In the previous module, you learned the basics of assigning object privileges.
You may think that assigning privileges for many users takes a lot of SQL commands, and that changing your security scheme is a maintenance nightmare.
In this module, you will learn how to use roles to make assigning and maintaining object privileges much easier. By the end of this module, you will know how to:
- Define a role
- Create a role
- Grant privileges to a role and a role to a user
- Grant default and non-default roles
- Create password-protected roles
- Allow users to administer a role
- Examine why roles dont affect stored code
- List privileges granted to a role
- List roles granted to a user
- Drop a role from the database
Organizations worldwide are experiencing the impact of data breaches at an unprecedented rate.
It seems like every day brings a news story about
- a service provider losing subscribers' personal information,
- an employer losing employee HR records, or
- a government contractor losing sensitive intellectual property.
Data is the new currency, and bad actors are often able to leverage stolen data for financial or political advantage for years after a breach has occurred.
Where do organizations keep their sensitive data? At the end of the day, this data is stored and managed in databases. At one point, perimeter security solutions such as network firewalls were considered sufficient for protecting internal systems and repositories such as databases from data theft.
However, the threat environment for organizations has changed considerably in recent years.
Tools vary widely depending upon the attackers, from exploiting unpatched systems to very advanced methods where hackers penetrate a network, search for vulnerabilities, and then covertly exfiltrate data from servers.
These attacks can go undetected for weeks, months, or even years.
The need to protect data has never been greater. In addition to the monetary and reputational losses arising from data breaches, organizations today operate in an increasingly stringent and fast-evolving regulatory landscape. The United States alone has more than 20 national privacy and data security laws, with additional laws enacted at the state level. The European Union (EU) has harmonized data privacy laws across multiple member states with the General Data Protection Regulation (EU GDPR).
To understand why a
defense-in-depth[1] approach to database security is important, it is necessary to
understand the various actors who want your data and how they try to get it.
Threat actors can be broadly divided into two groups:
- outsiders and
- insiders.
Outsiders vary widely in their level of skill and resources. They include everyone from lone hacktivists” and cyber criminals seeking business disruption or financial gain, to criminal groups and nation state-sponsored organizations seeking to perpetrate
fraud and create disruption at a national scale. Insiders include current or former employees, curiosity seekers,
and customers or partners who take advantage of their position of trust to steal data.
The target for both of these groups includes personal data, financial data, trade secrets and regulated data.
[1]
Defense in Depth: Defense in Depth (DiD) refers to an information security approach in which a series of security mechanisms and controls are thoughtfully layered throughout a computer network to protect the confidentiality, integrity, and availability of the network and the data within.