Data and Database Security and Controls

Data and Database Security and Controls

1 Handbook of Information Security Management, Auerbach Publishers, 1993, pages 481-499. DATA AND DATABASE SECURITY AND CONTROLS Ravi S. Sandhu and Sushil Jajodia Center for Secure Information Systems & Department of Information and Software Systems Engineering George Mason University, Fairfax, VA 22030-4444 Telephone: 703-993-1659 1 Intro duction This chapter discusses the topic of data security and controls, primarily in the context of Database Management Systems DBMSs. The emphasis is on basic principles and mechanisms, which have b een successfully used by practitioners in actual pro ducts and systems. Where appropriate, the limitations of these techniques are also noted. Our discussion fo cuses on principles and general concepts. It is therefore indep endent of any particular pro duct except for section 7 which discusses some pro ducts. In the more detailed considerations we limit ourselves sp eci cally to relational DBMSs. The reader is assumed to be familiar with rudimentary concepts of relational databases and SQL. A brief review of essential concepts is given in the app endix. The chapter b egins with a review of basic security concepts in section 2. This is followed, in section 3, by a discussion of access controls in the current generation of commercially available DBMSs. Section 4 intro duces the problem of multilevel security. It is shown that the techniques of section 3 are inadequate to solve this problem. Additional techniques develop ed for multilevel security are reviewed. Sec- tion 5, discusses the various kinds of inference threats that arise in a database system, and discusses metho ds that have b een develop ed for dealing with them. Section 6 addresses the problem of data integrity. Current practice in this area is discussed and limitations are noted. Section 7 discusses some commercially available DBMS pro ducts. Section 8 gives a summary of the chapter. A glossary and list of readings follow the summary. Finally, the app endix gives a brief review of essential relational concepts and SQL. 2 Basic Security Concepts In this section we review some basic security concepts which are imp ortant for un- derstanding this chapter. We also de ne some technical terms which will be used throughout this chapter. Whenever we use a technical term for the rst time we will italicize it, to draw attention to its de nition which is given at that p oint. 2.1 Secrecy, Integrity and Availability The ob jective of data security can be divided into three separate, but interrelated, areas as follows. Secrecy is concerned with improp er disclosure of information. The terms con - dentiality or non-disclosure are synonyms for secrecy. Integrity is concerned with improp er mo di cation of information or pro cesses. Availability is concerned with improp er denial of access to information. The term denial of service is also used as a synonym for availability. These three ob jectives arise in practically every information system. For example, in a payroll system secrecy is concerned with preventing an employee from nding out the b oss's salary; integrity is concerned with preventing an employee from changing his or her salary; and availabilityis concerned with ensuring that the paychecks are printed on time as required by law. Similarly, in a military command and control system secrecy is concerned with preventing the enemy from determining the target co ordinates of a missile; integrity is concerned with preventing the enemy from alter- ing the target co ordinates; and availability is concerned with ensuring that the missile do es get launched when the order is given. Any system will have these three requirements co-existing to some degree. There are of course di erences regarding the relative imp ortance of these ob jectives in a given system. The commercial and military sectors b oth have similar needs for high integrity systems. The secrecy and availability requirements of the military are often more stringent than in typical commercial applications. These three ob jectives also di er with resp ect to our understanding of the ob jec- tives themselves and of the technology to achieve them. It is easiest to understand the ob jective of secrecy. Integrity is a less tangible ob jective on which exp erts in the eld have diverse opinions. Availability is technically the least understo o d asp ect. In terms of technology, the dominance of the commercial sector in the marketplace has led vendors to emphasize mechanisms for integrity rather than for military-like secrecy needs. The availability ob jective is so p o orly understo o d that no pro duct to dayeven tries to address it directly. Availability is discussed only in passing in this chapter. 2 2.2 Security Policy The purp ose of a security policy is to elab orate the three generic security ob jectives of secrecy, integrity and availability,in the context of a particular system. The generic ob jectives have all used the term \improp er" in their de nition. A statement of security p olicy largely consists of de ning what is the meaning of \improp er" for a particular system. The meaning of \improp er" is sometimes mandated bylaw, such as for secrecy in the classi ed military and government sectors. Legal and professional requirements apply to medical records and other sensitive p ersonal information ab out individu- als. Due to con ict of interest considerations so-called Chinese Walls are required to prevent business consultants from accessing con dential information for two or more companies comp eting in the same market sector. In general, however, security p olicy is largely determined within an organization rather than imp osed by mandate from outside. This is particularly so in the integrity and availability arenas. 2.3 Prevention, Detection and Tolerance The ob jective of data security can be approached in two distinct, and mutually sup- p ortive, ways. Prevention. Prevention ensures that security breaches cannot o ccur. The basic technique is that the system examines every action and checks its conformance with the security p olicy b efore allowing it to o ccur. This technique is called access control. Detection. Detection ensures that sucient history of the activity in the system is recorded in an audit trail, so that a security breach can b e detected after the fact. This technique is called auditing. Every system employs some mix of these two techniques. Sometimes the distinction between these two techniques gets blurred. For example, consider a system which monitors the audit trail in real time lo oking for imminent security violations so as to prevent them. Such a system is preventive in nature, yet the technology used is basically a detective one. The distinction is nevertheless a useful one. Our fo cus in this chapter is on preventive techniques. Prevention is the more fundamental technique. An e ective detection mechanism requires a mechanism to prevent improp er mo di cation of the audit trail. Moreover, detection is ultimately useful only to the extent that it prevents improp er activityby threatening punitive action. Finally, there is the third \technique" of tolerance in which the p otential for some security breaches is tolerated; b ecause either these breaches are to o exp ensive 3 to prevent or detect, or the likeliho o d of their o ccurrence is considered suciently low, or security measures are acceptable to users only up to some reasonable p oint. Every practical system tolerates some degree of risk with resp ect to p otential security breaches. It is, however, imp ortant to understand what risk is b eing tolerated and what is b eing covered by preventive/detective mechanisms. 2.4 Assurance Security mechanisms, whether preventive or detective in nature, can b e implemented with various degrees of assurance. Assurance is directly related to the e ort required to subvert the mechanism. Low assurance mechanisms are easy to implement but also relatively easy to subvert. Subtle bugs in system and/or application software have led to numerous security breaches. On the other hand, high assurance mecha- nisms are notoriously dicult to implement. They also tend to su er from degraded p erformance. Fortunately, rapid advances in hardware p erformance are making the p erformance p enalty acceptable. 3 Access Controls in Current Systems In this section we discuss the access controls provided in the current generation of commercially available Database Management Systems. Our fo cus is on relational systems. The access controls describ ed here are often referred to as discretionary access controls as opp osed to the mandatory access controls of multilevel security. Discussion of this distinction is deferred until section 4. The purp ose of access controls is to ensure that a user is only p ermitted to p erform those op erations on the database for which that user is authorized. Access controls are based on the premise that the user has b een correctly identi ed to the system by some authentication pro cedure. Authentication typically requires the user to supply his or her claimed identity e.g., user name, op erator numb er, etc. along with a password or some other authentication token. Authentication may be p erformed by the Op erating System, the Database Management System, a sp ecial Authentication Server, or some combination thereof. Authentication is not discussed any further in this chapter. We simply assume that a suitable mechanism is in place. 3.1 Granularity and Mo des of Access Control Access controls can be imp osed at various degrees of granularity in a system. Some p ossibilities are enumerated b elow. The entire database. 4 Some collection of relations. One relation. Some columns of one relation.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    37 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us