Page 142 - Courses
Logical Security Applications
Databases inherently have weak native security mechanisms. The network and OS layers integrate with
the database layer, and it is normally the OS layer that restricts access to the database.
Database vendors have focused more on data structures, access, and retrieval than on database
security.
Generally accepted IT separation of duties (SoD) restricts access to the database to the DBAs; no
other IT personnel should have access to the database.
Concepts
Access Restriction
Organizations usually restrict access to production databases solely to the database administrators.
Super users may also have direct access to specific database tables or elements. A super user is a
business user with the capability to manipulate data in the database through a utility program or
script.
A key concept is that if the operating system (OS) and database are interfaced correctly, so that OS
access controls gate who can reach the database files and processes, there is less need to perform a
full security audit of the database. This reliance holds only for access paths that actually pass
through the OS controls; a database listener that accepts network connections authenticates callers
itself, so those database accounts and their privileges still need to be reviewed.
Standard audit programs exist to guide the auditor through an audit of the database.
Relational Databases
The standard databases in use today are relational databases. Key aspects of relational databases
include:
All data is stored in tables.
Tables have columns and rows.
Tables are related, whereby each has a column with common types of information.
Related columns are called primary and foreign keys: the foreign key in one table references the primary key of the related table.
Examples of common relational databases in use include:
IBM’s DB2.
Oracle Database.
Microsoft SQL Server.
Sybase.
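The primary/foreign key relationship described above, shown as a runnable example. This is an added illustration written for this page, not material from the course; it uses SQLite through Python's sqlite3 module, and the customers/orders tables and their rows are constructed sample data. It also shows a point auditors run into: the relationship is only enforced if the database is told to enforce it (SQLite's foreign_keys pragma is off by default), so the example includes an orphan-row check for the case where it was not.

```python
import sqlite3

# Constructed sample schema (not from the course page): an orders table
# whose customer_id is a foreign key referencing customers.customer_id.
SCHEMA = """
CREATE TABLE customers (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE orders (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
    amount      REAL NOT NULL
);
"""


def open_db(enforce_fk=True):
    """Open an in-memory database with two related tables.

    SQLite only checks foreign keys when the pragma is switched on, so the
    key relationship is enforced only if enforce_fk is True.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(1, "Alice"), (2, "Bob")])
    return conn


def insert_order(conn, order_id, customer_id, amount):
    """Return True if the row was accepted, False if the database rejected it
    because customer_id matches no primary key in customers."""
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute("INSERT INTO orders VALUES (?, ?, ?)",
                         (order_id, customer_id, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def orders_by_customer(conn):
    """Join the two tables on the primary/foreign key pair."""
    return conn.execute("""
        SELECT c.name, COUNT(o.order_id), COALESCE(SUM(o.amount), 0)
        FROM customers c
        LEFT JOIN orders o ON o.customer_id = c.customer_id
        GROUP BY c.customer_id
        ORDER BY c.customer_id
    """).fetchall()


def orphan_orders(conn):
    """Audit check: orders whose foreign key references no customer row.
    Non-empty output means referential integrity was not enforced."""
    return conn.execute("""
        SELECT o.order_id, o.customer_id
        FROM orders o
        LEFT JOIN customers c ON o.customer_id = c.customer_id
        WHERE c.customer_id IS NULL
    """).fetchall()


if __name__ == "__main__":
    strict = open_db(enforce_fk=True)
    print(insert_order(strict, 100, 1, 25.0))   # accepted
    print(insert_order(strict, 101, 9, 10.0))   # rejected: no customer 9
    print(orders_by_customer(strict))

    loose = open_db(enforce_fk=False)
    insert_order(loose, 101, 9, 10.0)           # accepted silently
    print(orphan_orders(loose))                 # the orphan shows up here
```

The orphan check is the query an auditor would run against a production schema where the foreign key constraint is missing or disabled; on a correctly constrained database it must return no rows.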
Database Security Mechanisms
Common database security mechanisms may include:
User accounts and passwords — They usually reside in a database table. Passwords may be stored
there without being hashed or encrypted, so anyone who can read the table learns every password.
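The account-table point above, as an added example that is not part of the course material. It uses SQLite through Python's sqlite3 module with a constructed accounts table; the weak variant writes the password itself into the table, the hardened variant stores a salted PBKDF2-HMAC-SHA256 record instead (that scheme and its record format are this example's choice, not anything the page prescribes), and an audit function scans the table and reports every account whose password column does not look like a hash record.

```python
import hashlib
import hmac
import os
import sqlite3

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000  # raise for production; kept moderate so the example runs quickly


def create_accounts_table(conn):
    conn.execute("""CREATE TABLE accounts (
        username TEXT PRIMARY KEY,
        password TEXT NOT NULL)""")


def store_plaintext(conn, username, password):
    """Weak: the secret itself lands in the table. Anyone who can SELECT
    from accounts, or read the database file, learns the password."""
    conn.execute("INSERT INTO accounts VALUES (?, ?)", (username, password))


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, stored as one self-describing string:
    pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def store_hashed(conn, username, password):
    """Hardened: only the hash record is written; the password is not recoverable."""
    conn.execute("INSERT INTO accounts VALUES (?, ?)",
                 (username, hash_password(password)))


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and compare in constant time.
    A value that is not a hash record (e.g. a clear-text password) never verifies."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(parts[2]), int(parts[1]))
    return hmac.compare_digest(recomputed.hex(), parts[3])


def _looks_hashed(value):
    parts = value.split("$")
    hexdigits = set("0123456789abcdef")
    return (len(parts) == 4 and parts[0] == ALGO and parts[1].isdigit()
            and set(parts[2] + parts[3]) <= hexdigits)


def audit_plaintext_passwords(conn):
    """Auditor's check over the whole table: return the usernames whose
    password column does not parse as a hash record."""
    return [username
            for username, value in conn.execute("SELECT username, password FROM accounts")
            if not _looks_hashed(value)]


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    create_accounts_table(conn)
    # Constructed sample rows: one legacy account stored the weak way,
    # one stored with the hash record.
    store_plaintext(conn, "legacy_user", "Summer2022!")
    store_hashed(conn, "app_user", "p@ssw0rd")
    print(audit_plaintext_passwords(conn))  # the legacy account is reported
    for username, value in conn.execute("SELECT username, password FROM accounts"):
        print(username, value)
```

The audit function is the part worth keeping: pointed at a real accounts table it only needs the record-format check adjusted to whatever hash scheme the database is supposed to be using, and every username it returns is a finding.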
Copyright © 2022 by The Institute of Internal Auditors, Inc. All rights reserved.