Course Content and Outcome Guide for CIS 277D

Course Number:
CIS 277D
Course Title:
Database Security
Credit Hours:
Lecture Hours:
Lecture/Lab Hours:
Lab Hours:
Special Fee:

Course Description

Covers all aspects of securing a database. Uses Oracle database security to explain concepts in an relational database. Topics covered include: the importance of a database policy, identification and authorization methods (including web applications), securing connection pools and proxy authorization, identity management and enterprise users, authorizations and auditing, fine-grained access control (including application contexts security, views, row -level security, virtual private database, Oracle label security and database encryption). Recommended: CIS 276. Additional lab hours may be required. Audit available.

Intended Outcomes for the course

On completion of this course a student should be able to:
1. Carry out a risk analysis for a large database.
2. Implement identification and authentication procedures, fine-grained access control and data encryption techniques.
3. Set up accounts with privileges and roles.
4. Audit accounts and the database system.
5. Back-up and Restore a database.

Course Activities and Design

This course is presented with a combination of lectures and labs.
Students will be expected to complete DB security assignments.

Outcome Assessment Strategies

Students will complete the following assessments:
• Design and set up a DB with security principles in mind.
• Develop a risk analysis for a DB.
• Conduct an audit of DB usage.
• Create secure authentication procedures for web application users.
• Use well-established Encryption routines for data storage and retrieval.
• Troubleshoot DB security issues.
• Backup and restore a DB.

Course Content (Themes, Concepts, Issues and Skills)

• Review of System/Software/Security Development Life Cycle
• Survey typical security policies
o Importance of having a policy
o Policy must be weighed against the need for DB access
o DB security best practices
• Risk analysis
o Documentation
o Analysis is ongoing
o Contingency planning
• Passwords
o Good Vs Bad passwords
o Practicality of password rules
• Identification
o User-supplied Vs Technological
o Protecting against spoofing and Identity theft
• Authentication (Is the person who they say they are?)
o Connection pools and proxy authentication
o Enterprise users
o Web users
• Authorizations
o Privileges
o Roles
• Auditing
o Application audit
o Trigger audit
o Autonomous audit
o Data versioning
o Best practices for auditing
o Performance Testing
o Fine-grained auditing
• Fine-grained access control
o Local context
o Global context
o Object level
o Row or column level
• Label security
• Data encryption
o Key management
o Hashing
o Performance monitoring
• DB Backup and recovery
• Troubleshoot data integrity problem