Topic 8: Security, Privacy, and Responsible Data Management

Secure Access, Encryption, Compliance, and Ethical Data Handling

Topic Overview

Database security and privacy are fundamental responsibilities requiring defense in depth: multiple layers of protection from network access controls to application-level validation. SQL injection remains a critical vulnerability when user input is concatenated into queries rather than using parameterized statements. Authentication verifies user identity, while authorization enforces access control through models like RBAC (role-based) or ABAC (attribute-based). Encryption protects data at rest (disk encryption, database-level encryption) and in transit (TLS/SSL), with key management being critical to effectiveness. Compliance requirements like GDPR mandate data minimization, right to deletion, and audit trails. Students must evaluate security threats, implement appropriate defenses, and design systems that protect sensitive data while maintaining usability and performance.

Student Presentation Assignments

Student 1: SQL Injection & Secure Access

Required Coverage:

  • Must explain SQL injection attacks, demonstrating how they work with executable examples focusing on attack mechanics, not sensational demos, and identifying common attack vectors
  • Must explain parameterized queries, specifying prevention techniques and best practices with code examples
  • Must analyze ORM security risks, explaining how ORMs can still be vulnerable (e.g., raw SQL, string interpolation)
  • Must explain secure coding practices, specifying input validation techniques and least privilege principles as system design constraints, not afterthoughts
  • Must evaluate at least one real breach example, analyzing why safeguards failed and how it could have been prevented through system design, not just describing what happened
  • Must explain defense in depth, specifying multiple layers of protection (network, database, application)

Student 2: Authentication & Authorization

Required Coverage:

  • Must explain database auth models, specifying user management approaches and access control mechanisms
  • Must compare RBAC vs ABAC, analyzing when each is appropriate and trade-offs in flexibility vs operational complexity, not just feature comparisons
  • Must explain least privilege principle, specifying how to grant minimum necessary access and common violations
  • Must explain secrets management, comparing approaches (environment variables, secret stores) and analyzing security trade-offs, including rotation strategies and blast radius considerations
  • Must evaluate application-level vs DB-level security, specifying where to enforce access control and trade-offs
  • Must explain multi-factor authentication and session management, specifying implementation approaches and analyzing risk reduction, not UX features

Student 3: Encryption & Data Protection

Required Coverage:

  • Must compare encryption at rest approaches (database-level vs disk-level), analyzing security and performance trade-offs
  • Must explain encryption in transit, specifying TLS/SSL configuration for database connections and certificate management
  • Must explain key management, specifying secure key storage approaches and treating key rotation as a requirement, not an optional enhancement
  • Must evaluate performance trade-offs, quantifying encryption overhead and optimization techniques
  • Must compare cloud provider encryption tools, analyzing managed service benefits and limitations, including trust and control trade-offs, not vendor feature comparisons
  • Must explain field-level encryption, specifying use cases and implementation approaches for protecting sensitive columns

Student 4: Data Privacy & Compliance

Required Coverage:

  • Must explain GDPR basics for engineers, specifying key requirements (data minimization, right to deletion) and technical obligations, including technical friction (backups, logs, replicas)
  • Must explain PII handling, specifying how to identify personally identifiable information and protection strategies
  • Must explain data retention and deletion, specifying how to implement right to be forgotten and technical challenges, analyzing system design implications (backups, replicas, audit logs)
  • Must explain audit trails, specifying what to log (access, modifications) and how to implement compliance requirements
  • Must evaluate ethical data storage considerations, analyzing responsible data practices and their technical implications, tying ethical considerations to system design choices, not philosophical discussions
  • Must compare other regulations (CCPA, HIPAA), specifying industry-specific requirements and how they differ from GDPR

Presentation Requirements

All presentations must be 17–20 minutes in duration and include the following components:

Note: Presentations that only summarize definitions, list features, or copy diagrams without interpretation will receive low marks. Each presentation must demonstrate analytical reasoning through comparisons, trade-off analysis, and justification of design decisions. Reading slides verbatim or presenting material that could be satisfied by reading documentation will be penalized.

Report Requirement: In addition to the presentation, each student must submit an individual PDF report. See Seminar Report Requirements for format, content, and submission details.

Evaluation Criteria

Criterion                          Weight   Description
Technical Correctness              30%      Accuracy of technical content, correct use of terminology, absence of errors
Depth of Understanding             25%      Goes beyond surface-level definitions, demonstrates system-level comprehension
Clarity and Structure              20%      Logical flow, clear explanations, appropriate use of examples and visuals
Use of Examples and Trade-offs     15%      Concrete examples, discussion of limitations, comparison with alternatives
Slide Quality and Time Management  10%      Professional formatting, appropriate pacing, stays within time limit

Recommended References

Books:

Documentation:

Academic / Technical: