Database Security and Auditing PDF

Summary

This document provides an overview of database security and auditing, including information systems. It details the important components and concepts related to securing data and information systems, making wise decisions. This presentation also covers security methodologies.

Full Transcript

Database Security and
Auditing

Chapter 1
Security Architecture
 Objectives

Define security
Describe an information system and its
components
Define database management system
functionalities
Outline the concept of information security

Database Security and Auditing 2
 Objectives (continued)

Identify the major components of information
security architecture
Define database security
List types of information assets and their values
Describe security methods

Database Security and Auditing 3
 Security

Database security: the degree to which data is
fully protected from tampering or unauthorized
acts
Includes information system and information
security concepts

Database Security and Auditing 4
 Information Systems

Wise decisions require:
– Accurate and timely information
– Information integrity
Information system: included of components
working together to produce and generate
accurate information
Categorized based on usage

Database Security and Auditing 5
 Information Systems (continued)

Database Security and Auditing 6
 Information Systems (continued)

Database Security and Auditing 7
 Information Systems (continued)

Database Security and Auditing 8
 Information Systems (continued)

Information system components include:
– Data
– Procedures
– Hardware
– Software
– Network
– People

Database Security and Auditing 9
 Information Systems (continued)

Database Security and Auditing 10
 Database Management

Essential to the success of information system
DBMS functionalities:
– Organize data
– Store and retrieve data efficiently
– Manipulate data (update and delete)
– Enforce referential integrity and consistency
– Enforce and implement data security policies
and procedures
– Back up, recover, and restore data
Database Security and Auditing 11
 Database Management (continued)

DBMS components include:
– Data
– Hardware
– Software
– Networks
– Procedures
– Database servers

Database Security and Auditing 12
 Database Management (continued)

Database Security and Auditing 13
 Information Security

Information is one of an organization’s most
valuable assets
Information security: consists of procedures and
measures taken to protect information systems
components
C.I.A. triangle: confidentiality, integrity,
availability
Security policies must be balanced according to
the C.I.A. triangle
Database Security and Auditing 14
 Information Security (continued)

Database Security and Auditing 15
 Confidentiality

Addresses two aspects of security:
– Prevention of unauthorized access
– Information disclosure based on classification
Classify company information into levels:
– Each level has its own security measures
– Usually based on the degree of confidentiality
necessary to protect information

Database Security and Auditing 16
 Confidentiality (continued)

Database Security and Auditing 17
 Integrity

Consistent and valid data, processed correctly,
yields accurate information
Information has integrity if:
– It is accurate
– It has not been tampered with
Read consistency: each user sees only his
changes and those committed by other users

Database Security and Auditing 18
 Integrity (continued)

Database Security and Auditing 19
 Integrity (continued)

Database Security and Auditing 20
 Availability

Systems must be always available to
authorized users
Systems determine what a user can do with the
information

Database Security and Auditing 21
 Availability (continued)

Reasons for a system to become unavailable:
– External attacks and lack of system protection
– System failure with no disaster recovery strategy
– Overly stringent and obscure security policies
– Bad implementation of authentication processes

Database Security and Auditing 22
 Information Security Architecture

Protects data and information produced from
the data
Is the overall design of a company’s
implementation of C.I.A. triangle

Database Security and Auditing 23
 Information Security Architecture
(continued)

Components include:
– Policies and procedures
– Security staff and administrators
– Detection equipment
– Security programs
– Monitoring equipment
– Monitoring applications
– Auditing procedures and tools

Database Security and Auditing 24
 Database Security

Enforce security at all database levels
Security access point: the place where
database security must be protected and
applied.
Data requires the highest level of protection;
data access points must be small.

Database Security and Auditing 25
 Database Security (continued)

Database Security and Auditing 26
 Database Security (continued)

Reducing access point size reduces security
risks
Security gaps: points at which security is
missing
Vulnerabilities: kinks in the system that can
become threats
Threat: security risk that can become a system
breach

Database Security and Auditing 27
 Database Security (continued)

Database Security and Auditing 28
 Database Security (continued)

Database Security and Auditing 29
 Database Security Levels

Relational database: a collection of related
data files
Data file: a collection of related tables
Table: a collection of related rows (records)
Row: a collection of related columns (fields)

Database Security and Auditing 30
 Database Security Levels (continued)

Database Security and Auditing 31
 Menaces (Threats ) to Databases
Security vulnerability: a weakness in any information system component

Database Security and Auditing 32
 Menaces to Databases (continued)

Security threat: a security violation or attack
that can happen at any time because of a
security vulnerability

Database Security and Auditing 33
 Menaces to Databases (continued)

Database Security and Auditing 34
 Menaces to Databases (continued)

Security risk: a known security gap intentionally
left open

Database Security and Auditing 35
 Menaces to Databases (continued)

Database Security and Auditing 36
 Menaces to Databases (continued)

Database Security and Auditing 37
 Asset Types and Their Value

Security measures are based on the value of
each asset
Types of assets include:
– Physical
– Logical
– Intangible
– Human

Database Security and Auditing 38
 Security Methods

Database Security and Auditing 39
 Security Methods (continued)

Database Security and Auditing 40
 Database Security Methodology

Database Security and Auditing 41
 Summary

Security: level and degree of being free from
danger and threats
Database security: degree to which data is fully
protected from unauthorized tampering
Information systems: backbone of day-to-day
company operations

Database Security and Auditing 42
 Summary (continued)

DBMS: programs to manage a database
C.I.A triangle:
– Confidentiality
– Integrity
– Availability
Secure access points
Security vulnerabilities, threats and risks

Database Security and Auditing 43
 Summary (continued)

Information security architecture
– Model for protecting logical and physical assets
– Company’s implementation of a C.I.A. triangle
Enforce security at all levels of the database

Database Security and Auditing 44