SECURITY

    Cards (24)

    • Database security
      Protection of sensitive information, maintaining availability
    • If database information is compromised, it can have severe consequences including financial loss, reputational damage, and legal issues
    • It is not enough to just capture data in a database, it is also important to store it in a way that is conducive to security
    • Database security overview

      • Availability
      • Authenticity
      • Integrity
      • Confidentiality
    • Availability
Data must be available whenever authorised users need it, together with the ability to track who accessed it and when
    • Authenticity
Ensure data was changed only by an authorised source, confirm the identity of users accessing the system, and verify report requests and outbound data
    • Integrity
      Verify external data formatting and metadata, ensure input data accuracy and compliance with workflow rules, report on all data changes and authors
    • Confidentiality
      Ensure confidential data is only available to correct people, secure database from external and internal breaches, provide reporting on data access
    • Security models

      • Considerations: who can access the database (DB administrators vs individuals), what data they can access (varies across applications, departments, individuals)
      • Need authentication (confirming identity) and authorisation (being allowed access)
    • Authentication
The process of confirming that a user attempting to log in is who they claim to be; it establishes identity, and is separate from deciding what that identity is allowed to do (authorisation)
    • Authentication examples

      • "We know you are Bob because you have entered Bob's password"
• "We know you're REMOTE_PROCESS_X because you connect from IP address Z" (a weak factor on its own: addresses can be shared behind NAT or spoofed, so pair it with credentials)
      • "We know you're a PUBLIC user because you haven't entered any password"
      • "We know you're MobileAPP Y because you have used the correct credentials"
    • Authorisation
      A user is accorded the rights to perform activities they have been authorized to do
    • Authorisation examples

      • Bob can save files here
      • Jane can read files here but not write them
      • Adam can SELECT from this table
      • Sarah can SELECT and INSERT on any table in this database
      • WEBAPP X can SELECT from this table and INSERT into that table
    • Security = Authentication + Authorisation
    • Maintaining data integrity involves creating users and granting them permissions to control access and limit their ability to read, change, add or delete data
• Local host account

  A MySQL account is a user name plus the host it may connect from, written 'user'@'host'; 'user'@'localhost' only matches connections made on the same machine as the server. Creating such accounts is an extra feature available on a local install but not on the remote server
• Creating a new user

  CREATE USER 'user_name'@'localhost' IDENTIFIED BY 'password';
• Granting privileges

  GRANT privilege ON database.table_name TO 'user_name'@'localhost';

  (The older form with a trailing IDENTIFIED BY 'password' is deprecated in MySQL 5.7 and removed in 8.0; the password is set by CREATE USER or ALTER USER, and GRANT only assigns privileges)
    • Checking privileges

      1. SHOW GRANTS
      2. SHOW GRANTS FOR 'user'@'localhost'
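The cards above describe one procedure: create an account, grant it privileges, then check them. The script below walks through it end to end on MySQL 8.0 with least-privilege accounts. It is an added example, not taken from the original cards; the database `shop`, the tables `products` and `orders`, the account names, the subnet `10.0.1.%` and the passwords are all assumptions made for illustration.

```sql
-- Added example (not from the original cards): least-privilege accounts on MySQL 8.0.
-- Assumed for illustration: database 'shop', tables 'products' and 'orders',
-- the account names, the subnet and the passwords.
-- Run as an account holding CREATE USER and GRANT OPTION, e.g. root@localhost.

-- An account is 'name'@'host'. The host part limits where it may connect from:
-- 'localhost' means the local machine only.
CREATE USER 'report_reader'@'localhost' IDENTIFIED BY 'change-me-Str0ng!';

-- Read-only access to a single table. The password belongs to CREATE USER;
-- in MySQL 8.0 GRANT no longer accepts IDENTIFIED BY.
GRANT SELECT ON shop.products TO 'report_reader'@'localhost';

-- An application account that may connect only from the web tier subnet.
CREATE USER 'webapp'@'10.0.1.%' IDENTIFIED BY 'another-Str0ng-pw!';
GRANT SELECT         ON shop.products TO 'webapp'@'10.0.1.%';
GRANT SELECT, INSERT ON shop.orders   TO 'webapp'@'10.0.1.%';
-- Column-level grant: the app may update only the status column of orders.
GRANT UPDATE (status) ON shop.orders  TO 'webapp'@'10.0.1.%';

-- Check what each account actually holds. The first line of each result is
-- "GRANT USAGE ON *.*": the no-privileges placeholder that only lets the
-- account connect; the real rights follow on the next lines.
SHOW GRANTS FOR 'report_reader'@'localhost';
SHOW GRANTS FOR 'webapp'@'10.0.1.%';

-- Take a privilege away again when it is no longer needed.
REVOKE UPDATE (status) ON shop.orders FROM 'webapp'@'10.0.1.%';

-- GRANT/REVOKE take effect for new sessions immediately; FLUSH PRIVILEGES is
-- only needed after editing the grant tables directly.
DROP USER 'report_reader'@'localhost';
```

Each account gets exactly the tables and statements it needs and nothing on `*.*`; if the web application is compromised, the attacker inherits only what `'webapp'@'10.0.1.%'` holds, and only from the web tier's addresses.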
• The root@localhost account on my PC has ALL PRIVILEGES ON *.*, i.e. every privilege on every table of every database; applications should never connect as this account
• The EEECS web hosting account user typically shows only GRANT USAGE ON *.* at the global level; USAGE is MySQL's placeholder for "no privileges", so the account can connect but cannot create new databases or view other users' databases, and its real rights are granted separately on its own database
• App security

  The app connects to the database with one database account and runs every query as that account, so the database only ever sees the app, not the individual end users. Which end user may see or change what is therefore decided by the app, not by a GRANT for each person
• App-level security is crucial because the GRANT system works at the granularity of database accounts, databases, tables and columns, not of application end users or individual rows; restricting specific data to specific users is something only the app can do
• Specifying row-level access requires app-level enforcement, typically through parameterised queries whose WHERE clause restricts rows to the current end user (MySQL has no built-in row-level security, so a missing or bypassed condition exposes every row the app account can read)
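The last three cards describe row-level access enforced by the app rather than by GRANT. The script below, an added example that is not part of the original cards, shows that enforcement as the app's prepared statements, using MySQL's server-side PREPARE/EXECUTE so the whole thing can be run in a MySQL client; the `orders` table, its rows and the customer ids are constructed for illustration. It also shows what happens when the row filter is built by string concatenation instead of a placeholder.

```sql
-- Added example (not from the original cards). The table, its rows and the
-- customer ids 42 and 77 are constructed for illustration.
CREATE TABLE orders (
  id          INT PRIMARY KEY,
  customer_id INT NOT NULL,
  total       DECIMAL(10,2) NOT NULL
);
INSERT INTO orders VALUES (1, 42, 19.99), (2, 42, 5.00), (3, 77, 250.00);

-- The database sees one account (the app's) for every end user, so GRANT
-- cannot stop customer 42 from reading customer 77's orders. The app adds
-- the row filter, and does it with a placeholder, not string building.
PREPARE orders_for_customer FROM
  'SELECT id, total FROM orders WHERE customer_id = ?';

-- The current customer's id comes from the app's authenticated session,
-- never from a request parameter the user controls.
SET @current_customer = 42;
EXECUTE orders_for_customer USING @current_customer;   -- rows 1 and 2 only

-- Writes need the same treatment: the app stamps the session's customer id
-- onto the new row so a user cannot place an order under someone else's id.
PREPARE place_order FROM
  'INSERT INTO orders (id, customer_id, total) VALUES (?, ?, ?)';
SET @new_id = 4, @amount = 12.50;
EXECUTE place_order USING @new_id, @current_customer, @amount;

-- What goes wrong without a placeholder: the same query assembled by
-- concatenation around an attacker-chosen value.
SET @attacker_value = '42 OR 1=1';
SET @unsafe_sql = CONCAT('SELECT id, total FROM orders WHERE customer_id = ',
                         @attacker_value);
PREPARE unsafe FROM @unsafe_sql;
EXECUTE unsafe;   -- returns every row, including customer 77's: the filter is gone

DEALLOCATE PREPARE unsafe;
DEALLOCATE PREPARE place_order;
DEALLOCATE PREPARE orders_for_customer;
```

The placeholder version returns only the current customer's rows no matter what text a user submits, because the bound value is treated as data, not SQL. The concatenated version shows why app-level row filtering must be combined with parameterised queries: a single unparameterised condition is an injection point that discards the filter and exposes everything the app's database account is allowed to SELECT, which is a further reason to keep that account's grants minimal.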