Database Security Overview Blake Middleton CSE 7330 – Fall 2009

Protecting a Critical Resource

Banking/Financial Records

Medical Records

Inventory

Customer Information

Personnel Records

Student Records

Threats to Data

Copy

Destroy

Modify

“Securing the Database may be the single biggest action an organization can take to protect its assets.” – David Knox

Results of an “Incident”

Loss of reputation

Loss of $$$

Lawsuits (more loss of $)

TJX – 45M credit/debit cards, $256M as of 8/2007

– Boston Globe Online

General Security Goals - CIAA

Confidentiality

Integrity

Availability

Authentication

Threat Sources

• External – fame or gain

• Internal – gain or revenge

Big Picture

• Physical security

• Network security

• Operating System Security

• Application Security

• DBMS (yes, these have vulnerabilities too)

Access Control

Data Control Language – DCL

GRANT priv ON object TO user [WITH GRANT OPTION]

REVOKE priv ON object FROM user

Examples

Table Level Privileges:

GRANT INSERT, UPDATE ON Students TO fred

GRANT DELETE ON Students TO sam WITH GRANT OPTION

GRANT ALL ON Students TO barney

REVOKE INSERT ON Students FROM fred

Examples

Column Level: (Select and Update)

GRANT UPDATE (address) ON Students TO fred

Examples

Object privileges:

GRANT CREATE TABLE TO fred

Oracle Virtual Private Database (VPD)

Provides row-level security

Presents partial view of tables based on policies

VPD - Examples

Restrict user to only see courses from CSE

User issues:

SELECT * FROM Courses;

Actually executed:

SELECT * FROM Courses WHERE department = 'CSE';

source – Oracle Database 10g Top 20 DBA Features

VPD – Examples – Selective Columns

Restrict user to only see students with GPA above 3.0

SELECT * FROM Students;          -- Will return rows 1 and 3

SELECT COUNT(*) FROM Students;   -- Will return 2

source – Oracle Database 10g Top 20 DBA Features

Stored data:

ID    Name    GPA

100   Jones   3.1

101   Smith   2.6

102   Smart   4.0

VPD – Examples – Column Masking

Restrict user to only see GPA values above 3.0

SELECT * FROM Students;

source – Oracle Database 10g Top 20 DBA Features

Stored data:

ID    Name    GPA

100   Jones   3.1

101   Smith   2.6

102   Smart   4.0

Returned to the user (GPA masked where it is not above 3.0):

ID    Name    GPA

100   Jones   3.1

101   Smith   <null>

102   Smart   4.0
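The Courses and Students behaviour shown in the VPD slides above, as an added Oracle PL/SQL example (not from the slides or from the Oracle article they cite): a policy function returns the predicate, DBMS_RLS.ADD_POLICY attaches it to a table, and the same predicate becomes column masking when sec_relevant_cols is set. The schema names APP and SEC, the function names and the policy names are assumptions.

```sql
-- A VPD policy function gets the schema and object name and returns the
-- predicate string Oracle appends to the statement as its WHERE clause.
CREATE OR REPLACE FUNCTION cse_only (p_schema IN VARCHAR2, p_obj IN VARCHAR2)
    RETURN VARCHAR2 AS
BEGIN
    RETURN 'department = ''CSE''';   -- Courses query runs WHERE department = 'CSE'
END;
/
CREATE OR REPLACE FUNCTION gpa_above_3 (p_schema IN VARCHAR2, p_obj IN VARCHAR2)
    RETURN VARCHAR2 AS
BEGIN
    RETURN 'gpa > 3.0';
END;
/
BEGIN
    -- Row-level restriction on Courses (first VPD example).
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP',        -- assumed table owner
        object_name     => 'COURSES',
        policy_name     => 'COURSES_CSE_ONLY',
        function_schema => 'SEC',        -- assumed owner of the policy functions
        policy_function => 'CSE_ONLY',
        statement_types => 'SELECT');
    -- Row-level restriction on Students: only GPA > 3.0 rows come back,
    -- so SELECT * returns Jones and Smart and COUNT(*) returns 2.
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP',
        object_name     => 'STUDENTS',
        policy_name     => 'STUDENTS_GPA_ROWS',
        function_schema => 'SEC',
        policy_function => 'GPA_ABOVE_3',
        statement_types => 'SELECT');
END;
/
-- Column masking replaces the row restriction rather than adding to it: drop the
-- row policy, then re-add the same predicate with sec_relevant_cols so every row
-- is returned but GPA is NULL where the predicate is false (Smith shows <null>).
BEGIN
    DBMS_RLS.DROP_POLICY('APP', 'STUDENTS', 'STUDENTS_GPA_ROWS');
    DBMS_RLS.ADD_POLICY(
        object_schema         => 'APP',
        object_name           => 'STUDENTS',
        policy_name           => 'STUDENTS_GPA_MASK',
        function_schema       => 'SEC',
        policy_function       => 'GPA_ABOVE_3',
        statement_types       => 'SELECT',
        sec_relevant_cols     => 'GPA',
        sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
```

With the masking policy in place COUNT(*) on Students returns 3, since all rows are visible and only the GPA value is withheld.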

Oracle Label Security

Access based on:

data sensitivity labels

user label authorizations

Provides multi-level security capability

Oracle Label Security

Data Sensitivity Labels have 3 components

Level – required

Compartment – optional

Group – optional

A policy can have up to 999 levels and 9,999 groups and compartments

– Source: Oracle Label Security Best Practices White Paper

Oracle Label Security - Example

– Source: Oracle Label Security Best Practices White Paper

ID    SSN           DL_Num     Lname    Pol1_sec_lab

100   123-45-6789   09234554   Miller   Sensitive:PII:HR

101   234-56-6887   10854834   Arnold   Private:PII:HR

Inference

Simple example (from Viega & McGraw)

SELECT AVG(income) FROM customers
WHERE state = 'VA' OR (city = 'Reno' AND state = 'NV' AND age = 72);

Followed by:

SELECT AVG(income) FROM customers WHERE state = 'VA';

Each query returns only an aggregate, yet the difference between the two averages isolates the income of the single customer matched by the second clause.

Good Practices

Use views

Use stored procedures

Keep up to date on patches

Limit privileges

Have a security policy and follow it

Encrypt sensitive data

Do audits/monitor employees

Regular security assessments

Enforce strong passwords

Future

• More data to protect

• More sophisticated attacks

• More emphasis on security education (hopefully)

Bibliography

• Alapati, S. R., & Kim, C. (2007). Oracle Database 11g: New Features for DBAs and Developers. Apress.

• Bauer, M. D. (2005). Linux Server Security (2nd ed.). O'Reilly Media, Inc.

• Defense Information Systems Agency. (2007, Sep. 19). Security Technical Implementation Guides. Retrieved Oct 26, 2009, from http://iase.disa.mil/stigs/stig/database-stig-v8r1.zip

• Knox, D. (2004). Effective Oracle Database 10g Security by Design. McGraw-Hill.

• Litchfield, D., Anley, C., Heasman, J., & Grindlay, B. (2005). The Database Hacker's Handbook: Defending Database Servers. Wiley.

• Mullins, C. S. (2002). Database Administration: The Complete Guide to Practices and Procedures. Addison-Wesley Professional.

• Needham, P. (2008). Oracle Label Security Best Practices. Oracle.

• Oracle. (n.d.). Oracle Database 10g Top 20 DBA Features. Retrieved Oct 26, 2009, from http://www.oracle.com/technology/pub/articles/10gdba/week14_10gdba.html

• Pfleeger, C. P., & Lawrence, S. (2006). Security in Computing (4th ed.). Prentice Hall.

• Viega, J., & McGraw, G. (2002). Building Secure Software. Addison-Wesley Professional.