3130703

Database Management
Systems

Unit-8
Database Security
 Topics to be covered
• Introduction
• Authentication and Authorization
• Data encryption
• Access control
• DAC (Discretionary access control)
• MAC (Mandatory access control)
• RBAC models
• Intrusion detection
• SQL injection
Unit – 8: Database Security 2
 Data Security

Unit – 8: Database Security 3

 What is data security?
 Data security is the protection of the data from unauthorized
users.
 Only the authorized users are allowed to access the data.
 Most of the users are allowed to access a part of database i.e.,
the data that is related to them or related to their department.

Unit – 8: Database Security 4

 Security v/s Integrity
Security Integrity
Data security deals with protection of data. Data integrity deals with the validity of data.
Data security is making sure that only the Data integrity is making sure that the data is
people who should have access to the data correct and not corrupt.
are the only ones who can access the data.

Data security avoids from unauthorized Data integrity avoids from human errors,
access of data. when data is entered.
Data security is implemented through user Data integrity is implemented through
account (passwords). constraints such as Primary key, Foreign key,
Check constraints etc.

Unit – 8: Database Security 5

 Authentication v/s Authorization
Authentication Authorization
It is the process of validating a user on the It is the process of verifying whether access
credentials (username and password). is allowed or not.
Logging on to a PC or some website or app Accessing a file (data) from hard disk or
with username and password is some database is authorization.
authentication.

It is the process of verifying who you are. It is the process of verifying  what you are
authorized to do or not to do.
It is providing integrity control and security It is protecting the data to ensure privacy
to the data. and access control of data.

Unit – 8: Database Security 6

 Audit Trail

Unit – 8: Database Security 7

 What is audit trail (audit log)?
 An audit trail (audit log) is a record which will be generated for
each and every transactions.
 It will keep certain information about the transaction.
 An audit trail (audit log) records
1. Who (user or the application program and a transaction number)
2. When (date and time)
3. From Where (location of the user and/or terminal)
4. What (identification of the data affected, as well as a before-and-after the
database that was affected by the update operation)

Unit – 8: Database Security 8

 Data Encryption

Unit – 8: Database Security 9

 What is data encryption?
• Encryption is a security
method in which
information is encoded in
such a way that only
authorized user can read
(understand) it.
• It uses encryption
algorithm to generate
ciphertext that can only be
read if decrypted.

Unit – 8: Database Security 10

 Data encryption method (process)
Sender Unauthorized Receiver

Hello Plaintext Plaintext Hello

Encryption Decryption

Khoor Ciphertext Ciphertext Khoor

Should not
access

Unit – 8: Database Security 11

 What is data encryption?
 Data encryption is the process of encoding (translating) a
message or information in such a way that only authorized
persons can access it and those who are not authorized cannot.
 Encryption is the process of translating plaintext data (plaintext)
into something that appears to be meaningless (ciphertext).
 Decryption is the process of converting ciphertext back to
plaintext.

Unit – 8: Database Security 12

 Types of Encryption
Symmetric key encryption
• Encryption and decryption keys are the same.
• The same key is used by the sender to encrypt the data, and again by the
receiver to decrypt the data.
• Symmetric key encryption is fast in execution.
 Asymmetric key encryption
• Encryption and decryption keys are the different (Public Key and Private
Key).
• Messages are encrypted by sender with one key (Public Key) and can be
decrypted by receiver only by the other key (Private Key). 
• Asymmetric key encryption is slow in execution due to the high
computational burden.

Unit – 8: Database Security 13

 Access Control Methods

Unit – 8: Database Security 14

 Access control methods of data security

 There are two different methods of data access control:

1. Discretionary access control
2. Mandatory access control
3. Role based access control

Unit – 8: Database Security 15

 Discretionary access control [DAC]
 DAC is an identity based access control model that provides users
a certain amount of control over their data.
 Data owners can define access permissions for specific users or
groups of users
DAC model works like this:
• User 1 creates a file and becomes its
owner or obtains access rights to an
existing file.
• User 2 requests access to this file.
• User 1 grants access at their own
discretion. However, user 1 can’t grant
access rights that exceed their own. For
example, if user 1 can only read a
document, they can’t allow user 2 to edit
it.
Unit – 8: Database Security 16
 Discretionary access control [DAC]
 SQL support discretionary access control through the GRANT and
REVOKE commands.

 GRANT
• This command gives rights to user for an object.
• Syntax:- GRANT privilege ON object TO user [WITH GRANT OPTION]
 REVOKE
• This command takes back rights from user for an object.
• Syntax:- REVOKE privilege ON object FROM user {RESTRICT/CASCADE}

 Discretionary access control is quite a popular model because it allows

a lot of freedom for users and doesn’t cause administrative overhead.

Unit – 8: Database Security 17

 Mandatory access control
 MAC is considered the most secure access control models. Access
rules are manually defined by system administrators and strictly
enforced by the operating system.
 In this method individual user cannot get rights.
 But all the users are classified into different categories.
 Each user is assigned a clearance level
 A user can access object only if he has proper clearance level.
 The DBMS (system) determines whether the given user can read
or write a given object based on some rules.
 This rule makes sure that sensitive data can never be passed to a
user without necessary clearance.

Unit – 8: Database Security 18

 Mandatory access control rules
 A user can access data by following two rules
1. Security property:-
• Security property states that an object may not read at a higher security
level.
2. Star (*) security property:-
• Star (*) property states that a an object may not write at a lower security
level.

Unit – 8: Database Security 19

 Role based access control (RBAC) rules
 Role-based access control (RBAC) restricts network access based
on a person's role within an organization.
 Employees are only allowed to access the information necessary
to effectively perform their job duties.
 Access can be based on several factors, such as higher authority,
responsibility, and job competency.
 Lower-level employees usually do not have access to sensitive
data if they do not need it to fulfil their responsibilities.
 Using RBAC will help in securing your company’s sensitive data
and important applications.

Unit – 8: Database Security 20

 Intrusion detection

Unit – 8: Database Security 21

 Intrusion detection
 An Intrusion Detection System (IDS) is a system or software
application that monitors network traffic and issues alerts
when such activity is discovered.
 It is a software application that scans a network or a system
for harmful activity.
 Any malicious activity is normally reported either to an
administrator or collected centrally using a security
information and event management (SIEM) system.

Unit – 8: Database Security 22

 Intrusion detection

Unit – 8: Database Security 23

 SQL injection

Unit – 8: Database Security 24

 SQL injection
 SQL injection, also known as SQLI, is a
common attack vector that uses malicious
SQL code for backend database
manipulation to access information that
was not intended to be displayed.
 This information may include any number
of items, including sensitive company data,
user lists or private customer details.
 A successful attack may result in the
unauthorized viewing of user lists, the
deletion of entire tables, gaining
administrative rights to a database, all of
which are highly detrimental to a business.

Unit – 8: Database Security 25

 SQL injection

Unit – 8: Database Security 26

 Questions asked in GTU
1. Describe GRANT and REVOKE commands with suitable example.
2. What is difference between authorization and authentication?
Explain the use of audit trail.
3. Explain data encryption with its types.
4. Differentiate discretionary access control and mandatory access
control.
5. What is the difference between data security and data integrity?

Unit – 8: Database Security 27

Database Management Systems
(DBMS)
GTU # 3130703

Thank
You