This the 21st century, where everything is done in computers whether paying bills or storing information about something. Manual work has totally wiped out. In computers all information is kept in database. Therefore, in general terms database is a place where the information’s are stored in composed order so that it can be easily used, stored, controlled and revised. Database also helps us to protect the details of the clients, information regarding finance, details of human resource etc in business. So, our database needs to be protected and in order to protect our database, we can use certain techniques to ensure the availability and integrity of the data. Data base security helps us to keep our information confidential. Hence, database security is concerned with ensuring the secrecy, integrity, and availability of data stored in a database.
Application Security:-
Often the biggest source of insecurity is applications
Database security cannot be seen as a lonely problem because it has the chance to get affected by other components of a computerized system as well. For databases, security requirements can be classified into the following categories:
1. Identification, Authentication
Usually before admission to a database, the computer system needs identification of the user. At log-in time verification of the identity of a user is required. The most common identification method is the password but now more advanced techniques are also available like badge readers, biometric recognition techniques, or signature analysis devices.
2. Authorization, Access Controls
There is specific set of rules which helps to specify who has which type of authorization to what information. Policy related to authorization therefore governs the leakage and alternation of information. Admittance controls are the procedures that are designed to control authorizations. Authorized users can only access to stored data.
3. Integrity, Consistency
During database operation an integrity policy helps to define the correct states of the database as integrity policy has certain set of rules and therefore can secure database against the malicious or accidental modification of information. Concurrency control and recovery are closely related to the issues of integrity and consistence. Concurrency control policies are needed to secure the integrity of the database in the presence of concurrent transactions. Recovery techniques are used to reconstruct correct or valid database state, if the transactions do not finish normally due to system crashes or security violations.
4. Auditing
A user can issue relevant actions to keep all records of necessity secured is called auditing. Audit results are recorded on the basis of further reviews and examinations in order to test the adequacy of system controls and to suggest any changes in the security policy.
Most sources of threats to database security come from outside the computing system. If most importance is given to authorization, the users and processes operating on behalf of the users must be subject to security control. An active database process may be operating on behalf of an authorized user who has legitimate access or may be active on behalf of a person who succeeded in penetrating the system. In addition, an authorized database user may act as an ‘information channel’ by passing restricted information to unauthorized users. This may be intentionally or without knowledge of the authorized user. Some of the most successful database penetration methods are:
1. Misuses of authority
Improper acquisition of resources, theft of programs or storage media, modification or destruction of data.
2. Logical Inference and Aggregation
Both deal with users authorized to use the database. Logical inference arises whenever sensitive information can be inferred from combining less sensitive data. This may also involve certain knowledge from outside the database system. Tightly related to logical inference is the aggregation problem, wherein individual data items are not sensitive but a large enough collection of individual values taken together is considered sensitive.
3. Masquerade
A penetrator may gain unauthorized access by masquerading as a different person.
4. Bypassing Controls
This might be password attacks and exploitation of system trapdoors that avoid intended access control mechanisms. Trapdoors are security flaws that were built in the source code of a program by the original programmer.
5. Browsing
A penetrator circumvents the protection and searches directory or dictionary information, trying to locate privileged information. Unless strict need-to-know access controls are implemented the browsing problem is a major flaw of database security.
6. Trojan Horses
A Trojan horse is hidden software that tricks a legitimate user without his knowledge to perform certain actions he is not aware of. For example, a Trojan horse may be hidden into a sort routine and be designed to release certain data to unauthorized users. Whenever a user activates the sort routine, for example for sorting the result of a database query, the Trojan horse will act with the users’ identity and thus will have all privileges of the user.
7. Covert Channels
Usually information stored in a database is retrieved by means of legitimate information channels. In contrast to legitimate channels covert channels are paths that are not normally intended for information transfer. Such hidden paths may either be storage channels like shared memory or temporary files that could be used for communication purposes or timing channels like a degradation of overall system performance.
8. Hardware, Media Attacks
Physical attacks on equipment and storage media.
Database security depends not only on the choice of a particular DBMS product or on the support of a certain security model, but also on the operating environment, and the people involved. Although it is expected that changing technology will introduce new vulnerabilities to database security. Data security is critical.It requires security at different levels so several technical solutions and human training are essential.