Department of Computer Science and Engineering (CSE)

Database
Management
System

Course Outcome Will be covered in

CO Title Level this lecture
Numbe
r
CO1 To perceive the significance and Remember
implementation of a commercial
relational database system (Oracle)
by writing SQL using the system.
CO2 To understand the relational database Understand
theory, and be able to write
relational algebra expressions for
queries

CO3 To identify the basic issues of Analysis and

transaction processing and application
concurrency control and find out its
solutions.
2
University Institute of Engineering (UIE)
 Department
Department of Computer
of Computer Scienceand
Science andEngineering
Engineering (CSE)
(CSE)

Contents of the Syllabus

UNIT-I [10h]
Overview of Databases: Database concepts, DBMS, Data Base System Architecture (Three
Level ANSI-SPARC Architecture), Advantages and Disadvantages of DBMS, Data Independence,
DBA and Responsibilities of DBA, Relational Data Structure, Keys, Relations, Attributes, Schema and
Instances, Referential integrity, Entity integrity.
Data Models: Relational Model, Network Model, Hierarchical Model, ER Model: Design,
issues, Mapping constraints, ER diagram, Comparison of Models.

Relational Algebra & Relational Calculus: Introduction, Syntax, Semantics, Additional

operators, Grouping and Ungrouping, Relational comparisons, Tuple Calculus, Domain Calculus,
Calculus Vs Algebra, Computational capabilities.

UNIT-II [10h]
Functional dependencies and Normalization: Functional dependencies, Decomposition, Full
Functional Dependency (FFD), Transitive Dependency (TD), Join Dependency (JD), Multi-valued
Dependency (MVD), Normal Forms (1NF, 2NF, 3NF, BCNF), De-normalization.
Database Security: Introduction, Threats, Counter Measures.
Control Structures: Introduction to conditional control, Iterative control and sequential control
statements, Cursors, Views.

3
University Institute of Engineering (UIE)
 Department
Department of Computer
of Computer Scienceand
Science andEngineering
Engineering (CSE)
(CSE)

Contents of the Syllabus

UNIT-III [10h]
Package, Procedures and Triggers: Parts of procedures, Parameter modes, Advantages of
procedures, Syntax for creating triggers, Types of triggers, package specification and package body,
developing a package, Bodiless package, Advantages of packages.
Transaction Management and Concurrency Control: Introduction to Transaction Processing,
Properties of Transactions, Serializability and Recoverability, Need for Concurrency Control, Locking
Techniques, Time Stamping Methods, Optimistic Techniques and Granularity of Data items.

Database Recovery of database: Introduction, Need for Recovery, Types of errors, Recovery
Techniques.

4
University Institute of Engineering (UIE)
 Department of Computer Science and Engineering (CSE)

Chapter 2.2

(Database Security)
Database Security: Introduction, Threats, Counter Measures.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Learning objective
• Database Security
• Threats
• Counter Measures.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Learning Outcomes
• Understanding the concept of database security and its
issues.
• Discuss threats
• Discuss various level of security
• Understanding various Counter measures

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Threats
Threat is any intentional or accidental event that may adversely affect the
system.
Examples of threats:
- Using another person’s log-in name to access data
- Unauthorized copying data
- Program/Data alteration
- Illegal entry by hacker
- Viruses
- Etc.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

QUESTION

Data security threats include :

1. privacy invasion
2. hardware protection
3. fraudulent manipulation od data
4. all of the above

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Security Layers in DBMS

• Authorization

• Authentication

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Security Layers in DBMS

• Authorization
Authorization means allowing access to the system.
• Authentication
Authentication means confirmation of your identity.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Authentication
Authentication is regarding credentials.
For example,
Username and Password for identity verification.
Here, the system checks whether you are what you say you are
through your credentials. Whether you’re using public or
private networks, the system authenticates users’ identity
through login details, namely, username and password.
However, there are other methods for Authentication, but this is
the most basic one, which is used almost by everyone.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Authorization
Authorization comes into picture once your identity
successfully gets authenticated by the system. Due to which
you get access to resources like files, funds, databases, sensitive
information, and so on.
Though Authorization is needed to verify your rights for
granting you access to resources once your access rights are
determined, in other words, Authorization is the process that is
used for determining whether the user who’s authenticated
has access right for the particular resources.
For example, once the employee User ID and password get
authenticated, the next thing will be to decide which employee
will get access to which floor, and it’s done using Authorization.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Differences between Authentication and Authorization.

Authentication Authorization
It helps decide whether users are what they claim they It helps to decide which user is allowed to access what.
are.
User identity has to be verified via a username and It verifies whether the given access is allowed by
password or answering a security question. following rules and policies.
Typically this process takes place before Authorization. It takes place once Authentication is completed.

Different ways of Authentication are: Other forms of Authorization are:

Captcha test Permissions – Read & Write access to files and allowing
Biometric Authentication access to the database.
Passwords Deciding the roles of users for accessing data

It’s controlled through the server for finding out who’s The server helps to decide that client has the authority
accessing what data or site. to access a resource or not.
Example: Employees authenticating through the network Example: Once an employee is authenticated, the
before opening the company mails. different system decides which information will be
accessed by which employee.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

QUESTION

Authentication refers to :

1. methods of restricting user access to system

2. controlling access to portions of database
3. controlling the operation on the data
4. all of the above

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Threats in Database
1. Availability Loss: Authorized users should be able to
access data whenever they need to do so
2. Integrity Loss: Only the authorized person can do
changes and update. Data should be maintained in a
correct state and nobody should be able to improperly
modify it, either accidentally or maliciously
3. Confidentiality Loss: This occur due to unauthorized or
unintentional disclosure of information.
Only authorized users and processes should be able to
access or modify data

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

EXAMPLE

Consider the example of a bank ATM, which can offer users

access to bank balances and other information. An ATM has tools
that cover all three principles of the triad:
1. It provides confidentiality by requiring
two-factor authentication (both a physical card and a PIN code)
before allowing access to data
2. The ATM and bank software enforce data integrity by ensuring
that any transfers or withdrawals made via the machine are
reflected in the accounting for the user's bank account
3. The machine provides availability because it's in a public place
and is accessible even when the bank branch is closed

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

QUESTION

Prevention of access to the database by unauthorized users

is referred to as :

1. Integrity
2. Productivity
3. Security
4. Reliability

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

QUESTION

Data integrity means :

1. providing first access to stored data

2. ensuring correctness and consistency of data
3. providing data sharing
4. none of the above

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security Issues

Types of Security
– Legal and ethical issues
– Policy issues
– System-related issues (firewalls)
– The need to identify multiple security levels

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security Issues

• Threats to databases
– Loss of integrity
– Loss of availability
– Loss of confidentiality

• To protect databases against these types of threats following kinds of

counter measures can be implemented:
– Access control
– Inference control
– Flow control
– Encryption
– RAID Technology

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security Issues

• The security mechanism of a DBMS must include provisions for
restricting access to the database as a whole
– This function is called access control and is handled by creating user
accounts and passwords to control login process by the DBMS.

• The security problem associated with databases is that of controlling the

access to a statistical database, which is used to provide statistical
information or summaries of values based on various criteria.
– The countermeasures to statistical database security problem is
called inference control measures.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security Issues

• Another security is that of flow control, which prevents information from
flowing in such a way that it not reaches to unauthorized users.
• Channels that are pathways for information to flow implicitly in ways that
violate the security policy of an organization are called covert channels.
• A final security issue is data encryption, which is used to protect sensitive
data (such as credit card numbers) that is being transmitted via some type
communication network.
• The data is encoded using some encoding algorithm.
– An unauthorized user who access encoded data will have difficulty
deciphering it, but authorized users are given decoding or decrypting
algorithms (or keys) to decipher data.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

RAID
Redundant Array of Independent Disks
The hardware that the DBMS is running on must be fault-tolerant, meaning
that the DBMS should continue to operate even if one of the hardware
components fails.

One solution is the use of RAID technology.

RAID works on having a large disk array comprising an arrangement of

several independent disks that are organized to improve reliability and at the
same time increase performance.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security and DBA

• The database administrator (DBA) is the central authority for managing
a database system.
– The DBA’s responsibilities include
• granting privileges to users who need to use the system
• classifying users and data in accordance with the policy of the
organization
• The DBA is responsible for the overall security of the database system.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security and DBA

• The DBA has a DBA account in the DBMS
– Sometimes these are called a system or superuser account
– These accounts provide powerful capabilities such as:
• 1. Account creation
• 2. Privilege granting
• 3. Privilege revocation
• 4. Security level assignment
– Action 1 is access control, whereas 2 and 3 are discretionary and 4 is
used to control mandatory authorization

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security and DBA

• Whenever a person or group of persons need to access a database
system, the individual or group must first apply for a user account.
– The DBA will then create a new account id and password for the
user if he/she deems there is a legitimate need to access the database
• The user must log in to the DBMS by entering account id and password
whenever database access is needed.
• The database system must also keep track of all operations on the
database that are applied by a certain user throughout each login session.

University Institute of Engineering (UIE) Slide 23- 27

 Department of Computer Science and Engineering (CSE)

Levels of Data Security

• Human level: Corrupt/careless User
• Network/User Interface
• Database application program
• Database system
• Operating System
• Physical level

28
University
DatabaseInstitute of Engineering
and Application (UIE)
Security, Nov
 Department of Computer Science and Engineering (CSE)

Physical/OS Security
• Physical level
– Traditional lock-and-key security
– Protection from floods, fire, etc.
• E.g. WTC (9/11), fires in IITM, WWW conf website, etc.
– Protection from administrator error
• E.g. delete critical files
– Solution
• Remote backup for disaster recovery
• Plus archival backup (e.g. DVDs/tapes)
• Operating system level
– Protection from virus/worm attacks critical

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Encryption
• E.g. What if a laptop/disk/USB key with critical data is lost?
• Partial solution: encrypt the database at storage level, transparent to
application
– Main issue: key management
• E.g. user provides decryption key (password) when database is
started up
– Supported by many database systems
• Standard practice now to encrypt credit card information, and other
sensitive information

University Institute of Engineering (UIE)

 Database/Application Program
• Authentication and authorization
mechanisms to allow specific
users access only to required data
• Authentication:
– who are you? Prove it!
• Authorization:
– what you are allowed to do

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

•
Network Security
Network level: must use encryption to prevent
– Eavesdropping: unauthorized reading of messages
– Masquerading:
• pretending to be an authorized user or legitimate site, or
• sending messages supposedly from authorized users
– Handled by secure http - https://

• Must prevent person-in-the-middle attacks

– E.g. someone impersonates seller or bank/credit card company and
fools buyer into revealing information

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Human level /User Authentication

• Password
– Most users abuse passwords. For e.g.
• Easy to guess password
• Share passwords with others
• Smartcards
– Need smartcard Bill Gates

– + a PIN or password

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security Issues

• A DBMS typically includes a database security and authorization
subsystem that is responsible for ensuring the security portions of a
database against unauthorized access.

• Two types of database security mechanisms:

– Discretionary security mechanisms
– Mandatory security mechanisms

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Discretionary Access Control

• The typical method of enforcing discretionary access control in a
database system is based on the granting and revoking privileges.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Authorization
Forms of authorization on (parts of) the database:
• Read authorization - allows reading, but not modification of data.
• Insert authorization - allows insertion of new data, but not
modification of existing data.
• Update authorization - allows modification, but not deletion of data.
• Delete authorization - allows deletion of data

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Security Specification in SQL

• The grant statement is used to confer authorization
grant <privilege list>
on <relation name or view name> to <user list>
• <user list> is:
– a user-id
– public, which allows all valid users the privilege granted
– A role
• Granting a privilege on a view does not imply granting any privileges
on the underlying relations.
• The grantor of the privilege must already hold the privilege on the
specified item (or be the database administrator).

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Privileges in SQL
• select: allows read access to relation,or the ability to query using the
view
– Example: grant users U1, U2, and U3 select authorization on the
branch relation:
grant select on branch to U1, U2, U3
• insert: the ability to insert tuples
• update: the ability to update using the SQL update statement
• delete: the ability to delete tuples.
• references: ability to declare foreign keys when creating relations.
• usage: In SQL-92; authorizes a user to use a specified domain
• all privileges: used as a short form for all the allowable privileges

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Revoking Authorization in SQL

• The revoke statement is used to revoke authorization.
revoke<privilege list>
on <relation name or view name> from <user list> [restrict|cascade]
• Example:
revoke select on branch from U1, U2, U3 cascade
• Revocation of a privilege from a user may cause other users also to lose
that privilege; referred to as cascading of the revoke.
• We can prevent cascading by specifying restrict:
revoke select on branch from U1, U2, U3 restrict
With restrict, the revoke command fails if cascading revokes are
required.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Mandatory Access Control for

Multilevel Security
• The discretionary access control techniques of granting and revoking
privileges on relations has traditionally been the main security
mechanism for relational database systems.
• This is an all-or-nothing method:
– A user either has or does not have a certain privilege.
• In many applications, and additional security policy is needed that
classifies data and users based on security classes.
– This approach as mandatory access control, would typically be
combined with the discretionary access control mechanisms.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Mandatory Access Control for

Multilevel Security
• Typical security classes are top secret (TS), secret (S), confidential (C),
and unclassified (U), where TS is the highest level and U the lowest: TS
≥S≥C≥U

• The commonly used model for multilevel security, known as the Bell-
LaPadula model, classifies each subject (user, account, program) and
object (relation, tuple, column, view, operation) into one of the security
classifications, T, S, C, or U:
– Clearance (classification) of a subject S as class(S) and to the
classification of an object O as class(O).

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

When we update any tuple in the relation which

Authorization on a relation allows a user to?
A. select authorization
B. update authorization
C. grant authorization
D. define authorization
E. All of these
F. None of these

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

which statement is used to revoke an authorization,

A. Revoke
B. Modify
C. Alter
D. Define
E. All of these
F. None of these

University Institute of Engineering (UIE)

44 Department of Computer Science and Engineering (CSE)

HOME WORK

1. What is used for database security ?

a. data encryption
b. view
c. finger print
d. all of the above

2. Data integrity means :

e. providing first access to stored data
f. ensuring correctness and consistency of data
g. providing data sharing
h. none of the above

Answers:1.d, 2.b

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

FAQ
• What do you understand by database security?
• What are threats in DBMS?
• What is RAID?
• What is revoke authentication in SQL?
• Explain privilege in SQL.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

References
Other References
• Database Security (w3schools.in)
• Database Security (DS) Pdf Notes - Free Download 2020 | SW (sma
rtzworld.com)
• https://docs.oracle.com/
• Database Security (oracle.com)
• https://www.datasunrise.com/blog/potential-db-threats/database-
security-threats-and-countermeasures/

Suggested Book References

• Ramez Elmasri and Shamkant B. Navathe,“Fundamentals of
Database System”, The Benjamin / Cummings Publishing Co.
• Korth and Silberschatz Abraham, “Database SystemConcepts”,
McGraw Hall.
• Pratt,”DBMS”, Cengage Learning.
University Institute of Engineering (UIE)
 Department of Computer Science and Engineering (CSE)

Database
Management
System

Course Outcome Will be covered in

CO Title Level this lecture
Numbe
r
CO1 To perceive the significance and Remember
implementation of a commercial
relational database system (Oracle)
by writing SQL using the system.
CO2 To understand the relational database Understand
theory, and be able to write
relational algebra expressions for
queries

CO3 To identify the basic issues of Analysis and

transaction processing and application
concurrency control and find out its
solutions.
47
University Institute of Engineering (UIE)
 Department
Department of Computer
of Computer Scienceand
Science andEngineering
Engineering (CSE)
(CSE)

Contents of the Syllabus

UNIT-I [10h]
Overview of Databases: Database concepts, DBMS, Data Base System Architecture (Three
Level ANSI-SPARC Architecture), Advantages and Disadvantages of DBMS, Data Independence,
DBA and Responsibilities of DBA, Relational Data Structure, Keys, Relations, Attributes, Schema and
Instances, Referential integrity, Entity integrity.
Data Models: Relational Model, Network Model, Hierarchical Model, ER Model: Design,
issues, Mapping constraints, ER diagram, Comparison of Models.

Relational Algebra & Relational Calculus: Introduction, Syntax, Semantics, Additional

operators, Grouping and Ungrouping, Relational comparisons, Tuple Calculus, Domain Calculus,
Calculus Vs Algebra, Computational capabilities.

UNIT-II [10h]
Functional dependencies and Normalization: Functional dependencies, Decomposition, Full
Functional Dependency (FFD), Transitive Dependency (TD), Join Dependency (JD), Multi-valued
Dependency (MVD), Normal Forms (1NF, 2NF, 3NF, BCNF), De-normalization.
Database Security: Introduction, Threats, Counter Measures.
Control Structures: Introduction to conditional control, Iterative control and sequential control
statements, Cursors, Views.

48
University Institute of Engineering (UIE)
 Department
Department of Computer
of Computer Scienceand
Science andEngineering
Engineering (CSE)
(CSE)

Contents of the Syllabus

UNIT-III [10h]
Package, Procedures and Triggers: Parts of procedures, Parameter modes, Advantages of
procedures, Syntax for creating triggers, Types of triggers, package specification and package body,
developing a package, Bodiless package, Advantages of packages.
Transaction Management and Concurrency Control: Introduction to Transaction Processing,
Properties of Transactions, Serializability and Recoverability, Need for Concurrency Control, Locking
Techniques, Time Stamping Methods, Optimistic Techniques and Granularity of Data items.

Database Recovery of database: Introduction, Need for Recovery, Types of errors, Recovery
Techniques.

49
University Institute of Engineering (UIE)
 Department of Computer Science and Engineering (CSE)

Chapter 2.2

(Database Security)
Database Security: Introduction, Threats, Counter Measures.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Learning objective
• Database Security
• Threats
• Counter Measures.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Learning Outcomes
• Understanding the concept of database security and its
issues.
• Discuss threats
• Discuss various level of security
• Understanding various Counter measures

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security
• Database Security - protection from malicious attempts to steal (view)
or modify data.

University
DatabaseInstitute of Engineering
and Application (UIE)
Security, Nov
 Department of Computer Science and Engineering (CSE)

Database Security Issues

Types of Security
– Legal and ethical issues
– Policy issues
– System-related issues
– The need to identify multiple security levels

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Threats
Threat is any intentional or accidental event that may adversely affect the
system.
Examples of threats:
- Using another person’s log-in name to access data
- Unauthorized copying data
- Program/Data alteration
- Illegal entry by hacker
- Viruses
- Etc.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security Issues

• Threats to databases
– Loss of integrity
– Loss of availability
– Loss of confidentiality

• To protect databases against these types of threats four kinds of

countermeasures can be implemented:
– Access control
– Inference control
– Flow control
– Encryption
– RAID Technology

University Institute of Engineering (UIE) Slide 23- 56

 Department of Computer Science and Engineering (CSE)

Database Security Issues

• The security mechanism of a DBMS must include provisions for
restricting access to the database as a whole
– This function is called access control and is handled by creating user
accounts and passwords to control login process by the DBMS.

• The security problem associated with databases is that of controlling the

access to a statistical database, which is used to provide statistical
information or summaries of values based on various criteria.
– The countermeasures to statistical database security problem is
called inference control measures.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security Issues

• Another security is that of flow control, which prevents information
from flowing in such a way that it reaches unauthorized users.
• Channels that are pathways for information to flow implicitly in ways
that violate the security policy of an organization are called covert
channels.
• A final security issue is data encryption, which is used to protect
sensitive data (such as credit card numbers) that is being transmitted via
some type communication network.
• The data is encoded using some encoding algorithm.
– An unauthorized user who access encoded data will have difficulty
deciphering it, but authorized users are given decoding or decrypting
algorithms (or keys) to decipher data.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

RAID
Redundant Array of Independent Disks
The hardware that the DBMS is running on must be fault-tolerant, meaning
that the DBMS should continue to operate even if one of the hardware
components fails.

One solution is the use of RAID technology.

RAID works on having a large disk array comprising an arrangement of

several independent disks that are organized to improve reliability and at the
same time increase performance.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security and DBA

• The database administrator (DBA) is the central authority for managing
a database system.
– The DBA’s responsibilities include
• granting privileges to users who need to use the system
• classifying users and data in accordance with the policy of the
organization
• The DBA is responsible for the overall security of the database system.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security and DBA

• The DBA has a DBA account in the DBMS
– Sometimes these are called a system or superuser account
– These accounts provide powerful capabilities such as:
• 1. Account creation
• 2. Privilege granting
• 3. Privilege revocation
• 4. Security level assignment
– Action 1 is access control, whereas 2 and 3 are discretionarym and 4
is used to control mandatory authorization

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security and DBA

• Whenever a person or group of person s need to access a database
system, the individual or group must first apply for a user account.
– The DBA will then create a new account id and password for the
user if he/she deems there is a legitimate need to access the database
• The user must log in to the DBMS by entering account id and password
whenever database access is needed.

University Institute of Engineering (UIE) Slide 23- 62

 Department of Computer Science and Engineering (CSE)

Levels of Data Security

• Human level: Corrupt/careless User
• Network/User Interface
• Database application program
• Database system
• Operating System
• Physical level

63
University
DatabaseInstitute of Engineering
and Application (UIE)
Security, Nov
 Department of Computer Science and Engineering (CSE)

Physical/OS Security
• Physical level
– Traditional lock-and-key security
– Protection from floods, fire, etc.
• E.g. WTC (9/11), fires in IITM, WWW conf website, etc.
– Protection from administrator error
• E.g. delete critical files
– Solution
• Remote backup for disaster recovery
• Plus archival backup (e.g. DVDs/tapes)
• Operating system level
– Protection from virus/worm attacks critical

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Encryption
• E.g. What if a laptop/disk/USB key with critical data is lost?
• Partial solution: encrypt the database at storage level, transparent to
application
– Main issue: key management
• E.g. user provides decryption key (password) when database is
started up
– Supported by many database systems
• Standard practice now to encrypt credit card information, and other
sensitive information

University Institute of Engineering (UIE)

 Database/Application Program
• Authentication and authorization
mechanisms to allow specific
users access only to required data
• Authentication:
– who are you? Prove it!
• Authorization:
– what you are allowed to do

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

•
Network Security
Network level: must use encryption to prevent
– Eavesdropping: unauthorized reading of messages
– Masquerading:
• pretending to be an authorized user or legitimate site, or
• sending messages supposedly from authorized users
– Handled by secure http - https://

• Must prevent person-in-the-middle attacks

– E.g. someone impersonates seller or bank/credit card company and
fools buyer into revealing information

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Human level /User Authentication

• Password
– Most users abuse passwords. For e.g.
• Easy to guess password
• Share passwords with others
• Smartcards
– Need smartcard Bill Gates

– + a PIN or password

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Database Security Issues

• A DBMS typically includes a database security and authorization
subsystem that is responsible for ensuring the security portions of a
database against unauthorized access.

• Two types of database security mechanisms:

– Discretionary security mechanisms
– Mandatory security mechanisms

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Discretionary Access Control

• The typical method of enforcing discretionary access control in a
database system is based on the granting and revoking privileges.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Authorization
Forms of authorization on (parts of) the database:
• Read authorization - allows reading, but not modification of data.
• Insert authorization - allows insertion of new data, but not
modification of existing data.
• Update authorization - allows modification, but not deletion of data.
• Delete authorization - allows deletion of data

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Security Specification in SQL

• The grant statement is used to confer authorization
grant <privilege list>
on <relation name or view name> to <user list>
• <user list> is:
– a user-id
– public, which allows all valid users the privilege granted
– A role (more on this later)
• Granting a privilege on a view does not imply granting any privileges
on the underlying relations.
• The grantor of the privilege must already hold the privilege on the
specified item (or be the database administrator).

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Privileges in SQL
• select: allows read access to relation,or the ability to query using the
view
– Example: grant users U1, U2, and U3 select authorization on the
branch relation:
grant select on branch to U1, U2, U3
• insert: the ability to insert tuples
• update: the ability to update using the SQL update statement
• delete: the ability to delete tuples.
• references: ability to declare foreign keys when creating relations.
• usage: In SQL-92; authorizes a user to use a specified domain
• all privileges: used as a short form for all the allowable privileges

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Revoking Authorization in SQL

• The revoke statement is used to revoke authorization.
revoke<privilege list>
on <relation name or view name> from <user list> [restrict|cascade]
• Example:
revoke select on branch from U1, U2, U3 cascade
• Revocation of a privilege from a user may cause other users also to lose
that privilege; referred to as cascading of the revoke.
• We can prevent cascading by specifying restrict:
revoke select on branch from U1, U2, U3 restrict
With restrict, the revoke command fails if cascading revokes are
required.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Mandatory Access Control for

Multilevel Security
• The discretionary access control techniques of granting and revoking
privileges on relations has traditionally been the main security
mechanism for relational database systems.
• This is an all-or-nothing method:
– A user either has or does not have a certain privilege.
• In many applications, and additional security policy is needed that
classifies data and users based on security classes.
– This approach as mandatory access control, would typically be
combined with the discretionary access control mechanisms.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

Mandatory Access Control for

Multilevel Security
• Typical security classes are top secret (TS), secret (S), confidential (C),
and unclassified (U), where TS is the highest level and U the lowest: TS
≥S≥C≥U

• The commonly used model for multilevel security, known as the Bell-
LaPadula model, classifies each subject (user, account, program) and
object (relation, tuple, column, view, operation) into one of the security
classifications, T, S, C, or U:
– Clearance (classification) of a subject S as class(S) and to the
classification of an object O as class(O).

University Institute of Engineering (UIE)

77 Department of Computer Science and Engineering (CSE)

HOME WORK

1. What is used for database security ?

a. data encryption
b. view
c. finger print
d. all of the above

2. Data integrity means :

e. providing first access to stored data
f. ensuring correctness and consistency of data
g. providing data sharing
h. none of the above

Answers:1.d, 2.b

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

FAQ
• What do you understand by database security?
• What are threats in DBMS?
• What is RAID?
• What is revoke authentication in SQL?
• Explain privilege in SQL.

University Institute of Engineering (UIE)

 Department of Computer Science and Engineering (CSE)

References
Other References
• Database Security (w3schools.in)
• Database Security (DS) Pdf Notes - Free Download 2020 | S
W (smartzworld.com)
• https://docs.oracle.com/
• Database Security (oracle.com)

Suggested Book References

• Ramez Elmasri and Shamkant B. Navathe,“Fundamentals of
Database System”, The Benjamin / Cummings Publishing Co.
• Korth and Silberschatz Abraham, “Database
SystemConcepts”, McGraw Hall.
• Pratt,”DBMS”, Cengage Learning.
University Institute of Engineering (UIE)