DBST668: Database Security of a Company

DBST668
Project Alpha: Database Security for the [Name of Company]

You are a cybersecurity consultant who specializes in helping businesses protect the privacy and security of their databases. The services your company supplies include: 1) analysis of existing databases to assess their security and to recommend security solutions, and 2) development of new database solutions and applications.

You have just signed on with a new client [you may choose what type of company] who is worried about a recent breach in the security of the business’s principal database. Personal data have been compromised and, as a result, the client is losing business. The client has asked you to prepare and test new security policies, plans and procedures to minimize the potential for additional breaches. You have finished interviewing pertinent staff about their objectives for the project and the weaknesses they see in the security of the database. It is now up to you to provide a plan of action. It will provide a brief description of the objectives of the client in securing the database, purpose of the database, the types of sensitive information that need to be protected, weaknesses in the existing system, and your plan for securing the data. The plan should also show your knowledge of the legal and general due diligence requirements for protecting customer data.

Having taken these steps, you will prepare a technical report that includes the security plan; all of the design tasks to implement it (for SQL statements, please include both source and output); a diagram file with your ERD (in original format, such as .erd for ER Assistant); and a plain text script file with all your SQL statements (source only, and it should run error free in Oracle to generate the same output as shown in your report).

When you submit your project, your work will be evaluated using the competencies listed below. You can use this list to check your work before submission.

1: You can communicate clearly in writing and speaking, meeting expectations for content, purpose, organization, audience, and format.

1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.

1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.

1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.

1.4: Tailor communications to the audience.

1.5: Use sentence structure appropriate to the task, message and audience.

1.6: Follow conventions of Standard Written English.

1.7: Create neat and professional looking documents appropriate for the project or presentation.

1.8: Create clear oral messages.

2: You can apply logical processes to formulate clear, defensible ideas based on the analysis of facts and ethical considerations.

2.1: Identify and clearly explain the issue, question, or problem under critical consideration.

2.2: Locate and access sufficient information to investigate the issue or problem.

2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.

2.4: Consider and analyze information in context to the issue or problem.

2.5: Develop well-reasoned ideas, conclusions or decisions, checking them against relevant criteria and benchmarks.

3: You can determine an organization’s database security needs and provide an appropriate design solution.

3.1 You can distinguish different levels of security and privacy requirements.

3.2 You can analyze different security mechanisms and evaluate design trade-offs

3.3 You can conduct an organizational, technical, economic and financial feasibility study of the proposed system

4: You can develop a security plan with the appropriate security policies and procedures

4.1 You can develop a security plan that includes the proposed methods & approaches to be used to safeguard digital assets and establishes the goals and strategies to accomplish the task.

4.2 You can develop a set of rules & standards to properly maintain security in an organization.

4.3 You can select and enforce the procedures that detail the steps to enforce your policy and accomplish objectives

5: You can implement and use the database:

5.1 You can write SQL DDL statements to create tables in Oracle

5.2 You can write SQL statements to create users in Oracle

5.3 You can write SQL statements that grant rights to users

5.4 You can write SQL statements that create views in Oracle

5.5 You can write SQL statements that create roles in Oracle

5.6 You can write SQL statements that grant roles to users in Oracle

5.7 You can write the SQL statements that create VPDs in Oracle

5.8 You can write the SQL statements that create an Oracle Label Security policy in Oracle

5.9 You can write PL/SQL that creates procedures in Oracle

6. You can test the database security and demonstrate that it works.

6.1 You can develop the test criteria for each security mechanism to demonstrate it does what it is supposed to do.

6.2 You can develop the test criteria for each security mechanism to demonstrate it does not do what it is not supposed to do.

6.3 You can write SQL statements that grant rights to users

Step 1 Determine the client’s security and privacy needs for the database

Your first step in project Alpha is to do an analysis of the security and privacy requirements for the data in the database. You decide, based upon your analysis, that a general principle of “least privilege” should be applied (users have the least amount of access to data necessary to perform their duties; or more informally, they can see what they need to see and do what they need to do, but they can’t see anything they are not supposed to see, or do anything they are not supposed to do). To carry out step 1, you need to develop a prototype database that contains the different types of data that need to be protected in order to model the security solutions and prove that they are sufficient.

Step 2 Create the security plan, develop the necessary security policies and procedures

Your next step is to create the security plan, including the security policies and procedures that are necessary to execute the plan. You will develop a set of scenarios that describe what each user’s job or role is; what data they need to see, update, or change in order to perform their duties; and the best security mechanism (basic table rights, views, VPDs, OLS, or procedures) to use to control their access to the data.

Step 3 Develop the SQL necessary to create and implement the security plan

The following step is to develop the SQL necessary to:

· Create all users and/or roles that are necessary

· Grant those users the rights necessary to perform their function

· Create any tables necessary to show all the protected data types are covered and protected as required

Step 4 Test the database security and show that it works

Your final step is to develop test scenarios that show the users have the access they need to perform their duties and no other access. For example, if a bank teller’s duties are to open and close accounts, accept deposits and provide withdrawals, they need: 1) access to view balances in all accounts authorized, 2) access to update balances to reflect deposits and withdrawals; and 3) access to open or close an account.
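The bank teller scenario above, carried through Steps 2 to 4 as an added Oracle example (not part of the assignment): a role limited to the teller's duties, followed by positive and negative tests. The schema `bank`, the role, the user, the objects and the password are hypothetical placeholders, and the schema `bank` is assumed to exist already.

```sql
-- Added example. Setup: run as a DBA; schema BANK is assumed to exist.
CREATE TABLE bank.accounts (
  account_id NUMBER        PRIMARY KEY,
  owner_name VARCHAR2(100) NOT NULL,
  ssn        VARCHAR2(11)  NOT NULL,            -- sensitive, hidden from tellers
  balance    NUMBER(12,2)  DEFAULT 0 NOT NULL,
  status     VARCHAR2(6)   DEFAULT 'OPEN' NOT NULL
             CHECK (status IN ('OPEN', 'CLOSED'))
);

-- The view exposes only the columns a teller needs to see.
CREATE VIEW bank.teller_accounts AS
  SELECT account_id, owner_name, balance, status FROM bank.accounts;

-- Opening an account goes through a definer's-rights procedure: the teller
-- can supply the SSN but never holds INSERT or SELECT on the base table.
CREATE PROCEDURE bank.open_account
  (p_id IN NUMBER, p_owner IN VARCHAR2, p_ssn IN VARCHAR2) AS
BEGIN
  INSERT INTO bank.accounts (account_id, owner_name, ssn)
  VALUES (p_id, p_owner, p_ssn);
END;
/

CREATE ROLE teller_role;
GRANT CREATE SESSION TO teller_role;
GRANT SELECT ON bank.teller_accounts TO teller_role;
GRANT UPDATE (balance, status) ON bank.teller_accounts TO teller_role;
GRANT EXECUTE ON bank.open_account TO teller_role;

CREATE USER teller1 IDENTIFIED BY "Placeholder_Pw#1";  -- placeholder password
GRANT teller_role TO teller1;

-- Tests: run connected as TELLER1 (EXEC is a SQL*Plus / SQLcl command).
-- Positive: every duty in the scenario must succeed. Values are constructed.
EXEC bank.open_account(1001, 'Constructed Customer', '000-00-0000');
SELECT account_id, balance, status FROM bank.teller_accounts;
UPDATE bank.teller_accounts SET balance = balance + 50 WHERE account_id = 1001;
UPDATE bank.teller_accounts SET status = 'CLOSED' WHERE account_id = 1001;
ROLLBACK;  -- keep the test repeatable

-- Negative: anything outside those duties must fail.
SELECT ssn FROM bank.accounts;                    -- expect ORA-00942
SELECT ssn FROM bank.teller_accounts;             -- expect ORA-00904
DELETE FROM bank.teller_accounts;                 -- expect ORA-01031
UPDATE bank.teller_accounts SET owner_name = 'x'; -- expect ORA-01031
```

The negative tests matter as much as the positive ones: competency 6.2 is met only when each statement outside the teller's duties is shown to be rejected.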

——————————————-

The lab project should be assembled in a format similar to a class paper. The main difference is that the subject is the student’s own lab project and may not have many or even any references. Your name should be on the cover, pages should be numbered, and the title of the project (and your name) should be on each page. It should be logically organized and professionally done (no spelling errors, clear writing).

It should have sections such as:

· Introduction

· Timeline

· Conceptual Data Model

· Logical Data Model

· Physical Design

· Security and Privacy Requirements

· Security and Privacy Implementation

· Security Testing & Verification of DB Implementation

For additional information and examples, please see the Project area of the course (just before week 1 in the content area of the course).
