Database Security Basics

Kawee Lokuge
3 min read · Nov 19, 2020

Database security is a must if you are planning to deploy any software application that consumes data. In this post, I’m going to give you a brief idea of what database security is and how it is used to protect data. So, why is database security needed? The answer lies in who uses your database and for what purpose. Databases are like mini operating systems: each one is a multi-user environment. As a result, databases have become highly vulnerable to potential threats.

The objective of database security is to protect the data in the database from unauthorized access, use, disclosure, alteration, or destruction.

Database Security vs Integrity

Database security: Focuses on how to protect data from unauthorized use. Only authorized users should be permitted to access the data. This is carried out through access controls.

Database integrity: Focuses on ensuring that the accuracy or validity of data is maintained, e.g., entity integrity, domain integrity, referential integrity, etc. Database integrity is a whole new topic for another post. Let’s stick with only database security.

Although security and integrity are two different concepts, there is a set of common features that apply to both.

  • The database should be aware of certain rules (constraints) that must not be violated
  • These rules should be specified by the database administrator
  • Constraints should be maintained in the system catalog
  • The database management system should monitor user operations to validate that the constraints are enforced.

Concerns to be Considered

A security violation results in technical issues and has a negative impact on the company brand. Several aspects are involved: legal, social, ethical, policy, hardware, and software. For example, a person must have a legal right to access the information; PII (Personally Identifiable Information) such as email address, SSN (Social Security Number), and DOB (Date of Birth) should not be disclosed; policy schemes must be enforced; and the physical security of the computer system should be maintained. Unauthorized use of data can be either deliberate or accidental. Necessary precautions should be taken to secure the data.

Security Implementations

There are two main types.

Authentication

Authentication is identifying a user, that is, verifying the user’s identity. For example, if a person is at the door of your house, you identify this person and decide whether to let them in or not.

Methods:

  • What you know — Passwords/PIN
  • What you have — Cards/Security Tokens/RFID tags
  • Who you are — Fingerprint Scan, Retina Scan

In databases we mostly use what you know.

Authorization

Authorization is maintaining levels of access to a set of resources. Let’s think of the same example as before. Suppose you let the person enter your home. Your house comprises different areas such as the lobby, living room, pantry, kitchen, bedrooms, etc. Depending on who has entered, you decide which areas the person is allowed to go into. Similarly, depending on their authorization level, users can access different database objects. Depending on the security policies, the scope of ‘data objects’ ranges from the entire database to a particular attribute value within a tuple (row).

Approaches in Database Security

There are two main approaches to database security: discretionary access control and mandatory access control. These controls depend on the user and on the type of data object where the access control is enforced.

Discretionary access control

Access control is enforced by assigning varied access rights on different data objects. Since this approach is flexible, it is more widely used. It is supported by the current SQL standard.

e.g. — Access matrix, security rules
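Discretionary access control expressed as SQL privileges, at the three object scopes mentioned under Authorization (whole table, individual attributes, a subset of rows). This is an added example, not from the original post or its lecture source; the table, column, and role names are made up, and the statements follow PostgreSQL's form of the standard GRANT/REVOKE syntax.

```sql
-- Constructed schema: every table, column and role name here is hypothetical.
CREATE TABLE employees (
    emp_id  INTEGER PRIMARY KEY,
    name    VARCHAR(100) NOT NULL,
    dept    VARCHAR(50)  NOT NULL,
    email   VARCHAR(255),
    ssn     CHAR(11),   -- PII
    dob     DATE        -- PII
);

CREATE ROLE hr_admin;
CREATE ROLE payroll_clerk;
CREATE ROLE sales_manager;

-- Make the starting point explicit: PUBLIC (every user) holds nothing on the table.
REVOKE ALL ON employees FROM PUBLIC;

-- Scope = whole table. WITH GRANT OPTION lets hr_admin pass these rights on,
-- which is what makes the model "discretionary".
GRANT SELECT, INSERT, UPDATE, DELETE ON employees TO hr_admin WITH GRANT OPTION;

-- Scope = individual attributes. payroll_clerk can read the non-PII columns
-- and change only the email column; ssn and dob stay out of reach.
GRANT SELECT (emp_id, name, dept, email) ON employees TO payroll_clerk;
GRANT UPDATE (email) ON employees TO payroll_clerk;

-- Scope = subset of rows. The view exposes only Sales rows and no PII columns;
-- sales_manager gets the view, not the base table.
CREATE VIEW sales_staff AS
    SELECT emp_id, name, email
    FROM employees
    WHERE dept = 'Sales';
GRANT SELECT ON sales_staff TO sales_manager;

-- Audit: list who holds which table-level privilege and whether they can delegate it.
SELECT grantee, privilege_type, is_grantable
FROM information_schema.table_privileges
WHERE table_name IN ('employees', 'sales_staff')
ORDER BY grantee, privilege_type;

-- Withdrawing rights. CASCADE also removes anything hr_admin granted onward.
REVOKE UPDATE (email) ON employees FROM payroll_clerk;
REVOKE SELECT, INSERT, UPDATE, DELETE ON employees FROM hr_admin CASCADE;
```

The audit query is worth running after any change to grants: delegated rights (`is_grantable = 'YES'`) are the ones that spread beyond what the administrator assigned directly.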

Mandatory access control

Access control is enforced by assigning access levels to various data objects and assigning users to these levels. This forms a hierarchical structure that comprises users and clearance levels. This method has a more rigid structure, suitable for organizations with strict security policies and access hierarchies.

References:

Advanced Database lecture presentations prepared by Mr. Dinesh Asanka
