Security policies + databases security
security policies
What is it?
statement of desirable behaviour for a computing system
enforced on its general behaviour
reference monitors
security policies constitute the
Rules
Logic
access control
in an operating system
machine mediating accesses
Hardware resources
By their user processes
and application
Examples
Operating systems
Kernel-mode security reference monitor
Distributed policy management and enforcement
XACML's PEPs and OAuth's authorisation and resource servers
Access control in databases
e.g. row-level security
Firewall
mediate network access to an organisation's network
Terminology
Objects (passive entities)
files, storage, printer
Permissions (actions)
read, write, ...
Subjects (active entities)
users, client processes
Security policies
Set of rules
SQL Injections
Blind SQL injections
when no data can be immediately retrieved from the DB
prevention
input validation "before" the command is sent to the DB
Handle error messages from the DB
principle of least privilege
Detection
auditing
social context, such as customer complaints
Access control lists
Access control lists (ACL)
list where each entry is in a form
)
o
object
i.e. resources, software, hardware
p
permission
i.e. methods, operations, applications
s
subject
i.e. users
m,n,k
integer numbers used for indexing
Access control matrices
Role-based Access control policies
based on the idea
users are separate from their roles
permissions should only be assigned to roles
role based access control
most common models used in organisations
built with management of organisational policies in mind
Like ACL but where usernames are roles
Definition
multi-level security policies
controls the behaviour of the system
based on assumptions
subjects/objects have sensitivity levels
sensitivity levels
how much we care about
an object and how privileged a subject is
a partial order relation
reflexive
Anti-symmetric
transitive
Hasse Diagram
Database security
Data commands
DELETE
UPDATE
INSERT
SELECT
DB structure commands
CREATE TABLE
DROP TABLE
ADD COLUMN