Database securityDatabase security concerns the use of a broad range of information security controls to protect databases (potentially including the data, the database applications or stored functions, the database systems, the database servers and the associated network links) against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural/administrative and physical. Database security is a specialist within realms of computer security, information security and management, also incorporates a wide array of security topics, notwithstanding, physical security, network security, encryption and authentication. Database security is built upon a framework encompassing three constructs: confidentiality, integrity and availability. Confidentiality or secrecy refers to the protection of data against unauthorized disclosure. Integrity refers to the prevention of unauthorized and improper data modification, and availability refers to the prevention and recovery from hardware and software errors as well as from malicious data access resulting in the denial of data availability.Mapping to these three constructs, a database security component in any course needs to cover access control, application access, vulnerability, inference, and auditing mechanismsSecurity risks to database systems include, for example:

Unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers, or by unauthorized users or hackers (e.g. inappropriate access to sensitive data, metadata or functions within databases, or inappropriate changes to the database programs, structures or security configurations);

Malware infections causing incidents such as unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems and the unanticipated failure of database services;

Overloads, performance constraints and capacity issues resulting in the inability of authorized users to use databases as intended;

Physical damage to database servers caused by computer room fires or floods, overheating, lightning, accidental liquid spills, static discharge, electronic breakdowns/equipment failures and obsolescence;

Design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities (e.g. unauthorized privilege escalation), data loss/corruption, performance degradation etc.;

Data corruption and/or loss caused by the entry of invalid data or commands, mistakes in database or system administration processes, sabotage/criminal damage etc.To protect the database,several levels of security measures must be taken;

Physical-Sites containing the computer systems must be physically secured against intruders or unauthorized users.

Human-Users must be authorized to reduce access by intruders. Operating system-weak DB system may serve as means of unauthorized access

to the database. Network-all database aallow remote access through terminals or networks and

security within the network is important. Database system-some data base system users may be authorized to access

only a limited portion of the database.these resitrictions are important in database security.

Many layers and types of information security control are appropriate to databases, including:

Access control

Auditing Authentication Encryption Integrity controls Backups Application security

Vulnerability Assessments and Compliance Evaluating database security involves performing vulnerability assessments or penetration tests against the database. Testers attempt to find security vulnerabilities that could be used to defeat or bypass security controls, break into the database, compromise the system etc. Database administrators or information security administrators may use automated vulnerability scans to search out misconfiguration of controls within the layers mentioned above along with known vulnerabilities within the database software. The results of such scans are used to harden the database (improve the security controls) and close off the specific vulnerabilities identified. A program of continual monitoring for compliance with database security standards is another important task for mission critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. The primary objectives of database security are to prevent unauthorized access to data, prevent unauthorized tampering or modification of data, and to insure that data remains available when needed. Application Access AssessmentMost users do not access a database by directly logging into the database system. Instead theyaccess the database through an application program.The primary method used to protect data is limiting access to the data. This can be done throughauthentication, authorization, and access control. These three mechanisms are distinctly differentbut usually used in combination with a focus on access control for granularity in assigning rightsto specific objects and users. For instance, most database systems use some form of authentication, such as username and password, to restrict access to the system. Further, most users are authorized or assigned defined privileges to specific resources. Access control further refines the process by assigning rights and privileges to specific data objects and data sets. Within a database, these objects usually include tables, views, rows, and columnsAccess control – Grant/revoke Access control limits actions on objects to specific users. In database security, objects pertain to data objects such as tables and columns as well as SQL objects such as views and stored procedures. Data actions include read (select), insert, update, and delete or execute for stored procedures. For instance a faculty member, Dr. Smith, maybe given read privileges to the Student table.Generally, access control is defined in three ways: Mandatory Access Control (MAC), DiscretionaryAccess Control (DAC), and Role Based Access Control (RBAC). MAC and DAC provideprivileges to specified users or groups to which users are assigned. MAC rules are system appliedand considered static and more secureDatabase Vulnerability

Security breaches are an increasing phenomenon. As more and more databases are made accessible via the Internet and web-based applications, their exposure to security threats will rise. The objective is to reduce susceptibility to these threats. The most publicized database application vulnerability has been the SQL injection. SQL injections provide excellent examples for discussing security as they embody one of the most important database security issues, risks inherent to non-validated user input. The threat occurs when users enter malicious code that ‘tricks’ the database into executing unintended commands. The vulnerability occurs because of the features of the SQL language that allow such things as embedding comments using double hyphens.AbstractionApplication level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A Single sign-on system should store the database user's credentials (login id and password), and authenticate to the database on behalf of the user.AuditingDatabase auditing is used to track database access and user activity. Auditing can be used to identify who accessed database objects, what actions were performed, and what data was changed.Database auditing does not prevent security breaches, but it does provide a way to identify ifbreaches have occurred. Common categories of database auditing include monitoring databaseaccess attempts, Data Control Language (DCL) activities, Data Definition Language (DDL) activities, and Data Manipulation Language (DML) activities. Monitoring access attemptsincludes retaining information on successful and unsuccessful logon and logoff attempts. Process and ProceduresA database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage such as sufficient encryption and access controls to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system.In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment eg.replication for the primary databases to sites located in different geographical regions.After an incident occurs, the usage of database forensics should be employed to determine the scope of the breach, and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.Secure Database Security ProductsDatabase activity monitoring (DAM) Security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents. Use of agents or native logging is required to capture activities executed on the database server, which include the activities of the database administrator. Agents

allow this information to be captured in a fashion that cannot be disabled by the database administrator, who has the ability to disable or modify native audit logs.Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive Database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior. Some systems are designed to support separation of duties (SOD), which is a typical requirement of auditors. SOD requires that the database administrators, who are typically monitored as part of the DAM, not be able to disable or alter the DAM functionality. This requires the DAM audit trail to be securely stored in a separate system not administered by the database administration group.Database Firewall (DBF)Provides real-time database protection against internal and external threats by alerting or blocking attacks and abnormal access requests. Secure Sphere provides ‘virtual patching’ for database software vulnerabilities reducing the window of exposure and impact of long patch cycles. DBF includes the auditing and analytics capabilities offered by DAM. User Rights Management for Databases (URMD)Enables automatic aggregation and review of user access rights. Secure Sphere helps identify excessive rights and dormant users based on organizational context and actual data usage. Using URMD organizations can demonstrate compliance with regulations such as SOX, PCI 7, and PCI 8.5 and reduce the risk of data breach. Discovery and Assessment Server (DAS)Provides vulnerability assessment and configuration audits allowing users to measure compliance with industry standards and best practices. Data discovery and classification enable organizations to accurately scope security and compliance projects. With a combined analysis of sensitive data and vulnerabilities, Secure Sphere helps prioritize and better manage risk mitigation efforts. Secure Sphere Database AgentsSecure Sphere database security solutions utilize host-based agents to monitor and audit database activity, and eliminate monitoring blind spots. Agents can be configured for monitoring local privileged activity exclusively, or for monitoring all database activity. Combined with network activity monitoring, the agents enable an optimized deployment with minimal overhead. Database Security Problems and How to Avoid ThemA database security manager is the most important asset to maintaining and securing sensitive data within an organization. Database security managers are required to multitask and juggle a variety of headaches that accompany the maintenance of a secure database.It is important to understand some of the database security problems that occur within an organization and how to avoid them. If you understand the how, where, and why of database security you can prevent future problems from occurring.Database Security Issues

Daily Maintenance: Database audit logs require daily review to make certain that there has been no data misuse. This requires overseeing database privileges and then consistently updating user access accounts. A database security manager also provides different types of access control for different users and assesses new programs that are performing with the database. If these tasks are performed on a daily basis, you can avoid a lot of problems with users that may pose a threat to the security of the database.

Varied Security Methods for Applications:Applications developers will vary the methods of security for different applications that are being utilized within the database. This can create difficulty with creating policies for accessing the applications. The database must also possess the proper access controls for regulating the varying methods of security otherwise sensitive data is at risk.

Post-Upgrade Evaluation: When a database is upgraded it is necessary for the administrator to perform a post-upgrade evaluation to ensure that security is consistent across all programs. Failure to perform this operation opens up the database to attack.

Split the Position: Sometimes organizations fail to split the duties between the IT administrator and the database security manager. Instead the company tries to cut costs by having the IT administrator do everything. This action can significantly compromise the security of the data due to the responsibilities involved with both positions. The IT administrator should manage the database while the security manager performs all of the daily security processes.

Application Spoofing: Hackers are capable of creating applications that resemble the existing applications connected to the database. These unauthorized applications are often difficult to identify and allow hackers access to the database via the application in disguise.

Manage User Passwords: Sometimes IT database security managers will forget to remove IDs and access privileges of former users which leads to password vulnerabilities in the database. Password rules and maintenance needs to be strictly enforced to avoid opening up the database to unauthorized users.

Windows OS Flaws: Windows operating systems are not effective when it comes to database security. Often theft of passwords is prevalent as well as denial of service issues. database security manager can take precautions through routine daily maintenance The checks.

These are just a few of the database security problems that exist within organizations. The best way to avoid a lot of these problems is to employ qualified personnel and separate the security responsibilities from the daily database maintenance responsibilities.Why Data Security is of ImportanceData security is critical for most businesses and even home computer users. Client information, payment information, personal files, bank account details - all of this information can be hard to replace and potentially dangerous if it falls into the wrong hands. Data lost due to disasters such as a flood or fire is crushing, but losing it to hackers or a malware infection can have much greater consequences.Risk AssessmentThorough data security begins with an overall strategy and risk assessment. This will enable you to identify the risks you are faced with and what could happen if valuable data is lost through theft, malware infection or a system crash. Other potential threats you want to identify include the following:· Physical threats such as a fire, power outage, theft or malicious damage· Human error such as the mistaken processing of information, unintended disposal of data or input errors. Exploits from corporate espionage and other malicious activityYou can then identify areas of vulnerability and develop strategies for securing your data and information systems. Here are several aspects that need to be considered:· Just who has access to what data?· Who uses the internet, email systems and how they access it· Who will be allowed access and who will be restricted· Whether or not to use passwords and how they will be maintained· What type of firewalls and anti-malware solutions to put in place

· Properly training the staff and enforcing data security.After the above analysis, you can then prioritize specific data along with your more critical systems and determine those that require additional security measures. It is also a good idea to layout a BCP (Business Continuity Plan) so that your staff is still able to work effectively if the systems happen to fail. Company risks and security implementations should be reviewed frequently to support changes such as the growth of your business and other circumstances.Securing DataOnce you draw up a plan and assess your risks, it is time to put your data security system into action. the best security against misuse or theft involves a combination of technical measures, physical security and a well educated staff. You should implement clearly defined polices into your infrastructure and effectively present them to the staff. Here are things that you may do:· Protect your office or data center with alarms and monitoring systems· Keep computers and associated components out of public view· Enforce restrictions on internet access· Ensure that your anti-malware solution is up to date· Ensure that your operating system is up to date· Fight off hacking attacks with intrusion detection technology· Utilize a protected power supply and backup energy sourcesMobile Data SecurityHand-held devices and laptop computers have become popular in the business environment. However, mobile computers are at a much greater risk of data loss through damage and theft. For this reason, different safeguards need to implement in addition to the security measures listed above.· Regularly backup data on removable media and safely store multiple copies· Activate password protection whenever the device is left alone· Never leave the device alone and visible in a vehicle· Protect the device from physical damage by transporting it in protective casing.By backing up your files--personal documents, financial records, and digital pictures--you can ensure that you will never lose your precious and irreplaceable information.There are many ways one can back up a computer: special equipment or online programs, which are becoming increasingly popular, can help you to create a sort of 'insurance policy' for the protection of all of your computer-based day Reference;Database system concepts;Third edition;Abraham silberschatz henry f.korth’s.sudarshan;mcgraw-hill ;china machine press.Baker,W. H., Hutton, A., Hylender, C. D., Novak, C., Porter, C., Sartin, B., Tippett, P., & Valentine, J. A(2009).The 2009 data breach investigations report. Verizon Business. Retrieved,from http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdfBertino, E., Byun, J., & Kamra, A. (2007). Database security. In M. Petkovic & W. Jonker (Eds.), security,privacy, and trust in modern data management (Data-centric systems and applications) (pp. 87-102).New York: Springer-Verlag.Bertino, E., & Sandhu, R. (2005). Database security—concepts, approaches, and challenges. IEEE Transactionson Dependable and Secure Computing, 2(1), 2-18.Journal of Information Technology Education: Volume 9, 2010Innovations in PracticeEditor: Anthony ScimeMeg Coffin MurrayKennesaw State University, Kennesaw, GA, USA