1. Trang chủ
  2. » Công Nghệ Thông Tin

Bài giảng Bảo mật cơ sở dữ liệu: Security models - Trần Thị Kim Chi

141 48 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 141
Dung lượng 3,68 MB

Nội dung

Bài giảng Bảo mật cơ sở dữ liệu: Security models trình bày các nội dung: Access control, types of Access control, mandatory access control, rules based access control, authentication methods, operating system authentication,... Mời các bạn cùng tham khảo.

SECURITY MODELS Operating System Security Fundamentals Tiếp theo Slide 10 Giảng Viên: Trần Thị Kim Chi © FPT Software Agenda a Access control b Inference and covert channels c Open/close policy d Database Application Security Models Discretionary/mandatory access control © FPT Software Access control • Access control is a security technique that can be used to regulate who or what can view or use resources in a computing environment • Access control systems perform authorization identification, authentication, access approval, and accountability of entities through login credentials includingpasswords , personal identification numbers (PINs), biometric scans, and physical or electronic keys © FPT Software Types of Access control • There are two main types of access control: – – • Physical, logical Physical access control limits access to campuses, buildings, rooms and physical IT assets • Logical access limits connections to computer networks, system files and data © FPT Software Types of Access control The four main categories of access control are: • • • • Mandatory access control Discretionary access control Role-based access control Rule-based access control © FPT Software Mandatory access control (MAC) • Mandatory access control (MAC) is a system-controlled policy restricting access to resource objects (such as data files, devices, systems, etc.) based on the level of authorization or clearance of the accessing entity, be it person, process, or device • http://searchsecurity.techtarget.com/definition/mandatory-access-control-MAC â FPT Software Discretionary access control(DAC) ã Discretionary access control (DAC) is a type of access control defined by the  Trusted Computer System Evaluation Criteria "as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)" • Discretionary access control is commonly discussed in contrast to mandatory access control  (MAC, sometimes termed non-discretionary access control) â FPT Software Role-based access control (RBAC) ã Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise • • http://searchsecurity.techtarget.com/definition/role-based-access-control-RBAC http:// searchsecurity.techtarget.com/tip/Role-based-access-control-for-effective-security-management â FPT Software Rules Based Access Control ã Rules Based Access Control is a strategy for managing user access to one or more systems, where business changes trigger the application of Rules, which specify access changes • Implementation of Rules Based Access Control systems is feasible so long as the number of triggering business events and the set of possible actions that follow those events are both small • - See more at: http://hitachiid.com/concepts/rules_based_access_control.html#sthash.TJMhLiGM.dpuf © FPT Software Authentication Methods • Authentication: – – • Permits access to the operating system Physical authentication: – – • Verifies user identity Allows physical entrance to company property Magnetic cards and biometric measures Digital authentication: verifies user identity by digital means © FPT Software 10 Security Model Based on Application Functions • • • Application authenticates users Application is divided into functions Considerations: – – – – Isolates application security from database Passwords must be securely encrypted Must use a real database user Granular privileges require more effort during implementation © FPT Software 127 Security Model Based on Application Functions © FPT Software 128 Security Model Based on Application Roles and Functions • • • Combination of models Application authenticates users Application is divided into functions: – – • Roles are assigned to functions Functions are assigned to users Highly flexible model © FPT Software 129 Security Model Based on Application Roles and Functions © FPT Software 130 curity Model Based on Application Tables • • • Depends on the application to authenticate users Application provides privileges to the user based on tables; not on a role or a function User is assigned access privilege to each table owned by the application owner © FPT Software 131 curity Model Based on Application Tables © FPT Software 132 curity Model Based on Application Tables • Implementation in SQL Server: – – Grant authorization on application functions to the end user Alter authorization table from the security model based on database roles; incorporate the table and access columns required to support model © FPT Software 133 plication Security Models © FPT Software 134 plication Security Models â FPT Software 135 ta Encryption ã ã Passwords should be kept confidential and preferably encrypted Passwords should be compared encrypted: – – Never decrypt the data Hash the passwords and compare the hashes © FPT Software 136 Summary • • • Security: level and degree of being free from danger and threats Database security: degree to which data is fully protected from unauthorized tampering Information systems: backbone of day-to-day company operations â FPT Software 137 Summary ã Information security architecture – – • Model for protecting logical and physical assets Company’s implementation of a C.I.A triangle Enforce security at all levels of the database © FPT Software 138 Summary • An application user is simply a record created for a user within the application schema; usually does not have database privileges or roles assigned • Access matrix: – – – • Columns represent objects Rows represent subjects Authorization cell Access mode â FPT Software 139 Summary ã • Application types: client/server, Web, and Data Warehouse Application security models – – – – – Database roles Application roles Application functions Roles and functions in the application Application tables © FPT Software 140 © FPT Software 141 ... ã ã http://searchsecurity.techtarget.com/definition/role-based-access-control-RBAC http:// searchsecurity.techtarget.com/tip/Role-based-access-control-for-effective -security- management â FPT... accessing entity, be it person, process, or device ã http://searchsecurity.techtarget.com/definition/mandatory-access-control-MAC â FPT Software Discretionary access control (DAC) • Discretionary... c Open/close policy d Database Application Security Models Discretionary/mandatory access control © FPT Software Access control • Access control is a security technique that can be used to regulate

Ngày đăng: 08/05/2021, 19:07

TỪ KHÓA LIÊN QUAN