Information Systems Control & Audit(13) Shin, SooJung Based on Ron’s book

Upload: dwight-wilkinson

Post on 04-Jan-2016


Page 1: Information Systems Control & Audit(13) Shin, SooJung Based on Ron’s book

Information Systems Control & Audit(13)

Shin, SooJung

Based on Ron’s book

Page 2

Chapter 14: Database Controls

Page 3

(1) Introduction

(1) The database subsystem provides functions to define, create, modify, delete, and read data in an information system.
(2) Declarative data: static aspects of real-world objects and associations. Example: a payroll file stores each employee's pay rate, position, employee details, and so on.
(3) Procedural data: dynamic aspects of real-world objects and associations. Example: the rules used for stock investment are stored.
(4) Knowledge base: declarative data + procedural data
(5) Object-oriented DBMS: design objects, multimedia objects, ...
(6) Data warehouse, data mart
(7) Data mining

Page 4

(2) Access controls
(1) Discretionary access controls

(1) Owner: schema, views, relations
(2) Restrictions on users who are not owners:
- Name-dependent restrictions (content-independent): users either have access to a named data resource or they do not have access to the resource
- Content-dependent restrictions: users are permitted or denied access to a data resource depending on its contents
- Context-dependent restrictions: users are permitted or denied access to a data resource depending on the context in which they are seeking access
- History-dependent restrictions: users are permitted or denied access to a data resource depending on the time series of accesses to, and actions they have taken on, data resources
(3) Other:
- Views: the four kinds of restriction can be implemented using views (name-dependent, conditional)
- Limits on privilege propagation: horizontal (a limit on the number of users), vertical (a limit on depth)
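The four kinds of non-owner restriction listed above, enforced in one access check over a constructed payroll relation. This is an added example, not code from the slides or from Weber's book; the users, terminals, row filter and the "may not combine name with pay rate over successive queries" history rule are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Constructed sample relation (not from the slides).
PAYROLL = [
    {"emp": "alice", "dept": "sales", "pay_rate": 40},
    {"emp": "bob", "dept": "sales", "pay_rate": 55},
    {"emp": "carol", "dept": "eng", "pay_rate": 70},
]

# Name-dependent (content-independent): a user either holds the named resource or not.
NAMED_GRANTS = {"auditor": {"PAYROLL"}, "sales_mgr": {"PAYROLL"}, "intern": set()}

# Content-dependent: a row filter over the row's own values (what a view's WHERE
# clause would express); the auditor sees every row, the sales manager only sales rows.
ROW_FILTERS = {
    "auditor": lambda row: True,
    "sales_mgr": lambda row: row["dept"] == "sales",
}

# History-dependent (assumed policy): attribute pairs a user may not combine across
# successive queries, so name and pay rate cannot be linked by asking one at a time.
HISTORY_RULES = {"sales_mgr": {"emp", "pay_rate"}}

@dataclass
class Context:
    hour: int        # local time of the request
    terminal: str    # terminal the request comes from

@dataclass
class User:
    name: str
    attrs_seen: set = field(default_factory=set)   # time series of past reads

def context_ok(ctx):
    """Context-dependent restriction: office hours from an office terminal only."""
    return 8 <= ctx.hour < 18 and ctx.terminal.startswith("office-")

def history_ok(user, attrs):
    """History-dependent restriction, evaluated against what the user already saw."""
    forbidden_pair = HISTORY_RULES.get(user.name)
    if forbidden_pair is None:
        return True
    return len((user.attrs_seen | set(attrs)) & forbidden_pair) <= 1

def query(user, resource, attrs, ctx):
    """Apply the four restriction kinds in turn; return the permitted rows
    (projected to attrs) or None when access is denied."""
    if resource not in NAMED_GRANTS.get(user.name, set()):
        return None                        # name-dependent
    if not context_ok(ctx):
        return None                        # context-dependent
    if not history_ok(user, attrs):
        return None                        # history-dependent
    keep = ROW_FILTERS[user.name]          # content-dependent
    rows = [{a: r[a] for a in sorted(attrs)} for r in PAYROLL if keep(r)]
    user.attrs_seen |= set(attrs)          # record the access for later history checks
    return rows
```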

Page 5

(2) Access controls
(2) Mandatory access controls

(1) MAC: resources are assigned a classification, users a clearance level. The rule for a user accessing a resource comes from a policy such as the BLP or Biba model.
(2) Application to the DB: classification levels can be assigned to specific data items/attributes in a record/relation and to records/relations as a whole. The value of the classification level is then compared against the user's clearance level to determine whether the data items/attributes or records/relations will be made available to the user.
- Way to implement views (1): conditional rules are used to filter the data in a single record/relation tuple or instance and decide which data is available to the user -> single tuple
- Way to implement views (2): for each clearance level, multiple tuples are generated that satisfy the security and integrity rules (polyinstantiation)
- The database subsystem's access control rules -> applied on both the OS and the DBMS side. When the DB is replicated: the same access control rules must be applied at each site. When the DB is partitioned: the user's request must be routed accurately and completely.
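The classification-versus-clearance comparison and the second view technique (polyinstantiation) over a constructed multilevel relation, as an added example that is not from the slides or the book. The three levels, the shipment rows and the "write at your own level" rule (the BLP *-property, no write down) are assumptions for this illustration.

```python
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

# Constructed multilevel relation: each tuple carries its own classification.
# Key "cargo-7" is polyinstantiated: a secret tuple plus an unclassified cover tuple.
SHIPMENTS = [
    {"id": "cargo-7", "dest": "Oslo",   "level": "unclassified"},
    {"id": "cargo-7", "dest": "Tromso", "level": "secret"},
    {"id": "cargo-9", "dest": "Bergen", "level": "confidential"},
]

def can_read(clearance, classification):
    """BLP simple security property: a user may read at or below their clearance."""
    return LEVELS[clearance] >= LEVELS[classification]

def view_for(clearance, rel=SHIPMENTS):
    """Per-clearance view: for each key, the most highly classified tuple the user
    may read. Higher tuples are filtered out, and the cover tuple of the same key
    hides the fact that they exist."""
    best = {}
    for row in rel:
        if not can_read(clearance, row["level"]):
            continue
        cur = best.get(row["id"])
        if cur is None or LEVELS[row["level"]] > LEVELS[cur["level"]]:
            best[row["id"]] = row
    return sorted(best.values(), key=lambda r: r["id"])

def upsert(clearance, row_id, dest, rel=SHIPMENTS):
    """Write at the subject's own level only (no write down, no overwriting a
    higher-level tuple). If a tuple with this key exists at another level, a
    second tuple at the writer's level is created instead of raising an error,
    so a low user learns nothing about a high tuple's existence."""
    for row in rel:
        if row["id"] == row_id and row["level"] == clearance:
            row["dest"] = dest
            return "updated"
    rel.append({"id": row_id, "dest": dest, "level": clearance})
    other_levels = any(r["id"] == row_id for r in rel[:-1])
    return "polyinstantiated" if other_levels else "inserted"
```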

Page 6

(3) Integrity controls

(1) E-R model integrity constraints
- Uniqueness: each instance of an entity must be unique
- Maximum cardinality / minimum cardinality: the maximum and minimum number of instances of an entity
- Entity identifier: designates the attribute each of whose values uniquely identifies one instance of the entity
- Value type of identifier: specifies the allowed value type of the attributes
- Value set of identifier: specifies the allowed value set of the attributes

(2) Relational data model integrity constraints
- Key: a candidate key must uniquely identify each tuple in the relation
- Entity: the primary key must not be a null value
- Referential: consistency must be maintained between tuples across relations

(3) Object data model integrity constraints
A. Structural properties
- Unique identifier (system-generated): each object must be unique
- Unique key (user-generated)
- Value type of attribute: specifies the allowed value type of the attributes
- Value set of attribute: specifies the allowed value set of the attributes
- Types and inheritance: a subtype object carries all the integrity constraints associated with its supertype object
B. Dynamic properties (procedures)
- Must follow the syntactic and semantic rules of the language used
C. Relationship integrity
- Referential: when one object refers to another object, the referenced object must exist
- Composition: defines the rules for adding and deleting the objects participating in a composite relationship
- Cardinality: defines the maximum and minimum number of objects participating in a relationship

Page 7

(4) Application software controls

When application programs use the database, they should follow certain update and report protocols to protect the integrity of the database.
- Update protocols: to ensure that changes to the database reflect changes to the real-world entities, and associations between entities, that the data in the database is supposed to represent.
- Report protocols: to provide information to users of the database that will enable them to identify errors or irregularities.

(1) Update protocols
- Sequence check the order of the transaction and master files during a batch update
- Ensuring correct end-of-file procedures are followed so that records are not lost
- Processing multiple transactions for a single record in the correct order
- Posting monetary transactions that mismatch a master file record against a suspense account

(2) Report protocols
- Printing control data for internal tables/standing data to ensure it remains accurate and complete
- Printing run-to-run control totals
- Printing suspense account entries
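A batch master-file update that applies the four update protocols listed above (sequence check, explicit end-of-file handling on both files, several transactions for one record applied in file order, mismatched monetary transactions posted to a suspense account) and produces run-to-run control totals as a report protocol. This is an added example, not from the slides; the account-file layout and the sample records are constructed.

```python
class SequenceError(Exception):
    """Raised when a master or transaction file is not in ascending key order."""

def in_sequence(records):
    """Sequence check: keys must be non-decreasing in file order."""
    keys = [r["acct"] for r in records]
    return keys == sorted(keys)

def batch_update(master, txns):
    """Sequential merge of a sorted master file with a sorted transaction file.
    Returns (new_master, suspense, controls)."""
    for name, recs in (("master", master), ("transaction", txns)):
        if not in_sequence(recs):
            raise SequenceError(f"{name} file out of sequence")
    out, suspense = [], []
    m = t = 0
    # Loop until BOTH files are exhausted: trailing master records are copied,
    # trailing unmatched transactions go to suspense, nothing is dropped at EOF.
    while m < len(master) or t < len(txns):
        if t >= len(txns) or (m < len(master) and master[m]["acct"] < txns[t]["acct"]):
            out.append(dict(master[m])); m += 1     # master record with no transactions
        elif m >= len(master) or txns[t]["acct"] < master[m]["acct"]:
            suspense.append(txns[t]); t += 1        # monetary txn with no master record
        else:
            rec = dict(master[m]); m += 1
            while t < len(txns) and txns[t]["acct"] == rec["acct"]:
                rec["balance"] += txns[t]["amount"]  # several txns, applied in file order
                t += 1
            out.append(rec)
    controls = {
        "master_in": sum(r["balance"] for r in master),
        "txn_total": sum(x["amount"] for x in txns),
        "suspense": sum(x["amount"] for x in suspense),
        "master_out": sum(r["balance"] for r in out),
    }
    # Run-to-run control total: input master + transactions == output master + suspense
    controls["balanced"] = (controls["master_in"] + controls["txn_total"]
                            == controls["master_out"] + controls["suspense"])
    return out, suspense, controls

# Constructed sample files: account 250 has no master record, account 100 has two txns.
MASTER = [{"acct": 100, "balance": 500}, {"acct": 200, "balance": 0}, {"acct": 300, "balance": 75}]
TXNS = [{"acct": 100, "amount": -200}, {"acct": 100, "amount": 50},
        {"acct": 250, "amount": 30}, {"acct": 300, "amount": 25}]

if __name__ == "__main__":
    new_master, susp, ctl = batch_update(MASTER, TXNS)
    for rec in new_master:
        print(rec)
    print("suspense entries:", susp)     # report protocol: print suspense account entries
    print("run-to-run controls:", ctl)   # report protocol: print control totals
```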

Page 8

(5) Concurrency controls

(1) Nature of the shared data resource problem. Solution: lock out one process from a data resource while it is being used by another process -> this gives rise to the problem of deadlock (two processes each wait for the other to release the data it needs)
(2) The problem of deadlock
(3) Solutions to deadlock
(4) Preventing deadlock (two-phase locking): the transaction acquires all the data it needs to propagate its effects and locks it against other processes. The data items are not released until all updates to the data items are complete.
- Growing phase: the transaction acquires locks without releasing locks
- Shrinking phase: once the transaction releases a lock -> it releases all locks
(5) Distributed database concurrency controls
- Replicated DB: a primary copy is designated in one DB, and when a transaction accesses a data item it acquires the lock on the primary copy
- Partitioned DB: the transaction must find the scheduler for the data item it wants to access

[Figure: deadlock; process P and process Q each hold one of data resource 1 and data resource 2 at time t and request the other at time t+1]

[Figure: shared data resource problem; salesperson 1 and salesperson 2 both updating PART A (100) and PART B (150) at time t and time t+1]
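A lock manager that enforces two-phase locking (a transaction that has entered its shrinking phase may not acquire again) and detects the deadlock from the figure by walking the wait-for chain. This is an added example, not from the slides or the book; the transaction names P and Q, the resource names and the choice of Q as the deadlock victim are assumptions.

```python
class TwoPhaseViolation(Exception):
    """Lock requested after the transaction already released a lock."""

class Deadlock(Exception):
    """Granting the wait would close a cycle in the wait-for graph."""

class LockManager:
    def __init__(self):
        self.holder = {}        # item -> transaction holding its (exclusive) lock
        self.waiting = {}       # transaction -> item it is blocked on
        self.shrinking = set()  # transactions that have entered the shrinking phase

    def _waits_for(self, txn, target):
        """Follow 'txn waits on item held by X' edges; True if the chain reaches target."""
        seen = set()
        while txn in self.waiting and txn not in seen:
            seen.add(txn)
            txn = self.holder.get(self.waiting[txn])
            if txn == target:
                return True
        return False

    def acquire(self, txn, item):
        if txn in self.shrinking:
            raise TwoPhaseViolation(f"{txn} requested {item} after releasing a lock")
        owner = self.holder.get(item)
        if owner is None or owner == txn:
            self.holder[item] = txn
            self.waiting.pop(txn, None)
            return "granted"
        # Blocking txn behind owner is only safe if owner is not (transitively)
        # waiting for txn; otherwise the two would wait for each other forever.
        if self._waits_for(owner, txn):
            raise Deadlock(f"{txn} would wait for {owner}, which already waits for {txn}")
        self.waiting[txn] = item
        return "waiting"

    def release_all(self, txn):
        """Shrinking phase: release every lock at once (strict two-phase locking)."""
        self.shrinking.add(txn)
        for item, owner in list(self.holder.items()):
            if owner == txn:
                del self.holder[item]

def demo():
    """The slide's scenario: P holds resource 1, Q holds resource 2, then each
    asks for the other's resource. Q is aborted as the victim, P proceeds, and
    an attempt by Q to lock again after releasing violates two-phase locking."""
    lm = LockManager()
    log = [lm.acquire("P", "R1"), lm.acquire("Q", "R2"), lm.acquire("P", "R2")]
    try:
        log.append(lm.acquire("Q", "R1"))
    except Deadlock:
        log.append("deadlock")
    lm.release_all("Q")                 # abort Q: its lock on R2 is freed
    log.append(lm.acquire("P", "R2"))   # P's pending request can now be granted
    try:
        lm.acquire("Q", "R1")
    except TwoPhaseViolation:
        log.append("2pl-violation")
    return log
```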

Page 9

(6) Cryptographic controls

(1) The primary means of encrypting data: block encryption
(2) Portable storage media: encryption is performed by a cryptographic device in the controller. It guarantees the privacy of the data if the media are stolen, but gives no protection between users.
(3) When the DB is replicated:
- If the same key is used for each replica, making copies and recovering is easy, and load balancing of user transactions is easy, but
- the key must be distributed securely, and a change to one key must bring about a change of the key at every site
- If each site has its own key it is somewhat more secure, but backup and distribution of work are harder
(4) When the DB is partitioned:
- Data owned by a user is distributed
- If the same key is used per user, access to the user's data is straightforward, but the key must be held at several sites, so the problems above arise
- If the several sites each hold a different key, each site's data is somewhat more secure, but a transaction that accesses data at several sites incurs high overhead

Page 10

(7) File handling controls

(1) File handling controls are used to prevent accidental destruction of data contained on storage media.
(2) Methods
- Internal labels
- Generation numbers
- Retention dates
- Control totals
- Magnetic tape file protection rings
- Read-only switches
- External labels

Page 11

(8) Audit trail controls

(1) Accounting audit trail
To maintain the accounting audit trail, the database subsystem performs the following functions:
- It must attach a unique time stamp to all transactions applied against the database definition or the database (implosion, explosion)
- The database subsystem must attach before-images and after-images of the data item against which a transaction is applied to the audit trail entry for the transaction
- The database subsystem must provide facilities to define, create, modify, delete, and retrieve data in the audit trail

(2) Operations audit trail
- Maintains the chronology of resource consumption events that affect the database definition or the database
- Check response time and the amount of resources consumed; consider DB reorganization; consider restructuring the process by which transactions are applied

Page 12

(9) Existence controls

(1) Five types of failure
- Application program error
- System software error
- Hardware failure
- Procedural error
- Environmental failure

(2) Existence controls: perform recovery when a loss occurs
- Backup strategy
- Recovery strategy
  a. When the current state of the DB must be recovered (rollforward operation): using a prior version or dump of the DB and a log of transactions or changes
  b. When a prior state of the DB must be recovered (rollback operation): using a log of changes to the database

Page 13

(9) Existence controls
(1) Grandfather, father, son strategy

(1) Maintaining the previous two versions of a master file and the previous version of the transaction file
(2) If the current (son) version of the master file is lost, it can be recovered by processing the current transaction file against the previous version of the master file (father).
(3) If the previous version of the master file is lost during recovery, it too can be recovered by using the grandfather version of the master file and the previous version of the transaction file.

[Figure: grandfather-father-son cycle; the transaction file and the input master file (father, kept for a further 2 cycles) go to the update program, which produces the output master file (son, kept for a further 3 cycles) and update reports; the grandfather is kept for a further 2 cycles]

Page 14

(9) Existence controls
(2) Dual recording/mirroring strategy

(1) Maintaining two completely separate copies of the database and updating both simultaneously
(2) Assists recovery from environmental failure, processor failure, or storage medium failure, but does not protect the database against software error or procedural error.

[Figure: dual recording/mirroring; a front-end processor feeds a primary processor with the primary database and a duplicate processor with the duplicate database, the two remotely located from each other]

Page 15

(9) Existence controls
(3) Dumping

(1) Copying the whole or a portion of the database to some backup medium.
(2) Recovery involves rewriting the dump back to the primary storage medium and reprocessing transactions that have occurred since the time of the dump.
(3) Physical dumping involves reading and copying the database in the serial order of the records on the storage medium (track by track): global recovery of the database.
(4) Logical dumping involves reading and copying the database in the serial order of the logical records in a file: selective recovery of the database.

Page 16

(9) Existence controls
(4) Logging

(1) Recording a transaction that changes the database, or an image of the record changed by an update action
(2) Three types of logging
- Transaction log: to allow reprocessing of transactions during recovery
- Before-image log: to allow rollback of the database; each time a record is updated, its image before the update is logged
- After-image log: to allow rollforward of the database; after a record is updated by a transaction, its image must be copied to the log

[Figure: logging; transaction input enters the DBMS and the DB, with successful input transactions and unsuccessful input transactions shown as separate flows]
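One in-memory store serving both the accounting audit trail of page 11 (a unique time stamp, the user, and before- and after-images on every update, plus retrieval of the trail) and the logging of this page (before-images drive rollback, after-images drive rollforward from a prior dump). This is an added example, not code from the slides or the book; the account keys and values are constructed.

```python
import copy
from itertools import count

class LoggedDB:
    def __init__(self, initial):
        self.data = dict(initial)
        self.log = []                 # the accounting audit trail / change log
        self._ts = count(1)           # monotonic, unique time stamp source

    def update(self, txn, key, new_value, who):
        """Apply an update and record who/what/when plus both images."""
        entry = {
            "ts": next(self._ts), "txn": txn, "user": who, "key": key,
            "before": copy.deepcopy(self.data.get(key)),   # before-image (None if new)
            "after": copy.deepcopy(new_value),             # after-image
        }
        self.data[key] = new_value
        self.log.append(entry)
        return entry["ts"]

    def rollback_to(self, ts):
        """Rollback: undo entries newer than ts, latest first, from before-images."""
        for e in reversed([e for e in self.log if e["ts"] > ts]):
            if e["before"] is None:
                self.data.pop(e["key"], None)
            else:
                self.data[e["key"]] = e["before"]
        self.log = [e for e in self.log if e["ts"] <= ts]

    @classmethod
    def rollforward(cls, dump, log, up_to_ts=None):
        """Rollforward: rebuild the current state from a prior dump by reapplying
        after-images in time-stamp order (optionally only up to a given stamp)."""
        db = cls(dump)
        db.log = sorted((e for e in log if up_to_ts is None or e["ts"] <= up_to_ts),
                        key=lambda e: e["ts"])
        for e in db.log:
            db.data[e["key"]] = copy.deepcopy(e["after"])
        db._ts = count((db.log[-1]["ts"] if db.log else 0) + 1)
        return db

    def audit_query(self, key):
        """Audit trail retrieval: the history of one data item (when, who, from, to)."""
        return [(e["ts"], e["user"], e["before"], e["after"])
                for e in self.log if e["key"] == key]
```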

Page 17

(9) Existence controls
(5) Residual dumping

(1) Purpose: to reduce the overhead of a full dump
(2) Logging records that have not been changed since the last database dump
(3) The database is recovered by going back to, but not including, the second last residual dump and rolling forward the database using the residual dump log.
(4) Residual dumping reduces the overheads associated with dumping because records that have been changed and recorded on the log are not then dumped.

Page 18

(9) Existence controls
(6) Differential files/shadow paging

(1) A differential file is a file of changes made to the database.
(2) The database is kept intact and changes to the database are written to a separate file.
(3) In due course these changes are written to the database.
(4) If a failure occurs before the changes are applied, the intact database constitutes a prior dump of the database.
(5) Provided a log of transactions has been kept, these transactions can then be reprocessed against the database.

[Figure (a) Differential file strategy: the DBMS writes to the primary file and to the differential file over separate channels]

[Figure (b) Shadow page strategy: a current page table (entries 1-4, entry 3 points to new page 3) and a shadow page table (entries 1-4, entry 3 points to old page 3); pages 1, 2, 3 (old), 3 (new) and 4]
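The shadow page strategy of figure (b) worked through in code, as an added example that is not from the slides or the book: a write to page 3 goes to a new slot referenced only by the current page table, the shadow page table keeps pointing at old page 3, and a crash before commit is recovered by discarding the current table. The page contents are constructed.

```python
class ShadowPagedDB:
    def __init__(self, pages):
        self.slots = list(pages)                 # physical page slots on "disk"
        self.shadow = list(range(len(pages)))    # page table as of the last commit
        self.current = list(self.shadow)         # page table being built by this txn

    def read(self, logical):
        """Reads go through the current page table (see uncommitted changes)."""
        return self.slots[self.current[logical]]

    def write(self, logical, content):
        """Copy-on-write: never overwrite a slot the shadow table still points to."""
        if self.current[logical] == self.shadow[logical]:
            self.slots.append(content)                   # allocate a new slot
            self.current[logical] = len(self.slots) - 1  # current table -> new page
        else:
            self.slots[self.current[logical]] = content  # slot already private to txn

    def commit(self):
        """Atomic switch: the current table becomes the shadow table. Slots only
        the old shadow table referenced can then be reclaimed."""
        freed = sorted(set(self.shadow) - set(self.current))
        self.shadow = list(self.current)
        return freed

    def crash_and_recover(self):
        """Failure before commit: discard the current table. The shadow table
        still points at the committed pages, so no before-image log is needed."""
        self.current = list(self.shadow)

    def committed_view(self):
        """The database as the shadow table sees it."""
        return [self.slots[i] for i in self.shadow]
```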