IASP 525 Database Security Session 3cysecure.org/525/tanand/525/Session 3 - 09192018.pdf ·...

Page 1

IASP 525 Database Security – Session 3

Tej Anand

09/19/2018

Page 2

Objectives

© 2018. Tej Anand 2

1. Logical Model and Normalizing Data

2. SQL Review

3. OLAP Models

4. Types of data - PHI, IHI, Financial,

Confidential, Proprietary

Page 3

Database Modeling Scenario

1. Model a business with employees who work in departments.

2. Departments can be arranged under other departments (parent

department)

3. Departments conduct projects.

4. Projects can be under other projects (major project)

5. Projects have a responsible department

6. Projects have a responsible employee

Page 4

Conceptual Model

Entities and attributes (from the slide's diagram):

Employee: EmployeeId (PK), FullName, Date of Birth, Gender, Date of Hire, DepartmentName, Phone Number, Title, Education Level, Salary, Bonus, Commission

Project: Name, ResponsibleDepartmentName, ResponsibleEmployeeName

Department: Name

Relationships as drawn: Employee WorksIn Department (many employees to one department); Department Has Project (one department to zero or many projects); Department CanHaveAParent (self-referencing, at most one parent); Project CanHaveAMajorProject (self-referencing, zero or one major project)

Page 5

Logical Model

Entities and attributes (from the slide's diagram):

Employee: EmployeeId (PK), LastName, MiddleInitial, FirstName, Date of Birth, Gender, Date of Hire, DepartmentId (FK), Phone Number, JobTitle, Education Level, Salary, Bonus, Commission

Department: DepartmentId (PK), ParentDepartmentId (FK), Name

Project: ProjectId (PK), MasterProjectId (FK), Name, RespDepartId (FK), RespEmplId (FK), StartDate, EndDate

Relationships as drawn: Department Contains Employee (1:M); Department CanHaveAParent (self-referencing through ParentDepartmentId, zero or one); Department Has Project (1:M); Project CanHaveAMajorProject (self-referencing through MasterProjectId, zero or one); Employee IsResponsibleFor Project (1:M)

Page 6

Normalizing the Logical Model

Entities and attributes (from the slide's diagram; JobTitle is now its own entity):

Employee: EmployeeId (PK), LastName, MiddleInitial, FirstName, Date of Birth, Gender, Date of Hire, DepartmentId (FK), Phone Number, JobTitleId (FK), Education Level, Salary, Bonus, Commission

Department: DepartmentId (PK), ParentDepartmentId (FK), Name

Project: ProjectId (PK), MasterProjectId (FK), Name, RespDepartId (FK), RespEmplId (FK), StartDate, EndDate

JobTitle: JobTitleId (PK), Name

Relationships as drawn: Department Contains Employee (1:M); Department CanHaveAParent (self-referencing, zero or one); Department Has Project (1:M); Project CanHaveAMajorProject (self-referencing, zero or one); Employee IsResponsibleFor Project (1:M); JobTitle IsGivenTo Employee (1:M)

Page 7

Should we consider further normalization?

1. Should education level and gender have their own entities?

2. What functional limitations do we see in this model?

a. Salary, bonus and commission?

b. Job Title?

c. Department?

d. Can Projects change Departments?

3. What eventually drives decisions to the questions above?

Page 8

A much more functional model?

Entities and attributes (from the slide's diagram; compensation and job-title assignments become dated history tables):

Employee: EmployeeId (PK), LastName, MiddleInitial, FirstName, Date of Birth, Gender, Date of Hire, DepartmentId (FK), Phone Number, JobTitleId (FK), Education Level

JobTitle: JobTitleId (PK), Name

Compensation: CompensationId (PK), EmployeeId (FK), Salary, Commission, Bonus, StartDate, EndDate

EmployeeJobTitle: EmployeeJobTitleId (PK), EmployeeId (FK), JobTitleId (FK), StartDate, EndDate

Relationships as drawn: Employee Has Compensation (1:M, one row per compensation period); Employee Has EmployeeJobTitle (1:M); JobTitle IsGivenTo Employee (1:M)

Page 9

Pros and Cons of Normalizing

Pros

1. Reduce redundant data, which leads to increased data integrity

2. Increase the number of questions that can be asked

3. Segment sensitive data

4. Grant granular permissions

Cons

1. More difficult for the business to understand

2. Queries require joins

3. Update performance can be reduced (a single logical change may touch several tables, and every foreign key is checked)

4. Insert performance?
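The example below is added here and is not code from the lecture slides. It implements the Employee / Compensation split of the "much more functional model" in SQLite (the slides use DB2 syntax; SQLite is assumed only so the example runs offline), with constructed rows, and shows the three security-relevant pros above in working form: the pay columns live in their own table, a directory view exposes no pay at all so it can be granted separately, and the dated rows answer a question the flat model cannot (what was this person paid on a given day). The view name EmployeeDirectory and the helper functions are this example's own.

```python
import sqlite3
from datetime import date, timedelta
from typing import Optional

# Added example, not from the lecture slides: the Employee / Compensation split
# of the "much more functional model", implemented in SQLite so it runs offline.
# Table and column names follow the slide; every row below is constructed.

SCHEMA = """
CREATE TABLE Employee (
    EmployeeId   INTEGER     PRIMARY KEY,
    LastName     VARCHAR(15) NOT NULL,
    FirstName    VARCHAR(12) NOT NULL,
    DepartmentId CHAR(3)     NOT NULL
);
-- One row per compensation period; EndDate IS NULL marks the current period.
CREATE TABLE Compensation (
    CompensationId INTEGER      PRIMARY KEY,
    EmployeeId     INTEGER      NOT NULL REFERENCES Employee(EmployeeId),
    Salary         DECIMAL(9,2) NOT NULL,
    Commission     DECIMAL(9,2),
    Bonus          DECIMAL(9,2),
    StartDate      DATE         NOT NULL,
    EndDate        DATE,
    CHECK (EndDate IS NULL OR EndDate > StartDate)
);
-- The directory view carries no pay column, so a role granted SELECT on the
-- view (and nothing on Compensation) cannot read salaries, even by accident.
CREATE VIEW EmployeeDirectory AS
    SELECT EmployeeId, LastName, FirstName, DepartmentId FROM Employee;
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT INTO Employee VALUES (?,?,?,?)", [
            (10, "HAAS", "CHRISTINE", "A00"),
            (20, "THOMPSON", "MICHAEL", "B01"),
        ])
        conn.executemany("INSERT INTO Compensation VALUES (?,?,?,?,?,?,?)", [
            (1, 10, 42000.00, None, 800.00, "2016-01-01", "2017-12-31"),
            (2, 10, 52750.00, None, 1000.00, "2018-01-01", None),
            (3, 20, 41250.00, None, 800.00, "2017-06-01", None),
        ])
    return conn


def current_salary(conn, employee_id: int) -> Optional[float]:
    row = conn.execute(
        "SELECT Salary FROM Compensation WHERE EmployeeId = ? AND EndDate IS NULL",
        (employee_id,)).fetchone()
    return row[0] if row else None


def salary_on(conn, employee_id: int, day: str) -> Optional[float]:
    """Point-in-time salary: the period that contains the ISO date `day`.
    A single Salary column on Employee cannot answer this question."""
    row = conn.execute(
        "SELECT Salary FROM Compensation WHERE EmployeeId = ? "
        "AND StartDate <= ? AND (EndDate IS NULL OR EndDate >= ?)",
        (employee_id, day, day)).fetchone()
    return row[0] if row else None


def salary_history(conn, employee_id: int) -> list:
    return conn.execute(
        "SELECT StartDate, EndDate, Salary FROM Compensation "
        "WHERE EmployeeId = ? ORDER BY StartDate", (employee_id,)).fetchall()


def give_raise(conn, employee_id: int, new_salary: float, effective: str) -> None:
    """Close the current period the day before `effective` and open a new one,
    in one transaction so no reader ever sees two current periods."""
    last_day = (date.fromisoformat(effective) - timedelta(days=1)).isoformat()
    with conn:
        conn.execute(
            "UPDATE Compensation SET EndDate = ? WHERE EmployeeId = ? AND EndDate IS NULL",
            (last_day, employee_id))
        conn.execute(
            "INSERT INTO Compensation (EmployeeId, Salary, StartDate) VALUES (?,?,?)",
            (employee_id, new_salary, effective))


def directory_columns(conn) -> list:
    """Column names exposed by the view: no Salary, Bonus or Commission."""
    cur = conn.execute("SELECT * FROM EmployeeDirectory LIMIT 1")
    return [d[0] for d in cur.description]
```

On DB2 the segmentation is enforced with GRANT SELECT ON EmployeeDirectory to the directory role and no privilege on Compensation; SQLite has no GRANT, so here the view only demonstrates what such a role would see. The cost side of the slide is visible too: give_raise touches two rows in two statements where the flat model touched one.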

Page 10

Relational Database Physical Implementation

1. In relational databases, all data is stored in tables

2. Tables are structured in rows and columns

a. Horizontally, into rows

b. Vertically, into columns

3. Fields may or may not contain data (NULL)

4. The data in a field is considered atomic

5. The column names of a table must be unique

6. All rows of a table should be different

Page 11

SQL Overview

Page 12

Creating the Employee Table

CREATE TABLE EMPLOYEE
    ( EMPNO     CHAR(6)      NOT NULL,
      FIRSTNME  VARCHAR(12)  NOT NULL,
      MIDINIT   CHAR(1)      NOT NULL,
      LASTNAME  VARCHAR(15)  NOT NULL,
      WORKDEPT  CHAR(3) ,
      . . .
      . . .
      BIRTHDATE DATE ,
      SALARY    DECIMAL(9,2) ,
      BONUS     DECIMAL(9,2) ,
      COMM      DECIMAL(9,2)
    )

Note the importance of strong data types for security: the declared type of each column is the first input check the DBMS applies to every value stored in it.

Page 13

SQL Data Types

Data Type                 Comment
SMALLINT                  Whole numbers from -32768 to +32767
INTEGER                   Whole numbers from -2,147,483,648 to +2,147,483,647
DECIMAL(m,n)              Decimal numbers with at most 31 digits; m = total number of digits, n = number of decimal digits
CHAR(n) or CHARACTER(n)   A fixed-length string of numbers and/or characters
VARCHAR(n)                A variable-length string of numbers and/or characters
DATE (YYYYMMDD)           Display / input format: USA – mm/dd/yyyy, EUR – dd.mm.yyyy, ISO – yyyy-mm-dd
TIME (HHMMSS)             Display / input format: USA – hh:mm AM or PM, EUR – hh.mm.ss, ISO – hh.mm.ss

Advantages of strong data types:

• Input verification

• Logical, arithmetic and string operations

• Sorting

• Component extraction

Page 14

Creating the Department Table

CREATE TABLE DEPARTMENT
    ( DEPTNO    CHAR(3)      NOT NULL,
      DEPTNAME  VARCHAR(25)  NOT NULL,
      MGRNO     CHAR(6)      NOT NULL,
      ADMRDEPT  CHAR(3)
    )

Page 15

Creating the Project Table

CREATE TABLE PROJECT
    ( PROJNO    CHAR(6)      NOT NULL,
      PROJNAME  VARCHAR(25)  NOT NULL,
      DEPTNO    CHAR(3)      NOT NULL,
      RESPEMP   CHAR(6)      NOT NULL,
      PRSTAFF   DECIMAL(5,2) ,     -- staff equivalent is fractional; the slide's SMALLINT(3,2) is not valid, SMALLINT takes no precision or scale
      PRSTDATE  DATE         NOT NULL,
      PRENDDATE DATE
    )

Page 16

Employee Table

Page 17

Department Table

Page 18

Project Table

Page 20

Retrieving data

SELECT    Columns: column names, arithmetic expressions, literals (text or numeric), scalar functions, column functions

FROM      Table or view names

WHERE     Conditions (qualifies rows)

GROUP BY  Creates subtotals in conjunction with column functions

ORDER BY  Sorts result rows

Page 21

Practicing SQL Select – Basic

1. Provide all data that exists in the DEPARTMENT table

2. What are the different JOB titles on the EMPLOYEE table?

3. Provide all employees, first and last names, and their salary sorted by salary

4. Show the order in which employees were hired, earliest first, with only their first and last names

5. Provide all employees making over $40,000. List their first name, last name, salary and order it by salary.

6. Provide all project names, project numbers, and the responsible employee number in DEPTNO ‘E01’

7. Provide the employee number, job title and education level of all analysts who have an education level of 16.

8. Provide the first name, last name, job title, and bonus of all employees who received a bonus greater than or equal to $700 but less than or equal to $1000, and are not a manager

9. Provide the first name and last name of all male employees with a first name ending in “N” and a salary in the range $20000 to $40000

10. Provide first name, last name, salary, and education level, sorted by education level and salary, for employees who are not managers, whose commission is greater than their bonus, whose salary is in the range $20000-$40000, whose first name contains an "E" anywhere, and whose education level is 12, 14, 16 or 18

Page 22

Practicing SQL Select – Functions

11. I need a list containing EMPNO, SALARY, COMM, and SALARY + COMM for employees whose salary is less than $20000, ordered by employee number

12. I need a list containing EMPNO, SALARY, COMM, and INCOME, that is SALARY + COMM, for employees whose salary is less than $20000, ordered by employee number

13. I need a list of the total income (salary and commission). In the total, assume unknown commissions to be zero.

14. I need a listing containing the ages of all employees 72 years old or more sorted by age in descending sequence

15. Interpret the first two characters of project number as a type of projects and display all projects of the type “IF”

16. Write a query to sum all salaries for workdepts beginning with the letter D

Page 23

Practicing SQL Select – Group By

17. I need a list of the salaries for employees in the departments A00, B01 and C01. In addition, for these departments I want the total spent for salaries.

18. Find out the average salary per education level for each department group (given by the first character of the department number) for education levels 18 and higher.

19. Find the count of projects for each major project within a department and the average staff equivalent assigned to the major project. Report this sorted by major project.

20. Display the departments whose total spent on salaries is higher than $50,000.

21. By department, I need a list of jobs excluding manager, designer and field representative with an average salary higher than $25,000.

22. Display the departments with more than one employee.

Page 24

Practicing SQL Select – Join

23. For every project, list the project number, project name and the name and number of the department responsible for the project.

24. For employees with a last name of HAAS, display the employee number, last name, and the name and number of the department they are working in.

25. Display the department name, the employee number and last name of the manager for department 21.

26. For department D21, list all project numbers, department number, manager number and last name.

27. Display the department name for the parent department of the Planning Services department.

28. Find all the employees who are older than their manager.
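The example below is added here and is not code from the lecture slides. It serves two earlier passages at once: the "Creating the ... Table" slides with their point about strong data types, and the exercise sets above, of which questions 13, 22, 27 and 28 are worked. The EMPLOYEE and DEPARTMENT tables keep the slides' column names (only the columns the queries need); the rows are constructed, with names borrowed from the classic sample database but values made up. SQLite is assumed so it runs offline, and because SQLite, unlike DB2, does not enforce declared column types, CHECK constraints are added to supply the input verification a strongly typed DBMS would give for free.

```python
import sqlite3

# Added example, not from the lecture slides. DB2-style EMPLOYEE / DEPARTMENT
# tables in SQLite with constructed rows, a guarded insert, and worked
# answers to exercises 13, 22, 27 and 28.

SCHEMA = """
CREATE TABLE DEPARTMENT (
    DEPTNO   CHAR(3)     NOT NULL PRIMARY KEY,
    DEPTNAME VARCHAR(25) NOT NULL,
    MGRNO    CHAR(6),                      -- manager's EMPNO (FK omitted: circular with EMPLOYEE)
    ADMRDEPT CHAR(3)     NOT NULL REFERENCES DEPARTMENT(DEPTNO)   -- parent department
);
CREATE TABLE EMPLOYEE (
    EMPNO     CHAR(6)     NOT NULL PRIMARY KEY,
    FIRSTNME  VARCHAR(12) NOT NULL,
    LASTNAME  VARCHAR(15) NOT NULL,
    WORKDEPT  CHAR(3)     REFERENCES DEPARTMENT(DEPTNO),
    JOB       CHAR(8),
    -- SQLite would happily store 'sixteen' in a SMALLINT; these CHECKs do the
    -- type enforcement that DB2 performs from the declared type alone.
    EDLEVEL   SMALLINT    NOT NULL
              CHECK (typeof(EDLEVEL) = 'integer' AND EDLEVEL BETWEEN 0 AND 99),
    BIRTHDATE DATE        CHECK (BIRTHDATE IS NULL OR date(BIRTHDATE) IS BIRTHDATE),
    SALARY    DECIMAL(9,2),
    COMM      DECIMAL(9,2)
);
"""

DEPARTMENTS = [  # (DEPTNO, DEPTNAME, MGRNO, ADMRDEPT), constructed
    ("A00", "SPIFFY COMPUTER SERVICE DIV.", "000010", "A00"),
    ("B01", "PLANNING",                     "000020", "A00"),
    ("C01", "INFORMATION CENTER",           "000030", "A00"),
    ("D21", "ADMINISTRATION SYSTEMS",       "000070", "A00"),
]
EMPLOYEES = [  # (EMPNO, FIRSTNME, LASTNAME, WORKDEPT, JOB, EDLEVEL, BIRTHDATE, SALARY, COMM), constructed
    ("000010", "CHRISTINE", "HAAS",      "A00", "PRES",    18, "1933-08-24", 52750.00, 4220.00),
    ("000020", "MICHAEL",   "THOMPSON",  "B01", "MANAGER", 18, "1948-02-02", 41250.00, 3300.00),
    ("000030", "SALLY",     "KWAN",      "C01", "MANAGER", 20, "1941-05-11", 38250.00, 3060.00),
    ("000070", "EVA",       "PULASKI",   "D21", "MANAGER", 16, "1953-05-26", 36170.00, 2893.00),
    ("000120", "SEAN",      "O'CONNELL", "A00", "CLERK",   14, "1942-10-18", 29250.00, None),
    ("000130", "DOLORES",   "QUINTANA",  "C01", "ANALYST", 16, "1925-09-15", 23800.00, 1904.00),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT INTO DEPARTMENT VALUES (?,?,?,?)", DEPARTMENTS)
        conn.executemany("INSERT INTO EMPLOYEE VALUES (?,?,?,?,?,?,?,?,?)", EMPLOYEES)
    return conn


def insert_employee(conn, row) -> bool:
    """Return True if the DBMS accepted the row, False if a constraint rejected it.
    Values are bound as parameters, never pasted into the statement text."""
    try:
        with conn:
            conn.execute("INSERT INTO EMPLOYEE VALUES (?,?,?,?,?,?,?,?,?)", row)
        return True
    except sqlite3.IntegrityError:
        return False


# 13: total income; an unknown (NULL) commission counts as zero, otherwise
#     SALARY + COMM would itself be NULL and the employee would vanish from totals.
def total_income(conn) -> dict:
    return dict(conn.execute("SELECT EMPNO, SALARY + COALESCE(COMM, 0) FROM EMPLOYEE"))


# 22: departments with more than one employee.
def multi_employee_depts(conn) -> list:
    return [r[0] for r in conn.execute(
        "SELECT WORKDEPT FROM EMPLOYEE GROUP BY WORKDEPT HAVING COUNT(*) > 1 ORDER BY WORKDEPT")]


# 27: name of the parent department, a self-join on ADMRDEPT.
def parent_department(conn, deptname: str):
    row = conn.execute(
        "SELECT p.DEPTNAME FROM DEPARTMENT c JOIN DEPARTMENT p ON c.ADMRDEPT = p.DEPTNO "
        "WHERE c.DEPTNAME = ?", (deptname,)).fetchone()
    return row[0] if row else None


# 28: employees older than their manager: EMPLOYEE -> DEPARTMENT -> the manager's EMPLOYEE row.
def older_than_manager(conn) -> list:
    return [r[0] for r in conn.execute(
        "SELECT e.LASTNAME FROM EMPLOYEE e "
        "JOIN DEPARTMENT d ON e.WORKDEPT = d.DEPTNO "
        "JOIN EMPLOYEE m ON m.EMPNO = d.MGRNO "
        "WHERE e.BIRTHDATE < m.BIRTHDATE ORDER BY e.LASTNAME")]
```

insert_employee returns False for an EDLEVEL of "sixteen", a BIRTHDATE of "01/02/1970" and a WORKDEPT that does not exist, which is exactly the "input verification" the data-types slide lists as the first advantage of strong types; the difference is that DB2 rejects the first two from the column type alone, while a weakly typed store needs the explicit CHECK.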

Page 25

OLAP Data Models

1. OLAP vs. OLTP – performance, purpose, data flows

2. OLAP is read only – update is through controlled processes

3. Two major models – relational or pre-aggregated (multi-dimensional)

a. Performance vs. flexibility

b. Storage

c. Implementation complexity

4. Built-in mathematical operators (aggregate, drill-down)

Page 26

OLAP Data Model Examples

Two star schemas are drawn on the slide: a Measures/Facts table surrounded by the dimensions Employee, Department, Project and Time; and a Measures/Facts table surrounded by the dimensions Customer, Product, Employee, Supplier and Time. The measures themselves are left as "…" on the slide.

Page 27

Healthcare OLAP Data Model

Star schema drawn on the slide: a Measures/Facts table (measures left as "…") surrounded by the dimensions Patient, Payor, Provider, Procedure and Time.

Page 28

OLAP Data Models Security Implications

1. Inference via drill-down should be limited: a cell that aggregates only a handful of individuals is, in effect, a record about them, so small cells must be suppressed or coarsened

2. Stay away from data that can identify unique individuals (direct identifiers do not belong in the cube at all)

3. Make sure the update processes are balanced and controlled: the cube is read-only, so the load process is the only path for tampering, and its totals should reconcile with the source
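The example below is added here and is not code from the lecture slides. It builds a small healthcare-style fact table with Patient, Provider, Procedure and Time keys (Payor is omitted) from constructed rows, and implements the first implication above as code: a drill-down that refuses to publish any cell describing fewer than k patients, plus the complementary suppression needed so a hidden cell cannot be recovered by subtracting its visible siblings from the parent total. The column names, the threshold k = 3 and the helper functions are this example's own assumptions; a real policy would set k higher.

```python
import sqlite3
from collections import defaultdict

# Added example, not from the lecture slides: drill-down with cell suppression
# over a constructed healthcare fact table. k = 3 keeps the sample small;
# it is a policy choice, not a recommendation.

FACTS = [  # (patient_id, provider_id, proc_code, svc_month, charge), constructed
    (101, "P1", "HIV-TEST", "2018-01", 120.0),
    (102, "P1", "HIV-TEST", "2018-01", 120.0),
    (103, "P1", "HIV-TEST", "2018-01", 120.0),
    (104, "P1", "HIV-TEST", "2018-02", 120.0),   # the only HIV test P1 did in February
    (105, "P1", "HIV-TEST", "2018-03", 120.0),
    (106, "P1", "HIV-TEST", "2018-03", 120.0),
    (107, "P1", "XRAY",     "2018-01",  80.0),
    (108, "P1", "XRAY",     "2018-01",  80.0),
    (109, "P1", "XRAY",     "2018-01",  80.0),
    (110, "P1", "XRAY",     "2018-02",  80.0),
    (111, "P1", "XRAY",     "2018-02",  80.0),
    (112, "P1", "XRAY",     "2018-02",  80.0),
    (113, "P1", "XRAY",     "2018-03",  80.0),   # the only X-ray P1 did in March
]

ALLOWED_DIMS = ("provider_id", "proc_code", "svc_month")


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE procedure_fact (patient_id INTEGER, provider_id TEXT, "
                 "proc_code TEXT, svc_month TEXT, charge REAL)")
    with conn:
        conn.executemany("INSERT INTO procedure_fact VALUES (?,?,?,?,?)", FACTS)
    return conn


def raw_cells(conn, dims) -> list:
    """Unsuppressed drill-down: distinct patients and total charge per cell.
    Dimension names are identifiers, which cannot be bound as parameters, so
    they are checked against an allow-list before being placed in the SQL."""
    if not dims or any(d not in ALLOWED_DIMS for d in dims):
        raise ValueError("unknown dimension")
    cols = ", ".join(dims)
    return conn.execute(
        f"SELECT {cols}, COUNT(DISTINCT patient_id), SUM(charge) "
        f"FROM procedure_fact GROUP BY {cols} ORDER BY {cols}").fetchall()


def safe_cells(conn, dims, k: int) -> list:
    """Drill-down with primary and complementary suppression.
    Returns (key, patient_count, charge); a suppressed cell carries None, None."""
    out = []
    for row in raw_cells(conn, dims):
        key, n, charge = tuple(row[:-2]), row[-2], row[-1]
        out.append((key, n, charge) if n >= k else (key, None, None))
    # Complementary suppression: if exactly one cell under a parent is hidden,
    # a reader who also sees the parent's total (the coarser drill-down level)
    # recovers it by subtraction, so hide the smallest visible sibling as well.
    siblings = defaultdict(list)
    for i, (key, _, _) in enumerate(out):
        siblings[key[:-1]].append(i)
    for idxs in siblings.values():
        hidden = [i for i in idxs if out[i][1] is None]
        visible = [i for i in idxs if out[i][1] is not None]
        if len(hidden) == 1 and visible:
            j = min(visible, key=lambda i: out[i][1])
            out[j] = (out[j][0], None, None)
    return out


def singletons(conn, dims) -> list:
    """Cells that describe exactly one patient: the drill-down level at which
    a 'statistic' has become a record about an identifiable individual."""
    return [tuple(r[:-2]) for r in raw_cells(conn, dims) if r[-2] == 1]
```

At the (provider, procedure) level both cells pass; one level down, the February HIV test and the March X-ray are single-patient cells and are hidden, and because the March X-ray was the only hidden cell under (P1, XRAY), one of its siblings is hidden too. The pass is deliberately simple: a reader who can run the same drill-down in a different dimension order gets a second set of marginals to subtract against, which is why production systems either apply suppression across all published tables at once or move to differential privacy, and why the slide's second point (keep identifying data out of the cube) is the stronger control.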

Page 29

Types of Data

1. PHI (Protected Health Information), IHI (Individual Health Information)

2. PII (Personally Identifiable Information)

3. Sensitive data – determined based on all stakeholders

4. Classified – determined based on “authoritative” stakeholders

5. Confidential, proprietary – determined by a business

6. Public

Page 30

Week 4 Lookahead

• Assignment #1 – Data Breach Case Study – Due Date 09/21/2018 – 100 points

• Selected Readings

• Panos Vassiliadis, Timos Sellis, A survey of logical models for OLAP databases, ACM SIGMOD Record, v. 28, no. 4, 1999.

• Arjan Loeffen, Text databases: a survey of text models and systems, ACM SIGMOD Record, v. 23, no. 1, 1994.

• Norman W. Paton, Oscar Diaz, Active database systems, ACM Computing Surveys, v. 31, no. 1, 1999.

• Hassan Artail, Haidar Safa, Mana, Shihab, Implementation of a federated database on Bluetooth-enabled mobile devices, Proc. of the 5th Int'l Conf. on Pervasive Services, 2008.

• Domenico Beneventano, Sonia Bergamaschi, Claudio Sartori, Description logics for semantic query optimization in object-oriented database systems, ACM Transactions on Database Systems, v. 28, no. 1, 2003.

Page 31

Reflections …