SlideShare una empresa de Scribd logo

Database modeling and security

Descargar como PPTX, PDF
Neeharika Nidadavolu
Neeharika Nidadavolu
EducaciónTecnologíaEmpresariales
1 de 46
DATABASE MODELING AND SECURITY
WHAT IS DATA MODELING?  Data modeling is the act of exploring data-oriented structures.  Define key data modeling terms  Entity type  Attribute  Multivalued attribute  Relationship  Degree  Cardinality  Business Rule  Associative entity  Trigger  Supertype  Subtype
THE DATA MODELING PROCESS
HOW ARE DATA MODELS USED IN PRACTICE?  Conceptual data models- These are often created as part of initial requirements envisioning efforts to explore the high-level static business structures and concepts.  Logical data models-used to explore the domain concepts, and their relationships, of problem domain.  Physical data models (PDMs)-PDMs are used to design the internal schema of a database, depicting the data tables, the data columns of those tables, and the relationships between the tables.
A SIMPLE LOGICAL DATA MODEL.
A SIMPLE PHYSICAL DATA MODEL
WHAT ABOUT CONCEPTUAL MODELS?  Object-Role models(ORM’s) are preferably created for conceptual models.
COMMON DATA MODELING NOTATIONS
CONT.
CONT.
HOW TO MODEL DATA  The following tasks are performed in an iterative manner  Identify entity types  Identify attributes  Apply naming conventions  Identify relationships  Apply data model patterns  Assign keys  Normalize to reduce data redundancy  Denormalize to improve performance
 1.Identify Entity Types  Entity - a class of real world objects having common characteristics and properties about which we wish to record information.An entity can be of normal type or weak type.  2.Identify Attributes  Attribute - a characteristic of an entity or relationship  * Identifier - uniquely determines an instance of an entity  * Identity dependence - when a portion of an identifier is inherited from another entity  * Multi-valued - same attribute having many values for one entity  * Surrogate - system created and controlled unique key
 3. Apply Data Naming Conventions- Every organization should have standards and guidelines applicable to data modeling, something we should be able to obtain from your enterprise administrator.  Identify Relationships  Re lat ionship - an association among two or more entities  * occurrence - instance of a relationship is the collective instances of the related entities  * degree - number of entities associated in the relationship (binary, ternary, other n-ary)  * connectivity - one-to-one, one-to-many, many-to-many  * existence dependency (constraint) - optional/mandatory
A LOGICAL DATA MODEL
5.APPLY DATA MODEL PATTERNS
 6.Assign keys-
7. NORMALIZE TO REDUCE DATA REDUNDANCY  The goal of data normalization is to reduce and even eliminate data redundancy.  Table 2. Data Normalization Rules.  First normal form (1NF)-An entity type is in 1NF when it contains no repeating groups of data.  Second normal form (2NF)-An entity type is in 2NF when it is in 1NF and when all of its non-key attributes are fully dependent on its primary key.  Third normal form (3NF)-An entity type is in 3NF when it is in 2NF and when all of its attributes are directly dependent on the primary key.
8. DENORMALIZE TO IMPROVE PERFORMANCE  The rules of data normalization focus on reducing data redundancy, not on improving performance of data access. An important part of data modeling is to denormalize portions of your data schema to improve database access times.
DATABASE SECURITY
CONTENTS  Definitions  Countermeasures  Security Controls  Data Protection and Privacy  Statistical Databases  Web Database Security Issues and Solutions  SQL Injection
DATABASE SECURITY DEFINITION  Definition :  The protection of the database against intentional or unintentional threats using computer-based or non-computer-based controls  Areas in which to reduce risk:  theft and fraud  loss of confidentiality  loss of privacy  loss of integrity  loss of availability
COUNTERMEASURES  Ways to reduce risk  Include  Computer Based Controls  Non-computer Based Controls
COMPUTER BASED CONTROLS  Security of a DBMS is only as good as the OS  Computer based Security controls available:  authorization and authentication  views  backup and recovery  Integrity  Encryption ▪ within database and data transport  RAID – for fault tolerance  associated procedures ▪ e.g. backup, auditing, testing, upgrading, virus checking
NON-COMPUTER BASED CONTROLS  Include:  Security policy and contingency plan  personnel controls  secure positioning of equipment  escrow agreements  maintenance agreements  physical access controls  Both internal and external
DATA SECURITY  Two(original) broad approaches to data security:  Discretionary access control  a given user has different access rights (privileges) on different objects  flexible, but limited to which rights users can have on an object  privileges can be passed on at user’s discretion  Mandatory access control  each data object is labelled with a certain classification level  each user is given a certain clearance level  rigid, hierarchic
ROLE BASED ACCESS CONTROL A specific function within an organisation  Authorizations are granted to the roles  Instead of users  Users are made members of roles  Privileges can not be passed on to other users  Simplifies authorization management  Supported in SQL
SYSTEM R AUTHORIZATION MODEL  One of the first authorization model for RDBMS  As part of System R RDBMS  Based on concept of ‘Protection Objects’  Tables and views  Access modes  SELECT  INSERT  DELETE  UPDATE  Not all applicable for views
SYSTEM R AUTHORIZATION MODEL  Userscan give access to other users through use of  GRANT and REVOKE  Removing REVOKE is recursive  System R has a closed world policy  If no authorization then access is denied  However authorization can be granted later  Negative authorization  Denials are expressed  Denials take precedence
SQL FACILITIES  SQL supports discretionary access control using view mechanism and authorization system  e.g. CREATE VIEW S_NINE_TO_FIVE AS SELECT S.S#, S.SNAME, S.STATUS, S.CITY FROM S WHERE to_char(SYSDATE, 'HH24:MI:SS‘) >= ‘09:00:00’ AND to_char(SYSDATE, 'HH24:MI:SS‘) <= ‘17:00:00’; GRANT SELECT, UPDATE (STATUS) ON S_NINE_TO_FIVE TO Purchasing;  parameterised view  Also referential and entity integrity
ORACLE SECURITY  Oracle supports 2 types of privileges  System privileges  Rights to perform action on schema objects  e.g. create table spaces, create and delete users  Object priviliges  Rights to perform actions on database objects  e.g. create/delete tables, views, indexes, functions  Priviliges can be granted to users or roles
ORACLE OBJECT PRIVILEGES  Table Privileges  ALTER, DELETE, INDEX, INSERT, REFERENC ES, SELECT, UPDATE  View Privileges  DELETE, INSERT, SELECT, UPDATE  Privileges can be granted to users or roles, e.g. CREATE ROLE admin; GRANT INSERT ON my_table TO admin; GRANT admin TO fred;  To revoke/remove roles: REVOKE admin FROM barney; DROP ROLE admin;
ORACLE VIRTUAL PRIVATE DATABASES  Fine-grained access control based on tuple-level access  Uses dynamic query modification  Users are given a specific policy  The policy returns a specific WHERE clause in the query depending on the policy  SELECT * FROM prop_for_rent  Becomes  SELECT * FROM prop_for_rent WHERE prop_type = ‘F’
DATA PROTECTION AND PRIVACY  Privacy  concerns the right of an individual not to have personal information collected, stored and disclosed either willfully or indiscriminately  Data Protection Act  the protection of personal data from unlawful acquisition, storage and disclosure, and the provision of the necessary safeguards to avoid the destruction or corruption of the legitimate data held  New Freedom of Information Act
STATISTICAL DATABASES A database that permits queries that derive aggregated information (e.g. sums, averages)  but not queries that derive individual information  Tracking  possible to make inferences from legal queries to deduce answers to illegal ones  SELECT COUNT(*) FROM STATS X WHERE X.SEX=‘M’ AND X.OCCUPATION = ‘Programmer’  SELECT SUM(X.SALARY) FROM STATS X WHERE X.SEX=‘M’ AND X.OCCUPATION = ‘Programmer’
SIMPLE EXAMPLE  The following warehouse relation contains information about a number of drivers, and the points they have stored in races.  The only queries allowed are those which utilise aggregate operators, e.g. using count to find out a driver’s total earnings in any one year.  However using this table, statistical tracking is possible.  Explain why? DriverId Race PointsScored PrizeMoney 1 Monaco 10 50000 1 Imola 4 25000 2 Monaco 6 30000 3 Monaco 8 40000 3 Silverstone 10 50000
STATISTICAL DATABASES  Various strategies can be used to minimize problems  prevent queries from operating on only a few database entries  swap attribute values among tuples  randomly add in additional entries  use only a random sample  maintain history of query results and reject queries that use a high number of records identical to previous queries
WEB DATABASE SECURITY ISSUES  Internet is an open network  traffic can easily be monitored, e.g. credit card numbers  Challengeis to ensure that information conforms to:  privacy, integrity, authenticity, non- fabrication, non-repudiation  Information also needs protected on web server  Also need to protect from executable content
WEB DATABASE SECURITY SOLUTIONS  Various methods can be used  proxy servers  improve performance and filter requests  firewalls  prevents unauthorised access to/from a private network  digital certificates  electronic message attachments to verify that user is authentic  Kerberos  centralised security server for all data and resources on network
WEB DATABASE SECURITY SOLUTIONS  Secure Sockets Layer and Secure HTTP ▪ SSL - secure connection between client and server ▪ S-HTTP - individual messages transmitted securely  Secure Electronic Transactions ▪ certificates which splits transactions so that only relevant information is provided to each user  Java - Java Virtual Machine (JVM) ▪ class loader - checks applications do not violate system integrity by checking class hierarchies ▪ bytecode verifier - verify that code will not crash or violate system integrity  ActiveX - ▪ uses digital signatures, user is responsible for security
SQL INJECTION  ‘a technique used to take advantage of non- validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database’1  Can chain SQL commands  Embed SQL commands in a string  Ability to execute arbitrary SQL queries
SQL INJECTION: EXAMPLE 1  Form asking for username and password  Original Query:  SQLQuery = “SELECT count(*) FROM users WHERE username = „” + $usename + “„ AND password = „” + $password + “„;”  Specify usename and password = ‘ OR “ 1=1 ‘  SELECT count(*) FROM users WHERE username = ‘’ OR 1 = 1 AND password = ‘’ OR 1 = 1;
SQL INJECTION : EXAMPLE 2  SQLQuery = “SELECT * FROM staff WHERE staff_no = ” + $name + “;”  Enter staff_no: 100 OR 1 = 1  Will give the query:  SELECT * FROM staff WHERE staff_no = 100 OR 1 = 1;  Even worse:  Enter staff_no: 100; DROP TABLE staff; SELECT * FROM sys.user_tables  Enter staff_no: 100 UNION SELECT SELECT Username, Password FROM Users
SQL INJECTION : REMEDIES  Can include:  Strip quotation marks and other spurious characters from strings  Use stored procedures  Limit field lengths or even don’t allow text entries  Restrict UNION
THE END

Recomendados

Codds rule
Codds ruleCodds rule
Codds rule
Alvina Verghis
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql database
gourav kottawar
 
Introduction to database & sql
Introduction to database & sqlIntroduction to database & sql
Introduction to database & sql
zahid6
 
Object Oriented Database Management System
Object Oriented Database Management SystemObject Oriented Database Management System
Object Oriented Database Management System
Ajay Jha
 
Bases de Datos No Relacionales (NoSQL): Cassandra, CouchDB, MongoDB y Neo4j
Bases de Datos No Relacionales (NoSQL): Cassandra, CouchDB, MongoDB y Neo4jBases de Datos No Relacionales (NoSQL): Cassandra, CouchDB, MongoDB y Neo4j
Bases de Datos No Relacionales (NoSQL): Cassandra, CouchDB, MongoDB y Neo4j
Diego López-de-Ipiña González-de-Artaza
 
Distributed database
Distributed databaseDistributed database
Distributed database
ReachLocal Services India
 
Database security
Database securityDatabase security
Database security
CAS
 
Database administration and security
Database administration and securityDatabase administration and security
Database administration and security
Dhani Ahmad
 

Recomendados

Codds rule
Codds ruleCodds rule
Codds rule
Alvina Verghis
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql database
gourav kottawar
 
Introduction to database & sql
Introduction to database & sqlIntroduction to database & sql
Introduction to database & sql
zahid6
 
Object Oriented Database Management System
Object Oriented Database Management SystemObject Oriented Database Management System
Object Oriented Database Management System
Ajay Jha
 
Bases de Datos No Relacionales (NoSQL): Cassandra, CouchDB, MongoDB y Neo4j
Bases de Datos No Relacionales (NoSQL): Cassandra, CouchDB, MongoDB y Neo4jBases de Datos No Relacionales (NoSQL): Cassandra, CouchDB, MongoDB y Neo4j
Bases de Datos No Relacionales (NoSQL): Cassandra, CouchDB, MongoDB y Neo4j
Diego López-de-Ipiña González-de-Artaza
 
Distributed database
Distributed databaseDistributed database
Distributed database
ReachLocal Services India
 
Database security
Database securityDatabase security
Database security
CAS
 
Database administration and security
Database administration and securityDatabase administration and security
Database administration and security
Dhani Ahmad
 
Codd's rules
Codd's rulesCodd's rules
Codd's rules
Mohd Arif
 
bases de datos distribuidas
bases de datos distribuidasbases de datos distribuidas
bases de datos distribuidas
Bofo Cid
 
Object relational database management system
Object relational database management systemObject relational database management system
Object relational database management system
Saibee Alam
 
Database basics
Database basicsDatabase basics
Database basics
prachin514
 
DBMS Practical File
DBMS Practical FileDBMS Practical File
DBMS Practical File
Dushmanta Nath
 
Introduction: Databases and Database Users
Introduction: Databases and Database UsersIntroduction: Databases and Database Users
Introduction: Databases and Database Users
sontumax
 
Eleccion del un sistema operativo
Eleccion del un sistema operativoEleccion del un sistema operativo
Eleccion del un sistema operativo
kentveger
 
Database System Architecture
Database System ArchitectureDatabase System Architecture
Database System Architecture
University of Potsdam
 
Dbms and rdbms ppt
Dbms and rdbms pptDbms and rdbms ppt
Dbms and rdbms ppt
rahul kapoliya
 
Database security
Database securityDatabase security
Database security
keerthusandeepreddy
 
Tutorial de como configurar y instalar Cassandra
Tutorial de como configurar y instalar Cassandra Tutorial de como configurar y instalar Cassandra
Tutorial de como configurar y instalar Cassandra
Kevin Hinojosa
 
Dbms
DbmsDbms
Dbms
Sachin Yadav
 
Dbms and rdbms
Dbms and rdbmsDbms and rdbms
Dbms and rdbms
Umair Shakir
 
Database Management System
Database Management SystemDatabase Management System
Database Management System
Nishant Munjal
 
Diseño
DiseñoDiseño
Diseño
elylupita
 
Database design process
Database design processDatabase design process
Database design process
Tayyab Hameed
 
MySql:Introduction
MySql:IntroductionMySql:Introduction
MySql:Introduction
DataminingTools Inc
 
Adbms 17 object query language
Adbms 17 object query languageAdbms 17 object query language
Adbms 17 object query language
Vaibhav Khanna
 
Dbms presentaion
Dbms presentaionDbms presentaion
Dbms presentaion
sai kumar rachakonda
 
Distributed database management system
Distributed database management systemDistributed database management system
Distributed database management system
Pooja Dixit
 
Application security models
Application security modelsApplication security models
Application security models
ERSHUBHAM TIWARI
 
SECURE AND EFFICIENT DATA TRANSMISSION FOR CLUSTER-BASED WIRELESS SENSOR NETW...
SECURE AND EFFICIENT DATA TRANSMISSION FOR CLUSTER-BASED WIRELESS SENSOR NETW...SECURE AND EFFICIENT DATA TRANSMISSION FOR CLUSTER-BASED WIRELESS SENSOR NETW...
SECURE AND EFFICIENT DATA TRANSMISSION FOR CLUSTER-BASED WIRELESS SENSOR NETW...
Roshith S Pai
 

Más contenido relacionado

La actualidad más candente

Codd's rules
Codd's rulesCodd's rules
Codd's rules
Mohd Arif
 
bases de datos distribuidas
bases de datos distribuidasbases de datos distribuidas
bases de datos distribuidas
Bofo Cid
 
Eleccion del un sistema operativo
Eleccion del un sistema operativoEleccion del un sistema operativo
Eleccion del un sistema operativo
kentveger
 

La actualidad más candente (20)

Codd's rules
Codd's rulesCodd's rules
Codd's rules
 
bases de datos distribuidas
bases de datos distribuidasbases de datos distribuidas
bases de datos distribuidas
 
Object relational database management system
Object relational database management systemObject relational database management system
Object relational database management system
 
Database basics
Database basicsDatabase basics
Database basics
 
DBMS Practical File
DBMS Practical FileDBMS Practical File
DBMS Practical File
 
Introduction: Databases and Database Users
Introduction: Databases and Database UsersIntroduction: Databases and Database Users
Introduction: Databases and Database Users
 
Eleccion del un sistema operativo
Eleccion del un sistema operativoEleccion del un sistema operativo
Eleccion del un sistema operativo
 
Database System Architecture
Database System ArchitectureDatabase System Architecture
Database System Architecture
 
Dbms and rdbms ppt
Dbms and rdbms pptDbms and rdbms ppt
Dbms and rdbms ppt
 
Database security
Database securityDatabase security
Database security
 
Tutorial de como configurar y instalar Cassandra
Tutorial de como configurar y instalar Cassandra Tutorial de como configurar y instalar Cassandra
Tutorial de como configurar y instalar Cassandra
 
Dbms
DbmsDbms
Dbms
 
Dbms and rdbms
Dbms and rdbmsDbms and rdbms
Dbms and rdbms
 
Database Management System
Database Management SystemDatabase Management System
Database Management System
 
Diseño
DiseñoDiseño
Diseño
 
Database design process
Database design processDatabase design process
Database design process
 
MySql:Introduction
MySql:IntroductionMySql:Introduction
MySql:Introduction
 
Adbms 17 object query language
Adbms 17 object query languageAdbms 17 object query language
Adbms 17 object query language
 
Dbms presentaion
Dbms presentaionDbms presentaion
Dbms presentaion
 
Distributed database management system
Distributed database management systemDistributed database management system
Distributed database management system
 

Destacado

Pengenalan sistem database
Pengenalan sistem databasePengenalan sistem database
Pengenalan sistem database
Fajar Zain
 
Data Modelling
Data ModellingData Modelling
Data Modelling
Armina Nur
 
Trends in Data Modeling
Trends in Data ModelingTrends in Data Modeling
Trends in Data Modeling
DATAVERSITY
 
Object oriented database model
Object oriented database modelObject oriented database model
Object oriented database model
PAQUIAAIZEL
 
9. Object Relational Databases in DBMS
9. Object Relational Databases in DBMS9. Object Relational Databases in DBMS
9. Object Relational Databases in DBMS
koolkampus
 

Destacado (20)

Application security models
Application security modelsApplication security models
Application security models
 
SECURE AND EFFICIENT DATA TRANSMISSION FOR CLUSTER-BASED WIRELESS SENSOR NETW...
SECURE AND EFFICIENT DATA TRANSMISSION FOR CLUSTER-BASED WIRELESS SENSOR NETW...SECURE AND EFFICIENT DATA TRANSMISSION FOR CLUSTER-BASED WIRELESS SENSOR NETW...
SECURE AND EFFICIENT DATA TRANSMISSION FOR CLUSTER-BASED WIRELESS SENSOR NETW...
 
Object-Relational Database Systems(ORDBMSs)
Object-Relational Database Systems(ORDBMSs)Object-Relational Database Systems(ORDBMSs)
Object-Relational Database Systems(ORDBMSs)
 
Secure Data Transmission
Secure Data TransmissionSecure Data Transmission
Secure Data Transmission
 
Pengenalan dasar sistem basisdata
Pengenalan dasar sistem basisdataPengenalan dasar sistem basisdata
Pengenalan dasar sistem basisdata
 
Metodologías de Desarrollo de Aplicaciones Web Seguras
Metodologías de Desarrollo de Aplicaciones Web SegurasMetodologías de Desarrollo de Aplicaciones Web Seguras
Metodologías de Desarrollo de Aplicaciones Web Seguras
 
Pengenalan sistem database
Pengenalan sistem databasePengenalan sistem database
Pengenalan sistem database
 
Data Modelling
Data ModellingData Modelling
Data Modelling
 
Trends in Data Modeling
Trends in Data ModelingTrends in Data Modeling
Trends in Data Modeling
 
Secure and Efficient Data Transmission for Cluster-Based Wireless Sensor Net...
Secure and Efficient Data Transmission for Cluster-Based Wireless Sensor Net...Secure and Efficient Data Transmission for Cluster-Based Wireless Sensor Net...
Secure and Efficient Data Transmission for Cluster-Based Wireless Sensor Net...
 
Database Security
Database SecurityDatabase Security
Database Security
 
Database Security
Database SecurityDatabase Security
Database Security
 
Database security
Database securityDatabase security
Database security
 
Database security
Database securityDatabase security
Database security
 
Object oriented database model
Object oriented database modelObject oriented database model
Object oriented database model
 
Why Your Healthcare Business Intelligence Strategy Can't Win
Why Your Healthcare Business Intelligence Strategy Can't WinWhy Your Healthcare Business Intelligence Strategy Can't Win
Why Your Healthcare Business Intelligence Strategy Can't Win
 
9. Object Relational Databases in DBMS
9. Object Relational Databases in DBMS9. Object Relational Databases in DBMS
9. Object Relational Databases in DBMS
 
Юрий Ветров — Алгоритмический дизайн
Юрий Ветров — Алгоритмический дизайнЮрий Ветров — Алгоритмический дизайн
Юрий Ветров — Алгоритмический дизайн
 
Dbms models
Dbms modelsDbms models
Dbms models
 
DATA WAREHOUSING
DATA WAREHOUSINGDATA WAREHOUSING
DATA WAREHOUSING
 

Similar a Database modeling and security

Iaetsd database intrusion detection using
Iaetsd database intrusion detection usingIaetsd database intrusion detection using
Iaetsd database intrusion detection using
Iaetsd Iaetsd
 
Security Issues Surrounding Data Manipulation in a Relational Database
Security Issues Surrounding Data Manipulation in a Relational DatabaseSecurity Issues Surrounding Data Manipulation in a Relational Database
Security Issues Surrounding Data Manipulation in a Relational Database
David Murphy
 
DBMS-material for b.tech students to learn
DBMS-material for b.tech students to learnDBMS-material for b.tech students to learn
DBMS-material for b.tech students to learn
Rajasekhar364622
 
Visible Governance: How to set up data governance using Visible Analyst Comme...
Visible Governance: How to set up data governance using Visible Analyst Comme...Visible Governance: How to set up data governance using Visible Analyst Comme...
Visible Governance: How to set up data governance using Visible Analyst Comme...
Michael Cesino
 

Similar a Database modeling and security (20)

Database concepts
Database conceptsDatabase concepts
Database concepts
 
Iaetsd database intrusion detection using
Iaetsd database intrusion detection usingIaetsd database intrusion detection using
Iaetsd database intrusion detection using
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networks
 
Row-level security and Dynamic Data Masking
Row-level security and Dynamic Data MaskingRow-level security and Dynamic Data Masking
Row-level security and Dynamic Data Masking
 
Data base Access Control a look at Fine grain Access method
Data base Access Control a look at Fine grain Access methodData base Access Control a look at Fine grain Access method
Data base Access Control a look at Fine grain Access method
 
How to Build and Promote a Successful MDM Solution on a Shoestring
How to Build and Promote a Successful MDM Solution on a ShoestringHow to Build and Promote a Successful MDM Solution on a Shoestring
How to Build and Promote a Successful MDM Solution on a Shoestring
 
Security Issues Surrounding Data Manipulation in a Relational Database
Security Issues Surrounding Data Manipulation in a Relational DatabaseSecurity Issues Surrounding Data Manipulation in a Relational Database
Security Issues Surrounding Data Manipulation in a Relational Database
 
Oracle Database Vault
Oracle Database VaultOracle Database Vault
Oracle Database Vault
 
Data Redaction - OTN TOUR LA 2015
Data Redaction - OTN TOUR LA 2015 Data Redaction - OTN TOUR LA 2015
Data Redaction - OTN TOUR LA 2015
 
DBMS-material for b.tech students to learn
DBMS-material for b.tech students to learnDBMS-material for b.tech students to learn
DBMS-material for b.tech students to learn
 
Chapter23
Chapter23Chapter23
Chapter23
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data Redaction
 
Database Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,ViewDatabase Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,View
 
Visible Governance: How to set up data governance using Visible Analyst Comme...
Visible Governance: How to set up data governance using Visible Analyst Comme...Visible Governance: How to set up data governance using Visible Analyst Comme...
Visible Governance: How to set up data governance using Visible Analyst Comme...
 
UNIT 3- DATABASE INTEGRITY AND SECURITY CONCEPTS (1).pdf
UNIT 3- DATABASE INTEGRITY AND SECURITY CONCEPTS (1).pdfUNIT 3- DATABASE INTEGRITY AND SECURITY CONCEPTS (1).pdf
UNIT 3- DATABASE INTEGRITY AND SECURITY CONCEPTS (1).pdf
 
Database management systems
Database management systemsDatabase management systems
Database management systems
 
Chapter Five Physical Database Design.pptx
Chapter Five Physical Database Design.pptxChapter Five Physical Database Design.pptx
Chapter Five Physical Database Design.pptx
 
11 Database Concepts
11 Database Concepts11 Database Concepts
11 Database Concepts
 
Week 2 Characteristics & Benefits of a Database & Types of Data Models
Week 2 Characteristics & Benefits of a Database & Types of Data ModelsWeek 2 Characteristics & Benefits of a Database & Types of Data Models
Week 2 Characteristics & Benefits of a Database & Types of Data Models
 
Database Security - IG
Database Security - IGDatabase Security - IG
Database Security - IG
 

Último

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 

Último (20)

Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 

Database modeling and security

  • 2. WHAT IS DATA MODELING?  Data modeling is the act of exploring data-oriented structures.  Define key data modeling terms  Entity type  Attribute  Multivalued attribute  Relationship  Degree  Cardinality  Business Rule  Associative entity  Trigger  Supertype  Subtype
  • 4. HOW ARE DATA MODELS USED IN PRACTICE?  Conceptual data models- These are often created as part of initial requirements envisioning efforts to explore the high-level static business structures and concepts.  Logical data models-used to explore the domain concepts, and their relationships, of problem domain.  Physical data models (PDMs)-PDMs are used to design the internal schema of a database, depicting the data tables, the data columns of those tables, and the relationships between the tables.
  • 5. A SIMPLE LOGICAL DATA MODEL.
  • 6. A SIMPLE PHYSICAL DATA MODEL
  • 7. WHAT ABOUT CONCEPTUAL MODELS?  Object-Role models(ORM’s) are preferably created for conceptual models.
  • 10. CONT.
  • 11. HOW TO MODEL DATA  The following tasks are performed in an iterative manner  Identify entity types  Identify attributes  Apply naming conventions  Identify relationships  Apply data model patterns  Assign keys  Normalize to reduce data redundancy  Denormalize to improve performance
  • 12. 1.Identify Entity Types  Entity - a class of real world objects having common characteristics and properties about which we wish to record information.An entity can be of normal type or weak type.  2.Identify Attributes  Attribute - a characteristic of an entity or relationship  * Identifier - uniquely determines an instance of an entity  * Identity dependence - when a portion of an identifier is inherited from another entity  * Multi-valued - same attribute having many values for one entity  * Surrogate - system created and controlled unique key
  • 13. 3. Apply Data Naming Conventions- Every organization should have standards and guidelines applicable to data modeling, something we should be able to obtain from your enterprise administrator.  Identify Relationships  Re lat ionship - an association among two or more entities  * occurrence - instance of a relationship is the collective instances of the related entities  * degree - number of entities associated in the relationship (binary, ternary, other n-ary)  * connectivity - one-to-one, one-to-many, many-to-many  * existence dependency (constraint) - optional/mandatory
  • 14. A LOGICAL DATA MODEL
  • 15. 5.APPLY DATA MODEL PATTERNS
  • 16. 6.Assign keys-
  • 17. 7. NORMALIZE TO REDUCE DATA REDUNDANCY  The goal of data normalization is to reduce and even eliminate data redundancy.  Table 2. Data Normalization Rules.  First normal form (1NF)-An entity type is in 1NF when it contains no repeating groups of data.  Second normal form (2NF)-An entity type is in 2NF when it is in 1NF and when all of its non-key attributes are fully dependent on its primary key.  Third normal form (3NF)-An entity type is in 3NF when it is in 2NF and when all of its attributes are directly dependent on the primary key.
  • 18.
  • 19.
  • 20. 8. DENORMALIZE TO IMPROVE PERFORMANCE  The rules of data normalization focus on reducing data redundancy, not on improving performance of data access. An important part of data modeling is to denormalize portions of your data schema to improve database access times.
  • 22. CONTENTS  Definitions  Countermeasures  Security Controls  Data Protection and Privacy  Statistical Databases  Web Database Security Issues and Solutions  SQL Injection
  • 23. DATABASE SECURITY DEFINITION  Definition :  The protection of the database against intentional or unintentional threats using computer-based or non-computer-based controls  Areas in which to reduce risk:  theft and fraud  loss of confidentiality  loss of privacy  loss of integrity  loss of availability
  • 24. COUNTERMEASURES  Ways to reduce risk  Include  Computer Based Controls  Non-computer Based Controls
  • 25. COMPUTER BASED CONTROLS  Security of a DBMS is only as good as the OS  Computer based Security controls available:  authorization and authentication  views  backup and recovery  Integrity  Encryption ▪ within database and data transport  RAID – for fault tolerance  associated procedures ▪ e.g. backup, auditing, testing, upgrading, virus checking
  • 26. NON-COMPUTER BASED CONTROLS  Include:  Security policy and contingency plan  personnel controls  secure positioning of equipment  escrow agreements  maintenance agreements  physical access controls  Both internal and external
  • 27. DATA SECURITY  Two(original) broad approaches to data security:  Discretionary access control  a given user has different access rights (privileges) on different objects  flexible, but limited to which rights users can have on an object  privileges can be passed on at user’s discretion  Mandatory access control  each data object is labelled with a certain classification level  each user is given a certain clearance level  rigid, hierarchic
  • 28. ROLE BASED ACCESS CONTROL A specific function within an organisation  Authorizations are granted to the roles  Instead of users  Users are made members of roles  Privileges can not be passed on to other users  Simplifies authorization management  Supported in SQL
  • 29. SYSTEM R AUTHORIZATION MODEL  One of the first authorization model for RDBMS  As part of System R RDBMS  Based on concept of ‘Protection Objects’  Tables and views  Access modes  SELECT  INSERT  DELETE  UPDATE  Not all applicable for views
  • 30. SYSTEM R AUTHORIZATION MODEL  Userscan give access to other users through use of  GRANT and REVOKE  Removing REVOKE is recursive  System R has a closed world policy  If no authorization then access is denied  However authorization can be granted later  Negative authorization  Denials are expressed  Denials take precedence
  • 31. SQL FACILITIES  SQL supports discretionary access control using view mechanism and authorization system  e.g. CREATE VIEW S_NINE_TO_FIVE AS SELECT S.S#, S.SNAME, S.STATUS, S.CITY FROM S WHERE to_char(SYSDATE, 'HH24:MI:SS‘) >= ‘09:00:00’ AND to_char(SYSDATE, 'HH24:MI:SS‘) <= ‘17:00:00’; GRANT SELECT, UPDATE (STATUS) ON S_NINE_TO_FIVE TO Purchasing;  parameterised view  Also referential and entity integrity
  • 32. ORACLE SECURITY  Oracle supports 2 types of privileges  System privileges  Rights to perform action on schema objects  e.g. create table spaces, create and delete users  Object priviliges  Rights to perform actions on database objects  e.g. create/delete tables, views, indexes, functions  Priviliges can be granted to users or roles
  • 33. ORACLE OBJECT PRIVILEGES  Table Privileges  ALTER, DELETE, INDEX, INSERT, REFERENC ES, SELECT, UPDATE  View Privileges  DELETE, INSERT, SELECT, UPDATE  Privileges can be granted to users or roles, e.g. CREATE ROLE admin; GRANT INSERT ON my_table TO admin; GRANT admin TO fred;  To revoke/remove roles: REVOKE admin FROM barney; DROP ROLE admin;
  • 34. ORACLE VIRTUAL PRIVATE DATABASES  Fine-grained access control based on tuple-level access  Uses dynamic query modification  Users are given a specific policy  The policy returns a specific WHERE clause in the query depending on the policy  SELECT * FROM prop_for_rent  Becomes  SELECT * FROM prop_for_rent WHERE prop_type = ‘F’
  • 35. DATA PROTECTION AND PRIVACY  Privacy  concerns the right of an individual not to have personal information collected, stored and disclosed either willfully or indiscriminately  Data Protection Act  the protection of personal data from unlawful acquisition, storage and disclosure, and the provision of the necessary safeguards to avoid the destruction or corruption of the legitimate data held  New Freedom of Information Act
  • 36. STATISTICAL DATABASES A database that permits queries that derive aggregated information (e.g. sums, averages)  but not queries that derive individual information  Tracking  possible to make inferences from legal queries to deduce answers to illegal ones  SELECT COUNT(*) FROM STATS X WHERE X.SEX=‘M’ AND X.OCCUPATION = ‘Programmer’  SELECT SUM(X.SALARY) FROM STATS X WHERE X.SEX=‘M’ AND X.OCCUPATION = ‘Programmer’
  • 37. SIMPLE EXAMPLE  The following warehouse relation contains information about a number of drivers, and the points they have stored in races.  The only queries allowed are those which utilise aggregate operators, e.g. using count to find out a driver’s total earnings in any one year.  However using this table, statistical tracking is possible.  Explain why? DriverId Race PointsScored PrizeMoney 1 Monaco 10 50000 1 Imola 4 25000 2 Monaco 6 30000 3 Monaco 8 40000 3 Silverstone 10 50000
  • 38. STATISTICAL DATABASES  Various strategies can be used to minimize problems  prevent queries from operating on only a few database entries  swap attribute values among tuples  randomly add in additional entries  use only a random sample  maintain history of query results and reject queries that use a high number of records identical to previous queries
  • 39. WEB DATABASE SECURITY ISSUES  Internet is an open network  traffic can easily be monitored, e.g. credit card numbers  Challengeis to ensure that information conforms to:  privacy, integrity, authenticity, non- fabrication, non-repudiation  Information also needs protected on web server  Also need to protect from executable content
  • 40. WEB DATABASE SECURITY SOLUTIONS  Various methods can be used  proxy servers  improve performance and filter requests  firewalls  prevents unauthorised access to/from a private network  digital certificates  electronic message attachments to verify that user is authentic  Kerberos  centralised security server for all data and resources on network
  • 41. WEB DATABASE SECURITY SOLUTIONS  Secure Sockets Layer and Secure HTTP ▪ SSL - secure connection between client and server ▪ S-HTTP - individual messages transmitted securely  Secure Electronic Transactions ▪ certificates which splits transactions so that only relevant information is provided to each user  Java - Java Virtual Machine (JVM) ▪ class loader - checks applications do not violate system integrity by checking class hierarchies ▪ bytecode verifier - verify that code will not crash or violate system integrity  ActiveX - ▪ uses digital signatures, user is responsible for security
  • 42. SQL INJECTION  ‘a technique used to take advantage of non- validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database’1  Can chain SQL commands  Embed SQL commands in a string  Ability to execute arbitrary SQL queries
  • 43. SQL INJECTION: EXAMPLE 1  Form asking for username and password  Original Query:  SQLQuery = “SELECT count(*) FROM users WHERE username = „” + $usename + “„ AND password = „” + $password + “„;”  Specify usename and password = ‘ OR “ 1=1 ‘  SELECT count(*) FROM users WHERE username = ‘’ OR 1 = 1 AND password = ‘’ OR 1 = 1;
  • 44. SQL INJECTION : EXAMPLE 2  SQLQuery = “SELECT * FROM staff WHERE staff_no = ” + $name + “;”  Enter staff_no: 100 OR 1 = 1  Will give the query:  SELECT * FROM staff WHERE staff_no = 100 OR 1 = 1;  Even worse:  Enter staff_no: 100; DROP TABLE staff; SELECT * FROM sys.user_tables  Enter staff_no: 100 UNION SELECT SELECT Username, Password FROM Users
  • 45. SQL INJECTION : REMEDIES  Can include:  Strip quotation marks and other spurious characters from strings  Use stored procedures  Limit field lengths or even don’t allow text entries  Restrict UNION