CH-6 Security

Chapter 6 covers database security, focusing on issues, threats, and control measures. It discusses various access control mechanisms, including discretionary, mandatory, and role-based access control, as well as the roles of database administrators in managing security. The chapter emphasizes the importance of protecting data integrity, availability, and confidentiality against both intentional and accidental threats.

Uploaded by

gesgisermias
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
8 views

CH-6 Security

Chapter 6 covers database security, focusing on issues, threats, and control measures. It discusses various access control mechanisms, including discretionary, mandatory, and role-based access control, as well as the roles of database administrators in managing security. The chapter emphasizes the importance of protecting data integrity, availability, and confidentiality against both intentional and accidental threats.

Uploaded by

gesgisermias
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 42

CHAPTER 6

DATABASE SECURITY
Objectives of the Chapter

At the end of Chapter 6 the student should be able to understand:

 Database Security Issues and Threats to Databases
 DB Control Measures
 Discretionary Access Control Based on Granting/Revoking of Privileges
 Mandatory Access Control for Multilevel Security
 Role-Based Access Control
Database Security
 Database security is the set of mechanisms that protect the database against intentional or
accidental threats.
 A threat is any situation or event, whether intentional or accidental, that may adversely affect
the organization.
 A threat can be either a negative "intentional" event (e.g. hacking by an individual cracker or a
criminal organization) or an "accidental" negative event (e.g. a computer malfunction, or a
natural disaster such as an earthquake or a fire).
Database Security Issues
 There are four database security issues:

 Legal and ethical issues: regarding the right to access certain information.
 For example, some information may be considered private and cannot legally be accessed
by unauthorized organizations or persons.

 Policy issues: policy at the governmental, institutional, or corporate level determines what
kinds of information should not be made publicly available and what may be made available.
 For example, personal medical records, bank account statements, etc.
Database Security Issues

 System-related issues: such as the system level at which various security functions
should be enforced.
 For example, whether a security function should be handled at the physical hardware
level, the operating system level, or the DBMS level.

 Identifying multiple security levels: categorizing the data and users based on these
classifications.
 For example, top secret, secret, confidential, and unclassified. The security policy of the
organization with respect to permitting access to various classifications of data must be
Threats to Databases

 Loss of Integrity:
 Database integrity refers to the requirement that information be protected from improper
modification.
 Loss of integrity means that data or an IT system has been modified or destroyed by an
unauthorized entity. This could be the modification of a file, or a change in the configuration of a
system.
 Integrity is lost if unauthorized changes are made to the data by either intentional or accidental
acts.
 If the loss of system or data integrity is not corrected, continued use of the contaminated system or
corrupted data could result in inaccuracy, fraud, or erroneous decisions.
Threats to Databases

 Loss of Availability:
 Database availability refers to making objects (files) available to a human user or a
program that has a legitimate right to them.
 Data should be available in a timely manner whenever it is needed by those with a legitimate right.
 Loss of availability means that database objects are not available to legitimate/authorized users.

 Loss of Confidentiality:
 Database confidentiality refers to the protection of data from unauthorized disclosure.
 It is also the protection of information in the system so that an unauthorized person
cannot access it.
 Unauthorized disclosure could result in loss of public confidence or embarrassment.
Control Measures

 To protect databases against the different types of threats, it is common to implement
four kinds of control measures:
 Access control
 Inference control
 Flow control
 Encryption
1. Access Control

 Access control is a security feature that controls how users and systems communicate
and interact with one another.

 It also controls who gets into and out of the system, and who uses which resources and
to what extent.

 The security mechanism of a DBMS must include provisions for restricting access
to the database system as a whole.

 It is handled by creating user accounts and passwords to control the login
process of the DBMS.
2. Inference Control

 It is the security problem associated with controlling access to a statistical database.

 Statistical databases are used mainly to produce statistics about various populations. (A
population is a set of tuples of a relation (table) that satisfy some selection condition.)

 Statistical users are not allowed to retrieve individual data, such as the income of a specific
person.

 Statistical users are permitted to retrieve statistical information about the populations, such as
averages, sums, counts, maximums, minimums, and standard deviations.

 The security problem is that a sequence of permitted statistical queries may be combined to
infer values for individual tuples, so the DBMS must control which statistical queries it answers.
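Worked example (added here; it is not part of the original slides): a Python model of a statistical database on top of sqlite3. The EMPLOYEE rows, the column names and the minimum query-set size of 3 are constructed assumptions. It shows the simplest inference control, refusing any statistic computed over too few tuples, and then shows its limit: two queries that each pass the check but whose populations differ by exactly one tuple (a "tracker") still reveal that one person's salary.

```python
import sqlite3

# Constructed sample data (not from the original slides): a small EMPLOYEE
# relation that statistical users may only query in aggregate.
EMPLOYEES = [
    ("Smith",   5, "F", 52000),
    ("Wong",    5, "M", 61000),
    ("Zelaya",  4, "F", 48000),
    ("Wallace", 4, "F", 55000),
    ("Narayan", 5, "M", 59000),
    ("English", 4, "M", 47000),
    ("Jabbar",  5, "M", 64000),
    ("Borg",    1, "M", 99000),   # the only employee in department 1
]

MIN_QUERY_SET = 3   # assumed policy: no statistic over fewer than 3 tuples


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee(name TEXT, dno INTEGER, sex TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn


def stat_query(conn, agg, condition, params=()):
    """Aggregate `agg` over the population selected by `condition`.

    The inference control implemented here is the minimum query-set size:
    the statistic is refused if it would be computed over too few tuples.
    `agg` and `condition` are trusted constants in this demo; a real statistical
    front end would parse and validate them instead of interpolating them.
    """
    if agg not in ("SUM", "AVG", "COUNT", "MAX", "MIN"):
        raise ValueError("unsupported aggregate")
    size = conn.execute(f"SELECT COUNT(*) FROM employee WHERE {condition}", params).fetchone()[0]
    if size < MIN_QUERY_SET:
        raise PermissionError(f"refused: query set has {size} tuple(s), minimum is {MIN_QUERY_SET}")
    return conn.execute(f"SELECT {agg}(salary) FROM employee WHERE {condition}", params).fetchone()[0]


def direct_attack(conn=None):
    """Ask for a 'statistic' over a population of one tuple: refused by the size check."""
    conn = conn if conn is not None else make_db()
    try:
        return stat_query(conn, "SUM", "dno = ?", (1,))
    except PermissionError as err:
        return str(err)


def tracker_attack(conn=None):
    """Two queries that each pass the size check, but whose populations differ
    by exactly one tuple (Borg); their difference is Borg's individual salary."""
    conn = conn if conn is not None else make_db()
    all_men = stat_query(conn, "SUM", "sex = ?", ("M",))                       # 5 tuples
    men_except_borg = stat_query(conn, "SUM", "sex = ? AND dno <> ?", ("M", 1))  # 4 tuples
    return all_men - men_except_borg
```

The tracker result is why query-set-size limits are only the first line of inference control: a statistical DBMS also has to limit the overlap between successive query sets, or perturb the answers it returns, before an individual value is safe.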
3. Flow Control

 It prevents information from flowing in such a way that it reaches unauthorized users.

 A flow policy specifies the channels along which information is allowed to move.
 The simplest flow policy specifies just two classes of information:
 confidential (C) and non-confidential (N),
 and allows all flows except those from class C to class N.

 Covert channels are pathways for information to flow implicitly in ways that
violate the security policy of an organization.
4. Data Encryption

 It is used to protect sensitive data (such as credit card numbers) that is being
transmitted over some type of communication network.
 The data is encoded using some encoding (encryption) algorithm.

 An unauthorized user who accesses the encoded data will have difficulty deciphering it,
 but authorized users are given decoding or decrypting algorithms (or keys) to
decipher the data.
Cont’d
Terminology
 Plain text (or clear text): Intelligible data that has meaning and can be read or
acted upon without the application of decryption.
 Cipher text: Encrypted (enciphered) data.

 Encryption: The process of transforming plaintext into cipher text.

 Decryption: The process of transforming cipher text back into plaintext.

Cont’d

1. Symmetric Key Encryption Algorithms:

 A symmetric key is a single key that is used for both encryption and
decryption.
 A message encrypted with a secret key can be decrypted only with the
same secret key.
Cont’d
2. Public Key Encryption Algorithms:
 In a public key algorithm, two keys are used for encryption/decryption: a
public key and a private key.
 The public key can be transmitted in a non-secure way, whereas the private key
is not transmitted at all.
 The public key and the private key are used to perform complementary operations
(encryption and decryption).
 These algorithms are also known as asymmetric key encryption algorithms.
Database Security and the Database Administrator (DBA)

 The Database Administrator (DBA) is the central authority for managing a
database system.
 The DBA is responsible for the overall security of the database system.

 The DBA has a DBA account in the DBMS, sometimes called a system or
superuser account, which provides powerful capabilities that are not made
available to regular database accounts and users.
Cont’d

 DBA-privileged commands include commands for performing the
following types of actions:
 Action 1: Account creation. This action creates a new account and
password for a user or a group of users to enable access to the DBMS.
 Action 2: Privilege granting. This action permits the DBA to grant certain
privileges to certain accounts.

Cont’d

 Action 3: Privilege revocation. This action permits the DBA to revoke
(cancel) certain privileges that were previously given to certain accounts.
 Action 4: Security level assignment. This action consists of assigning user
accounts to the appropriate security clearance level.
Database Audits
 A database audit consists of the DBA reviewing the system log to examine all accesses and
operations applied to the database during a certain time period; it shows who accessed what on
the DB, and when.

 When an illegal or unauthorized operation is found, the DBA can determine the account
number used to perform the operation.

 Database audits are particularly important for sensitive databases that are updated by
many transactions and users, such as a banking database that is updated by many bank
tellers.

 A database log that is used mainly for security purposes is sometimes called an audit trail.
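Worked example (added here; not part of the original slides): a small Python audit-trail review. The log lines are constructed, and their format (an ISO timestamp followed by key=value fields) is an assumption; the privilege table is the state reached by the GRANT statements of this chapter's A1..A4 example. The review compares each recorded operation with what the account was actually granted, which is the step that lets the DBA trace an unauthorized operation back to an account.

```python
import re
from collections import Counter

# Constructed audit-trail lines (not from the original slides). The record
# format is an assumption: ISO timestamp followed by key=value fields.
AUDIT_TRAIL = """\
2024-03-04T09:12:03Z account=A2 op=INSERT object=EMPLOYEE rows=1
2024-03-04T09:12:41Z account=A3 op=SELECT object=DEPARTMENT rows=12
2024-03-04T09:13:07Z account=A4 op=UPDATE object=EMPLOYEE rows=1 columns=Salary
2024-03-04T09:15:55Z account=A4 op=DELETE object=EMPLOYEE rows=40
2024-03-04T09:16:02Z account=A2 op=SELECT object=EMPLOYEE rows=400
2024-03-04T09:20:19Z account=A9 op=SELECT object=EMPLOYEE rows=400
""".splitlines()

# Privileges as they stand after the GRANT statements in this chapter's
# A1..A4 example (A1 owns both tables; "*" stands for every privilege).
GRANTED = {
    "A1": {("*", "EMPLOYEE"), ("*", "DEPARTMENT")},
    "A2": {("INSERT", "EMPLOYEE"), ("DELETE", "EMPLOYEE"),
           ("INSERT", "DEPARTMENT"), ("DELETE", "DEPARTMENT")},
    "A3": {("SELECT", "EMPLOYEE"), ("SELECT", "DEPARTMENT")},
    "A4": {("SELECT", "EMPLOYEE"), ("UPDATE", "EMPLOYEE")},
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.+)$")


def parse_record(line):
    """Turn one audit line into a dict: {'ts': ..., 'account': ..., 'op': ..., 'object': ...}."""
    match = LINE_RE.match(line)
    if match is None:
        raise ValueError(f"malformed audit record: {line!r}")
    record = dict(field.split("=", 1) for field in match.group("fields").split())
    record["ts"] = match.group("ts")
    return record


def is_authorized(account, op, obj):
    privs = GRANTED.get(account, set())      # unknown accounts hold nothing
    return ("*", obj) in privs or (op, obj) in privs


def review_audit_trail(lines):
    """Return (ts, account, op, object) for every operation the account was
    not granted: the who/when/what the DBA needs to follow up a violation."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if not is_authorized(rec["account"], rec["op"], rec["object"]):
            findings.append((rec["ts"], rec["account"], rec["op"], rec["object"]))
    return findings


def operations_per_account(lines):
    """Who did how much over the period covered by `lines`."""
    return Counter(parse_record(line)["account"] for line in lines)
```

On the constructed trail the review flags A4's DELETE (A4 holds only SELECT and UPDATE), A2's SELECT (A2 holds only INSERT and DELETE) and everything done by the unknown account A9; the row counts that survive in the records are what a reviewer would use next to judge the damage.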
Authorization Subsystem

 There are 3 different authorization subsystems:

1. Discretionary Access Control
2. Mandatory Access Control
3. Role-Based Access Control
1. Discretionary Access Control Based on Granting and Revoking Privileges

 These are used to grant privileges to users, including the capability to
access specific data files, records, or fields in a specified mode or
operation (such as read, insert, delete, or update).
 The main idea is to include statements in the query language that allow
the DBA and selected users to grant and revoke privileges.
Cont’d

 Informally, there are two levels for assigning privileges to use the database
system:
 The account level: at this level, the DBA specifies the particular privileges
that each account holds independently of the relations in the database.
 The relation (or table) level: at this level, the DBA can control the
privilege to access each individual relation or view in the database.
Cont’d

 The access matrix model is an authorization model for discretionary privileges,
used for granting and revoking privileges.

 In the access matrix model, the rows of a matrix M represent subjects (users,
accounts, programs) and the columns represent objects (relations, records, views,
operations).

 Each position M(i, j) in the matrix represents the types of privileges (read, write,
update) that subject i holds on object j.

 The owner of a relation is given all privileges on that relation.

Cont’d

 The owner account holder can pass privileges on any of the owned relations to other users
by granting privileges to their accounts.

 In SQL, the GRANT command gives a user an access privilege on the DB.

 The mechanism of views is an important discretionary authorization mechanism in its own
right.

 For example, if the owner A of a relation R wants another account B to be able to retrieve
only some fields of R, then A can create a view V of R that includes only those attributes
and then grant SELECT on V to B.
Cont’d

 In some cases it is desirable to grant a privilege to a user temporarily.

 For example, the owner of a relation may want to grant the SELECT privilege to a user
for a specific task and then revoke that privilege once the task is completed.

 In SQL, the REVOKE command is included for the purpose of cancelling privileges.

 Whenever the owner A of a relation R grants a privilege on R to another account B, the
privilege can be given to B with or without the GRANT OPTION.

Cont’d

 If the GRANT OPTION is given, this means that B can also grant that privilege on R to
other accounts.

 In this way, privileges on R can propagate to other accounts without the knowledge of the
owner of R.

 If the owner account A now revokes the privilege granted to B, all the privileges that B
propagated based on that privilege should automatically be revoked by the system.
Cont’d
 In SQL, the GRANT command gives a user an access privilege on the DB.
 Syntax:

GRANT <Privilege List>
ON <Relation or View Name>
TO <User/Role List>;

 Example:

GRANT ALL ON Employee TO ABC;

 In SQL, the REVOKE command is included for cancelling previously granted privileges.
 Syntax:

REVOKE <Privilege List>
ON <Relation or View Name>
FROM <User/Role List>;

 Example:

REVOKE UPDATE ON Employee FROM ABC;


Example:

 Assume the DBA creates four user accounts: A1, A2, A3, A4.

1. The DBA allows A1 to create tables/relations.

 GRANT CREATE TABLE TO A1; (account privilege)

 CREATE TABLE is an account-level privilege, so it is granted without an ON clause.

 Assume A1 creates the Employee and Department tables and hence has all the privileges on each
of them.

2. Account A1 wants to grant to account A2 the privilege to insert and delete tuples in both of these
relations. However, A1 does not want A2 to be able to propagate these privileges to additional
accounts.
 GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;
Example:

3. A1 wants to allow account A3 to retrieve information from either of the two
tables and also to be able to propagate the SELECT privilege to other accounts.
 GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;

4. A3 wants to grant the SELECT privilege on the EMPLOYEE relation to A4.

 GRANT SELECT ON EMPLOYEE TO A4;

 Here A4 cannot propagate the SELECT privilege to other accounts, because it was granted
without the GRANT OPTION.
Example:

5. A1 wants to revoke the SELECT privilege on the EMPLOYEE relation from A3:
 REVOKE SELECT ON EMPLOYEE FROM A3;

 The DBMS now revokes the SELECT privilege on EMPLOYEE from A3,
and it also automatically revokes the SELECT privilege on EMPLOYEE
from A4, since A4's privilege was propagated by A3.
Example:

6. Suppose that A1 wants to give A3 a limited capability to SELECT only the Name,
Bdate, and Address attributes and only for the tuples with Dno = 5 from the EMPLOYEE
relation, and wants to allow A3 to be able to propagate the privilege. The concept of a view
can be used for this.

 A1 can create the following view:

CREATE VIEW A3EMPLOYEE AS
SELECT Name, Bdate, Address
FROM EMPLOYEE
WHERE Dno = 5;
Example:

 After the view is created, A1 can grant SELECT on the view A3EMPLOYEE to A3 as
follows:

 GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION;

7. A1 wants to allow A4 to update only the Salary attribute of EMPLOYEE:

 GRANT UPDATE (Salary) ON EMPLOYEE TO A4;

 (Standard SQL places the column list after the privilege name.)
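Worked example (added here; not part of the original slides): a Python model of GRANT/REVOKE with the GRANT OPTION, used to replay steps 1 to 5 of the A1..A4 example above. The class and function names are mine; the account and table names are the slides'. The point it adds is how the cascade in step 5 is computed: a grant is valid only while its grantor can be traced back to the owner through grants that carry the GRANT OPTION, so revoking A3's privilege silently removes what A3 passed to A4. The example goes one step beyond the slides by also checking the case where two accounts grant the privilege to each other in a cycle.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    priv: str          # e.g. "SELECT", "INSERT", "DELETE", "UPDATE"
    obj: str           # relation or view name
    grant_option: bool


class PrivilegeStore:
    """Owner-rooted model of SQL GRANT / REVOKE with GRANT OPTION cascade."""

    def __init__(self):
        self.owner = {}        # obj -> owning account; the owner holds every privilege
        self.grants = set()

    def create_table(self, account, obj):
        self.owner[obj] = account

    def _supported(self):
        # A grant is valid only if its grantor is the owner, or is reachable from
        # the owner through a chain of grants on the same privilege and object
        # that all carry GRANT OPTION. Starting from the owner (rather than from
        # the grants themselves) means a cycle of mutual grants cannot keep
        # itself alive once the owner's grant into the cycle is revoked.
        supported = set()
        while True:
            new = {g for g in self.grants - supported
                   if g.grantor == self.owner.get(g.obj)
                   or any(s.grantee == g.grantor and s.priv == g.priv
                          and s.obj == g.obj and s.grant_option for s in supported)}
            if not new:
                return supported
            supported |= new

    def has_privilege(self, account, priv, obj, with_grant_option=False):
        if self.owner.get(obj) == account:
            return True
        return any(g.grantee == account and g.priv == priv and g.obj == obj
                   and (g.grant_option or not with_grant_option)
                   for g in self._supported())

    def grant(self, grantor, grantee, priv, obj, grant_option=False):
        if not self.has_privilege(grantor, priv, obj, with_grant_option=True):
            raise PermissionError(f"{grantor} cannot grant {priv} on {obj}")
        self.grants.add(Grant(grantor, grantee, priv, obj, grant_option))

    def revoke(self, grantor, grantee, priv, obj):
        # Drop this grant, then everything propagated on the strength of it.
        self.grants = {g for g in self.grants
                       if (g.grantor, g.grantee, g.priv, g.obj) != (grantor, grantee, priv, obj)}
        self.grants = self._supported()


def chapter_example():
    """Replay steps 1-5 of the slides' A1..A4 example and return the store."""
    db = PrivilegeStore()
    for table in ("EMPLOYEE", "DEPARTMENT"):
        db.create_table("A1", table)                               # step 1: A1 owns both
        db.grant("A1", "A2", "INSERT", table)                      # step 2: no GRANT OPTION
        db.grant("A1", "A2", "DELETE", table)
        db.grant("A1", "A3", "SELECT", table, grant_option=True)   # step 3: WITH GRANT OPTION
    db.grant("A3", "A4", "SELECT", "EMPLOYEE")                     # step 4
    db.revoke("A1", "A3", "SELECT", "EMPLOYEE")                    # step 5: cascades to A4
    return db
```

Real DBMSs expose the same choice as REVOKE ... CASCADE versus REVOKE ... RESTRICT in the SQL standard: CASCADE performs the propagation shown above, RESTRICT refuses the revoke while dependent grants exist.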
2. Mandatory Access Control

 Mandatory access control is a security mechanism that classifies data and users based
on security classes.

 This approach is typically combined with the discretionary access control
mechanisms.

 Typical security classes are top secret (TS), secret (S), confidential (C), and unclassified
(U), where TS is the highest level and U the lowest.

 For simplicity, TS ≥ S ≥ C ≥ U.
Cont’d

 The Bell-LaPadula model is a model for multilevel security. It classifies each
subject (user, account, program) and object (relation, tuple, column, view,
operation) into one of the security classifications TS, S, C, or U.
 The classification of a subject S is referred to as class(S) and the classification
of an object O as class(O).
Cont’d

 Based on the subject/object classifications, two restrictions are enforced on
data access:

1. A subject S is not allowed read access to an object O unless class(S) ≥
class(O). This is known as the simple security property (no read up).

2. A subject S is not allowed to write an object O unless class(S) ≤ class(O).
This is known as the star property (or * property) (no write down).
Example

 Consider the instance of the Boats table shown below. Users with S
and TS clearance get both rows in the answer when they ask to see all rows in
Boats.
 A user with C clearance gets only the second row, and a user with U
clearance gets no rows.

Boats Table

BID   BName   Bcolor   Security class
101   salsa   black    S
102   pinto   brown    C
Example

[Figure: the multilevel EMPLOYEE relation with tuple and attribute classifications, fig (a), and the same relation as filtered for a user with clearance C, fig (b).]
Cont’d

 Assume that the Name attribute is the apparent key, and consider the query SELECT * FROM
EMPLOYEE.

 A user with security clearance S would see the same relation as shown in fig (a), since all tuple
classifications are less than or equal to S.

 A user with security clearance C would not be allowed to see the values for Salary of 'Brown' and
Job_performance of 'Smith', since they have a higher classification. The tuples would be filtered to
appear as shown in fig (b), with Salary and Job_performance appearing as null.

 For a user with security clearance U, the filtering allows only the Name attribute of 'Smith' to
appear, with all the other attributes appearing as null. Thus, filtering introduces null values for
attribute values whose security classification is higher than the user's security clearance.
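Worked example (added here; not part of the original slides) in Python: the two Bell-LaPadula checks, the filtering of a multilevel relation by clearance, and the two-class flow policy from the Flow Control slide. The Boats rows are the slides' own; the EMPLOYEE rows are constructed, with classifications chosen so that the result matches the slide text above (Brown's Salary and Smith's Job_performance are above C, and a U user sees only Smith's Name). The rule that a tuple is dropped entirely when its apparent key is classified above the clearance, and otherwise shown with higher-classified attributes as null, is the filtering behaviour the text describes.

```python
LEVEL = {"U": 0, "C": 1, "S": 2, "TS": 3}   # unclassified < confidential < secret < top secret


def can_read(subject_class, object_class):
    # Simple security property: no read up.
    return LEVEL[subject_class] >= LEVEL[object_class]


def can_write(subject_class, object_class):
    # Star property: no write down.
    return LEVEL[subject_class] <= LEVEL[object_class]


def filter_relation(rows, key, clearance):
    """Return what a user with `clearance` sees of a multilevel relation.

    rows: list of dicts  attribute -> (value, classification).
    A tuple is visible only if its apparent key is classified at or below the
    clearance; every other attribute above the clearance is replaced by None.
    """
    visible = []
    for row in rows:
        if not can_read(clearance, row[key][1]):
            continue                              # whole tuple hidden
        visible.append({attr: (value if can_read(clearance, cls) else None)
                        for attr, (value, cls) in row.items()})
    return visible


# The Boats instance from the slides: one classification covers the whole tuple.
BOATS = [
    {"BID": (101, "S"), "BName": ("salsa", "S"), "Bcolor": ("black", "S")},
    {"BID": (102, "C"), "BName": ("pinto", "C"), "Bcolor": ("brown", "C")},
]

# Constructed attribute-level EMPLOYEE instance (the slides' figure did not survive
# extraction); classifications are chosen to reproduce the behaviour the text describes.
EMPLOYEE = [
    {"Name": ("Smith", "U"), "Salary": (40000, "C"), "Job_performance": ("Fair", "S")},
    {"Name": ("Brown", "C"), "Salary": (80000, "S"), "Job_performance": ("Good", "C")},
]

FLOW_LEVEL = {"N": 0, "C": 1}   # the two-class flow policy from the Flow Control slide


def flow_allowed(source_class, dest_class):
    # Information may move between classes only if it does not descend;
    # with the classes N < C this forbids exactly the flow C -> N.
    return FLOW_LEVEL[source_class] <= FLOW_LEVEL[dest_class]
```

Note that filtering must be done by the DBMS on every query path (views, joins, aggregates included); the star property is what stops a TS process from copying what it read into a U-classified object where the filter would no longer protect it.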
3. Role-Based Access Control

 Role: a named group of related privileges that can be granted to users.

 This method makes it easier to revoke and maintain privileges.

 A user can have access to several roles, and several users can be assigned the same role.

 Its basic notion is that privileges and other permissions are associated with organizational
roles, rather than with individual users.

 Roles can be created using the CREATE ROLE command and removed by the DROP ROLE command.

 The GRANT and REVOKE commands can then be used to assign and revoke (cancel)
privileges for roles, as well as for individual users when needed.
Creating and Assigning a Role:

 First the DBA must create the role. Then the DBA can assign privileges to the role and assign the
role to users.
 Syntax: CREATE ROLE role_name;

 Example:

 To create a role: CREATE ROLE MANAGER;

 Grant privileges to the role: GRANT CREATE TABLE, CREATE VIEW TO MANAGER;

 Grant the role to users: GRANT MANAGER TO TOM; (if TOM is a user)
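Worked example (added here; not part of the original slides): a Python model of the CREATE ROLE / GRANT ... TO role / GRANT role TO user / DROP ROLE sequence above. The class and function names are mine, the MANAGER role and the user TOM are the slides', and the user ANN and the object "*" (used for account-level privileges such as CREATE TABLE) are assumptions. What it shows that the prose only states is the maintenance benefit: a privilege added to or removed from the role, or the role dropped, changes every member's effective privileges in one step.

```python
class RoleStore:
    """Roles as named bundles of privileges that are assigned to users."""

    def __init__(self):
        self.roles = {}      # role -> set of (privilege, object); "*" = account level
        self.members = {}    # user -> set of roles held

    def create_role(self, role):                       # CREATE ROLE role
        if role in self.roles:
            raise ValueError(f"role {role} already exists")
        self.roles[role] = set()

    def drop_role(self, role):                         # DROP ROLE role
        del self.roles[role]
        for held in self.members.values():
            held.discard(role)                         # withdrawn from every member at once

    def grant_to_role(self, role, *privs):             # GRANT priv, ... TO role
        self.roles[role].update(privs)

    def revoke_from_role(self, role, *privs):          # REVOKE priv, ... FROM role
        self.roles[role].difference_update(privs)

    def grant_role(self, role, user):                  # GRANT role TO user
        if role not in self.roles:
            raise ValueError(f"unknown role {role}")
        self.members.setdefault(user, set()).add(role)

    def revoke_role(self, role, user):                 # REVOKE role FROM user
        self.members.get(user, set()).discard(role)

    def effective_privileges(self, user):
        # A user holding several roles gets the union of their privileges.
        return set().union(*(self.roles[r] for r in self.members.get(user, set())))

    def is_allowed(self, user, priv, obj):
        return (priv, obj) in self.effective_privileges(user)


def manager_example():
    """The slides' sequence: create MANAGER, grant it privileges, grant it to TOM."""
    store = RoleStore()
    store.create_role("MANAGER")
    store.grant_to_role("MANAGER", ("CREATE TABLE", "*"), ("CREATE VIEW", "*"))
    store.grant_role("MANAGER", "TOM")
    return store
```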
Database Survivability

 A DBMS, in addition to making every effort to prevent an attack and to detect one in the event
of its occurrence, should be able to do the following:
 Confinement: Take immediate action to eliminate the attacker's access to the system and to
prevent further spread.
 Damage assessment: Determine the extent of the problem, including failed functions and
corrupted data.
 Reconfiguration: Reconfigure to allow operation to continue in a degraded mode while
recovery proceeds.
 Repair: Recover corrupted or lost data and repair or reinstall failed system functions to
re-establish a normal level of operation.
 Fault treatment: To the extent possible, identify the weaknesses exploited in the attack and
take steps to prevent a recurrence.
Thank You!
