Database Security
Database Management
McFadden & Hoffer, Chapter 9
Database Systems
Connolly, Begg & Strachan, Chapter 16
Overview
• Definition
– Reasons for security
– Issues
• Types of security
– Effective security
– System Requirements
• Database Security
– Questions to ask when considering security
– Database-independent measures
– Database-dependent measures
– Security in SQL
Database Security
• Definition
– “Security protects data from intentional or
accidental misuse or destruction, by controlling
access to the data.”
• Stamper & Price
– “Database security is concerned with the ability of
the system to enforce a security policy governing
the disclosure, modification or destruction of
information.”
• Pangalos
Moral/Ethical
There may be moral reasons for controlling who has access to
information. For example, medical records are confidential because
of people’s right to privacy.
Legal Requirements
The UK Data Protection Act requires companies that hold personal data to
register with the Data Protection Registrar. The Act imposes constraints on how
the information may be used and on who may have access to it. Information
about individuals must be accurate, up to date and available for inspection
by the individuals concerned.
Commercial Security
Information held by companies is a valuable resource which may be
useful to competitors. For example, a list of customers who have
bought insurance policies may be valuable to other insurance
companies.
Fraud/Sabotage
Information may be misused, for example for insider dealing, or deliberately
altered in order to mislead.
Mistakes
Many problems are not malicious but are caused by users accidentally
changing the data.
Issues
• Confidentiality
– information is only disclosed to authorised users
• Integrity
– information is only modified by authorised users
• Availability
– information is accessible to authorised users when they need it
Types of Security
• Authorisation Policies
– Disclosure and modification of data
• Data Consistency Policies
– Consistency and correctness of data
• Availability Policies
– Availability of information to users
• Identification/Authentication/Audit Policies
– Establishing who a user is, verifying that claim, and recording what
the user does
System Requirements
• S/W and H/W around the database
– All aspects of the system must be considered
• Data Integrity
– All data must be correct and consistent
– User must trust database content
• Data Availability
– Fault tolerance, redundancy, etc
• Auditing
– Useful but not excessive
Constraints
• Security constraints
– Authorisation controls
– Stored in the data dictionary
– DBMS monitors constraints
• Integrity constraints
– Consistency controls
– Stored in the data dictionary
– DBMS monitors integrity
Security Questions
• How valuable is the data?
• Which data must be secured?
• What will illegal access to the data cost?
• What are the implications of changed/destroyed
data?
• Will security measures affect the proper
functioning of the database?
• How can unauthorised access occur?
We ask a set of questions about the database when we are selecting the type
of security to impose.
How valuable is the data?
Different types of data need different levels of security.
Publicly available data, for example, stock prices, do not
require the same level of security as private data, for example,
employee salaries.
What will illegal access to the data cost?
If a piece of data has a high value, for example, information
about the performance of a company, then illegal access may
be very costly. The cost of ‘losing’ the data determines how
much security is required.
What are the implications of changed/destroyed data?
If losing a piece of data has disastrous consequences then the
security must be higher. For example, if a sales person builds
up a customer list over many years then losing the list to a
competitor could be very costly.
Will security measures affect the proper functioning of the database?
If security stops legitimate individuals from accessing the
data, then it may not be suitable.
• Controlling access
– Users and roles
• Username/password
• Groups
– Schemas
• Set of tables, etc. owned by a user
• Controlling behaviour
– Privileges
• Rights to access the DBMS
• Controlling integrity
– Integrity constraints
Controlling Access
• Discretionary Access Control
– Users
• A name that can connect and access objects in the
database
• Users log in using a name (and password)
– Schema
• A collection of objects associated with a user
– e.g. tables, views, indexes, procedures, etc.
• Access to objects in a schema is granted at the discretion of the
schema's owner (hence "discretionary")
Controlling Behaviour
• Privileges
– “the right to execute a particular SQL statement or
to access another user’s object”
• Oracle Concepts Manual
• Types
– Connecting to the DBMS
– Creating objects
• Tables, views, etc.
– Accessing/changing data
– Executing procedures
• We give users the right to access data in the database by allocating
privileges to them. There are many different types of privilege. Every user
must be given the privilege to connect to the database; other privileges, such
as the right to create tables, should be granted only to the users whose work
requires them, so that each account holds the least privilege it needs.
Privileges - SQL
• GRANT command
– Provides privileges to access data
– Format
GRANT {SELECT, INSERT, UPDATE, DELETE}
ON tablename TO username
– Example
• Grant Smith the right to select from and insert into dept:
GRANT SELECT, INSERT ON dept TO smith;
Privileges - SQL
• REVOKE command
– Removes privileges to access a table
– Format
REVOKE {SELECT, INSERT, UPDATE, DELETE}
ON tablename FROM username
– Example
• Remove Smith's right to insert into or delete from emp:
REVOKE INSERT, DELETE ON emp FROM smith;
Managing Privileges
• Problem
– Large numbers of users
• Each with many privileges
– Cannot add privileges to every individual
• Roles
– Named groups of related privileges that are granted
to users
– Allocate roles to users
• Example
– role BBIT2A allows users to create tables and add data
– role BBIT4A allows users to create procedures
Roles
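The GRANT, REVOKE and Roles slides above describe one procedure: create an account, bundle privileges into roles, grant the roles, and take privileges away again. The following Oracle-style script is an added example and is not part of the original slides. It uses the dept and emp tables, the user smith and the roles BBIT2A/BBIT4A named on the slides; the password, the tablespace name USERS and the quota are illustrative assumptions, and the final queries against the DBA_* views assume the script is run by an administrator.

```sql
-- Added example (not from the original slides): least-privilege setup with roles.
-- Assumptions: dept and emp belong to the user running the script; the password,
-- the USERS tablespace and the 10M quota are placeholders.

-- 1. Account: connecting is itself a privilege (CREATE SESSION), so a new
--    user can do nothing at all until something is granted.
CREATE USER smith IDENTIFIED BY "Ch4nge-Me-On-First-Login";

-- 2. Roles bundle privileges: grant privileges to the role, then the role to users.
CREATE ROLE bbit2a;                               -- "create tables, add data"
GRANT CREATE SESSION, CREATE TABLE TO bbit2a;
GRANT SELECT, INSERT ON dept TO bbit2a;

CREATE ROLE bbit4a;                               -- "create procedures"
GRANT CREATE SESSION, CREATE PROCEDURE TO bbit4a;

GRANT bbit2a TO smith;
ALTER USER smith QUOTA 10M ON users;              -- CREATE TABLE needs space to work

-- 3. Direct object privileges for one-off needs. Under discretionary access
--    control a grantee who receives WITH GRANT OPTION can pass the privilege
--    on to anyone, so leave the option off unless delegation is intended.
GRANT SELECT ON emp TO smith;
-- GRANT SELECT ON emp TO smith WITH GRANT OPTION;  -- avoid by default

-- 4. Taking privileges away. Revoking an object privilege cascades down any
--    WITH GRANT OPTION chain; revoking a role does not remove privileges the
--    same user also received directly.
REVOKE SELECT ON emp FROM smith;
REVOKE bbit2a FROM smith;

-- 5. Check what is actually in force rather than trusting the script.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('BBIT2A', 'BBIT4A');

SELECT grantee, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee IN ('SMITH', 'BBIT2A');

SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'SMITH';
```

The three catalogue queries at the end are the audit step the slides call "useful but not excessive": after any change to roles or grants, confirm the resulting privilege set against what the policy intended, paying particular attention to any row where GRANTABLE is YES.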
Controlling Integrity
• Integrity Constraints
– Keys
– Value checks
• e.g. CHECK (salary < 50000)
• Declaring Primary/Foreign Keys
CREATE TABLE employee (
    empno   NUMBER,
    ename   CHAR(20),
    salary  NUMBER,
    deptno  NUMBER,
    PRIMARY KEY (empno),
    FOREIGN KEY (deptno) REFERENCES department
);
• In Oracle the most important declarative constraints are primary keys
and foreign keys.
• The primary key declaration requires that each tuple in a relation is
uniquely identifiable by the declared primary key. That is, every row in the
table must have a distinct, non-null primary key value. Oracle enforces this
constraint and returns an error if an attempt is made to add a record whose
primary key value already exists.
• The foreign key declaration requires that every non-null value of the
foreign key attribute exists as a primary key value in the referenced table.
In the above example, employees can only belong to departments which already
exist in the department table, and a department cannot be deleted while
employees still refer to it.
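To make the enforcement described above concrete, here is an added example (not part of the original slides) that creates the department and employee tables with named constraints and then issues statements the DBMS rejects. The columns and the 50000 salary limit come from the slides; the constraint names, the department table's dname column and the sample rows are illustrative, and the error codes in the comments are the ones Oracle raises for each violation.

```sql
-- Added example (not from the original slides): integrity constraints in action.
-- Assumptions: constraint names, the dname column and all sample rows are made up.

CREATE TABLE department (
    deptno  NUMBER,
    dname   VARCHAR2(30) NOT NULL,
    CONSTRAINT department_pk PRIMARY KEY (deptno)
);

CREATE TABLE employee (
    empno   NUMBER,
    ename   CHAR(20),
    salary  NUMBER,
    deptno  NUMBER,
    CONSTRAINT employee_pk  PRIMARY KEY (empno),               -- also forbids NULL
    CONSTRAINT employee_sal CHECK (salary < 50000),             -- value check from the slide
    CONSTRAINT employee_fk  FOREIGN KEY (deptno) REFERENCES department (deptno)
);

INSERT INTO department VALUES (10, 'Accounting');
INSERT INTO employee   VALUES (7369, 'Smith', 800, 10);       -- accepted

-- Each statement below is rejected by the DBMS regardless of which client
-- or application sends it, which is why constraints belong in the schema
-- rather than only in application code.
INSERT INTO employee VALUES (7369, 'Jones', 950, 10);         -- ORA-00001: duplicate primary key
INSERT INTO employee VALUES (7499, 'Allen', 1600, 40);        -- ORA-02291: no department 40
INSERT INTO employee VALUES (7521, 'Ward', 60000, 10);        -- ORA-02290: salary check fails
INSERT INTO employee VALUES (NULL, 'King', 5000, 10);         -- ORA-01400: primary key cannot be NULL
DELETE FROM department WHERE deptno = 10;                     -- ORA-02292: employees still reference it

-- The parent row can only go once no child rows refer to it.
DELETE FROM employee   WHERE deptno = 10;
DELETE FROM department WHERE deptno = 10;
```

Naming the constraints is deliberate: the name appears in the error message, so a failed statement in an application log can be traced back to the exact rule that was violated instead of an auto-generated SYS_C identifier.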
Views
• A named query that behaves like a table derived from other tables
– A view stores no data of its own
– The database executes the view's query each time the view is accessed
• Why?
– Restrict the rows that are visible
– Reduce the number of columns
– Simplify the database
• Create calculated fields
• Hide complex joins
– Simplify complex queries
Views - Example
CREATE VIEW staff (empno, ename, job, mgr, deptno)
AS
SELECT empno, ename, job, mgr, deptno FROM emp;
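The slide's staff view restricts columns. The following added example (not part of the original slides) carries the idea through to the point a practitioner cares about: a second view that restricts rows per user, and privileges granted on the views rather than on emp itself. It assumes the standard scott.emp layout, in which emp also holds sal and comm columns that the staff view omits, and assumes that ename matches the Oracle login name; the role name staff_reader and the user smith are illustrative.

```sql
-- Added example (not from the original slides): views as an access-control layer.
-- Assumptions: emp is the standard scott.emp table owned by the user running
-- this; ename equals the Oracle username; staff_reader and smith are placeholders.

-- Column restriction: the slide's view, which leaves out sal and comm.
CREATE OR REPLACE VIEW staff (empno, ename, job, mgr, deptno) AS
    SELECT empno, ename, job, mgr, deptno FROM emp;

-- Row restriction: each user sees only the employees of their own department.
-- USER is the authenticated session name, so the client cannot choose it.
-- WITH CHECK OPTION stops an INSERT or UPDATE through the view from producing
-- a row the view would not show (e.g. moving someone to another department).
CREATE OR REPLACE VIEW my_dept_staff AS
    SELECT empno, ename, job, mgr, deptno
      FROM emp
     WHERE deptno = (SELECT deptno FROM emp WHERE ename = USER)
    WITH CHECK OPTION;

-- Grant on the views only. Users need no privilege on emp: a view is
-- evaluated with its owner's privileges (definer's rights), so the base
-- table stays unreachable except through the window the view defines.
CREATE ROLE staff_reader;
GRANT SELECT ON staff TO staff_reader;
GRANT SELECT, UPDATE ON my_dept_staff TO staff_reader;
GRANT staff_reader TO smith;

-- Run as smith: visible rows are those of smith's own department only.
SELECT * FROM my_dept_staff;

-- Run as smith: without WITH CHECK OPTION this would succeed and silently
-- move the row out of smith's department; with it, Oracle raises ORA-01402.
UPDATE my_dept_staff SET deptno = 40 WHERE empno = 7369;
```

The check option matters whenever a row-restricted view is granted UPDATE or INSERT. Without it the predicate filters what the user can read but not what the user can write, so the view would restrict disclosure while leaving integrity unprotected.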
Synonyms
• An alias for a table or view
– Give the table or view another name
• Use
– Hide the owner of the table
• Users do not have to know who owns the data
– Hide the location of the data
• Allows data to be physically moved
• Synonyms are aliases that can be used to give a new name to a table in the
database.
• It is common for data in a database to be owned by many different users
and accessing the data may involve remembering all the user’s names.
Synonyms allow us to give tables simple names so that we do not have to
remember where the data is stored.
• Synonyms also help to provide physical independence because they can
be used to hide where the data is actually stored.
Synonyms - Example
• Table emp is owned by scott
– Should query it as:
• SELECT * FROM scott.emp;
– If emp was stored in another database:
• SELECT * FROM scott.emp@anotherdatabase.com;
• Hiding owner/location of emp
– Create a public synonym
• CREATE PUBLIC SYNONYM emp
FOR scott.emp@anotherdatabase.com;
– Query synonym
• SELECT * FROM emp;
• Tables that belong to another user or are stored in another location
(database) can be made easier to access by creating synonyms that give the
table a simpler name.
• In the above example, the synonym emp actually points to the table
scott.emp but we can simply use the name emp. If we move the data to another
user or database then we only need to change the synonym and not all the
queries that access the table.
• A synonym is only a name. It does not confer any privileges: a user who
selects through the synonym still needs the appropriate privilege on
scott.emp, and the DBMS checks that privilege against the underlying table.
Exemptions
• Personal data held by an individual for personal,
family or recreational purposes
• Personal data held for calculating wages, pensions,
accounts, orders.
• Personal data used for distributing information (eg
name and address).
– Must ask individual if they object.
• Personal data held by an unincorporated members' club
• Personal data required by law to be made public
• Personal data held for national security purposes
Rights of Disclosure
• The Act does not prevent disclosure of
personal data.
– Disclosures must be registered
– Individuals cannot stop a registered disclosure
References
• Database Security
– Pangalos, G., "A Tutorial on Secure Database Systems"
• Data Protection Act
– http://www.open.gov.uk/dpr/guide.htm