Đang tải... (xem toàn văn)
Bài giảng Bảo mật cơ sở dữ liệu: Security models trình bày các nội dung: Access control, types of Access control, mandatory access control, rules based access control, authentication methods, operating system authentication,... Mời các bạn cùng tham khảo.
SECURITY MODELS Operating System Security Fundamentals Tiếp theo bài 1 bắt đầu từ Slide 10 Giảng Viên: Trần Thị Kim Chi © FPT Software Agenda a Access control b Inference and covert channels c Open/close policy d Database Application Security Models Discretionary/mandatory access control â FPT Software Access control • Access control is a security technique that can be used to regulate who or what can view or use resources in a computing environment Access control systems perform authorization identification, authentication, access approval, and accountability of entities through login credentials includingpasswords, personal identification numbers (PINs), biometric scans, and physical or electronic keys © FPT Software Types of Access control • There are two main types of access control: – – • • Physical, logical Physical access control limits access to campuses, buildings, rooms and physical IT assets Logical access limits connections to computer networks, system files and data © FPT Software Types of Access control The four main categories of access control are: • Mandatory access control • Discretionary access control • Role-based access control • Rule-based access control © FPT Software Mandatory access control (MAC) • • Mandatory access control (MAC) is a systemcontrolled policy restricting access to resource objects (such as data files, devices, systems, etc.) based on the level of authorization or clearance of the accessing entity, be it person, process, or device http:// searchsecurity.techtarget.com/definition/mandatory-a © FPT Software Discretionary access control (DAC) • • Discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria "as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control )" Discretionary access control is commonly discussed in contrast to mandatory access control (MAC, sometimes termed non-discretionary access control) © FPT Software Role-based access control (RBAC) • • • Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise http:// searchsecurity.techtarget.com/definition/role-based-access-co http:// searchsecurity.techtarget.com/tip/Role-based-access-control-f © FPT Software Rules Based Access Control • • • Rules Based Access Control is a strategy for managing user access to one or more systems, where business changes trigger the application of Rules, which specify access changes Implementation of Rules Based Access Control systems is feasible so long as the number of triggering business events and the set of possible actions that follow those events are both small - See more at: http://hitachiid.com/concepts/rules_based_access_control.html#sthas h.TJMhLiGM.dpuf © FPT Software Authentication Methods • Authentication: – – • Physical authentication: – – • Verifies user identity Permits access to the operating system Allows physical entrance to company property Magnetic cards and biometric measures Digital authentication: verifies user identity by digital means © FPT Software 10 Security Model Based on Application Functions • • • Application authenticates users Application is divided into functions Considerations: – – – – Isolates application security from database Passwords must be securely encrypted Must use a real database user Granular privileges require more effort during implementation © FPT Software 127 Security Model Based on Application Functions © FPT Software 128 Security Model Based on Application Roles and Functions • • • Combination of models Application authenticates users Application is divided into functions: – – • Roles are assigned to functions Functions are assigned to users Highly flexible model © FPT Software 129 Security Model Based on Application Roles and Functions © FPT Software 130 Security Model Based on Application Tables • • • Depends on the application to authenticate users Application provides privileges to the user based on tables; not on a role or a function User is assigned access privilege to each table owned by the application owner © FPT Software 131 Security Model Based on Application Tables © FPT Software 132 Security Model Based on Application Tables • Implementation in SQL Server: – – Grant authorization on application functions to the end user Alter authorization table from the security model based on database roles; incorporate the table and access columns required to support model © FPT Software 133 Application Security Models © FPT Software 134 Application Security Models © FPT Software 135 Data Encryption • • Passwords should be kept confidential and preferably encrypted Passwords should be compared encrypted: – – Never decrypt the data Hash the passwords and compare the hashes â FPT Software 136 Summary Security: level and degree of being free from danger and threats Database security: degree to which data is fully protected from unauthorized tampering Information systems: backbone of day-to-day company operations © FPT Software 137 Summary • Information security architecture – – • Model for protecting logical and physical assets Company’s implementation of a C.I.A triangle Enforce security at all levels of the database â FPT Software 138 Summary An application user is simply a record created for a user within the application schema; usually does not have database privileges or roles assigned Access matrix: – – – • Columns represent objects Rows represent subjects Authorization cell Access mode © FPT Software 139 Summary • • Application types: client/server, Web, and Data Warehouse Application security models – – – – – Database roles Application roles Application functions Roles and functions in the application Application tables © FPT Software 140 © FPT Software 141 ... within an enterprise http:// searchsecurity.techtarget.com/definition/role-based-access-co http:// searchsecurity.techtarget.com/tip/Role-based-access-control-f â FPT Software Rules Based Access... mandatory access control (MAC, sometimes termed non-discretionary access control) © FPT Software Role-based access control (RBAC) • • • Role-based access control (RBAC) is a method of regulating... Open/close policy d Database Application Security Models Discretionary/mandatory access control © FPT Software Access control • • Access control is a security technique that can be used to regulate