From Twitter

LEVELS OF DATABASE SECURITY

As is true for any other technology, the security of database management systems depends on many other systems. These primarily include the operating system, the applications that use the DBMS, services that interact with the DBMS, the web server that makes the application available to end users, etc. However, please note that most importantly, DBMS security depends on us, the-users.

Common Database Security Failures :Database security is of paramount importance for an organisation, but many organisations do not take this fact into consideration, till an eventual problem occurs. The common pitfalls that threaten database security are 
  • Weak User Account Settings: Many of the database user accounts do not contain the user settings that may be found in operating system environments. For example, the user accounts name and passwords, which are commonly known, are not disabled or modified to prevent access.          The user account settings allow limited capabilities for security, without password controls on dictionary checks or account controls supporting expiration of user account. 
  • Insufficient Segregation of Duties:No established security administrator role is defined in the database management of the organisation. This results in database administrators (DBAs) performing both the functions of the administrator (for users accounts), as well as the performance and operations expert. This may result in management inefficiencies 
  • Inadequate Audit Trails:The auditing capabilities of databases since it require keeping track of additional requirements, are often ignored for enhanced performance or disk space. Inadequate auditing results in reduced accountability. It also reduces the effectiveness of data history analysis. The audit trails records information about the actions taken on certain critical of data. They log events directly associated with the data, thus, they are essential for monitoring the access and the activities on a database system. 
  • Unused DBMS Security Features: The security of an individual application is usually independent of the security of the DBMS. Please note that security measures that are built into an application apply to users of the client software only. The DBMS itself and many other tools or utilities that can connect to the database directly through ODBC or any other protocol, may bypass this application level security completely. Thus, you must try to use security restrictions that are reliable, for instance, try using security mechanism that are defined within the database.

Basically database security can be broken down into the following levels:
• Server Security
• Database Connections
• Table Access Control
• Restricting Database Access.
  1.  Server Security   Server security is the process of controlling access to the database server. This is the most important aspect of security and should be carefully planned. The basic idea here is “You cannot access what you do not see”.  For security purposes, you should never let your database server be visible to the world. If a database server is supplying information to a web server then it should be configured in such a manner that it is allowed connections from that web server only. Such a connection would require a trusted IP address. 
  2. Trusted IP Addresses To connect to a server through a client machine, you would need to configure the server to allow access to only trusted IP addresses. You should know exactly who should be allowed to access your database server. For example, if it is the back end of a web server, then only that web server address should be allowed access to the database server. If the database server is the back end of a local application that is running on the internal network, then it should only talk to addresses from within the internal network. 
  3. Database Connections With the ever-increasing number of Dynamic Applications, an application may allow immediate unauthenticated updates to some database. If you are going to allow users make updates to some database via a web page, please ensure that you validate all such updates. This will ensure that all updates are desirable and safe. For example, you may remove any possible SQL code from a user-supplied input. If a normal 
  4. Table Access Control  Table access control is probably one of the most overlooked but one of the very strong forms of database security because of the difficulty in applying it. Using a table access control properly would require the collaboration of both the system administrator as well as the database developer. In practise, however such “collaboration” is relatively difficult to find. 
  5. Restricting Database Access  By now we have defined some of the basic issues of database security, let us now look into the specifics of server security, from the point of view of network access of the system. Internet based databases have been the most recent targets of security attacks. All web-enabled applications listen to a number of ports. Cyber criminals often perform a simple “port scan” to look for ports that are open from the popular default ports used by database systems. How can we address this problem? We can address this problem “by default”, that is, we can change the default ports a database service would listen into. Thus, this is a very simple way to protect the DBMS from such criminals.
There are many ways of preventing open access from the Internet. Each DBMS and OS has its own set of unique features for the same. Let us discuss some general methods of preventing open access from the Internet.

Trusted IP addresses : UNIX servers are configured to answer ping requests only from a list of trusted hosts. In UNIX, this can be accomplished by configuring the rhosts file. Thus, it restricts server access to a list of specific users only.

Server Account Disabling : It may be a good idea to suspend the server ID after three failed password attempts. This may thwart attackers. If such a scheme is not implemented, then an attacker can run a brute force program that generates millions of passwords. Such a program ultimately would break the combination of the user ID and password.

Special Tools : Some customised tools, for example, Real Secure, send an alert when an external server is attempting to breach your system security. There are many such similar products available for the protecting of the DBMS from unauthorised Internet access.
Posted by Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Labels

(MCS-031 (6) 2011 (5) 4nf (1) 5nf (1) ACCESS CONTROL In Relational Database (1) ALGORITHMICS (5) assignment 2014 2015 (1) AVAILABLE TOOLS & ALGORITHMS (5) BCA (1) BINARY SEARCH (1) Block Nested Loop Join (1) Build and Fix Model (1) BUILDING BLOCKS OF ALGORITHMS (1) CHARACTERISTICS OF AN ALGORITHM (2) Core Java (1) Data Communication Network Security (1) DATABASE SECURITY (1) EER tool (1) ELEMEMTARY ALGORITHMICS (2) ENHANCED ER TOOLS (1) EVOLUTION (1) EXAMPLE OF AN ALGORITHM (2) Indexed Nested-Loop Join (1) install servelet engine (1) INTRODUCTION (1) Iterative Enhancement Model (1) Java Server Pages (1) JDBC (1) JSP (2) LEVELS OF DATABASE SECURITY (1) MCA (9) MCA 051 (1) MCA 3rd Semester (8) MCA 4th Semester (1) MCA 5 sem (1) MCS-031 (7) MCS-031 : DESIGN AND ANALYSIS OF ALGORITHM (14) MCS-032 (1) MCS-033 (1) MCS-034 (2) MCS-035 (1) mcs-041 (2) MCS-042 (1) mcs-043 (2) mcs-052 solved assignment (1) MCSL-036 (2) Nested loop join (1) OBJECTIVES (1) Operating System (2) OUTLINE OF ALGORITHMICS (1) Principles of Management and Information Systems (1) PROBLEMS (1) QUERY PROCESSING AND EVALUATION (1) Query processing Optimisation (1) Question Papers (8) Related Topic (9) relational Database (1) SELECT OPERATION Query Processing (1) Servlet (1) Servlet Programme (1) Servlet Programming (1) SOFTWARE DEVELOPMENT MODELS (4) SOFTWARE ENGINEERING (4) Solution (7) Solved Assignment 2013 2014 (6) SOME PRE-REQUISITES AND Asymptotic Bounds ASYMPTOTIC BOUNDS INTRODUCTION (1) STATISTICAL DATABASE SECURITY (1) structure (1) SUMMARY (1) Waterfall Model (1) Write a C program to print the following triangle (1)