Term Paper on "Database Security Design of an Online Membership"
Term Paper 11 pages (2976 words) Sources: 1+
[EXCERPT]
Database Security
Design of an online membership and payment management system for the web, using a Microsoft SQL Server database and a front end built in Microsoft Visual Studio C#.NET, involves a variety of complex security issues. This paper discusses the goals of security and common security threats. It then describes in detail Microsoft SQL Server security techniques, along with a brief overview of Web application security measures that can be taken to ensure adequate security for the membership and payment management application.
The Goals of Security
Database security is the protection of the database against unauthorized access, either intentional or accidental (Phippen). Security countermeasures should combat threats and the outcomes of such threats. Given a security policy's specification of "secure" and "nonsecure" actions, these security mechanisms can prevent the attack, detect the attack, or recover from the attack (Bishop, 2003).
Bishop (2003) explains the differences between prevention, detection and recovery. Prevention seeks to make the attack fail. Typically, prevention involves implementation of mechanisms that users cannot override and that are trusted to be implemented in a correct, unalterable way, so that the attacker cannot defeat the mechanism by changing it. Detection accepts that an attack will occur; the goal is to determine that an attack is underway, or has occurred, and report it. The attack may be monitored, however, to provide data about its nature, severity, and results. Typical detection mechanisms monitor various aspects of the system, looking for actions or information indicating an attack. Recov
3. Sources of Security Threats
A decade ago database security issues were rarely reported. At that time databases were physically secured and housed in central data centers, and external access was mediated. Now, however, databases are externally accessible so that customers, suppliers and partners may connect directly. Unfortunately, along with greater access comes greater potential for security threats.
3.1 Points of Entry
Web-based applications have numerous possible entry points that present an opportunity for unwanted access (Burleson):
Internet access - If attackers can discover the IP address of a server and a remote login service such as telnet is exposed on it, they get a login prompt. At that point, all they need is a valid user ID and password to gain access to the server.
Port access - All Web applications are configured to listen on a predefined port for incoming connections, and they generally use a listener daemon process to poll for connections; every listening port is a reachable attack surface.
Server access - A four-tiered Web application (illustrated in Figure A) incorporates a series of Web servers, application servers, and database servers. Each of these servers presents a potential point of entry, and if remote shell access is enabled, an attacker who gains access to a single server may be able to reach many others.
Network access - If attackers know the port, IP address, database user ID, and password, they can connect directly to the database.
3.2 Types of Threats
Summarized in Table 1 are the sources of security threats as well as the ways each can contribute to concerns.

Table 1. Common Web Application Security Threats

Source of threat               Reasons for threat
Hardware                       Fire/flood/bombs; power loss/surge; theft of equipment
DBMS and application software  Program alteration; theft of programs
Database                       Amendment or copying of data; data corruption
Communication networks         Wire tapping; cable breakage
Administrators                 Inadequate security
Users                          Using another user's access; unauthorized access; hacking; blackmail; viruses
Operators                      Trapdoors; alterations; inadequate training; inadequate security

Source: Phippen, A., Database Security
4. Physical Security
Physical security means that your SQL Server system is running in a controlled-access environment in which only approved personnel have physical access to the system (Huston, 2003). This means that SQL Server should be isolated from the Web infrastructure and from direct Internet access. If there is an absolute requirement for SQL access across the Internet, it should be available only through a proxy system that enforces strict rules and scrubs out data streams that could compromise or damage the system or the data it contains. Further, all indirect access, such as access via web sites and online applications, should include appropriate bounds checking and input validation. Stripping SQL delimiters from input before it is passed to the database, as is sometimes recommended, is only a partial measure: it is easily bypassed (for example, a numeric value needs no quotes at all) and it corrupts legitimate data such as names containing an apostrophe. The reliable approach is to pass user-supplied values to the database as query parameters, so that they are never interpreted as SQL text, while still validating their type, length and range. Further, values used for SQL access should always be contained and managed only on the server side of the application, since client manipulation of any client-side value is both likely and dangerous.
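The following Transact-SQL, written for Microsoft SQL Server 2000, is an added example and is not part of the paper. It shows the input-validation point above concretely: a stored procedure that splices the caller's text into a statement is compared with one that passes the same text as a parameter. The table, procedure names and the hostile input are all constructed for the illustration. An ADO.NET front end in C# achieves the same separation of code and data by supplying values through SqlParameter objects rather than by string concatenation.

```sql
-- Added example (not from the paper): SQL injection through dynamic SQL versus a
-- parameterized query, Transact-SQL for Microsoft SQL Server 2000.
-- Table, procedure names and sample data are hypothetical; run in a scratch database.
CREATE TABLE dbo.Members (
    MemberID INT IDENTITY(1,1) PRIMARY KEY,
    UserName NVARCHAR(50) NOT NULL UNIQUE,
    IsActive BIT NOT NULL DEFAULT 1
);
GO

-- VULNERABLE: the caller's text becomes part of the statement. The input  ' OR 1=1 --
-- turns the WHERE clause into  WHERE UserName = N'' OR 1=1 --'  and every row is returned.
-- Stripping quotes would not help against a numeric column, where no quote is needed.
CREATE PROCEDURE dbo.FindMember_Vulnerable @UserName NVARCHAR(50) AS
BEGIN
    DECLARE @sql NVARCHAR(500);
    SET @sql = N'SELECT MemberID, UserName FROM dbo.Members WHERE UserName = N''' + @UserName + N'''';
    EXEC (@sql);
END
GO

-- SAFE: the value travels as a parameter and is never parsed as SQL. A static
-- "WHERE UserName = @UserName" would be simplest; sp_executesql is shown because it is the
-- parameterized form to use when the statement text itself must be built at run time.
CREATE PROCEDURE dbo.FindMember_Safe @UserName NVARCHAR(50) AS
BEGIN
    EXEC sp_executesql
        N'SELECT MemberID, UserName FROM dbo.Members WHERE UserName = @u',
        N'@u NVARCHAR(50)',
        @u = @UserName;
END
GO

-- Constructed data and a constructed hostile input.
INSERT INTO dbo.Members (UserName) VALUES (N'alice');
INSERT INTO dbo.Members (UserName) VALUES (N'bob');

EXEC dbo.FindMember_Vulnerable N''' OR 1=1 --';   -- returns both rows
EXEC dbo.FindMember_Safe       N''' OR 1=1 --';   -- returns no rows: the input is compared literally
```

The second call finds nothing because there is no member literally named ' OR 1=1 --; the comparison happens on the value, not on the statement text. Validation of type, length and range still belongs in front of this, but it is the parameter, not the validation, that prevents injection.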
5. Security Mechanisms to Protect a Database
The goals of securing a database are (Zikopoulos, 2001):
Preventing unauthorized access to classified data by anyone without a business need to know
Preventing unauthorized users from committing mischief through malicious deletion or tampering of data
Monitoring user access of data through auditing techniques
This section describes technologies available in Microsoft SQL Server to meet these objectives, such as access controls and authentication, views, rules and constraints, concurrency control, audit tracking, encryption, backup and recovery, and techniques to prevent SQL injection. Database security does not supersede other security technologies, such as network-layer firewalls, network monitoring and SSL-secured communications. But data protection in the database needs to be in place as the core element of a complete enterprise security infrastructure.
5.1 Access Controls and Authentication
Access control prevents unauthorized persons from accessing the system itself to obtain information or make changes. Microsoft SQL Server handles access control by allowing the creation of user accounts and passwords to control the log-in process. Additionally, Microsoft SQL Server supports the use of Windows NT Integrated Security where users are identified to the database by their Windows NT user accounts and are not required to enter an additional user ID and password to access the database (Chapple). This approach offers the benefit of shifting the burden of account management to the network administration staff and it provides the ease of a single sign-on to the end user.
According to Policht (2004, April), Windows authentication is far more secure than SQL Server authentication. This is because Windows credentials are delivered to SQL Server without passing the actual password, while SQL authentication sends the login name and password in unencrypted format, meaning that anyone who can capture network traffic carrying client authentication information can easily retrieve it. Anyone using SQL Server authentication should always encrypt communication between SQL server and its clients with the built-in feature of Multiprotocol Net Library or by implementing SSL.
5.2 Views
Views are an access control method that restricts access to data at both the row level and the column level. A view lets the database administrator hide sensitive rows and columns of the underlying table from SQL statements. The administrator grants a user privileges on the view rather than on the base table; because those privileges apply only to the view, the user's access is confined to the subset of the data that the view's query selects. Microsoft SQL Server 2000 also supports indexed views, which allow an index to be defined on a view (Carpenter, 2000). An indexed view is maintained dynamically: changes to the data in the base tables are automatically reflected in the indexed view.
5.3 Rules and Constraints
Both rules and constraints implement data integrity for column values in SQL Server (Mullins, 1998). Rules and constraints in SQL Server can be used to:
enforce the range of data values that can be stored in a column (check constraints);
enforce the uniqueness of a column or group of columns within a table (unique / primary key constraints);
enforce referential integrity (primary key and foreign key constraints).
Constraints are part of the table definition. Rules, by contrast, are free-standing database objects: a rule is created once, outside the scope of any table, and then bound to one or more columns or user-defined data types, which promotes reusability. SQL Server 2000 retains rules for backward compatibility; CHECK constraints are the preferred, standard way to restrict the values in a column.
5.4 Concurrency Control
Concurrency control deals with the issues involved in allowing multiple people simultaneous access to shared entities (Ambler, 2004). A collision occurs when two activities, which may or may not be full-fledged transactions, attempt to change the same entity within a system of record. A database administrator can either devise ways to avoid collisions or detect and then resolve them. Transactions are collections of actions that potentially modify two or more entities. The easiest way for an application to implement transactions is to use the features supplied by SQL Server: a transaction is begun, its statements are executed, and it is then committed or rolled back via SQL code. Database APIs such as Java Database Connectivity and Open Database Connectivity also provide classes that support basic transactional functionality.
Microsoft SQL Server offers both optimistic and pessimistic concurrency control ("Optimistic and pessimistic concurrency").
Optimistic concurrency control works on the assumption that resource conflicts between multiple users…
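The following Transact-SQL is an added example for SQL Server 2000, not code from the paper, showing the two approaches just named. The optimistic procedure detects a collision after the fact by comparing the row's TIMESTAMP (row version) column with the value the client read; the pessimistic procedure avoids the collision by holding an update lock for the length of a short transaction. The table, procedures and the sample collision are constructed for the illustration.

```sql
-- Added example (not from the paper): optimistic versus pessimistic concurrency control
-- for a membership record, Transact-SQL for SQL Server 2000.
-- Object names and data are hypothetical; run in a scratch database.
CREATE TABLE dbo.Members (
    MemberID INT IDENTITY(1,1) PRIMARY KEY,
    Email    NVARCHAR(100) NOT NULL,
    Balance  MONEY NOT NULL DEFAULT 0,
    RowVer   TIMESTAMP NOT NULL   -- 8-byte row version, changed automatically on every update
);
GO

-- OPTIMISTIC: no lock is held while the user edits. The client reads the row together with
-- RowVer and the update succeeds only if RowVer still equals the value that was read.
-- @@ROWCOUNT = 0 means somebody else changed the row in the meantime: a detected collision.
CREATE PROCEDURE dbo.UpdateEmail
    @MemberID INT, @NewEmail NVARCHAR(100), @ExpectedRowVer BINARY(8)
AS
BEGIN
    UPDATE dbo.Members
    SET    Email = @NewEmail
    WHERE  MemberID = @MemberID AND RowVer = @ExpectedRowVer;

    IF @@ROWCOUNT = 0
        RAISERROR ('Collision: the record was changed by another user since it was read. Reload and retry.', 16, 1);
END
GO

-- PESSIMISTIC: take an update lock on the row (UPDLOCK) and keep it until commit (HOLDLOCK),
-- so a second session blocks instead of overwriting. Keep such transactions short.
CREATE PROCEDURE dbo.ApplyPayment @MemberID INT, @Amount MONEY
AS
BEGIN
    SET XACT_ABORT ON;           -- any run-time error rolls the whole transaction back
    BEGIN TRANSACTION;

    DECLARE @Balance MONEY;
    SELECT @Balance = Balance
    FROM   dbo.Members WITH (UPDLOCK, HOLDLOCK)
    WHERE  MemberID = @MemberID;

    IF @Balance IS NULL
    BEGIN
        ROLLBACK TRANSACTION;
        RAISERROR ('Unknown member.', 16, 1);
        RETURN;
    END

    UPDATE dbo.Members SET Balance = @Balance + @Amount WHERE MemberID = @MemberID;
    COMMIT TRANSACTION;
END
GO

-- Walk-through of the optimistic path with a constructed collision.
DECLARE @id INT, @rv BINARY(8);
INSERT INTO dbo.Members (Email) VALUES (N'alice@example.com');
SET @id = SCOPE_IDENTITY();
SELECT @rv = RowVer FROM dbo.Members WHERE MemberID = @id;              -- user A reads the row
UPDATE dbo.Members SET Email = N'a2@example.com' WHERE MemberID = @id;  -- user B saves first; RowVer changes
EXEC dbo.UpdateEmail @id, N'a3@example.com', @rv;                       -- user A's save is rejected as a collision
EXEC dbo.ApplyPayment @id, 25.00;                                       -- locked read-modify-write; Balance becomes 25.00
```

The optimistic form suits a web front end, where the page holding the edited record may stay open for minutes and a database lock cannot sensibly be kept across HTTP requests; the row version travels to the client with the data and comes back with the update. The pessimistic form suits a short server-side operation such as posting a payment, where the read and the write must be atomic.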
Quoted Instructions for "Database Security Design of an Online Membership" Assignment:
I am planning to design an online membership and payment management system on the web.
It will have a back-end and a front-end. The back end will be using Microsoft SQL Server 2000 for my database. (You can write here about SQL injection, etc.) My front-end I will be using is Microsoft Visual Studio C# .NET.
My research topic is: Database security (how to implement security mechanisms protecting sensitive and critical information when they are reachable through HTTP)
STRUCTURE AND LAYOUT EXAMPLE IF YOU WISH YOU CAN USE IT BUT MUST BE SIMILAR TO THIS LAYOUT
The structure can be something like this:
1. Introduction
2. The goal of Security
3. Physical Security
4. Identify threats
4.1 Hardware
4.2 Software
4.3 Communication Network
4.4 Concurrency
4.5 Malicious Attack
4.6 User errors
5. Security Mechanisms to protect a database
5.1 Integrity
5.2 Authorisation Access Controls and Authentication
5.3 View
5.4 Concurrency Control
5.5 Audit Tracking
5.6 Encryption
5.7 Backup & Recovery
5.8 SQL Injection
6 Web Securities
6.1 Firewall
6.2 SSL
6.3 ………..
7. Conclusion
8. Critical Evaluation
9. Reference
These are examples write whatever is appropriate for the research topic
PLEASE TRY to make it simple and easy English structure so I can understand
Try and get different opinions and ideas from different authors
USE minimum 15 reference
Reference from academic journals, books and other useful resources. It would be best if you can find good academic journals.
These are some websites to help you find some journals
http://portal.acm.org/portal.cfm
http://www.scirus.com/srsapp/
http://www.databasejournal.com/features/mssql/article.php/3418281
http://databases.about.com/od/security/
If you type in Google: Improving web Application security from Microsoft
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/threatcounter.asp
You can download Improving Web Application Security from the MS.com Download Center in .pdf format.
CITE USING HARVARD REFERENCE CORRECTLY
How to Reference "Database Security Design of an Online Membership" Term Paper in a Bibliography
“Database Security Design of an Online Membership.” A1-TermPaper.com, 2005, https://www.a1-termpaper.com/topics/essay/database-security-design/16965. Accessed 6 Jul 2024.