)
Terminal from which the operation was invoked & its user
Date and time of the operation
Relvar, tuples, attributes affected
Old values & new values.
Mandatory Access COntrol
Mandatory controls are applicable to databases in which the data has rather static and rigid classification structure.eg certain military or government environments. The basic idea is that each object has a classification level (e.g. top secret,secret, confidential etc .), and each user has a clearance level. The following simple rules are adopted :
User i can retrieve object j only if the clearance level of i is => j.
User i can update object j only if the clearance level of i is = to the classification level of j.
Overall Security Classification Scheme
An overall security classification scheme is given according to the level of security provided by different approaches.
The four classes
which are written in increasing order.
Prof. Ashay Dharwadker