Gathering and Transportation Brigade Report Data Migration: Foreign Literature Translation 03083107 Liu Qian (刘骞).docx
China University of Petroleum (East China)
Undergraduate Graduation Project (Thesis): Foreign Literature Translation
Student name: Liu Qian (刘骞)
Student number: 03083107
Major and class: Software Engineering, Class 03-1
Advisor: Zheng Qiumei (郑秋梅)
20 June 2007
Database Security in a Web Environment
Introduction
Databases have been common in government departments and commercial enterprises for many years. Today, databases in any organization are increasingly opened up to a multiplicity of suppliers, customers, partners and employees - an idea that would have been unheard of a few years ago. Numerous applications and their associated data are now accessed by a variety of users requiring different levels of access via manifold devices and channels – often simultaneously. For example:
• Online banks allow customers to perform a variety of banking operations - via the Internet and over the telephone – whilst maintaining the privacy of account data.
• E-Commerce merchants and their Service Providers must store customer, order and payment data on their merchant server - and keep it secure.
• HR departments allow employees to update their personal information – whilst protecting certain management information from unauthorized access.
• The medical profession must protect the confidentiality of patient data – whilst allowing essential access for treatment.
• Online brokerages need to be able to provide large numbers of simultaneous users with up-to-date and accurate financial information.
This complex landscape leads to many new demands upon system security. The global growth of complex web-based infrastructures is driving a need for security solutions that provide mechanisms to segregate environments; perform integrity checking and maintenance; enable strong authentication and non-repudiation; and provide for confidentiality. In turn, this necessitates comprehensive business and technical risk assessment to identify the threats, vulnerabilities and impacts, and from this define a security policy. This leads to security definitions throughout the infrastructure - operating system, database management system, middleware and network.
Financial, personal and medical information systems and some areas of government have strict requirements for security and privacy. Inappropriate disclosure of sensitive information to the wrong parties can have severe social, legal and regulatory consequences. Failure to address the basics can result in substantial direct and consequential financial losses - witness the fraud losses through the compromise of several million credit card numbers in merchants’ databases [Occf], plus associated damage to brand-image and loss of consumer confidence.
This article discusses some of the main issues in database and web server security, and also considers important architecture and design issues.
A Simple Model
At the simplest level, a web server system consists of front-end software and back-end databases with interface software linking the two. Normally, the front-end software will consist of server software and the network server operating system, and the back-end database will be a relational or object-oriented database fulfilling a variety of functions, including recording transactions, maintaining accounts and inventory. The interface software typically consists of Common Gateway Interface (CGI) scripts used to receive information from forms on web sites to perform online searches and to update the database.
Depending on the infrastructure, middleware may be present; in addition, security management subsystems (with session and user databases) that address the web server’s and related applications’ requirements for authentication, access control and authorization may be present. Communications between this subsystem and either the web server, middleware or database are via application program interfaces (APIs).
This simple model is depicted in Figure 1.
Security can be provided by the following components:
• Web server.
• Middleware.
• Operating system.
• Database and Database Management System.
• Security management subsystem.
Figure 1: A Simple Model.
The security of such a system addresses aspects of authenticity, integrity and confidentiality and is dependent on the security of the individual components and their interactions. Some of the most common vulnerabilities arise from poor configuration, inadequate change control procedures and poor administration. However, even if these areas are properly addressed, vulnerabilities still arise. The appropriate combination of people, technology and processes holds the key to providing the required physical and logical security. Attention should additionally be paid to the security aspects of planning, architecture, design and implementation.
In the following sections, we consider some of the main security issues associated with databases, database management systems, operating systems and web servers, as well as important architecture and design issues. Our treatment seeks only to outline the main issues and the interested reader should refer to the references for a more detailed description.
Database Security
Database management systems normally run on top of an operating system and provide the security associated with a database. Typical operating system security features include memory and file protection, resource access control and user authentication. Memory protection prevents the memory of one program interfering with that of another and limits access and use of the objects employing techniques such as memory segmentation. The operating system also protects access to other objects (such as instructions, input and output devices, files and passwords) by checking access with reference to access control lists. Security mechanisms in common operating systems vary tremendously and, for those that are lacking, there exists special-purpose security software that can be integrated with the existing environment. However, this can be an expensive, time-consuming task and integration difficulties may also adversely impact application behaviors.
Most database management systems consist of a number of modules - including database querying and database and file management - along with authorization, concurrent access and database description tables. These management systems also use a variety of languages: a data definition language supports the logical definition of the database; developers use a data manipulation language; and a query language is used by non-specialist end-users.
Database management systems have many of the same security requirements as operating systems, but there are significant differences since the former are particularly susceptible to the threat of improper disclosure, modification of information and also denial of service. Some of the most important security requirements for database management systems are:
• Multi-Level Access Control.
• Confidentiality.
• Reliability.
• Integrity.
• Recovery.
These requirements, along with security models, are considered in the following sections.
Multi-Level Access Control
In a multi-application and multi-user environment, administrators, auditors, developers, managers and users – collectively called subjects - need access to database objects, such as tables, fields or records. Access control restricts the operations available to a subject with respect to particular objects and is enforced by the database management system. Mandatory access controls require that each controlled object in the database must be labeled with a security level, whereas discretionary access controls may be applied at the choice of a subject.
Access control in database management systems is more complicated than in operating systems since, in the latter, all objects are unrelated whereas in a database the converse is true. Databases are also required to make access decisions based on a finer degree of subject and object granularity. In multi-level systems, access control can be enforced by the use of views - filtered subsets of the database - containing the precise information that a subject is authorized to see.
A general principle of access control is that a subject with high level security should not be able to write to a lower level object, and this poses a problem for database management systems that must read all database objects and write new objects. One solution to this problem is to use a trusted database management system.
Confidentiality
Some databases will inevitably contain what is considered confidential data. For example, it could be inherently sensitive or its source may be sensitive, or it may belong to a sensitive table, thus making it difficult to determine what is actually confidential. Disclosure is also difficult to define, as it can be direct, indirect, involve the disclosure of bounds or even mere existence.
An inference problem exists in database management systems whereby users can infer sensitive information from relatively insensitive queries. A trivial example is a request for information about the average salary of an employee and the number of employees turns out to be just one, thus revealing the employee’s salary. However, much more sophisticated statistical inference attacks can also be mounted. This highlights the fact that, although the data itself may be properly controlled, confidential information may still leak out.
Controls can take several forms: not divulging sensitive information to unauthorized parties (which depends on the respective subject and object security levels), logging what each user knows or masking response data. The first control can be implemented fairly easily, the second quickly becomes unmanageable for a large number of users and the third leads to imprecise responses, and also exemplifies the trade-off between precision and security. Polyinstantiation refers to multiple instances of a data object existing in the database and it can provide a partial solution to the inference problem whereby different d
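The two mechanisms described above, views as filtered subsets of the database (Multi-Level Access Control) and refusing aggregate answers that would isolate a single employee's salary (the inference problem in Confidentiality), as an added example that is not part of the original article. The employee table, the security labels, the view names `employee_l0`/`employee_l1` and the `MIN_GROUP` threshold are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data (not from the article). level 0 = unclassified,
# level 1 = confidential; each row carries its own security label.
ROWS = [
    ("alice", "research", 82000, 1),
    ("bob", "research", 76000, 0),
    ("carol", "sales", 61000, 0),
    ("dave", "sales", 64000, 0),
    ("erin", "legal", 98000, 1),
]
MIN_GROUP = 2  # an aggregate must cover at least this many rows to be answered


def open_db():
    """Build an in-memory database with one view per clearance level."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee(name, dept, salary, level)")
    db.executemany("INSERT INTO employee VALUES (?,?,?,?)", ROWS)
    # Mandatory-style filtering: a subject only ever queries the view that
    # contains rows labelled at or below its clearance (hypothetical names).
    db.execute("CREATE VIEW employee_l0 AS SELECT * FROM employee WHERE level <= 0")
    db.execute("CREATE VIEW employee_l1 AS SELECT * FROM employee WHERE level <= 1")
    return db


def view_for(clearance):
    """Map a subject's clearance to a fixed view name (no user input reaches SQL)."""
    return "employee_l1" if clearance >= 1 else "employee_l0"


def visible_names(db, clearance):
    """Rows a subject at this clearance can read at all, via its view."""
    rows = db.execute(f"SELECT name FROM {view_for(clearance)} ORDER BY name")
    return [r[0] for r in rows]


def avg_salary(db, clearance, dept):
    """Average salary of a department as seen through the subject's view.

    Returns None when fewer than MIN_GROUP rows contribute: this is the
    query-size control that blocks the article's 'average of one employee'
    inference, at the cost of a less precise (refused) answer.
    """
    cnt, avg = db.execute(
        f"SELECT COUNT(*), AVG(salary) FROM {view_for(clearance)} WHERE dept = ?",
        (dept,),
    ).fetchone()
    return None if cnt < MIN_GROUP else avg
```

With clearance 0 the research department contains only one visible row, so `avg_salary(db, 0, "research")` is refused; with clearance 1 both research rows are visible and the average is returned.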