Database Security

Database Security includes policies framed to protect data, falling in the hands of unauthorized
users. Security also includes the techniques used to ensure that the data elements aren’t changed
or deleted by unauthorized persons.

Levels of Security:
Database Management System (DBMS) provides 6 levels of security. These are given below:

1. Network Level Security

2. Operating System-Level Security
3. Database System-Level Security
4. Program Level Security
5. Record Level Security
6. Field Level Security

Network Level Security:

Network Software Level Security is required in case of a distributed database system. Network
Software has a built-in method for login security controls, permitting authorized users to log in
and gain access to resources on the network. Another level of security provided by network
software is the right security. Right security controls the files, sub-directories and directories. A
user or a group of users can access.
Another level of security is attribute security. Attribute security determines if a particular file can
be viewed, shared, renamed, modified or deleted by a user or not. Therefore, even if a user or
group of users have the privilege to delete a particular file, but they can’t do so if the attribute of
the file doesn’t allow.

Operating System-Level Security:

Even if you have a strong DBMS software, a weak operating system may serve as a means of
unauthorized deletion of database files. So, secure OS is most important.

Database System-Level Security:

Some database users may be allowed to access only a portion of the database and denied access
to other portions. A user may be given permission to view information but not to modify data.
That is, the user can issue SELECT queries but not INSERT, UPDATE or DELETE queries.

Program Level Security:

It debars unauthorized users from using particular programs that may access the database.
Example: A bank account may be allowed to use a program that retrieves details of a customer
account, but not a program that modifies the balance account.

Record Level Security:

It debars unauthorized users from accessing or updating certain records, such as records of
managers in the EMPLOYEE table.

Field Level Security:

It debars unauthorized users from accessing or updating data in certain fields such as Salary
field.

DATA INTEGRITY AND CONTROL

Data integrity refers to the accuracy and consistency (validity) of data over its lifecycle.
Compromised data, after all, is of little use to enterprises, not to mention the dangers presented
by sensitive data loss. For this reason, maintaining data integrity is a core focus of many
enterprise security solutions.

Data integrity can be compromised in several ways. Each time data is replicated or transferred, it
should remain intact and unaltered between updates. Error checking methods and validation
procedures are typically relied on to ensure the integrity of data that is transferred or reproduced
without the intention of alteration.

Data integrity practices should be an essential component of effective enterprise security

protocols. Data integrity may be compromised through:

 Human error, whether malicious or unintentional

 Transfer errors, including unintended alterations or data compromise during transfer from
one device to another
 Bugs, viruses/malware, hacking, and other cyber threats
 Compromised hardware, such as a device or disk crash
 Physical compromise to devices

Since only some of these compromises may be adequately prevented through data security, the
case for data backup and duplication becomes critical for ensuring data integrity. Other data
integrity best practices include input validation to preclude the entering of invalid data, error
detection/data validation to identify errors in data transmission, and security measures such as
data loss prevention, access control, data encryption, and more.

Need for system integrity

 System integrity begins with selecting and deploying the right hardware and software
components to authenticate a user’s identity—and help prevent others from assuming it.
In doing so, it needs to offer efficient administrative functions to restrict access to
administrator-level functions, and give administrators processes and controls to manage
changes to the system.
 There are many individual components to system integrity, such as vulnerability
assessment, antivirus, and anti-malware solutions. However, the ultimate goal from an
access control standpoint is to prevent the installation and execution of malicious code—
while protecting valuable data—from the outset.

Need for system control

  System Control manages and controls the overall Systems Engineering Process. This
activity identifies the work to be performed and develops the schedules and costs
estimates for the effort.
 It coordinates all activities and assures that all are operating from the same set of
requirements, agreements and design iteration. It’s the center for configuration
management throughout the systems engineering process.
 System Analysis and Control interacts with all the other activities of the Systems
Engineering Process. It evaluates the outputs of the other activities and conducts
independent studies to determine which of the alternate approaches is best suited to the
application.
 It determines when results of one activity require the action of another activity and directs
the action to be performed. The initial analyses performed in this activity are the basis for
the Systems Engineering Plan (SEP) and the systems engineering entries in the Integrated
Master Plan (IMP) which define the overall systems engineering effort. From the SEP
and IMP, the Integrated Master Schedule (IMS) is developed to relate the IMP events and
SEP processes to calendar dates.

Need for System Security:

 System security is a process to protect the system from damage, error and unauthorized
access. The level of protection depends upon the sensitivity of data, the reliability of the
user and the complexity of the system. A well designed system includes control
procedures to provide physical protection, maintenance, data integrity and restrict system
access.
 The system security includes for related issues –
o System integrity:
 It refers to proper functioning of hardware and programs, safety against
external threats such as eavesdropping The data integrity makes sure that
data do not differ from its original form and have not been accidently or
intentionally disclosed, altered or destroyed.
o System security: -It refers to the protection of data from loss, disclosure,
modification and destruction.
o Privacy: -It defines the rights of the user or organisation to determine what
information, we want to show or accept from other and how organisation can be
protected against unfair or excessive dissemination of information.
o Confidentiality: -It is a special status given to the sensitive information in the
database for privacy.

Threats to the system security:

1. Errors and omissions

2. Fire
3. Natural disaster
4. External attack
5. Disgruntled and dishonest employees
Disaster management
Disaster management is generally a planning process and it produces a document which ensures
businesses to solve critical events that affect their activities. Such events can be a natural disaster
(earthquakes, flood, etc.), cyber–attack or hardware failure like servers or routers.

As such having a document in place it will reduce the down time of business process from the
technology and infrastructure side. This document is generally combined with Business
Continuity Plan which makes the analyses of all the processes and prioritizes them according to
the importance of the businesses. In case of a massive disruption it shows which process should
be recovered firstly and what should be the downtime. It also minimizes the application service
interruption. It helps us to recover data in the organized process and help the staff to have a clear
view about what should be done in case of a disaster.

Requirements to Have a Disaster Recovery Plan

Disaster recovery starts with an inventory of all assets like computers, network equipment,
server, etc. and it is recommended to register by serial numbers too. We should make an
inventory of all the software and prioritize them according to business importance.

An example is shown in the following table −

Down Disaster
Systems Preventions Solution strategy Recover fully
Time type
Fix the primary server
Payroll Server We take backup Restore the backups
8 hours and restore up to date
system damaged daily in the Backup Server
data

You should prepare a list of all contacts of your partners and service providers, like ISP contact
and data, license that you have purchased and where they are purchased. Documenting all your
Network which should include IP schemas, usernames and password of servers.

Preventive steps to be taken for Disaster Recovery

 The server room should have an authorized level. For example: only IT personnel should
enter at any given point of time.
 In the server room there should be a fire alarm, humidity sensor, flood sensor and a
temperature sensor.
These are more for prevention. You can refer the following image.
  At the server level, RAID systems should always be used and there should always be a
spare Hard Disk in the server room.
 You should have backups in place, this is generally recommended for local and off-site
backup, so a NAS should be in your server room.
 Backup should be done periodically.
 The connectivity to internet is another issue and it is recommended that the headquarters
should have one or more internet lines. One primary and one secondary with a device that
offers redundancy.
 If you are an enterprise, you should have a disaster recovery site which generally is
located out of the city of the main site. The main purpose is to be as a stand-by as in any
case of a disaster, it replicates and backs up the data.

Resources Used:
https://webeduclick.com/database-security/
https://digitalguardian.com/blog/what-data-integrity-data-protection-101
https://www.ques10.com/p/13835/explain-the-need-for-system-integrity-control-and-/
https://www.tutorialspoint.com/computer_security/computer_security_disaster_recovery.htm