Database Security & Administration
Overview
Database Security & Administration involves protecting database systems from unauthorized access, ensuring data confidentiality, integrity, and availability. Effective security measures are essential for protecting sensitive information and maintaining system reliability.
Database administration encompasses day-to-day management tasks, maintenance, backup and recovery, user management, and security enforcement.
Database Security Fundamentals
1. Authentication
Authentication verifies the identity of users attempting to access the database.
Methods:
- Username/password authentication
- Integrated Windows authentication
- Certificate-based authentication
- Multi-factor authentication (MFA)
- Database-level vs OS-level authentication2. Authorization
Authorization determines what authenticated users are allowed to do. It's enforced through privileges and permissions.
3. Access Control
Controlling who can access what data and operations:
- Discretionary Access Control (DAC): Owners control access to their data
- Mandatory Access Control (MAC): System-enforced access based on security labels
- Role-Based Access Control (RBAC): Access based on user roles
User and Role Management
Creating Users
-- Create user
CREATE USER 'app_user'@'localhost'
IDENTIFIED BY 'strong_password';
-- Grant privileges
GRANT SELECT, INSERT, UPDATE ON company_db.*
TO 'app_user'@'localhost';Roles
Roles group privileges together for easier management:
-- Create role
CREATE ROLE 'sales_team';
-- Grant privileges to role
GRANT SELECT, INSERT ON Orders TO 'sales_team';
GRANT SELECT ON Products TO 'sales_team';
-- Assign role to user
GRANT 'sales_team' TO 'john_doe';Privileges and Permissions
Database privileges control what actions users can perform:
Object-Level Privileges
- SELECT: Read data from tables/views
- INSERT: Add new rows
- UPDATE: Modify existing rows
- DELETE: Remove rows
- EXECUTE: Run stored procedures
Database-Level Privileges
- CREATE: Create new database objects
- DROP: Delete database objects
- ALTER: Modify database objects
System-Level Privileges
- CREATE USER: Create new users
- GRANT: Grant privileges to others
- BACKUP: Create database backups
- RESTORE: Restore database backups
Principle of Least Privilege
Users should be granted only the minimum privileges necessary to perform their tasks:
Application User:
- Needs to: Read and write to specific tables
- Should have: SELECT, INSERT, UPDATE on those tables only
- Should NOT have: DROP, DELETE, or admin privileges
Read-only User:
- Needs to: Generate reports
- Should have: SELECT on relevant tables/views only
- Should NOT have: INSERT, UPDATE, DELETEData Encryption
1. Encryption at Rest
Encrypting data stored on disk to protect against unauthorized physical access:
- Transparent Data Encryption (TDE): Encrypt entire database files
- Column-level encryption: Encrypt specific sensitive columns
2. Encryption in Transit
Encrypting data during transmission between client and database server:
- SSL/TLS: Encrypt network connections
- Encrypted connections: Protect data over networks
SQL Injection Prevention
SQL Injection is a security vulnerability where malicious SQL code is inserted into queries.
Prevention Techniques
- Parameterized queries: Use placeholders instead of string concatenation
- Input validation: Validate and sanitize user input
- Least privilege: Use limited database accounts
- Prepared statements: Pre-compile SQL with parameters
❌ VULNERABLE (String concatenation):
query = "SELECT * FROM Users WHERE Username = '" + username + "'";
✅ SAFE (Parameterized query):
query = "SELECT * FROM Users WHERE Username = ?";
params = [username];
execute(query, params);Backup and Recovery
1. Backup Types
Full Backup
Complete copy of entire database at a point in time.
Incremental Backup
Backs up only changes since last backup.
Differential Backup
Backs up changes since last full backup.
Transaction Log Backup
Backs up transaction log for point-in-time recovery.
2. Backup Strategy
- Frequency: How often to backup (daily, hourly, real-time)
- Retention: How long to keep backups
- Storage: Where backups are stored (off-site, cloud)
- Testing: Regularly test restore procedures
Database Administration Tasks
1. Daily Tasks
- Monitor database performance
- Check error logs
- Verify backups completed
- Monitor disk space
- Check user activity
2. Weekly Tasks
- Review performance metrics
- Check index fragmentation
- Review security logs
- Update statistics
- Test backup restoration
3. Monthly Tasks
- Review and optimize slow queries
- Rebuild fragmented indexes
- Review user access and privileges
- Update database documentation
- Review capacity planning
Auditing and Logging
Track database activities for security and compliance:
- Login attempts: Successful and failed logins
- Data access: Who accessed what data
- Data modifications: INSERT, UPDATE, DELETE operations
- Privilege changes: GRANT, REVOKE operations
- Schema changes: DDL operations (CREATE, ALTER, DROP)
Disaster Recovery
Plan for recovering from catastrophic failures:
- Recovery Time Objective (RTO): Maximum acceptable downtime
- Recovery Point Objective (RPO): Maximum acceptable data loss
- Failover procedures: Switching to backup systems
- Disaster recovery testing: Regularly test recovery procedures
Security Best Practices
- Use strong passwords: Complex, unique passwords
- Enable encryption: At rest and in transit
- Regular updates: Keep database software patched
- Monitor access: Review logs regularly
- Limit network access: Firewall rules, VPN access
- Regular backups: Tested backup and recovery procedures
- Principle of least privilege: Grant minimum necessary access
- Audit regularly: Review user access and permissions
Common Security Threats
- SQL Injection: Malicious SQL code injection
- Unauthorized access: Breached credentials
- Data breaches: Unauthorized data access
- Denial of Service: Overwhelming system resources
- Privilege escalation: Gaining unauthorized privileges
Compliance and Regulations
Database security must comply with regulations:
- GDPR: European data protection regulations
- HIPAA: Healthcare data protection (USA)
- PCI DSS: Payment card data security
- SOX: Financial data regulations
Next Steps
Review fundamental database concepts in the Database Introduction, or explore design principles in Database Design Process.