
    Database Security and Authorization

    Database security refers to the measures and mechanisms used to protect a database from unauthorized access, data breaches, corruption, or loss. It encompasses a broad set of practices that aim to ensure the confidentiality, integrity, availability, and privacy of the data stored in a database system. The goal of database security is to protect data from threats, both external (such as hackers) and internal (such as disgruntled employees), and ensure that only authorized users can perform allowed operations on the database.

    Authorization is a key part of database security. It involves determining who has permission to access or modify particular data and what actions they are allowed to perform. Proper authorization ensures that only users with the right credentials can execute certain database operations (like querying, updating, deleting data, or changing the structure of the database).

    Key Concepts in Database Security

    1. Confidentiality: Ensuring that sensitive data is only accessible to those with the proper authorization. This is achieved through encryption, access control, and proper user permissions.

    2. Integrity: Ensuring that the data in the database remains accurate and unaltered unless modified by authorized transactions. This involves mechanisms to prevent unauthorized users from altering data.

    3. Availability: Ensuring that the database is available and operational for authorized users whenever needed. This involves backup mechanisms, disaster recovery plans, and proper system maintenance.

    4. Accountability: Ensuring that there is a mechanism in place to track and audit database activities. This helps in identifying who accessed the data and what changes were made, allowing for better detection of unauthorized actions.

    5. Privacy: Ensuring that sensitive personal or organizational information stored in the database is protected from unauthorized disclosure. This includes implementing controls such as encryption and strict access policies.


    Database Security Mechanisms

    Database security mechanisms are designed to provide protection at multiple levels, including physical, network, and application levels. Some of the key security measures include:

    1. Access Control:

      • Access Control refers to limiting and controlling who can interact with the database and what actions they can perform. This is often implemented through user authentication and authorization policies.

      • Authentication: The process of verifying the identity of a user or system. This is typically done through usernames and passwords, biometric data, smart cards, or multi-factor authentication (MFA).

      • Authorization: After authentication, authorization determines the level of access granted to the user. It specifies what operations the user can perform, such as read, write, delete, or modify database records.

      • Access Control Models:

        • Discretionary Access Control (DAC): The owner of a database object (such as a table or a row) can control who has access to it. In this model, users are granted or denied access based on permissions set by the owner.
        • Mandatory Access Control (MAC): Access is determined based on predefined security policies and labels assigned to users and objects. The database enforces strict rules that cannot be altered by individual users.
        • Role-Based Access Control (RBAC): Users are assigned roles (e.g., administrator, manager, user), and each role has specific permissions. This is a common model in databases to simplify the management of user permissions.
        • Attribute-Based Access Control (ABAC): Access is granted based on attributes (e.g., user role, department, data sensitivity level). This provides fine-grained access control based on a user’s attributes and the attributes of the data they are accessing.
    2. Encryption:

      • Encryption is used to protect sensitive data stored in the database from unauthorized access. Data is transformed into an unreadable format, and only users with the correct decryption key can read it.

      • Types of Encryption:

        • Data-at-rest encryption: Encrypts the data stored in the database (on the disk or storage system). This ensures that even if an attacker gains access to the physical storage, the data remains unreadable.
        • Data-in-transit encryption: Protects data while it is being transmitted between the database and client applications. Common protocols used for data-in-transit encryption include TLS/SSL.
    3. Audit Trails and Logging:

      • Audit Trails (also called logs) record all the actions taken by users on the database, such as login attempts, queries executed, and data modifications. This allows for tracking who accessed the database and what actions they performed.

      • Log Management:

        • Logs are crucial for detecting unauthorized access or potential breaches. By keeping an audit trail, administrators can identify patterns of malicious behavior and take corrective action.
        • Logs can also be useful for compliance purposes, as they may be required by regulations (e.g., GDPR, HIPAA).
    4. Backup and Recovery:

      • Backup involves creating copies of the database at regular intervals to protect against data loss due to hardware failure, data corruption, or cyberattacks.

      • Recovery involves restoring the database from a backup in case of failure. It's important to have robust backup and recovery strategies in place to ensure that data is not permanently lost.

      • Types of Backups:

        • Full Backup: A complete copy of the entire database.
        • Incremental Backup: Only the data that has changed since the last backup is saved.
        • Differential Backup: Saves changes made since the last full backup.
    5. Database Firewalls:

      • A database firewall is used to monitor and control database traffic to prevent unauthorized SQL queries and malicious attacks. It acts as a barrier between the database and the outside world, filtering out suspicious activity.
      • Common attacks prevented by a database firewall include SQL injection and cross-site scripting (XSS).
    6. Virtual Private Databases (VPD):

      • A Virtual Private Database (VPD) allows a database to serve different users while maintaining the illusion of isolated databases. VPD applies a security policy that filters data based on user attributes, such as role or department.
      • This ensures that users can only see data that they are authorized to access, even if they run the same query.

    Authorization in Databases

    Authorization defines what an authenticated user is allowed to do within the database system. It ensures that users or applications can only perform actions they are explicitly allowed to perform, based on their permissions.

    1. User Accounts and Roles:

      • A user account is a unique identifier assigned to each person or application that accesses the database. The account is typically associated with authentication credentials (e.g., username and password).
      • A role is a set of permissions associated with a particular job function. A role may be assigned to multiple users. This is an efficient way to manage access because users inherit the permissions associated with the role assigned to them.
    2. Permissions: Permissions are specific rights granted to users or roles that define the operations they can perform on the database objects (such as tables, views, or procedures). Some common types of permissions are:

      • SELECT: Permission to read data from a table or view.
      • INSERT: Permission to add new data to a table.
      • UPDATE: Permission to modify existing data in a table.
      • DELETE: Permission to remove data from a table.
      • ALTER: Permission to modify the structure of a database object (e.g., adding or removing columns from a table).
      • DROP: Permission to delete a database object (e.g., a table or view).
      • EXECUTE: Permission to execute a stored procedure or function.
    3. Granting and Revoking Permissions:

      • GRANT: The GRANT statement is used to assign specific permissions to users or roles.
      • REVOKE: The REVOKE statement is used to remove previously granted permissions from users or roles.

      Example (SQL):

      -- Granting SELECT permission on a table to a user
      GRANT SELECT ON employees TO user1;
      
      -- Revoking INSERT permission from a user
      REVOKE INSERT ON employees FROM user2;
      
    4. Fine-Grained Access Control:

      • Some databases implement more granular access control, allowing permissions to be set at a lower level of the database structure. For example, a user may have permission to access only certain rows of a table or certain columns, based on specific criteria.

      Example: A sales manager may have access to the sales data of their own region, but not to other regions’ sales data.
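    As an added example (not code from the notes), the role and permission model of items 1 to 4 above expressed with Python's sqlite3 module. SQLite has no GRANT statement, so the roles, the permission table and the rule that only HR may read the salary column are constructed here, and enforcement uses the connection's authorizer callback, which SQLite consults while compiling each statement; the block shows statement-level permissions alongside a column-level (fine-grained) rule.

```python
import sqlite3

# Constructed sample data (not from the notes): one table with a sensitive column.
SCHEMA = """
CREATE TABLE employees (id INTEGER, name TEXT, region TEXT, salary INTEGER);
INSERT INTO employees VALUES (1, 'Ann', 'north', 70000), (2, 'Bob', 'south', 65000);
"""

# Role -> statement types it may run, mirroring GRANT SELECT/INSERT/UPDATE/DELETE.
ROLE_PERMS = {
    "hr": {sqlite3.SQLITE_READ, sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE},
    "analyst": {sqlite3.SQLITE_READ},   # read-only; an unknown role such as 'guest' gets nothing
}
# Column-level rule (fine-grained control): only hr may read employees.salary.
COLUMN_READERS = {("employees", "salary"): {"hr"}}

def make_authorizer(role):
    """Build the per-connection callback SQLite consults while compiling each statement."""
    perms = ROLE_PERMS.get(role, set())
    def authorizer(action, arg1, arg2, dbname, trigger):
        if action == sqlite3.SQLITE_READ:                 # arg1=table, arg2=column
            if action not in perms:
                return sqlite3.SQLITE_DENY                # no read privilege at all
            readers = COLUMN_READERS.get((arg1, arg2))
            if readers is not None and role not in readers:
                return sqlite3.SQLITE_IGNORE              # column is returned as NULL
            return sqlite3.SQLITE_OK
        if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE):
            return sqlite3.SQLITE_OK if action in perms else sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK                          # SELECT, FUNCTION, TRANSACTION...
    return authorizer

def open_as(role):
    """Open a seeded in-memory database acting as `role`."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)            # seed before any authorizer is installed
    conn.set_authorizer(make_authorizer(role))
    return conn

def run(conn, sql, params=()):
    """Execute sql; return the rows, or 'denied' when the authorizer rejects it."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError:         # raised when a callback returns SQLITE_DENY
        return "denied"

if __name__ == "__main__":
    for role in ("hr", "analyst", "guest"):
        print(role, run(open_as(role), "SELECT name, salary FROM employees"))
```

    The analyst sees every employee but NULL in the salary column, which is the VPD-style behaviour described earlier: the same query returns different data depending on who runs it.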


    Common Database Security Attacks

    1. SQL Injection: A type of attack where malicious SQL code is inserted into an input field (e.g., in a login form) and executed on the database, potentially giving the attacker unauthorized access to the data.

      • Prevention: Use parameterized queries and prepared statements to prevent injection attacks.
    2. Privilege Escalation: Attackers gain higher privileges than they should have, often by exploiting system vulnerabilities or misconfigurations.

      • Prevention: Regularly review user privileges and ensure the principle of least privilege is followed.
    3. Denial of Service (DoS): Attackers may flood the database with requests, making it unavailable to legitimate users.

      • Prevention: Use firewalls, intrusion detection systems, and load balancers to mitigate DoS attacks.
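    As an added example (not from the notes), the login-form case from item 1 above with the vulnerable query beside its parameterized replacement, using Python's sqlite3 module; the users table and the inputs are constructed. It also shows that binding parameters fixes a plain correctness bug: a legitimate username containing an apostrophe breaks the concatenated query.

```python
import sqlite3

# Constructed toy table (not from the notes). A real system stores a password hash,
# not the password; the point here is only how user input reaches the SQL engine.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('alice', 'correct horse'), ('O''Brien', 'stapler');
""")

def login_concatenated(username, password):
    """Builds the SQL text from user input: the input can change the query's meaning."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterized(username, password):
    """Prepared statement: the SQL text is fixed and inputs are bound as values only."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def attempt(login, username, password):
    """Run one login and report True, False, or 'error' if the SQL failed to parse."""
    try:
        return login(username, password)
    except sqlite3.Error:
        return "error"

# Constructed inputs: the textbook tautology and a legitimate name containing a quote.
TAUTOLOGY = "' OR '1'='1"
if __name__ == "__main__":
    for login in (login_concatenated, login_parameterized):
        print(login.__name__, attempt(login, "nobody", TAUTOLOGY),
              attempt(login, "O'Brien", "stapler"))
```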

    Conclusion

    Database security is a critical aspect of managing a database system, particularly as data breaches and cyberattacks become increasingly common.
