Please enable JavaScript.
Coggle requires JavaScript to display documents.
DB Security, Data Management & Data Quality, Countermeasure, SQL…
DB Security
Why is Database Security Important
Strategic: delivery services, financial services, transportation companies, accommodation providers
Sensitive and confidential data: banks and tax dept
National security data: defence contractors and military units
Mechanisms that protect the database against accidental or intentional threats
Also consider breaches of security that affect other parts of the system and then affect the database
Common Threats
Theft and Fraud (intentional)
Improper access of the data
Accidental losses
Loss of data integrity
Loss of availability
Why secure Database
Legal/policy compliance
Ethical responsibilities
Technical necessity
Goals
Confidentiality
Protecting data against unauthorized access
Loss of confidentiality: Unauthorized disclosure of confidential information
Integrity
Keeping data consistent and free of errors or anomalies
Loss of Integrity: Improper modification of information
Availability
Accessibility of data whenever required by authorized users and for authorized purposes
Loss of Availability: Legitimate user cannot access data objects
Countermeasures
eliminating or preventing the treat
minimising the harm it can cause
discovering and reporting it, so that
corrective action can be taken
Data Management & Data Quality
Data Management
Development, execution, and supervision of plans, policies, programs, and practices that deliver, control, protect, and enhance the value of data and information assets, through their life cycle
Focuses on ensuring that the data itself is usable and trustworthy
Technology Management
Focuses on technology, technological processes, people who build applications, and tools they use to do so
Focuses on building and maintaining infrastructure, systems, and applications
Data Monetization Approaches
Improving
uses data to create efficiencies in work from better, cheaper, or faster operations
Wrapping
uses data to enhance products such that customers want to buy more or are willing to pay more
Selling
the exchange of an information solution for some form of money
Data Monetization Capabilities
Data management capability
the ability to produce data assets that people can find, use, and trust
Data platform capability
the ability to capture, transform, and disseminate data assets securely and efficiently
Data science capability
the ability to use scientific methods, processes, algorithms, and statistics to extract meaning and insights from data assets
Customer understanding capability
the ability to gather accurate and actionable knowledge about customer needs and behaviors
Acceptable data use
ability to gather, store, and use data assets which are compliant with laws and regulations and consistent with organizational and stakeholder values
Issues That Affect Data Management
Inventory of how much data is in an organization
Defining data ownership and accountability
Protecting against the misuse of data
Managing risks associated with data
Defining and enforcing quality standards for data
Data Management Challenge
Data can be classified by the function it serves
Data can be classified by the content
Data can be classified by format or level of protection the data requires or by how and where it is stored or accessed
Countermeasure
Views (subschemas)
a virtual table that does not actually exist in the database
a named query
built to show only the data the user requires
Backup
Process of periodically taking a copy of the database and log file (and possibly programs) to offline storage media
Recovery/Journaling
Process of keeping and maintaining a log file (or journal) of all changes made to database to enable effective recovery in event of failure
Integrity
Prevents data from becoming invalid and giving misleading or incorrect results
Data Encryption
Security mechanisms (such as views and grants) can be ineffective if people can access the data or other database objects directly i.e. without using the database management system
SQL Injection
Risks of SQL Injection Attacks
Denial of service
Attackers use SQL injection to crash the database or overload it with requests, denying service to legitimate users
Bypassing authentication
Attackers gain unauthorized access to the system by exploiting weak login forms to bypass authentication controls
Executing remote commands
enable attackers to execute dangerous commands remotely, beyond just the database. This could affect the underlying server or connected systems
Performing privilege escalation
enable attackers to upgrade their access level, moving from
regular user permissions to administrative privileges
Protection Techniques
Using parameterized statements
White List input validation
Principle of Least Privilege
An injection attack takes advantage of parameterized queries to make unauthorized queries
The attacker creates or alters existing SQL commands
The application takes the attacker’s input and combines it to build an unintended SQL query
Access Control Mechanisms
Authentication
a mechanism that determines whether a user is who they claim to be
Authorization
the granting of a right or privilege to a user to execute the transaction they are attempting
GRANT
Defines a user’s privileges
GRANT <privilege> ON <object> TO <user>
REVOKE
Removes privileges
EVOKE <privilege> ON <object> FROM <user>
Data Cleaning
Criteria for Measuring Data Quality
Uniqueness
Accuracy
Consistency
Completeness
Timeliness
Currency
Conformity
Referential Integrity
Five errors and inconsistencies in operational data
Misspelled names and addresses
Impossible or erroneous dates of birth
Fields used for purposes in which they were never intended
Mismatched addresses and area codes
Missing data