Scribd
Upload
164 views21 pages

Database Security and Access Control

The document discusses database security requirements including physical and logical integrity, element integrity, auditability, access control, authentication, and availability. It then covers the SQL security model which implements discretionary access control based on users, actions, and objects. Finally, it examines using views and application programming to implement row-level security through discretionary access controls in a case study on a medical records database.

Uploaded by

elshaday desalegn
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
164 views21 pages

Database Security and Access Control

The document discusses database security requirements including physical and logical integrity, element integrity, auditability, access control, authentication, and availability. It then covers the SQL security model which implements discretionary access control based on users, actions, and objects. Finally, it examines using views and application programming to implement row-level security through discretionary access controls in a case study on a medical records database.

Uploaded by

elshaday desalegn
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd

Module 6: Database Security

Security Requirements
• Physical database integrity
• Logical database integrity
• Element integrity
• Auditability
• Access control
• User authentication
• Availability
Security Requirements…
• Physical database integrity
– immunity to physical catastrophe, such as power
failures, media failure
• physical securing hardware, UPS
• regular backups

• Logical database integrity


– reconstruction Ability
• maintain a log of transactions
• replay log to restore the systems to a stable point
Security Requirements…
• Element integrity
– integrity of specific database elements is their correctness or accuracy
• field checks
– allow only acceptable values
• access controls
– allow only authorized users to update elements
• change log
– used to undo changes made in error
• referential Integrity (key integrity concerns)
• two phase locking process

• Auditability
– log read/write to database
Security Requirements…
• Access Control (similar to OS)
– logical separation by user access privileges
– more complicated than OS due to complexity of DB
(granularity/inference/aggregation)
• User Authentication
– may be separate from OS
– can be rigorous
• Availability
– concurrent users
• granularity of locking
– reliability
SQL Security Model
• SQL security model implements DAC based on
– users: users of database - user identity checked during login process;
– actions: including SELECT, UPDATE, DELETE and INSERT;
– objects: tables (base relations), views, and columns (attributes) of
tables and views
• Users can protect objects they own
– when object created, a user is designated as ‘owner’ of object
– owner may grant access to others
– users other than owner have to be granted privileges to access object
SQL Security Model…
• Components of privilege are
– grantor, grantee, object, action, grantable
– privileges managed using GRANT and REVOKE operations
– the right to grant privileges can be granted
• Issues with privilege management
– each grant of privileges is to an individual or to “Public”
– makes security administration in large organizations difficult
– individual with multiple roles may have too many privileges for one of
the roles
– SQL3 is moving more to role based privileges
SQL Security Model…
• Authentication & identification mechanisms
– CONNECT <user> USING<password>
– DBMS may chose OS authentication
– or its own authentication mechanism
• Kerberose
• PAM
SQL Security Model
• Access control through views
– many security policies better expressed by granting privileges to views
derived from base relations

– example
CREATE VIEW AVSAL(DEPT, AVG)
AS SELECT DEPT, AVG(SALARY)
FROM EMP GROUP BY DEPT
• access can be granted to this view for every dept mgr

– example
CREATE VIEW MYACCOUNT AS
SELECT * FROM Account
WHERE Customer = current_user()
• view containing account info for current user
SQL Security Model
• Advantages of views
– views are flexible, and allow access control to be
defined at a description level appropriate to
application
– views can enforce context and data-dependent
policies
– data can easily be reclassified
SQL Security Model
• Disadvantages of views
– access checking may become complex
– views need to be checked for correctness (do they
properly capture policy?)
– completeness and consistency not achieved
automatically - views may overlap or miss parts of
database
– security-relevant part of DBMS may become very
large
SQL Security Model
• Inherent weakness of DAC
– DAC allows subject to be written to any other
object which can be written by that subject
– trojan horses to copy information from one object
to another
SQL Security Model
• Mandatory access controls (MAC)
– no read up, no write down
– traditional MAC implementations in RDBMS have
focused solely on MLS
– there have been three commercial MLS RDBMS
offerings
• trusted Oracle ,Informix OnLine/Secure, Sybase Secure
SQL Server
SQL Security Model
• Enforce MAC using security labels
– assign security levels to all data
• label associated with a row
– assign a security clearance to each users
• label associated with the user
– DBMS enforces MAC
• access to a row based upon
– the label associated with that row and the label associated
with the user accessing that row.
RECORDID CLIENTNO DEPTNO
Case Study
ALLOCATION_DATE LAST_UPDATE MEDICAL_HISTORY RISK_FACTOR

0010 K108341 K01 2006/01/05 2006/02/05 Diabetes 0

0020 K104546 K01 2006/10/20 2006/11/05 Arthritis 2

0030 S245987 S02 2006/09/01 2006/10/05 High Blood 3


Pressure

0040 S245456 S02 2006/06/26 2006/07/05 Asthma 1

– Medical record analyst


• READ all records
• WRITE all records
– Managers
• READ client records of their department
• READ only non-confidential columns
• No WRITE access
Case Study

• Columns
– medical record analysts have READ/WRITE access to confidential
columns
– managers have READ access to non-confidential columns
• Rows:
– medical record analysts can read and update all the records
– managers can read but not update client records for their department
Case Study: DAC Solution

Three approaches used to provide row level security


using DAC (Discretionary Access Control)
• application views
• programming logic embedded in the application
• physical separation using one or more databases
Case Study: DAC Solution

• Application views
– Widely used approach
– Views provide the ability to
filter data.
Case Study: DAC Solution
Create view manager_K01 as
select recordid, clientno,
deptno, allocation_date,
last_update,risk_factor
from Med_records
where Dept = ‘K01’;

Create view manager_S01 as


select recordid, clientno, deptno,
allocation_date, last_update, risk_factor
from Med_records
where Dept = ‘S01’;

Create view med_rec_analyst as


select * from Med_records;
Case Study: DAC Solution
• Application views
– number of views required is sometimes large as
application ages
– directing application users to the correct view
becomes management burden
– application complexity tends to increase due to
unforeseen security requirements
Presentation Topics
• MAC and DAC, MAC Vs DAC
• DAC & RBAC use in MS-SQL DBMS
• DAC & RBAC use in Oracle DBMS
• Statistical Database Security

Common questions

Powered by AI

Role-based access control (RBAC) represents an improvement over discretionary access control (DAC) by aligning permissions with defined roles within an organization, ensuring that users have the minimum necessary access rights based on their function. This reduces the complexity involved in managing individual permissions and the security risks associated with users holding excessive rights due to multiple roles. While DAC involves subjects directly controlling object permissions, RBAC structures permissions hierarchically and is often seen as more scalable and easier to audit within large organizations .

The benefits of using views in the SQL security model include their flexibility in defining access control at a level appropriate to the application and their capability to enforce context and data-dependent policies. Views can help in reclassifying data easily. However, the drawbacks include the potential complexity of access checking, issues with ensuring the correctness and consistency of views, and the risk of security-relevant parts of the DBMS growing excessively large .

The SQL security model implements discretionary access control (DAC) by checking user identity during the login process and managing access to database objects based on privileges granted to specific users or to "Public". Users have control over the objects they own and can grant access to others, with privileges managed using GRANT and REVOKE operations. The challenges in managing these privileges within large organizations include difficulty in security administration due to each grant of privileges being either to an individual or to "Public", and the potential for individuals with multiple roles to have excessive privileges for certain roles .

Field checks ensure element integrity by allowing only acceptable values, thus maintaining the correctness or accuracy of data. Access controls limit updates to authorized users only, preventing unauthorized changes. Change logs maintain a history of modifications to data, which can be used to undo changes made in error, thereby preserving the integrity of specific database elements .

Views can enforce data-dependent security policies by presenting data tailored according to specific criteria, such as user roles or contextual parameters. For instance, views can ensure that managers only see data relevant to their department. However, the reliance on views can lead to complex access management due to the need for a wide variety of views, verification for policy compliance, and potential overlap or omissions in views which could compromise security. Additionally, maintaining and updating these views to align with evolving security policies can be cumbersome .

The inherent weakness of discretionary access control (DAC) is that it allows a subject to write to any other object that can be written by the subject, creating a vulnerability to Trojan horses. This means that a malicious program could copy information from one object to another, potentially breaching data security by making unauthorized disclosures or modifications .

Physical database integrity ensures the database's immunity to physical catastrophes, such as power failures or media failures, through measures like securing hardware, using uninterruptible power supplies (UPS), and performing regular backups. Logical database integrity refers to the database's ability to be accurately reconstructed to a stable state in case of errors, achieved through transaction logs and the ability to replay these logs to restore systems .

Security labels are critical in enforcing mandatory access control (MAC) in database systems. Each piece of data is assigned a security level through such labels, which are also assigned to users. The database management system (DBMS) enforces MAC by granting access to a database row based on the comparison of the user's security clearance with the label of the data row. This ensures that users cannot read data above their clearance level or write data to a lower security level, maintaining data integrity and security compliance .

Mandatory access control (MAC) differs from discretionary access control (DAC) in that MAC enforces rules that prohibit reading higher-tier data (no read up) and writing to lower tiers (no write down), assigned through security labels to both data and users. Traditional MAC implementations in relational database management systems (RDBMS) have focused on multilevel security (MLS). By contrast, DAC relies on user-specific permissions that can be transferred at the user's discretion, raising issues with Trojan horse vulnerabilities .

Application views provide row-level security using discretionary access control (DAC) by allowing specific views to be created, which filter data based on certain criteria (e.g., user roles). For example, a view might be defined to allow managers to see client records for their department only without being able to update them. However, the challenges include the large number of views required as applications evolve, the management burden of directing application users to correct views, and increasing application complexity due to unforeseen security requirements .

You might also like