Security of the Database

A Presentation By
Pratik Tamgadge
1/14/2014

Contents
• What is Database Security?
• Issues in Database security
• How to Secure?
  – Access Control Mechanism
  – Cryptography
  – Backup and Recovery
  – RAID Implementation
  – Views
  – Digital Signatures
• Security in Microsoft Access and Oracle DBMS

What is Database Security?
• In today’s world, we need everything secured, whether it is your mobile phone, computer, vehicle or almost anything else.
• So does your database,
• as it stores your personal, confidential and critical data.
• By definition, database security is the mechanism that protects the database against intentional or accidental threats.

Issues in Database Security
• Unauthorized access to your database.
• Managing the large amount of data that belongs to a relatively large organization.
• Keeping track of all the authorized users of the database.
• Physical Security.
• Network Security.

Now, How Will You Secure It?
These are some basic security measures that you can apply to your databases.

Access Control Mechanism
» As the name “Access Control” suggests, this mechanism is all about users’ access to the database.
» In this mechanism, we have three kinds of access control:
  1. Discretionary Access Control
  2. Mandatory Access Control
  3. Role based Access Control

Discretionary Access Control
• The word “Discretionary” means to act in a way that avoids revealing confidential information.
• In this method, we can GRANT and REVOKE privileges to different users of the database.
  Now you will think, what is this? GRANT? REVOKE? Privileges?
  Well, GRANT = “to allow” or “to give some rights”,
  REVOKE = “to cancel the GRANT”, i.e. “not to allow”,
  and privileges = permissions, i.e. various commands like CREATE, UPDATE etc.
• GRANT and REVOKE are database commands used to operate the database.
• We use these commands like this:

» GRANT [Privileges] ON [Database Objects] TO USER [WITH GRANT OPTION];
» REVOKE [Privileges] ON [Database Object] FROM USER;

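
The GRANT and REVOKE forms above, filled in as a worked example. This is an added example, not part of the original slides; it assumes PostgreSQL run as a superuser, and the table `employees` and the users `alice` and `bob` are constructed for illustration.

```sql
-- Constructed schema and users (not from the slides); PostgreSQL syntax.
CREATE TABLE employees (
    id     integer PRIMARY KEY,
    name   text    NOT NULL,
    salary numeric NOT NULL
);
CREATE ROLE alice LOGIN;
CREATE ROLE bob   LOGIN;

-- GRANT [Privileges] ON [Database Objects] TO USER [WITH GRANT OPTION]:
-- alice may read and update the table, and may pass those rights on.
GRANT SELECT, UPDATE ON employees TO alice WITH GRANT OPTION;

-- This is the "discretionary" part: alice decides, on her own authority,
-- to delegate read access to bob.
SET ROLE alice;
GRANT SELECT ON employees TO bob;
RESET ROLE;

-- Audit check: who holds which privilege, who granted it, and whether
-- the holder can grant it further (is_grantable).
SELECT grantor, grantee, privilege_type, is_grantable
FROM   information_schema.table_privileges
WHERE  table_name = 'employees'
ORDER  BY grantee, privilege_type;

-- REVOKE [Privileges] ON [Database Object] FROM USER:
-- bob's privilege depends on alice's grant option, so a plain REVOKE is
-- refused by PostgreSQL. CASCADE removes alice's privileges and every
-- grant she made with them.
REVOKE SELECT, UPDATE ON employees FROM alice CASCADE;

-- To keep alice's own access but stop further delegation, revoke only
-- the grant option instead:
--   REVOKE GRANT OPTION FOR SELECT ON employees FROM alice CASCADE;
```

Re-running the audit query after the REVOKE is the quickest way to confirm that no delegated grant survived.
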
Mandatory Access Control
• This method provides multilevel security by classifying data and users into different SECURITY LEVELS.
• Here, security has its class or level.
• Mandatory Access Control is implemented in:
  – National governments
  – Military
  – Business Intelligence
• Mandatory Access Control provides security for extremely confidential information.
• Security classes are:
  – Top Security (TS)
  – Secret (S)
  – Confidential (C)
  – Unclassified (U)
• Note: The intensity of security is ordered as TS > S > C > U.
• Now you will wonder how security is classified? Well, it is classified using the Bell-LaPadula Model.

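
The Bell-LaPadula model named above has two core rules: a user may not read data above their level ("no read up") and may not write data below it ("no write down"). The following added example, which is not part of the original slides, emulates both with PostgreSQL row-level security; the tables, the user `analyst` and the numeric encoding of the levels are assumptions made for illustration.

```sql
-- Constructed example (not from the slides); PostgreSQL syntax, run as a superuser.
-- Levels are encoded so that TS(3) > S(2) > C(1) > U(0).
CREATE TABLE clearance (
    username  name     PRIMARY KEY,
    sec_level smallint NOT NULL CHECK (sec_level BETWEEN 0 AND 3)
);
CREATE TABLE document (
    id        integer  PRIMARY KEY,
    body      text     NOT NULL,
    sec_level smallint NOT NULL CHECK (sec_level BETWEEN 0 AND 3)
);

CREATE ROLE analyst LOGIN;                        -- hypothetical user
INSERT INTO clearance VALUES ('analyst', 1);      -- cleared to Confidential
INSERT INTO document VALUES
    (1, 'canteen menu',       0),
    (2, 'staff salary bands', 1),
    (3, 'incident report',    2);

-- Policy expressions run with the privileges of the querying user,
-- so analyst needs to be able to look up a clearance.
GRANT SELECT ON clearance TO analyst;
GRANT SELECT, INSERT ON document TO analyst;

ALTER TABLE document ENABLE ROW LEVEL SECURITY;

-- No read up: only rows at or below the reader's clearance are visible.
CREATE POLICY no_read_up ON document FOR SELECT
    USING (sec_level <= (SELECT c.sec_level FROM clearance c
                         WHERE c.username = current_user));

-- No write down: new rows must be labelled at or above the writer's clearance.
CREATE POLICY no_write_down ON document FOR INSERT
    WITH CHECK (sec_level >= (SELECT c.sec_level FROM clearance c
                              WHERE c.username = current_user));

SET ROLE analyst;
SELECT id, body, sec_level FROM document;          -- filtered by no_read_up
INSERT INTO document VALUES (4, 'field note', 2);  -- passes no_write_down (2 >= 1)
INSERT INTO document VALUES (5, 'copied text', 0); -- violates no_write_down (0 < 1)
RESET ROLE;
```

A user with no row in `clearance` gets a NULL comparison and therefore sees and writes nothing. Superusers and the table owner bypass these policies unless `FORCE ROW LEVEL SECURITY` is set on the table.
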
Role Based Access Control
• Role based Access Control provides security according to the ROLE of the user who is accessing the database.
• The ROLE of the user is created using the CREATE command.
• A role gives permissions to only authorized users to access the data.
• Thus roles provide security in a smart and simple way.

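
A worked example of creating roles and assigning users to them, added here and not part of the original slides. It assumes PostgreSQL run as a superuser; the table `orders`, the roles `order_clerk` and `order_auditor`, and the users `carol` and `dave` are constructed for illustration.

```sql
-- Constructed schema, roles and users (not from the slides); PostgreSQL syntax.
CREATE TABLE orders (
    id       integer PRIMARY KEY,
    customer text    NOT NULL,
    amount   numeric NOT NULL
);

-- Roles describe jobs, not people, so they cannot log in themselves.
CREATE ROLE order_clerk   NOLOGIN;
CREATE ROLE order_auditor NOLOGIN;

-- Privileges are attached to the role once.
GRANT SELECT, INSERT, UPDATE ON orders TO order_clerk;
GRANT SELECT                 ON orders TO order_auditor;

-- Users receive privileges only through role membership.
CREATE ROLE carol LOGIN;
CREATE ROLE dave  LOGIN;
GRANT order_clerk   TO carol;
GRANT order_auditor TO dave;

-- Check effective access, including privileges inherited from roles.
SELECT has_table_privilege('carol', 'orders', 'INSERT') AS carol_can_insert,
       has_table_privilege('dave',  'orders', 'INSERT') AS dave_can_insert,
       has_table_privilege('dave',  'orders', 'SELECT') AS dave_can_select;

-- Job change: carol moves from clerk to auditor. Only her membership
-- changes; the privileges on the table are left untouched.
REVOKE order_clerk   FROM carol;
GRANT  order_auditor TO   carol;

-- Confirm that the old role and its write access are gone.
SELECT pg_has_role('carol', 'order_clerk', 'MEMBER')    AS still_clerk,
       has_table_privilege('carol', 'orders', 'UPDATE') AS carol_can_update,
       has_table_privilege('carol', 'orders', 'SELECT') AS carol_can_select;
```
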
Cryptography
• Cryptography is a way of concealing data while it is being sent, called encryption, and revealing that data when it is received, called decryption.

Cryptography (contd.)
• There are two types of cryptography.
  – Symmetric Key Cryptography
    • Both sender and receiver have the same key for encryption and decryption.
  – Asymmetric Key Cryptography
    • The sender uses the public key for encryption and the receiver uses its own private key for decryption.

Backup and Recovery
• Backup - The process of periodically taking a copy of
the database and log file on to offline storage media.
• Journaling - The process of keeping and maintaining
a log file (or journal) of all changes made to the
database to enable recovery to be undertaken
effectively in the event of a failure.

RAID Implementation
RAID, i.e. Redundant Array of Inexpensive Disks, is a category of disk drives that employ two or more drives in combination for fault tolerance and performance. This array of disks has the following levels:
• Level 0: Provides data striping (spreading out blocks of each file across multiple disks) but no redundancy. This improves performance but does not deliver fault tolerance.
• Level 1: Provides disk mirroring.
• Level 2: Error correcting codes by using parity check.
• Level 3: Same as Level 0, but also reserves one dedicated disk for error correction data. It provides good performance and some level of fault tolerance.
• Level 4: Uses block level striping which keeps the parity block on a separate disk.
• Level 5: Provides data striping at the byte level and also stripes error correction information. This results in excellent performance and good fault tolerance.
• Level 6: P+Q redundancy scheme, i.e. stores extra redundant information in case of disk failures.

Views
• A view is the dynamic result of one or more relational
operations operating on the base relations to produce
another relation. A view is a virtual relation that does not
actually exist in the database, but is produced upon request
by a particular user, at the time of request.
• The view mechanism provides a powerful and flexible security
mechanism by hiding parts of the database from certain
users.
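
A worked example of a view used to hide columns and rows, added here and not part of the original slides. It assumes PostgreSQL run as a superuser; the table `staff`, the view `staff_directory` and the role `helpdesk` are constructed for illustration.

```sql
-- Constructed schema and data (not from the slides); PostgreSQL syntax.
CREATE TABLE staff (
    id          integer PRIMARY KEY,
    name        text    NOT NULL,
    department  text    NOT NULL,
    salary      numeric NOT NULL,
    national_id text    NOT NULL
);
INSERT INTO staff VALUES
    (1, 'Asha',  'Support',   52000, 'ID-0001'),
    (2, 'Ben',   'Finance',   61000, 'ID-0002'),
    (3, 'Chloe', 'Executive', 98000, 'ID-0003');

-- The view exposes three harmless columns and leaves out one department.
-- security_barrier stops a caller-supplied function in a WHERE clause
-- from being evaluated against rows the view is meant to hide.
CREATE VIEW staff_directory WITH (security_barrier) AS
    SELECT id, name, department
    FROM   staff
    WHERE  department <> 'Executive';

-- helpdesk gets access to the view only, never to the base table.
CREATE ROLE helpdesk LOGIN;
GRANT SELECT ON staff_directory TO helpdesk;

-- Verify from the administrator's side before handing out the account.
SELECT has_table_privilege('helpdesk', 'staff_directory', 'SELECT') AS can_read_view,
       has_table_privilege('helpdesk', 'staff',           'SELECT') AS can_read_table;

-- Verify from the user's side.
SET ROLE helpdesk;
SELECT * FROM staff_directory;   -- works: the view runs with its owner's rights
SELECT name, salary FROM staff;  -- fails: helpdesk has no privilege on staff
RESET ROLE;
```

The protection depends on the base table staying ungranted: a later `GRANT SELECT ON staff` to the same user or to `PUBLIC` silently defeats the view.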

Message Digest Algorithms and Digital Signatures
• A message digest algorithm is a one-way hash function that produces a fixed-length string (hash) from an arbitrary-sized message. It is computationally infeasible to find another message with the same digest, and the digest does not reveal anything about the message.
• A digital signature consists of two parts: a string of bits that is computed from the message, and the private key of the organization.
• A digital signature is used to verify that the message comes from this organization.

Security in Microsoft Access and Oracle DBMS
Microsoft Access
• System level security - password.
• User-level security - identification as a member of groups
(Administrators and Users), permissions are granted
(Open/Run, Read, Update, Delete, etc).

Oracle DBMS
• System level security - name, password.
• User-level security is based on a privilege, i.e. a right to execute a particular type of SQL statement or to access another user’s object.
• System privileges and object privileges.


End of the Presentation
Thank You!
