Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated:
1
00:00:01,400 --> 00:00:03,980
In this lesson, we're going
to be discussing database
2
00:00:03,980 --> 00:00:07,550
security, specifically,
talking about the principles
3
00:00:07,550 --> 00:00:12,110
of security in general, how
those can apply to the database
4
00:00:12,110 --> 00:00:13,730
world as well.
5
00:00:13,730 --> 00:00:17,990
So security is and will
be one of the top concerns
6
00:00:17,990 --> 00:00:22,010
in the computing world for
the foreseeable future.
7
00:00:22,010 --> 00:00:24,110
It is a big hot topic.
8
00:00:24,110 --> 00:00:28,490
There are companies springing
up that focus only on security,
9
00:00:28,490 --> 00:00:32,000
that do things like penetration
testing and scanning
10
00:00:32,000 --> 00:00:33,900
and those types of things.
11
00:00:33,900 --> 00:00:36,590
So security is a major concern.
12
00:00:36,590 --> 00:00:40,070
Of course, there's recent
examples of department stores
13
00:00:40,070 --> 00:00:45,080
and various companies where the
security has been compromised
14
00:00:45,080 --> 00:00:47,030
and the information
has leaked out
15
00:00:47,030 --> 00:00:49,160
and it's been made
available to people
16
00:00:49,160 --> 00:00:51,230
that it doesn't belong to.
17
00:00:51,230 --> 00:00:53,030
And part of this is
because the amount
18
00:00:53,030 --> 00:00:55,940
of information
that we're storing
19
00:00:55,940 --> 00:00:57,980
is increasing and increasing.
20
00:00:57,980 --> 00:01:01,880
If you think of all the social
networking sites, all of that
21
00:01:01,880 --> 00:01:06,320
is what we call PII, or
Personally Identifiable
22
00:01:06,320 --> 00:01:08,810
Information,
information that can
23
00:01:08,810 --> 00:01:11,630
be used to identify
a particular person.
24
00:01:11,630 --> 00:01:15,170
This type of information
is important to companies
25
00:01:15,170 --> 00:01:17,600
like credit card
and loan companies
26
00:01:17,600 --> 00:01:20,810
and such to be able to
identify a person, as well
27
00:01:20,810 --> 00:01:23,750
as just purchasing
things on the internet.
28
00:01:23,750 --> 00:01:26,780
If that information gets
out, then other people
29
00:01:26,780 --> 00:01:30,260
can steal identities and
impersonate that person.
30
00:01:30,260 --> 00:01:32,240
So all of these
things are pointing
31
00:01:32,240 --> 00:01:35,120
to the idea of security
coming to a head
32
00:01:35,120 --> 00:01:38,300
really, where there
will be even more
33
00:01:38,300 --> 00:01:42,440
incidents in the news that
have a big impact on day
34
00:01:42,440 --> 00:01:44,030
to day life.
35
00:01:44,030 --> 00:01:46,640
And the interesting thing
for a database administrator
36
00:01:46,640 --> 00:01:49,250
to consider is that
most of this information
37
00:01:49,250 --> 00:01:52,010
is stored in a
database of some type.
38
00:01:52,010 --> 00:01:55,910
By and large, the information is
stored in relational databases,
39
00:01:55,910 --> 00:01:58,730
although there are other
types of databases that store
40
00:01:58,730 --> 00:02:02,010
some types of information.
41
00:02:02,010 --> 00:02:06,330
And it's also true that security
is often overlooked in the day
42
00:02:06,330 --> 00:02:09,540
to day operations of a
database administrator.
43
00:02:09,540 --> 00:02:12,930
Since so much of a
database administrators day
44
00:02:12,930 --> 00:02:16,950
is spent fighting fires,
performance tuning,
45
00:02:16,950 --> 00:02:20,040
creating objects,
backup and recovery,
46
00:02:20,040 --> 00:02:22,830
all those types of
things, it is safe to say
47
00:02:22,830 --> 00:02:25,500
that there are a lot of
database administrators
48
00:02:25,500 --> 00:02:28,890
that really just don't
consider security in the day
49
00:02:28,890 --> 00:02:30,870
to day operations.
50
00:02:30,870 --> 00:02:32,700
And this is just because
they're overwhelmed
51
00:02:32,700 --> 00:02:34,590
with other types of things.
52
00:02:34,590 --> 00:02:36,780
And, to be honest,
security is one
53
00:02:36,780 --> 00:02:39,360
of those areas where a
database administrator is not
54
00:02:39,360 --> 00:02:42,480
going to get a lot of
support from other parts
55
00:02:42,480 --> 00:02:45,370
of the organization
by and large.
56
00:02:45,370 --> 00:02:48,750
If you're dealing with
developers and users,
57
00:02:48,750 --> 00:02:51,510
and you try to implement
tight security,
58
00:02:51,510 --> 00:02:53,370
that makes it more
difficult for them
59
00:02:53,370 --> 00:02:55,530
to do their jobs, quite simply.
60
00:02:55,530 --> 00:02:57,990
And they don't want
those roadblocks.
61
00:02:57,990 --> 00:02:59,760
But it has to be considered.
62
00:02:59,760 --> 00:03:04,290
DBA has to be the one that
stands up and at least says,
63
00:03:04,290 --> 00:03:09,330
this is a risk, and we need to
mitigate that risk in some way.
64
00:03:09,330 --> 00:03:12,180
Hopefully, the DBA gets
support from their management,
65
00:03:12,180 --> 00:03:14,680
although that's not
always the case as well.
66
00:03:14,680 --> 00:03:18,540
So, for a DBA, you have
to consider the security
67
00:03:18,540 --> 00:03:20,970
and you have to at
least make known
68
00:03:20,970 --> 00:03:25,140
your risks and your findings,
security problems that
69
00:03:25,140 --> 00:03:26,550
exist in the organization.
70
00:03:26,550 --> 00:03:28,680
You have to at least
be able to bring those
71
00:03:28,680 --> 00:03:32,650
to someone's attention,
even for your own sake.
72
00:03:32,650 --> 00:03:34,500
One of the principles
of security
73
00:03:34,500 --> 00:03:37,800
is the principle
of least privilege,
74
00:03:37,800 --> 00:03:42,470
the idea that less is best
as far as privileges go.
75
00:03:42,470 --> 00:03:44,810
There's a myth about
the typical hacker.
76
00:03:44,810 --> 00:03:47,900
And hackers make
the news when they
77
00:03:47,900 --> 00:03:51,410
are some kid in the Ukraine
that attacked a bank
78
00:03:51,410 --> 00:03:53,330
or something of that nature.
79
00:03:53,330 --> 00:03:55,340
But that is a myth
as far as that
80
00:03:55,340 --> 00:03:58,400
being the main
type of attack that
81
00:03:58,400 --> 00:04:00,930
involves computer security.
82
00:04:00,930 --> 00:04:05,250
The majority of attacks against
computer security are internal.
83
00:04:05,250 --> 00:04:07,770
And this has been true
almost since the beginning
84
00:04:07,770 --> 00:04:09,090
of computers.
85
00:04:09,090 --> 00:04:11,640
It isn't the external
attacks, it's
86
00:04:11,640 --> 00:04:14,730
the internal attacks
that are more prevalent.
87
00:04:14,730 --> 00:04:17,760
And that's why database
security is so important.
88
00:04:17,760 --> 00:04:21,090
Because, if a hacker, or
an attacker, or someone who
89
00:04:21,090 --> 00:04:24,990
wants to compromise information,
is internal to a company,
90
00:04:24,990 --> 00:04:27,870
then they may have
access to the database,
91
00:04:27,870 --> 00:04:30,030
and the data that
they're looking for
92
00:04:30,030 --> 00:04:31,920
may be stored in the database.
93
00:04:31,920 --> 00:04:35,730
And so that's why it's not
enough in today's world just
94
00:04:35,730 --> 00:04:39,000
to have strong firewalls
outside of your company.
95
00:04:39,000 --> 00:04:41,080
Firewall security is important.
96
00:04:41,080 --> 00:04:44,250
And it's not the only security
that you have to have.
97
00:04:44,250 --> 00:04:46,920
You have to have
security in layers,
98
00:04:46,920 --> 00:04:48,960
sort of walls inside of walls.
99
00:04:48,960 --> 00:04:52,480
And that's where database
security comes in.
100
00:04:52,480 --> 00:04:54,250
So the principle
of least privilege
101
00:04:54,250 --> 00:04:57,850
states that a user should only
be granted the privileges that
102
00:04:57,850 --> 00:05:01,270
are absolutely necessary
for that user to accomplish
103
00:05:01,270 --> 00:05:03,040
their given tasks.
104
00:05:03,040 --> 00:05:05,860
So this is the
walls within walls.
105
00:05:05,860 --> 00:05:08,410
So, if we say that
an attacker could
106
00:05:08,410 --> 00:05:11,230
be internal to the
organization, then it's
107
00:05:11,230 --> 00:05:15,280
important that that user
internal to the organization
108
00:05:15,280 --> 00:05:18,960
only have the privileges
that they absolutely need.
109
00:05:18,960 --> 00:05:22,620
It is easier to confine
a potential attacker
110
00:05:22,620 --> 00:05:25,680
and still give the person
the kinds of privileges they
111
00:05:25,680 --> 00:05:28,470
need in order to do their job.
112
00:05:28,470 --> 00:05:30,040
But we don't give them more.
113
00:05:30,040 --> 00:05:33,270
And a good example of this
is sometimes managers.
114
00:05:33,270 --> 00:05:37,470
If a manager is managing a
database administration team
115
00:05:37,470 --> 00:05:40,440
and yet does not log
into the database,
116
00:05:40,440 --> 00:05:43,200
oftentimes the manager
will say, well,
117
00:05:43,200 --> 00:05:45,270
since I am the
manager of the DBAs,
118
00:05:45,270 --> 00:05:47,250
I need to have a
database account
119
00:05:47,250 --> 00:05:49,240
with administrative
level access.
120
00:05:49,240 --> 00:05:52,350
And that's just not the
case, because that just
121
00:05:52,350 --> 00:05:54,930
is one more tunnel
into the database that
122
00:05:54,930 --> 00:05:57,540
can be compromised.
123
00:05:57,540 --> 00:05:59,560
Our next principle is auditing.
124
00:05:59,560 --> 00:06:02,830
And the principle of auditing
goes back to the statement
125
00:06:02,830 --> 00:06:06,250
that every action should be
traceable to one and only one
126
00:06:06,250 --> 00:06:07,120
user.
127
00:06:07,120 --> 00:06:10,870
So, if a user goes in
and does an operation,
128
00:06:10,870 --> 00:06:14,630
we should be able to trace that
operation back to the user.
129
00:06:14,630 --> 00:06:16,870
So some violations
of this kind of
130
00:06:16,870 --> 00:06:20,350
include things like shared
passwords, where users
131
00:06:20,350 --> 00:06:21,760
will share their passwords.
132
00:06:21,760 --> 00:06:26,500
Or shared accounts are
created that many users use.
133
00:06:26,500 --> 00:06:30,640
So, if we have a single account
for all of our developers
134
00:06:30,640 --> 00:06:33,010
to log in and use
the database, then,
135
00:06:33,010 --> 00:06:35,320
if something wrong
happens, there's
136
00:06:35,320 --> 00:06:38,450
no way to trace that back
to an individual user.
137
00:06:38,450 --> 00:06:40,960
So that's what
auditing is all about.
138
00:06:40,960 --> 00:06:42,670
A security policy.
139
00:06:42,670 --> 00:06:45,730
Every organization should have
a written security policy.
140
00:06:45,730 --> 00:06:48,280
And this goes back
to the idea that we
141
00:06:48,280 --> 00:06:51,160
said in the beginning,
where security is not
142
00:06:51,160 --> 00:06:54,730
always supported in an
organization at the management
143
00:06:54,730 --> 00:06:57,320
level or at the user level.
144
00:06:57,320 --> 00:07:01,360
It is important that a company
have a security policy.
145
00:07:01,360 --> 00:07:03,070
These are the things
that we allow.
146
00:07:03,070 --> 00:07:06,190
This is the organization
of our security, how
147
00:07:06,190 --> 00:07:09,790
it is with roles and privileges,
who has what privileges, so
148
00:07:09,790 --> 00:07:10,610
on and so forth.
149
00:07:10,610 --> 00:07:14,320
This is true of a lot of
different computer assets,
150
00:07:14,320 --> 00:07:18,200
but especially as it terms
with database security.
151
00:07:18,200 --> 00:07:20,350
And, finally, role
based security.
152
00:07:20,350 --> 00:07:23,260
Security should be based
on job roles rather than
153
00:07:23,260 --> 00:07:25,190
direct permissions.
154
00:07:25,190 --> 00:07:28,870
If you have 100
users, and all of them
155
00:07:28,870 --> 00:07:33,010
are given direct permissions
to 1,000 objects,
156
00:07:33,010 --> 00:07:36,490
that's not even very large in
an organization or a database.
157
00:07:36,490 --> 00:07:40,030
But the management of keeping
all of those permissions
158
00:07:40,030 --> 00:07:42,250
correct is going
to be a nightmare.
159
00:07:42,250 --> 00:07:44,770
And problems are going
to happen security.
160
00:07:44,770 --> 00:07:47,260
Holes are going to
develop from that.
161
00:07:47,260 --> 00:07:50,110
And so that's why security
should be role-based.
162
00:07:50,110 --> 00:07:54,190
So a job role, and that role
is given to a number of people,
163
00:07:54,190 --> 00:07:56,840
and certain permissions
are given to that role.
164
00:07:56,840 --> 00:08:00,010
So role-based security
actually makes an organization
165
00:08:00,010 --> 00:08:04,150
more secure because it limits
the amount of possibility
166
00:08:04,150 --> 00:08:08,260
there are for breaches
with direct permissions.
13634
Can't find what you're looking for?
Get subtitles in any language from opensubtitles.com, and translate them here.