
May 2021 - Pci3l


MAY 2021 P/ID 40560/PCI3L

Time : Three hours Maximum : 80 marks

PART A — (10 × 2 = 20 marks)
Answer any TEN questions, in 50 words each.

1. Define surrogate key.

2. RDBMS.

3. Data Risk Assessment.

4. Explain data risk.

5. What is an object?

6. What is encryption?

7. Authentication.

8. Audit trails.

9. Define VPD.

10. SQL injection.

11. Virtual space is safe.

12. Password is a form of protection.


PART B — (5 × 6 = 30 marks)
Answer any FIVE questions, in 250 words each.

13. Explain the need for database management. Use an
illustration to explain.

14. Explain the concept of RDBMS.

15. Enumerate the steps in creating and enforcing password
profiles.

16. Explain the concept of database security lifecycle.

17. What is the need for virtual private databases (VPDs)?

18. How to implement VPDs? Explain with an illustration.

19. CIA of information - Discuss.

PART C — (3 × 10 = 30 marks)
Answer any THREE questions, in 500 words each.

20. Enumerate the forms of RDBMS in relation to the E-R
model. Explain each form with suitable examples.

21. Explain the method to analyze data threats, risks and
vulnerabilities.

22. Discuss database access controls with suitable
examples.

23. How to use passwords for all database components?

24. Explain the features of a good password for a virtual
database.

———————
1) A surrogate key on a table is a column with a unique
identifier for each row. The key is not generated from
the table data. Data modelers like to create surrogate
keys on their tables when they design data warehouse
models.
2) A relational database is a type of database that stores and
provides access to data points that are related to one
another. Relational databases are based on the relational
model, an intuitive, straightforward way of representing
data in tables.
3) A data risk assessment is the process by which an
organization reviews sensitive data under its control.
4) Data risk management is the controlled process an
organization uses when acquiring, storing, transforming,
and using its data, from creation to retirement, to
eliminate data risk.
5) An object database or object-oriented database is a
database management system in which information is
represented in the form of objects as used in object-
oriented programming. Object databases are different
from relational databases which are table-oriented.
6) In cryptography, encryption is the process of encoding
information. This process converts the original
representation of the information, known as plaintext,
into an alternative form known as ciphertext. Ideally,
only authorized parties can decipher a ciphertext back to
plaintext and access the original information.
7) The process or action of verifying the identity of a user
or process: “user authentication for each device ensures
that the individual using the device is recognized by the
company”.
8) An audit trail is a security-relevant chronological record,
set of records, and/or destination and source of records
that provide documentary evidence of the sequence of
activities that have affected at any time a specific
operation, procedure, event, or device.
9) A virtual private database or VPD masks data in a larger
database so that only a subset of the data appears to
exist, without actually segregating data into different
tables, schemas or databases.
10) SQL injection is a code injection technique that might
destroy your database. SQL injection is one of the most
common web hacking techniques.
12) A password is a form of secret authentication data that is
used to control access to a resource. The password is kept
secret from those not allowed access, and those wishing to
gain access are tested on whether or not they know the
password and are granted or denied access accordingly.
13) A database management system (DBMS) is system
software for creating and managing databases. A DBMS
makes it possible for end users to create, protect, read,
update and delete data in a database. The most prevalent
type of data management platform, the DBMS essentially
serves as an interface between databases and users or
application programs, ensuring that data is consistently
organized and remains easily accessible.
What does a DBMS do?

The DBMS manages the data; the database engine allows
data to be accessed, locked and modified; and the database
schema defines the database’s logical structure. These three
foundational elements help provide concurrency, security,
data integrity and uniform data administration procedures.
The DBMS supports many typical database administration
tasks, including change management, performance
monitoring and tuning, security, and backup and recovery.
Most database management systems are also responsible for
automated rollbacks and restarts as well as logging and
auditing of activity in databases and the applications that
access them.
The DBMS provides a centralized view of data that can be
accessed by multiple users from multiple locations in a
controlled manner. A DBMS can limit what data end users
see and how they view the data, providing many views of a
single database schema. End users and software programs
are free from having to understand where the data is
physically located or on what type of storage medium it
resides because the DBMS handles all requests.
The DBMS can offer both logical and physical data
independence to protect users and applications from having
to know where data is stored or from being concerned about
changes to the physical structure of data. So long as
programs use the application programming interface (API)
for the database that the DBMS provides, developers won’t
have to modify programs just because changes have been
made to the database.

14) What is a Relational Database (RDBMS)?
A relational database is a type of database that stores and
provides access to data points that are related to one another.
Relational databases are based on the relational model, an
intuitive, straightforward way of representing data in tables.
In a relational database, each row in the table is a record
with a unique ID called the key. The columns of the table
hold attributes of the data, and each record usually has a
value for each attribute, making it easy to establish the
relationships among data points.

16) What is a Security Lifecycle?
At a high level, the security lifecycle is a schema that helps
IT teams understand what information and systems need
protection, and how information flows through the business
from intake to deletion.
What is the Purpose of the Data Security Lifecycle?
The short answer is: gaining visibility. In fact, CISOs agree
that data visibility is the biggest cybersecurity weakness,
according to a recent Fortra study.
Knowing what data you have on hand, where it is, and how
it is being used are among the first steps towards better
overall data security, especially with the massive amount of
data generated, collected, and transferred every single day.
The data security lifecycle (also known as the lifecycle of
data) functions as a blueprint to help organizations identify
where their data is vulnerable, and where gaps could lead to
a data breach.
What are the Phases in a Data Security Lifecycle?
The data security lifecycle is made up of seven unique
stages:
Capture*
Store*
Analyze
Use
Publish
Archive
Purge

*Some information management lifecycle designs do not
include the capture and storage steps, but these establish the
foundation for the data’s full term at your organization.
Considering security during these stages is essential to start
on the right foot.
[Figure: data_security_lifecycle diagram]

As a cycle, these stages repeat, overlap, and backtrack.
While “lifecycle” may capture the process from a high level,
the
14) A relational database example (continued)

Here’s a simple example of two tables a small business
might use to process orders for its products. The first table is
a customer info table, so each record includes a customer’s
name, address, shipping and billing information, phone
number, and other contact information. Each bit of
information (each attribute) is in its own column, and the
database assigns a unique ID (a key) to each row. In the
second table—a customer order table—each record includes
the ID of the customer that placed the order, the product
ordered, the quantity, the selected size and color, and so on
—but not the customer’s name or contact information.
These two tables have only one thing in common: the ID
column (the key). But because of that common column, the
relational database can create a relationship between the two
tables. Then, when the company’s order processing
application submits an order to the database, the database
can go to the customer order table, pull the correct
information about the product order, and use the customer
ID from that table to look up the customer’s billing and
shipping information in the customer info table. The
warehouse can then pull the correct product, the customer
can receive timely delivery of the order, and the company
can get paid.
17) Intro to Virtual Private Databases (VPDs)
Introduced in Oracle8i, a Virtual Private Database (VPD) is
the most popular security feature of Oracle Database
Enterprise Edition. It is used when the standard object
privileges and associated database roles are insufficient to
meet the application security requirements.
Oracle VPD enables you to create security policies or group
policies to control database access at the row and column
level. It allows multiple users to access a single schema
while preventing them from accessing data which is not
relevant to them. VPD uses Fine-Grained Access Control to
limit visibility of the data to the specific users. This is also
referred to as the Row Level Security (RLS) and Fine
Grained Access Control (FGAC).
Generally, we leverage data access control in application
accessing the data. Oracle VPD security policies provide a
mechanism to secure data at the database level itself. The
ability to secure data at a granular database object level is a
very powerful feature of VPD. In principle, Oracle Virtual
Private Database adds a dynamic WHERE clause to any SQL
statement issued against a table, view, or synonym to which
an Oracle Virtual Private Database security policy has been
applied.
We attach security policies directly to the database tables,
views, or synonyms. Oracle Virtual Private Database
enforces security to a fine level of granularity directly on
these objects. As a result, the policies are automatically
applied whenever a user accesses data from these objects.
There is no way to bypass the VPD security policy added for
these objects. When a user accesses a VPD-enforced object
(table, view, or synonym), the Oracle engine dynamically
modifies the user’s SQL statement: an additional WHERE
clause condition, as returned by the policy (predicate)
function of the object being accessed, is appended. Oracle
Virtual Private Database policies can be applied to SELECT,
INSERT, UPDATE, INDEX, and DELETE statements.
Oracle Virtual Private Database policy uses the DBMS_RLS
package for VPD enforcement, which is described in detail
below. The DBMS_RLS package contains the fine-grained
access control administrative interface, which is used to
implement VPD. DBMS_RLS is available with the
Enterprise Edition only.
Procedure                  Description
ADD_POLICY                 Adds a fine-grained access control policy to a table, view, or synonym
ENABLE_POLICY              Enables or disables a fine-grained access control policy
REFRESH_POLICY             Causes all the cached statements associated with the policy to be reparsed
DROP_POLICY                Drops a fine-grained access control policy from a table, view, or synonym
CREATE_POLICY_GROUP        Creates a policy group
DELETE_POLICY_GROUP        Deletes a policy group
ADD_GROUPED_POLICY         Adds a policy associated with a policy group
ENABLE_GROUPED_POLICY      Enables or disables a row-level group security policy
REFRESH_GROUPED_POLICY     Reparses the SQL statements associated with a refreshed policy
DROP_GROUPED_POLICY        Drops a policy associated with a policy group
DISABLE_GROUPED_POLICY     Disables a row-level group security policy
ADD_POLICY_CONTEXT         Adds the context for the active application
DROP_POLICY_CONTEXT        Drops a driving context from the object so that it will have one less driving context
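Answer 17 describes the mechanism (a policy function attached to an object returns a predicate, and the engine appends it as an extra WHERE condition to every statement against that object) and answer 14 describes the customer/order tables it would typically protect. The added example below (not from the paper, and not Oracle's DBMS_RLS code) models that mechanism in Python over an in-memory sqlite database using the same two-table layout: orders_policy plays the part of the policy function that DBMS_RLS.ADD_POLICY registers in Oracle, POLICIES stands in for the registered policies, and apply_vpd performs the dynamic rewrite. The schema, sample rows, session dictionary and function names are all assumptions made for the example; the model deliberately handles only single-table statements and refuses anything else rather than letting it through unfiltered.

```python
import re
import sqlite3

# Constructed sample schema, laid out like the customer and order tables of answer 14
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, city TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY,
                     customer_id INTEGER REFERENCES customers(id),
                     product TEXT, qty INTEGER);
INSERT INTO customers VALUES (1, 'Asha', 'Madurai'), (2, 'Bala', 'Chennai');
INSERT INTO orders VALUES (10, 1, 'notebook', 3), (11, 2, 'pen', 20), (12, 1, 'stapler', 1);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def orders_policy(session):
    """Policy (predicate) function: given the session context, return the
    predicate to append plus its bind values. In Oracle this is the PL/SQL
    function named when the policy is registered with DBMS_RLS.ADD_POLICY."""
    if session.get("role") == "DBA":
        return "1 = 1", ()                                  # unrestricted
    return "customer_id = ?", (session["customer_id"],)     # only the caller's own rows


# object name -> policy function, standing in for the ADD_POLICY registrations (assumed)
POLICIES = {"orders": orders_policy}


def apply_vpd(sql, user_params, session):
    """Rewrite '<verb> ... FROM <table> [WHERE ...] [GROUP BY/ORDER BY/LIMIT ...]'
    so that the policy predicate becomes one more WHERE condition.
    Multi-table statements are refused (fail closed) because this toy parser
    cannot attach a predicate to every protected table they touch."""
    froms = re.findall(r"\bFROM\s+(\w+)\s*(,?)", sql, re.IGNORECASE)
    if len(froms) != 1 or froms[0][1] == "," or re.search(r"\bJOIN\b", sql, re.IGNORECASE):
        raise ValueError("only single-table statements are supported by this model")
    table = froms[0][0].lower()
    if table not in POLICIES:
        return sql, tuple(user_params)          # no policy on this object: unchanged
    predicate, predicate_params = POLICIES[table](session)
    # insert before any trailing clause so 'WHERE ... ORDER BY' stays valid
    tail = re.search(r"\b(GROUP\s+BY|ORDER\s+BY|LIMIT)\b", sql, re.IGNORECASE)
    cut = tail.start() if tail else len(sql)
    head, rest = sql[:cut].rstrip(), sql[cut:]
    joiner = " AND " if re.search(r"\bWHERE\b", head, re.IGNORECASE) else " WHERE "
    rewritten = f"{head}{joiner}({predicate}) {rest}".rstrip()
    return rewritten, tuple(user_params) + tuple(predicate_params)


def run_as(conn, session, sql, params=()):
    """Execute on behalf of a session; the policy is applied here, not by the caller."""
    rewritten, all_params = apply_vpd(sql, params, session)
    return conn.execute(rewritten, all_params).fetchall()


def demo():
    conn = open_db()
    asha = {"role": "CUSTOMER", "customer_id": 1}   # constructed session contexts
    dba = {"role": "DBA"}
    own_rows = run_as(conn, asha, "SELECT id, product FROM orders ORDER BY id")
    all_rows = run_as(conn, dba, "SELECT id, product FROM orders ORDER BY id")
    # an explicit request for another customer's rows still yields nothing
    probe = run_as(conn, asha, "SELECT id FROM orders WHERE customer_id = ?", (2,))
    return own_rows, all_rows, probe


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: the predicate is ANDed onto whatever WHERE clause the user wrote, so a user cannot widen their view by writing a different filter, and the predicate's values are bound rather than concatenated, so the policy function itself cannot become an injection point.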

22) What Is Database Access Control?
Database access control, or DB access control, is a method
of allowing access to a company’s sensitive information only
to user groups who are allowed to access such data and
restricting access to unauthorized persons to prevent data
breaches in database systems.
Database Access Control in DBMS includes two main
components: authentication and authorization.
Authentication is a means of confirming a person’s identity
when accessing your database. It is important to remember
that user authentication is not enough to keep data safe.
Authorization, which establishes whether a user’s level of
access or data access control is appropriate, is an additional
layer of protection. Ultimately, there is no data security
without authentication and authorization.
Every company today that has employees who interact with
data, and thus every organization, needs to establish data
access control.
Examples of Database Access Control

After shedding light on the question “What is Access
Control?” it is now important to note that these controls are
in place to safeguard resources from unauthorized, illegal
access and ensure that subjects can only access objects using
secure, pre-approved procedures.
With that, the most well-known examples of Database
Access Control include:
Discretionary Access Control (DAC)
The data owner grants access to DAC models. DAC is a
method for assigning access rights based on rules defined by
the user.
Mandatory Access Control (MAC)
In MAC, people are permitted access based on an
information clearance, designed using a nondiscretionary
paradigm. MAC refers to a policy that assigns access
permissions based on central authority regulations.
Role-Based Access Control (RBAC)
RBAC uses fundamental security principles like “least
privilege” and “separation of privilege” to give access
depending on a user’s role. As a result, someone wanting to
access information can only access the data required for their
function.
Attribute-Based Access Control (ABAC)
Each resource and user in ABAC receives a set of attributes.
This dynamic approach makes a judgment on resource
access based on comparing the user’s features, such as time
of day, position, and location.
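Answer 12 says a password is checked by testing whether the requester knows it, answer 22 says authentication alone is not enough and must be followed by authorization, and the list above names RBAC (least privilege by role) and ABAC (decisions that also weigh request attributes such as time of day and location). The added example below (not part of the paper or its answers) puts those pieces together in Python: the password check stores only a salted PBKDF2 hash and compares in constant time, rbac_allows grants only the object/action pairs a role needs, and abac_allows layers request attributes on top of the role decision. The roles, permission sets, office-hours rule, user record and its password are all constructed for the example.

```python
import hashlib
import hmac
import os


# ---- Authentication: does the caller know the password? ----
def hash_password(password, salt=None, iterations=200_000):
    """Store a random salt and a PBKDF2-HMAC-SHA256 digest, never the password
    itself (iteration count is an assumed value for the example)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])   # constant-time compare


# ---- Authorization, RBAC: role -> (object, action) pairs the job needs (constructed) ----
ROLE_PERMISSIONS = {
    "clerk":   {("orders", "SELECT"), ("orders", "INSERT")},
    "auditor": {("orders", "SELECT"), ("audit_log", "SELECT")},
    "dba":     {("orders", "SELECT"), ("orders", "INSERT"), ("orders", "UPDATE"),
                ("orders", "DELETE"), ("audit_log", "SELECT")},
}


def rbac_allows(role, obj, action):
    """Least privilege: anything not explicitly granted to the role is denied."""
    return (obj, action) in ROLE_PERMISSIONS.get(role, set())


# ---- Authorization, ABAC: the request's own attributes also count ----
def abac_allows(user_attrs, request_attrs, obj, action):
    in_hours = 8 <= request_attrs["hour"] < 18
    on_site = request_attrs["network"] == "corporate"
    if action in ("UPDATE", "DELETE") and not (in_hours and on_site):
        return False   # assumed rule: destructive changes only from the office, in hours
    return rbac_allows(user_attrs["role"], obj, action)


# Constructed user record; the password is chosen for the example only
USERS = {"bala": {**hash_password("correct horse battery staple"), "role": "clerk"}}


def authorize(username, password, obj, action, request_attrs):
    """Complete access decision: authenticate first, then authorize."""
    user = USERS.get(username)
    if user is None or not verify_password(user, password):
        return "denied: authentication failed"
    if not abac_allows(user, request_attrs, obj, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    office = {"hour": 10, "network": "corporate"}
    print(authorize("bala", "correct horse battery staple", "orders", "SELECT", office))
    print(authorize("bala", "correct horse battery staple", "orders", "DELETE", office))
    print(authorize("bala", "wrong password", "orders", "SELECT", office))
```

Note that a failed password and a correct password without the right privilege both end in a denial, and a real system would log both (the audit trail of answer 8) so that repeated failures against one account can be detected.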
How Database Access Control Systems Work
Database Access Control Systems work on three sides: the
user, the administrator, and the infrastructure.
The User: When an employee wishes to enter a restricted
area, they must provide their credentials. An unlock request
gets made at a card reader, which sends the information to an
Access Control Unit, subsequently authorizing the user and
opening the door.

The Administrator: An access control system has a
management dashboard or portal on the administrative side.
Office administrators, IT managers, and security chiefs can
use the control portal to specify who has access to the
premises and under what conditions.
The System Infrastructure: An access control system’s
infrastructure includes electric locks, card readers, door
status for traffic monitoring, and requests to exit devices, all
of which report to the control panel and the server.