LECTURE 8: DATABASE SECURITY

A database is a collection of data and a set of rules that organize the data by specifying certain relationships
among the data.
A database administrator is a person who defines the rules that organize the data and also controls who should
have access to what parts of the data.
The user interacts with the database through a program called a database manager or a database management
system (DBMS), informally known as a front end.

Advantages of Using Databases


A database is a single collection of data, stored and maintained at one central location, to which many people
have access as needed.
The actual implementation may involve some other physical storage arrangement or access. The essence of a
good database is that the users are unaware of the physical arrangements; the unified logical arrangement is all
they see. A database offers many advantages over a simple file system:
- shared access, so that many users can use one common, centralized set of data
- minimal redundancy, so that individual users do not have to collect and maintain their own sets of data
- data consistency, so that a change to a data value affects all users of the data value
- data integrity, so that data values are protected against accidental or malicious undesirable changes
- controlled access, so that only authorized users are allowed to view or to modify data values
A DBMS is designed to provide these advantages efficiently. However, as often happens, the objectives can
conflict with each other. This clash is not surprising, because measures taken to enforce security often
increase the computing system's size or complexity. Security interests may also reduce the system's ability
to provide data to users by limiting certain queries that would otherwise seem innocuous.

Security Requirements
The following is a list of requirements for database security.
- Physical database integrity. The data of a database are immune to physical problems, such as power failures,
and someone can reconstruct the database if it is destroyed through a catastrophe.
- Logical database integrity. The structure of the database is preserved. With logical integrity of a database, a
modification to the value of one field does not affect other fields, for example.
- Element integrity. The data contained in each element are accurate.
- Auditability. It is possible to track who or what has accessed (or modified) the elements in the database.
- Access control. A user is allowed to access only authorized data, and different users can be restricted to
different modes of access (such as read or write).
- User authentication. Every user is positively identified, both for the audit trail and for permission to access
certain data.
- Availability. Users can access the database in general and all the data for which they are authorized.

Integrity of the Database


If a database is to serve as a central repository of data, users must be able to trust the accuracy of the data values.
- This condition implies that the database administrator must be assured that updates are performed only by
authorized individuals.
- It also implies that the data must be protected from corruption, either by an outside illegal program action or
by an outside force such as fire or a power failure.
Two situations can affect the integrity of a database:
1. when the whole database is damaged
2. when individual data items are unreadable.

It is important to be able to reconstruct the database at the point of a failure. For instance, when the power fails
suddenly, a bank's clients may be in the middle of making transactions or students may be in the midst of
registering online for their classes.
The DBMS must maintain a log of transactions. In the event of a system failure, the system can obtain accurate
account balances by reverting to a backup copy of the database and reprocessing all later transactions from the
log.

Element Integrity
The integrity of database elements is their correctness or accuracy. Authorized users are responsible for entering
correct data in databases. However, users and programs make mistakes collecting data, computing results, and
entering values.
DBMSs sometimes take special action to help catch errors as they are made and to correct errors after they are
inserted.
This corrective action can be taken in three ways.
1. The DBMS can apply field checks, activities that test for appropriate values in a position. A field might be
required to be numeric, an uppercase letter, or one of a set of acceptable characters. The check ensures that a
value falls within specified bounds or is not greater than the sum of the values in two other fields. These
checks prevent simple errors as the data are entered.
2. A second integrity action is provided by access control. Data files may contain data from several sources,
and redundant data may be stored in several different places; access control ensures that each element is
written or changed only by authorized users and programs, which protects it from corruption by unauthorized
writes.
3. A third means of providing database integrity is maintaining a change log for the database. A change log
lists every change made to the database; it contains both original and modified values. Using this log, a
database administrator can undo any changes that were made in error.
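The change log described in item 3, and the backup-plus-log recovery described under "Integrity of the Database" above, as an added example that is not part of the lecture. The in-memory account table, the transactions and the account names are constructed; the log stores both the original and the modified value of every change, which is what makes both redo (rebuild from backup) and undo (revert one transaction) possible.

```python
"""Change-log based recovery and undo for a toy account table (added example, not from the lecture)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class LogEntry:
    seq: int      # monotonically increasing sequence number
    txn: str      # transaction that made the change
    key: str      # which element was changed (here: account id)
    before: int   # original value
    after: int    # modified value


class LoggedDB:
    """In-memory table plus an append-only change log, written before the table is modified."""

    def __init__(self, initial: Dict[str, int]):
        self.table: Dict[str, int] = dict(initial)
        self.log: List[LogEntry] = []

    def update(self, txn: str, key: str, new_value: int) -> None:
        # Write-ahead: the log entry is recorded before the in-place change, so a crash
        # between the two lines leaves a log that still describes the intended state.
        self.log.append(LogEntry(len(self.log) + 1, txn, key, self.table[key], new_value))
        self.table[key] = new_value

    def transfer(self, txn: str, src: str, dst: str, amount: int) -> None:
        if self.table[src] < amount:
            raise ValueError("insufficient funds")
        self.update(txn, src, self.table[src] - amount)
        self.update(txn, dst, self.table[dst] + amount)


def recover(backup: Dict[str, int], log: List[LogEntry], up_to_seq: int) -> Dict[str, int]:
    """Rebuild the table from a backup copy by redoing logged changes, in order, up to a point."""
    table = dict(backup)
    for entry in sorted(log, key=lambda e: e.seq):
        if entry.seq > up_to_seq:
            break
        table[entry.key] = entry.after
    return table


def undo_transaction(table: Dict[str, int], log: List[LogEntry], txn: str) -> Dict[str, int]:
    """Revert one transaction using the logged 'before' images, newest change first.

    Refuses if a later transaction has since changed the same element: blindly restoring the
    old value would then silently destroy that later, legitimate update.
    """
    table = dict(table)
    mine = sorted((e for e in log if e.txn == txn), key=lambda e: e.seq, reverse=True)
    for entry in mine:
        if table[entry.key] != entry.after:
            raise RuntimeError(f"element {entry.key} changed after {txn}; cannot undo safely")
        table[entry.key] = entry.before
    return table


def demo() -> dict:
    # Constructed sample data: a bank with three accounts and a nightly backup.
    db = LoggedDB({"alice": 100, "bob": 50, "carol": 0})
    backup = dict(db.table)
    db.transfer("T1", "alice", "bob", 30)
    db.transfer("T2", "bob", "carol", 20)   # suppose T2 was entered in error
    return {
        "live": db.table,
        "recovered": recover(backup, db.log, up_to_seq=len(db.log)),
        "after_undo_T2": undo_transaction(db.table, db.log, "T2"),
        "log_len": len(db.log),
    }
```

Recovery replays every logged change after the backup point, so the rebuilt table equals the live one; undoing T2 restores bob and carol from their before-images, while an attempt to undo T1 after T2 is refused because bob's value no longer matches what T1 wrote.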

Auditability
For some applications it may be desirable to generate an audit record of all access (read or write) to a database.
- Such a record can help to maintain the database's integrity, or at least to discover after the fact who had
affected what values and when.
- Users can access protected data incrementally; that is, no single access reveals protected data, but a set of
sequential accesses viewed together reveals the data, much like discovering the clues in a detective novel. In
this case, an audit trail can identify which clues a user has already been given, as a guide to whether to tell
the user more.
- Granularity matters: a record can be accessed but never reported to the user, as when a select operation reads
records to evaluate its condition and discards those that do not match. An audit trail of raw accesses therefore
overstates what the user actually learned.
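The "clues already given" idea from the second bullet, worked through as an added example (not code from the lecture): a statistical query interface records every request per user in an audit trail and refuses a new query when its record set, combined with an earlier answered set for the same user, would isolate fewer than a minimum number of individuals. The employee table, the salaries and the minimum set size of 3 are constructed assumptions.

```python
"""Audit trail used to block incremental disclosure through aggregate queries (added example)."""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Optional, Tuple

MIN_SET_SIZE = 3  # assumed policy parameter: smallest query set the interface will answer

# Constructed sample table: employee id -> (department, salary in thousands)
EMPLOYEES = {
    "e1": ("eng", 120), "e2": ("eng", 110), "e3": ("eng", 130), "e4": ("eng", 95),
    "e5": ("ops", 80), "e6": ("ops", 85), "e7": ("ops", 90),
}

Predicate = Callable[[str, int, str], bool]  # (department, salary, employee id) -> selected?


@dataclass
class AuditEntry:
    user: str
    label: str               # human-readable description of the query
    records: FrozenSet[str]  # the query set the request actually touched
    answered: bool
    result: Optional[int]


@dataclass
class StatDB:
    trail: List[AuditEntry] = field(default_factory=list)

    def sum_salary(self, user: str, label: str, pred: Predicate) -> Tuple[str, Optional[int]]:
        recs = frozenset(k for k, (dept, sal) in EMPLOYEES.items() if pred(dept, sal, k))
        reason = self._check(user, recs)
        result = sum(EMPLOYEES[k][1] for k in recs) if reason == "ok" else None
        # Every request, answered or refused, is logged: the trail is the memory of what was revealed.
        self.trail.append(AuditEntry(user, label, recs, reason == "ok", result))
        return reason, result

    def _check(self, user: str, recs: FrozenSet[str]) -> str:
        if len(recs) < MIN_SET_SIZE:
            return "refused: query set too small"
        for prior in self.trail:
            if prior.user != user or not prior.answered:
                continue
            # A small symmetric difference means SUM(prior) - SUM(new) isolates a few individuals.
            if 0 < len(prior.records ^ recs) < MIN_SET_SIZE:
                return f"refused: overlaps with earlier query '{prior.label}'"
        return "ok"


def demo() -> List[Tuple[str, Optional[int]]]:
    db = StatDB()
    eng = lambda d, s, k: d == "eng"
    eng_minus_e1 = lambda d, s, k: d == "eng" and k != "e1"
    return [
        db.sum_salary("mallory", "all eng", eng),                          # ("ok", 455)
        db.sum_salary("mallory", "eng except e1", eng_minus_e1),           # refused: would reveal e1
        db.sum_salary("mallory", "only e1", lambda d, s, k: k == "e1"),    # refused: too small
        db.sum_salary("trent", "eng except e1", eng_minus_e1),             # ("ok", 335): different user
        db.sum_salary("mallory", "all ops", lambda d, s, k: d == "ops"),   # ("ok", 255)
    ]
```

The trail is what makes the second refusal possible: on its own, "eng except e1" is a perfectly ordinary three-person aggregate. The caveat is visible in the fourth call: because the check is per user, trent's answer combined with mallory's still yields e1's salary (455 - 335), so colluding users defeat a per-user trail; a shared trail or output perturbation would be needed against that, and this simple overlap rule does not catch longer tracker sequences either.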

Access Control
Databases are often separated logically by user access privileges.
Limited access is both a responsibility and a benefit of this centralization.
The database administrator specifies who should be allowed access to which data, at the view, relation, field,
record, or even element level.
The DBMS must enforce this policy, granting access to all specified data or no access where prohibited.
Access control is complicated by inference: a user may deduce a protected value from values that are
individually releasable. Restricting inference may mean prohibiting certain query paths to prevent possible
inferences. Restricting access to control inference also limits queries from users who do not intend
unauthorized access to values. Moreover, attempts to check requested accesses for possible unacceptable
inferences may actually degrade the DBMS's performance.

User Authentication
The DBMS can require rigorous user authentication. A DBMS might insist that a user pass both specific
password and time-of-day checks. This authentication supplements the authentication performed by the
operating system.

Availability
A DBMS has aspects of both a program and a system. It is a program that uses other hardware and software
resources, yet to many users it is the only application run. Users often take the DBMS for granted, employing it
as an essential tool with which to perform particular tasks.
Integrity/Confidentiality/Availability
The three aspects of computer security (integrity, confidentiality, and availability) clearly relate to database
management systems.
- Integrity is a major concern in the design of database management systems.
- Confidentiality is a key issue with databases because of the inference problem, whereby a user can access
sensitive data indirectly. Inference and access control are covered later in this chapter.
- Availability is important because of the shared access motivation underlying database development.
However, availability conflicts with confidentiality. The last sections of the chapter address availability in an
environment in which confidentiality is also important.

Reliability and Integrity


Database concerns about reliability and integrity can be viewed from three dimensions:
- Database integrity: concern that the database as a whole is protected against damage, as from the failure of a
disk drive or the corruption of the master database index. These concerns are addressed by operating system
integrity controls and recovery procedures.
- Element integrity: concern that the value of a specific data element is written or changed only by authorized
users. Proper access controls protect a database from corruption by unauthorized users.
- Element accuracy: concern that only correct values are written into the elements of a database. Checks on the
values of elements can help to prevent insertion of improper values. Also, constraint conditions can detect
incorrect values.
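The field checks from "Element Integrity" and the constraint conditions from the element-accuracy bullet above, expressed as declarative CHECK constraints. This is an added example using Python's standard sqlite3 module, not code from the lecture; the payroll table, its columns and the sample rows are constructed. Each constraint corresponds to one check the lecture names: a value from a fixed set, a value within bounds, a numeric type, and a value that must not exceed the sum of two other fields.

```python
"""Field checks as CHECK constraints enforced by the DBMS at insert time (added example)."""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE payroll (
    emp_id     INTEGER PRIMARY KEY,
    grade      TEXT    NOT NULL CHECK (grade IN ('A', 'B', 'C', 'D')),     -- one of a set
    base_pay   INTEGER NOT NULL CHECK (base_pay BETWEEN 0 AND 500000),   -- within bounds
    bonus      INTEGER NOT NULL CHECK (bonus >= 0),
    allowance  INTEGER NOT NULL CHECK (allowance >= 0),
    total_pay  INTEGER NOT NULL
        CHECK (total_pay <= base_pay + bonus + allowance),                -- cross-field rule
    CHECK (typeof(base_pay) = 'integer')                                  -- must really be numeric
);
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with the constrained schema applied."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_row(conn: sqlite3.Connection, row: Tuple) -> str:
    """Try to insert one row; return 'ok' or the constraint error text.

    Parameters are bound, never interpolated, so a hostile value in the row cannot
    change the statement; the CHECKs then judge the value itself.
    """
    try:
        with conn:  # commits on success, rolls back if the constraint fires
            conn.execute("INSERT INTO payroll VALUES (?, ?, ?, ?, ?, ?)", row)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


def load(rows: List[Tuple]) -> List[str]:
    conn = open_db()
    results = [insert_row(conn, r) for r in rows]
    conn.close()
    return results


# Constructed sample input: the first row is valid, each later row violates one check.
SAMPLE_ROWS = [
    (1, "B", 52000, 3000, 1200, 56200),   # valid
    (2, "Z", 52000, 3000, 1200, 56200),   # grade not in the allowed set
    (3, "A", -5, 0, 0, 0),                # base_pay out of bounds
    (4, "C", 40000, 1000, 500, 99999),    # total exceeds the sum of its components
    (5, "D", "fifty", 0, 0, 0),           # non-numeric base_pay (stored as TEXT, fails typeof)
]
```

The last row shows why the explicit typeof() check is there: an INTEGER column in SQLite will happily store text it cannot convert, so a column type alone is not a field check. Constraints of this kind catch the entry errors the lecture describes; they do not replace access control, since an authorized user can still enter a value that is well-formed but wrong.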

Several factors can make data sensitive.


- Inherently sensitive. The value itself may be so revealing that it is sensitive. Examples are the locations of
defensive missiles or the median income of barbers in a town with only one barber.
- From a sensitive source. The source of the data may indicate a need for confidentiality. An example is
information from an informer whose identity would be compromised if the information were disclosed.
- Declared sensitive. The database administrator or the owner of the data may have declared the data to be
sensitive. Examples are classified military data or the name of the anonymous donor of a piece of art.
- Part of a sensitive attribute or a sensitive record. In a database, an entire attribute or record may be classified
as sensitive. Examples are the salary attribute of a personnel database or a record describing a secret space
mission.
- Sensitive in relation to previously disclosed information. Some data become sensitive in the presence of other
data. For example, the longitude coordinate of a secret gold mine reveals little, but the longitude coordinate in
conjunction with the latitude coordinate pinpoints the mine.
All of these factors must be considered to determine the sensitivity of the data.

Multilevel Databases
So far, we have considered data in only two categories: either sensitive or nonsensitive.
Sensitivity is determined not just by attribute but also in ways that we investigate below.

Three characteristics of database security emerge.


- The security of a single element may be different from the security of other elements of the same record or
from other values of the same attribute. This situation implies that security should be implemented for each
individual element.
- Two levels, sensitive and nonsensitive, are inadequate to represent some security situations. Several grades
of security may be needed. These grades may represent ranges of allowable knowledge, which may overlap.
Typically, the security grades form a lattice.
- The security of an aggregate (a sum, a count, or a group of values in a database) may be different from the
security of the individual elements. The security of the aggregate may be higher or lower than that of the
individual elements.
Proposals for Multilevel Security
Sensitivity Lock
A sensitivity lock is a combination of a unique identifier (such as the record number) and the sensitivity level,
encrypted under a key held by the DBMS. Because the identifier is unique, each lock relates to one particular
record. Many different elements will have the same sensitivity level, but a malicious subject should not be able
to identify two elements having identical sensitivity levels or identical data values just by looking at the
sensitivity level portion of the lock. Because of the encryption, the lock's contents, especially the sensitivity
level, are concealed from plain view. Thus, the lock is associated with one specific record, and it protects the
secrecy of the sensitivity level of that record.

Separation
Separation is necessary to limit access. The following mechanisms (partitioning, encryption, and the integrity
lock) can help to implement multilevel security for databases.

Partitioning
The database is divided into separate databases, each at its own level of sensitivity. This approach is similar to
maintaining separate files in separate file cabinets.
This control destroys a basic advantage of databases: elimination of redundancy and improved accuracy through
having only one field to update.
It does not address the problem of a high-level user who needs access to some low-level data combined with
high-level data.
Nevertheless, because of the difficulty of establishing, maintaining, and using multilevel databases, many users
with data of mixed sensitivities handle their data by using separate, isolated databases.

Encryption
If sensitive data are encrypted, a user who accidentally receives them cannot interpret the data. Thus, each level
of sensitive data can be stored in a table encrypted under a key unique to the level of sensitivity.

Integrity Lock
The integrity lock is a way to provide both integrity and limited access for a database. Each element is stored
with its sensitivity label and a cryptographic checksum computed over the element, its label, and a unique
identifier; the checksum detects unauthorized changes to the data or its label (or a label copied from another
element), and the label governs who may see the element.
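The sensitivity lock and the integrity lock described above, combined for one record, as an added example that is not the lecture's code. The record identifier and level are encrypted with a per-lock random nonce, so two records at the same level do not show matching lock bytes, and a keyed MAC over the nonce, the ciphertext and the data detects tampering. To stay within the Python standard library the cipher is SHA-256 run in counter mode as a keystream (an illustration only; a production system would use an authenticated cipher such as AES-GCM), the MAC is HMAC-SHA256, and the level names, key sizes and sample record are constructed.

```python
"""Sensitivity lock (encrypted id + level) plus integrity lock (MAC over label and data); added example."""
import hashlib
import hmac
import secrets
from typing import Tuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}  # assumed lattice
NONCE_LEN, LABEL_LEN, TAG_LEN = 16, 9, 32   # label = 8-byte record id + 1-byte level


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, standing in for a real cipher (illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def make_lock(enc_key: bytes, mac_key: bytes, record_id: int, level: str, data: bytes) -> bytes:
    """Lock = nonce || Enc(record_id || level) || MAC(nonce || ciphertext || data)."""
    nonce = secrets.token_bytes(NONCE_LEN)   # fresh per lock, so equal levels never look alike
    label = record_id.to_bytes(8, "big") + bytes([LEVELS[level]])
    ct = _xor(label, _keystream(enc_key, nonce, LABEL_LEN))
    tag = hmac.new(mac_key, nonce + ct + data, hashlib.sha256).digest()
    return nonce + ct + tag


def open_lock(enc_key: bytes, mac_key: bytes, record_id: int, data: bytes, lock: bytes) -> Tuple[bool, str]:
    """Check a lock against the record it is stored with; return (ok, level name or failure reason)."""
    if len(lock) != NONCE_LEN + LABEL_LEN + TAG_LEN:
        return False, "malformed lock"
    nonce = lock[:NONCE_LEN]
    ct = lock[NONCE_LEN:NONCE_LEN + LABEL_LEN]
    tag = lock[NONCE_LEN + LABEL_LEN:]
    expected = hmac.new(mac_key, nonce + ct + data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):          # data or encrypted label altered
        return False, "integrity check failed"
    label = _xor(ct, _keystream(enc_key, nonce, LABEL_LEN))
    if int.from_bytes(label[:8], "big") != record_id:   # lock copied from another record
        return False, "lock belongs to a different record"
    for name, value in LEVELS.items():
        if value == label[8]:
            return True, name
    return False, "unknown sensitivity level"


def demo() -> dict:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)   # held only by the trusted DBMS
    data = b"salary=90000"                                                # constructed sample element
    lock = make_lock(enc_key, mac_key, 1, "secret", data)
    relock = make_lock(enc_key, mac_key, 1, "secret", data)
    # Flip one bit in the encrypted level byte: an attempt to downgrade the label in place.
    pos = NONCE_LEN + 8
    flipped_level = lock[:pos] + bytes([lock[pos] ^ 0x02]) + lock[pos + 1:]
    return {
        "valid": open_lock(enc_key, mac_key, 1, data, lock),
        "same_level_looks_different": lock != relock,
        "tampered_data": open_lock(enc_key, mac_key, 1, b"salary=99000", lock),
        "moved_to_record_2": open_lock(enc_key, mac_key, 2, data, lock),
        "downgraded_level": open_lock(enc_key, mac_key, 1, data, flipped_level),
    }
```

The two parts fail in different ways on purpose: altering the data or the label breaks the MAC, while copying an intact lock (with its data) onto another record passes the MAC and is caught only because the decrypted identifier does not match. Both keys must be kept from users; anyone holding them can forge labels, which is why the lecture ties this approach to a trusted front end.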

Summary of Database Security


This lecture has addressed three aspects of security for database management systems: confidentiality and
integrity problems specific to database applications, the inference problem for statistical databases, and problems
of including users and data of different sensitivity levels in one database.
Both confidentiality and integrity are important to users of databases.

Confidentiality can be broken by indirect disclosure of a negative result or of the bounds of a value. Integrity of
the entire database is a responsibility of the DBMS software; this problem is handled by most major commercial
systems through backups, redundancy, change logs, and two-step updates. Integrity of an individual element of
the database is the responsibility of the database administrator, who defines the access policy.

Multilevel secure databases must provide both confidentiality and integrity. Separation can be implemented
physically, logically, or cryptographically.
Five approaches to assuring confidentiality in multilevel secure databases are:
- integrity lock,
- trusted front end,
- commutative filters,
- distributed databases, and
- restricted views.
The analysis of the problems and the derivation of techniques are typical of how we analyze security needs in
any software application.

Exercise
Discuss emerging trends in Information security.
