1. Database Security
- Protects DB from unauthorized access, misuse, corruption, loss.
- Two key parts:
- Authentication → Who are you?
- Authorization → What can you do?
2. User Authentication (WHO)
Definition: Verifying user’s identity before access.
Types (Mnemonic → P-M-B-T-C):
- P → Password-based: Username + password.
- M → Multi-Factor (MFA): Password + OTP/token/biometric.
- B → Biometric: Fingerprint, face, retina.
- T → Token-based: Temporary access tokens.
- C → Certificate-based: Digital certificates (PKI).
Best Practices:
✔ Strong passwords
✔ Use MFA
✔ Lock accounts on multiple failed logins
✔ Rotate credentials regularly
3. User Authorization (WHAT)
Definition: Decides what a user can do after authentication.
Types (Mnemonic → R-D-M-A):
- R → Role-based (RBAC): Access based on role (Admin, User).
- D → Discretionary (DAC): Owner gives permissions.
- M → Mandatory (MAC): Access based on strict security labels (Confidential, Secret).
- A → Attribute-based (ABAC): Access depends on attributes (location, device).
Levels of Access Control:
- Object Level: Whole table/view.
- Column Level: Specific columns (e.g., hide Salary).
- Row Level: Specific rows (e.g., Manager sees only their team).
4. Security Best Practices
- 🔑 Principle of Least Privilege (give only required access).
- 🔐 Encrypt sensitive data (passwords, card details).
- 📊 Audit logs for unusual activity.
- 🛡️ Database firewalls to block threats.
- 🔄 Regular patching to fix vulnerabilities.
5. Quick Examples
- Login to DB:
- Authentication → Username/password check.
- Authorization → Can user SELECT/UPDATE table?
- Bank Database:
- Teller → Can see balance.
- Manager → Can see balance + transactions.
- Shopping Site:
- Customer → Sees own orders only.
6. Authentication vs Authorization
| Aspect | Authentication | Authorization |
|---|---|---|
| Meaning | Verifies who | Decides what |
| Happens | First | After authentication |
| Example | Login with password | Can read/write DB |
✅ Exam Hack:
- Authentication = WHO
- Authorization = WHAT
- Mnemonics:
- AuthN → Name (WHO)
- AuthZ → Zone (WHAT access zone)