SlideShare une entreprise Scribd logo

The Complete Guide to DBA Practices & Procedures - Database Security - Part 14

Flevy.com Best Practices
Flevy.com Best Practices

This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here: http://flevy.com/browse/business-document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585 Part 14 of a multi-part series of presentations on the management discipline of database administration. This section covers the range of activities and practices for securing your databases and data. The entire series can be used to implement an efficient and effective database administration function at your organization. This part covers the following areas: - Data Breaches - Database Security Basics - Granting & Revoking Authority - Authorization Roles & Groups - Other Database Security Mechanisms - Encryption - SQL Injections Attacks - Auditing - External Security - DBMS Fixpacks & Maintenance

Business
1  sur  20
Database Administration: The Complete Guide to Practices and Procedures Chapter 14 Database Security
Data Breaches • Data breaches dominate the IT newscape • According to The Privacy Rights Clearinghouse, more than 544 million records have been breached between January 10, 2005 and early 2012. – Over the course of almost 3,000 separate events. http://www.privacyrights.org/data-breach This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
How Prevalent is this Problem? • 68% of companies are losing sensitive data or having it stolen out from under them six times a year • An additional 20% are losing sensitive data 22 times or more per year. Sources: eWeek, March 3, 2007 IT Policy Compliance Group http://www.eweek.com/c/a/Desktops-and-Notebooks/Report-Some-Companies-Lose-Data-Six-Times-a-Year/ This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
Who is Responsible for Security? • The DBA typically is responsible for administering database security – Some organizations have transferred this task to a separate security administration function that controls all of the IT security for the company. – However, even in shops where security administration is a separate entity, database security is still handled by the DBA group… • …because database security is handled differently than a typical IT authorization scenario. – When the security administration group handles security policies, this group usually relies on third- party security software This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
Login Details When the DBMS controls the addition of logins, the DBA is required to provide certain information about the login when it is created: • Password—the key phrase, word, or character string associated with the new login that must be provided by the user before access to the database is permitted • Default database—the name of the database to which the user will initially be connected during login • Default language—the default language assigned to the login when using the DBMS if multiple languages are supported • Name—the actual full name of the user associated with this login • Additional details—additional details about the user for which the login has been created: e-mail, phone number, office location, business unit, and so on. This is useful for documentation purposes This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
login SUID DBMS user Data basename UID Database Users This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
Types of Privileges • Table: to control who can access and modify the data within tables • Database object: to control who can create new database objects and drop existing database objects • System: to control who can perform certain types of systemwide activities • Program: to control who can create, modify, and use database programs • Stored procedure: to control who can execute specific functions and stored procedures This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
System Privileges • System privileges control which users can use certain DBMS features and execute certain DBMS commands. • The system privileges available will vary from DBMS to DBMS but may include: – The ability to archive database logs – Shut down and restart the database server – Start traces for monitoring – Manage storage – Manage database caches This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
Revoking Authority • Revoke is the inverse of Grant • Using Revoke, a DBA can remove privileges from a user that has previously been Granted those privileges • Proceed with caution if WITH GRANT OPTION was used – Cascading revokes can occurThis document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
Label Based Access Control (LBAC) • LBAC provides for a more granular security scheme, specifying who can read and modify data in individual rows and/or columns. • For example, you might want to set up an authorization scenario such that employees can see their own data but no one else’s. Or your authorization needs might dictate that each employee’s immediate manager is able to see his payroll information as well as all of his employee’s data, and so on up through the org chart. • Setting up such a security scheme is virtually impossible without LBAC. This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
LBAC Example This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
Groups • Group-level authority is similar to roles. • Each DBMS provides built-in groups that cannot be changed. The following groups are common among the major DBMSs: – System administrator. Sometimes abbreviated SA or SYSADM, the system administrator group is the most powerful within the DBMS. – Database administrator. Sometimes abbreviated as DBADM or DBA, the database administrator group gives all privileges over a specific database, plus the ability to access, but not modify, data in tables within that database. – Database maintenance. Sometimes abbreviated as DBMAINT, the database maintenance group includes the specific database privileges for maintaining database objects (such as the ability to run utilities and issue commands). – Security administrator. The security administrator role, aka SSO or SECADM, has the privilege-set permitting the granting and revoking of database security across the DBMS. Any database security-related activities can be performed by the security administrator. – Operations control. Sometimes referred to as OPER or SYSOPR, the operations control role has the authority to perform operational database tasks such as backup and recovery, or terminating runaway tasks. This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
Using Views for Security • A view can be created that omits sensitive information. – By creating the view without the sensitive columns, users can be granted the SELECT privilege on the view and will be able to access employee information that is deemed appropriate. – For example, this view omits salary details: This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
Original Data “Johnson” Encryption Algorithm Encrypted Data “s&1Yu.8” Encryption Key Decryption Algorithm Encryption Encryption transforms data rendering it unreadable to anyone without the decryption key. This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
“In Transit” Encryption • Encrypting data in transit is undertaken to prohibit network packet sniffing. – If the data is encrypted before it is sent over the network and decrypted upon reception at its destination, then it is protected along its journey. – Anyone nefariously attempting to access the data en route will receive only encrypted data. – Without the decryption key, the data cannot be read. • Data in transit encryption most commonly is supported using DBMS system parameters and commands or through an add-on encryption product. This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
SQL Injection Example • A web-based application using dynamic SQL requires users to login with their e-mail address and a password. • Perhaps the SQL looks something like this: • A savvy hacker can attempt a SQL injection attack by entering: This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
SQL Injection Prevention • Using well designed query language interpreters and coding applications appropriately can prevent SQL injection attacks. – When possible use static SQL. – Always validate user input by testing type, length, format, and range. – The program should make absolutely no assumptions about the size, type, or content of the data that is received. – Avoid concatenating user input that has not been validated. – Analyze input and reject anything that contains special characters such as the semi-colon (;), the string delimiter ('), comment delimiters (--, /*…*/), V$ (the beginning of Oracle DBA views), and xp_ (the beginning of SQL Server catalog stored procedures). – For Microsoft SQL Server users, beware of the Transact-SQLprocedure xp_cmdshell. This procedure spawns a Windows command shell and passes in a string for execution. This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
Job Scheduling and Security • Most organizations schedules tasks to be run at predetermined times, and when those tasks involve database access, authority must be granted to the scheduler. • It is not a very good idea to grant SYSADM authority to the job scheduler. • Doing so would permit any job to perform any database task—creating potentially severe security problems. • Instead, determine how to grant individual authorization to specific jobs using the facilities of the scheduling package and the DBMS. This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
Questions This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
1 Flevy (www.flevy.com) is the marketplace for premium documents. These documents can range from Business Frameworks to Financial Models to PowerPoint Templates. Flevy was founded under the principle that companies waste a lot of time and money recreating the same foundational business documents. Our vision is for Flevy to become a comprehensive knowledge base of business documents. All organizations, from startups to large enterprises, can use Flevy— whether it's to jumpstart projects, to find reference or comparison materials, or just to learn. Contact Us Please contact us with any questions you may have about our company. • General Inquiries support@flevy.com • Media/PR press@flevy.com • Billing billing@flevy.com

Recommandé

Dotnet datamining ieee projects 2012 @ Seabirds ( Chennai, Pondicherry, Vello...
Dotnet datamining ieee projects 2012 @ Seabirds ( Chennai, Pondicherry, Vello...Dotnet datamining ieee projects 2012 @ Seabirds ( Chennai, Pondicherry, Vello...
Dotnet datamining ieee projects 2012 @ Seabirds ( Chennai, Pondicherry, Vello...SBGC
 
Database security
Database security Database security
Database security Shivnandan Singh
 
Database & Data Security
Database & Data SecurityDatabase & Data Security
Database & Data SecurityCloudbells.com
 
Data and database security and controls
Data and database security and controlsData and database security and controls
Data and database security and controlsFITSFSd
 
Database management systems cs403 power point slides lecture 04
Database management systems cs403 power point slides lecture 04Database management systems cs403 power point slides lecture 04
Database management systems cs403 power point slides lecture 04Md.Abu Sayed
 
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL DatabaseModern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL DatabaseWinWire Technologies Inc
 
Weka project - DataMining
Weka project - DataMiningWeka project - DataMining
Weka project - DataMiningSafiya Najeh
 
Database management systems cs403 power point slides lecture 03
Database management systems cs403 power point slides lecture 03Database management systems cs403 power point slides lecture 03
Database management systems cs403 power point slides lecture 03Md.Abu Sayed
 

Recommandé

Dotnet datamining ieee projects 2012 @ Seabirds ( Chennai, Pondicherry, Vello...
Dotnet datamining ieee projects 2012 @ Seabirds ( Chennai, Pondicherry, Vello...Dotnet datamining ieee projects 2012 @ Seabirds ( Chennai, Pondicherry, Vello...
Dotnet datamining ieee projects 2012 @ Seabirds ( Chennai, Pondicherry, Vello...SBGC
 
Database security
Database security Database security
Database security Shivnandan Singh
 
Database & Data Security
Database & Data SecurityDatabase & Data Security
Database & Data SecurityCloudbells.com
 
Data and database security and controls
Data and database security and controlsData and database security and controls
Data and database security and controlsFITSFSd
 
Database management systems cs403 power point slides lecture 04
Database management systems cs403 power point slides lecture 04Database management systems cs403 power point slides lecture 04
Database management systems cs403 power point slides lecture 04Md.Abu Sayed
 
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL DatabaseModern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL DatabaseWinWire Technologies Inc
 
Weka project - DataMining
Weka project - DataMiningWeka project - DataMining
Weka project - DataMiningSafiya Najeh
 
Database management systems cs403 power point slides lecture 03
Database management systems cs403 power point slides lecture 03Database management systems cs403 power point slides lecture 03
Database management systems cs403 power point slides lecture 03Md.Abu Sayed
 
100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdf100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdfFlevy.com Best Practices
 
Project Management for MBA (in French)
Project Management for MBA (in French)Project Management for MBA (in French)
Project Management for MBA (in French)Flevy.com Best Practices
 
4 Stages of Disruption
4 Stages of Disruption4 Stages of Disruption
4 Stages of DisruptionFlevy.com Best Practices
 
Customer-centric Culture
Customer-centric CultureCustomer-centric Culture
Customer-centric CultureFlevy.com Best Practices
 
[Whitepaper] Business Transformation Success Factors
[Whitepaper] Business Transformation Success Factors[Whitepaper] Business Transformation Success Factors
[Whitepaper] Business Transformation Success FactorsFlevy.com Best Practices
 
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
[Whitepaper] 5 Dimensions of Employee Engagement ScorecardFlevy.com Best Practices
 
[Whitepaper] Digital Transformation: Workforce Digitization
[Whitepaper] Digital Transformation: Workforce Digitization[Whitepaper] Digital Transformation: Workforce Digitization
[Whitepaper] Digital Transformation: Workforce DigitizationFlevy.com Best Practices
 
[Whitepaper] Strategic Human Resources: Evolution of Competition
[Whitepaper] Strategic Human Resources: Evolution of Competition[Whitepaper] Strategic Human Resources: Evolution of Competition
[Whitepaper] Strategic Human Resources: Evolution of CompetitionFlevy.com Best Practices
 
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...Flevy.com Best Practices
 
[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines Model[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines ModelFlevy.com Best Practices
 
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...Flevy.com Best Practices
 
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...Flevy.com Best Practices
 
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?Flevy.com Best Practices
 
[Whitepaper] Transportation Cost Reduction in Supply Chain Management
[Whitepaper] Transportation Cost Reduction in Supply Chain Management[Whitepaper] Transportation Cost Reduction in Supply Chain Management
[Whitepaper] Transportation Cost Reduction in Supply Chain ManagementFlevy.com Best Practices
 
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...Flevy.com Best Practices
 
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...Flevy.com Best Practices
 
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...Flevy.com Best Practices
 
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative BehaviorsFlevy.com Best Practices
 
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...Flevy.com Best Practices
 
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...Flevy.com Best Practices
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...ssuserf63bd7
 
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...pujan9679
 

Contenu connexe

Plus de Flevy.com Best Practices

100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdf100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdfFlevy.com Best Practices
 
[Whitepaper] Business Transformation Success Factors
[Whitepaper] Business Transformation Success Factors[Whitepaper] Business Transformation Success Factors
[Whitepaper] Business Transformation Success FactorsFlevy.com Best Practices
 
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
[Whitepaper] 5 Dimensions of Employee Engagement ScorecardFlevy.com Best Practices
 
[Whitepaper] Digital Transformation: Workforce Digitization
[Whitepaper] Digital Transformation: Workforce Digitization[Whitepaper] Digital Transformation: Workforce Digitization
[Whitepaper] Digital Transformation: Workforce DigitizationFlevy.com Best Practices
 
[Whitepaper] Strategic Human Resources: Evolution of Competition
[Whitepaper] Strategic Human Resources: Evolution of Competition[Whitepaper] Strategic Human Resources: Evolution of Competition
[Whitepaper] Strategic Human Resources: Evolution of CompetitionFlevy.com Best Practices
 
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...Flevy.com Best Practices
 
[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines Model[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines ModelFlevy.com Best Practices
 
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...Flevy.com Best Practices
 
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...Flevy.com Best Practices
 
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?Flevy.com Best Practices
 
[Whitepaper] Transportation Cost Reduction in Supply Chain Management
[Whitepaper] Transportation Cost Reduction in Supply Chain Management[Whitepaper] Transportation Cost Reduction in Supply Chain Management
[Whitepaper] Transportation Cost Reduction in Supply Chain ManagementFlevy.com Best Practices
 
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...Flevy.com Best Practices
 
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...Flevy.com Best Practices
 
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...Flevy.com Best Practices
 
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative BehaviorsFlevy.com Best Practices
 
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...Flevy.com Best Practices
 
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...Flevy.com Best Practices
 

Plus de Flevy.com Best Practices (20)

100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdf100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdf
 
Project Management for MBA (in French)
Project Management for MBA (in French)Project Management for MBA (in French)
Project Management for MBA (in French)
 
4 Stages of Disruption
4 Stages of Disruption4 Stages of Disruption
4 Stages of Disruption
 
Customer-centric Culture
Customer-centric CultureCustomer-centric Culture
Customer-centric Culture
 
[Whitepaper] Business Transformation Success Factors
[Whitepaper] Business Transformation Success Factors[Whitepaper] Business Transformation Success Factors
[Whitepaper] Business Transformation Success Factors
 
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
 
[Whitepaper] Digital Transformation: Workforce Digitization
[Whitepaper] Digital Transformation: Workforce Digitization[Whitepaper] Digital Transformation: Workforce Digitization
[Whitepaper] Digital Transformation: Workforce Digitization
 
[Whitepaper] Strategic Human Resources: Evolution of Competition
[Whitepaper] Strategic Human Resources: Evolution of Competition[Whitepaper] Strategic Human Resources: Evolution of Competition
[Whitepaper] Strategic Human Resources: Evolution of Competition
 
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
 
[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines Model[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines Model
 
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
 
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
 
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
 
[Whitepaper] Transportation Cost Reduction in Supply Chain Management
[Whitepaper] Transportation Cost Reduction in Supply Chain Management[Whitepaper] Transportation Cost Reduction in Supply Chain Management
[Whitepaper] Transportation Cost Reduction in Supply Chain Management
 
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
 
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
 
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
 
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
 
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
 
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
 

Dernier

Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...ssuserf63bd7
 
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...pujan9679
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizharallensay1
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGpr788182
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityEric T. Tung
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwaitdaisycvs
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon investment
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfAdmir Softic
 
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book nowPARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book nowkapoorjyoti4444
 
Mckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingMckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingNauman Safdar
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...NadhimTaha
 
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book nowGUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book nowkapoorjyoti4444
 
Phases of Negotiation .pptx
Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptxnandhinijagan9867
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxPre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxRoofing Contractor
 
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...pujan9679
 
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...meghakumariji156
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsIndeedSEO
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentationuneakwhite
 

Dernier (20)

Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
 
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investors
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book nowPARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
Mckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingMckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for Viewing
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
 
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book nowGUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
Phases of Negotiation .pptx
Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxPre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptx
 
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
 
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 

The Complete Guide to DBA Practices & Procedures - Database Security - Part 14

  • 1. Database Administration: The Complete Guide to Practices and Procedures Chapter 14 Database Security
  • 2. Data Breaches • Data breaches dominate the IT newscape • According to The Privacy Rights Clearinghouse, more than 544 million records have been breached between January 10, 2005 and early 2012. – Over the course of almost 3,000 separate events. http://www.privacyrights.org/data-breach This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 3. How Prevalent is this Problem? • 68% of companies are losing sensitive data or having it stolen out from under them six times a year • An additional 20% are losing sensitive data 22 times or more per year. Sources: eWeek, March 3, 2007 IT Policy Compliance Group http://www.eweek.com/c/a/Desktops-and-Notebooks/Report-Some-Companies-Lose-Data-Six-Times-a-Year/ This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 4. Who is Responsible for Security? • The DBA typically is responsible for administering database security – Some organizations have transferred this task to a separate security administration function that controls all of the IT security for the company. – However, even in shops where security administration is a separate entity, database security is still handled by the DBA group… • …because database security is handled differently than a typical IT authorization scenario. – When the security administration group handles security policies, this group usually relies on third- party security software This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 5. Login Details When the DBMS controls the addition of logins, the DBA is required to provide certain information about the login when it is created: • Password—the key phrase, word, or character string associated with the new login that must be provided by the user before access to the database is permitted • Default database—the name of the database to which the user will initially be connected during login • Default language—the default language assigned to the login when using the DBMS if multiple languages are supported • Name—the actual full name of the user associated with this login • Additional details—additional details about the user for which the login has been created: e-mail, phone number, office location, business unit, and so on. This is useful for documentation purposes This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 6. login SUID DBMS user Data basename UID Database Users This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 7. Types of Privileges • Table: to control who can access and modify the data within tables • Database object: to control who can create new database objects and drop existing database objects • System: to control who can perform certain types of systemwide activities • Program: to control who can create, modify, and use database programs • Stored procedure: to control who can execute specific functions and stored procedures This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 8. System Privileges • System privileges control which users can use certain DBMS features and execute certain DBMS commands. • The system privileges available will vary from DBMS to DBMS but may include: – The ability to archive database logs – Shut down and restart the database server – Start traces for monitoring – Manage storage – Manage database caches This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 9. Revoking Authority • Revoke is the inverse of Grant • Using Revoke, a DBA can remove privileges from a user that has previously been Granted those privileges • Proceed with caution if WITH GRANT OPTION was used – Cascading revokes can occurThis document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 10. Label Based Access Control (LBAC) • LBAC provides for a more granular security scheme, specifying who can read and modify data in individual rows and/or columns. • For example, you might want to set up an authorization scenario such that employees can see their own data but no one else’s. Or your authorization needs might dictate that each employee’s immediate manager is able to see his payroll information as well as all of his employee’s data, and so on up through the org chart. • Setting up such a security scheme is virtually impossible without LBAC. This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 11. LBAC Example This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 12. Groups • Group-level authority is similar to roles. • Each DBMS provides built-in groups that cannot be changed. The following groups are common among the major DBMSs: – System administrator. Sometimes abbreviated SA or SYSADM, the system administrator group is the most powerful within the DBMS. – Database administrator. Sometimes abbreviated as DBADM or DBA, the database administrator group gives all privileges over a specific database, plus the ability to access, but not modify, data in tables within that database. – Database maintenance. Sometimes abbreviated as DBMAINT, the database maintenance group includes the specific database privileges for maintaining database objects (such as the ability to run utilities and issue commands). – Security administrator. The security administrator role, aka SSO or SECADM, has the privilege-set permitting the granting and revoking of database security across the DBMS. Any database security-related activities can be performed by the security administrator. – Operations control. Sometimes referred to as OPER or SYSOPR, the operations control role has the authority to perform operational database tasks such as backup and recovery, or terminating runaway tasks. This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 13. Using Views for Security • A view can be created that omits sensitive information. – By creating the view without the sensitive columns, users can be granted the SELECT privilege on the view and will be able to access employee information that is deemed appropriate. – For example, this view omits salary details: This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 14. Original Data “Johnson” Encryption Algorithm Encrypted Data “s&1Yu.8” Encryption Key Decryption Algorithm Encryption Encryption transforms data rendering it unreadable to anyone without the decryption key. This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 15. “In Transit” Encryption • Encrypting data in transit is undertaken to prohibit network packet sniffing. – If the data is encrypted before it is sent over the network and decrypted upon reception at its destination, then it is protected along its journey. – Anyone nefariously attempting to access the data en route will receive only encrypted data. – Without the decryption key, the data cannot be read. • Data in transit encryption most commonly is supported using DBMS system parameters and commands or through an add-on encryption product. This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 16. SQL Injection Example • A web-based application using dynamic SQL requires users to login with their e-mail address and a password. • Perhaps the SQL looks something like this: • A savvy hacker can attempt a SQL injection attack by entering: This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 17. SQL Injection Prevention • Using well designed query language interpreters and coding applications appropriately can prevent SQL injection attacks. – When possible use static SQL. – Always validate user input by testing type, length, format, and range. – The program should make absolutely no assumptions about the size, type, or content of the data that is received. – Avoid concatenating user input that has not been validated. – Analyze input and reject anything that contains special characters such as the semi-colon (;), the string delimiter ('), comment delimiters (--, /*…*/), V$ (the beginning of Oracle DBA views), and xp_ (the beginning of SQL Server catalog stored procedures). – For Microsoft SQL Server users, beware of the Transact-SQLprocedure xp_cmdshell. This procedure spawns a Windows command shell and passes in a string for execution. This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 18. Job Scheduling and Security • Most organizations schedules tasks to be run at predetermined times, and when those tasks involve database access, authority must be granted to the scheduler. • It is not a very good idea to grant SYSADM authority to the job scheduler. • Doing so would permit any job to perform any database task—creating potentially severe security problems. • Instead, determine how to grant individual authorization to specific jobs using the facilities of the scheduling package and the DBMS. This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 19. Questions This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-database-security-part-14-585
  • 20. 1 Flevy (www.flevy.com) is the marketplace for premium documents. These documents can range from Business Frameworks to Financial Models to PowerPoint Templates. Flevy was founded under the principle that companies waste a lot of time and money recreating the same foundational business documents. Our vision is for Flevy to become a comprehensive knowledge base of business documents. All organizations, from startups to large enterprises, can use Flevy— whether it's to jumpstart projects, to find reference or comparison materials, or just to learn. Contact Us Please contact us with any questions you may have about our company. • General Inquiries support@flevy.com • Media/PR press@flevy.com • Billing billing@flevy.com