Database Security and Authorization - PowerPoint PPT Presentation

Description: Title: Formal Technical Reviews Author: Annette Tetmeyer Last modified by: rihab Created Date: 10/5/2009 1:41:59 AM Document presentation format: On-screen Show (4:3) – PowerPoint PPT presentation
Slides: 116
Provided by: Annet67

Transcript and Presenter's Notes

1
Database Security and Authorization
  • Sameh Elghzali, CPIM, PMP
  • EECS710 - Information Security and Assurance -
    Fall 2010

2
Outline (1/3)
  • Quick database introduction
  • Database Security and Authorization
  • Database Security Issues
  • Control Measures
  • Database Security and DBA
  • Access Protection, User Accounts, and Database
    Audits
  • Discretionary Access Control
  • Types of Discretionary Privileges
  • Specifying Privileges Using Views
  • Revoking Privileges
  • Propagation of Privileges Using the GRANT OPTION
  • Specifying Limits on Propagation of Privileges

3
Outline (2/3)
  • Mandatory Access Control and Role-Based Access
    Control for Multilevel Security
  • Comparing Discretionary Access Control and
    Mandatory Access Control
  • Role-Based Access Control
  • Access Control Policies for E-Commerce and the
    Web
  • Statistical Database Security
  • Flow Control
  • Covert Channels
  • Encryption and Public Key Infrastructures
  • The Data and Advanced Encryption Standards
  • Public Key Encryption
  • Digital Signatures

4
Outline (3/3)
  • Privacy Issues and Preservation
  • Database Survivability
  • Oracles EnterpriseOne DB Security Features
  • Summary
  • References

5
Quick Database Introduction (1/5)
Figure 1 A simplified database system environment
6
Quick Database Introduction (2/5)
  • There are multiple architectures
  • Centralized
  • Client-Server

Figure 2 Logical two-tier client/server
architecture.
7
Quick Database Introduction (3/5)
  • Relational Database Elements
  • Schema
  • Relation / Table / File
  • Tuple / Row / Record
  • Attribute / Column / Field
  • Primary key
  • Uniquely identifies a row
  • Foreign key
  • Links one table to attributes in another
  • View / Virtual table

8
Quick Database Introduction (4/5)
Figure 3
9
Quick Database Introduction (5/5)
  • Typical DBMS Functionality
  • Define a database (data types, structures,
    constraints)
  • Construct or Load the initial database contents
  • Manipulating the database (Retrieval,
    Modification)
  • Processing and Sharing by a set of concurrent
    users and application programs
  • Protection or Security measures to prevent
    unauthorized access
  • Active processing to take internal actions on
    data
  • Presentation and Visualization of data
  • Maintaining the database and associated programs
    over the lifetime of the database application

10
Quick Database Introduction (5/5)
Figure 3 A database that stores student and
course information.
12
Database Security Issues (1/9)
  • Types of Security
  • Legal and ethical issues
  • Legal rights to access certain information
  • Numerous laws governing private information
  • Policy issues
  • What kind of information should not be made
    publicly available? (examples: credit ratings and
    medical records)
  • System-related issues
  • At which level various security functions should
    be enforced
  • The need to identify multiple security levels
  • Categorize data and users based on their
    classifications

13
Database Security Issues (2/9)
  • Threats to databases
  • Loss of integrity
  • Protection from improper modification
  • Loss of availability
  • Availability refers to making objects available to
    the humans and programs that have a legitimate
    right to them
  • Loss of confidentiality
  • Confidentiality refers to the protection of data
    from unauthorized disclosure
  • Can range from violations of the Data Privacy Act
    to jeopardizing national security
  • Could result in loss of public confidence,
    embarrassment, or legal action against the
    organization

14
Database Security Issues (3/9)
  • Four kinds of countermeasures can be implemented
  • Access control
  • Inference control
  • Flow control
  • Encryption

15
Database Security Issues (4/9)
  • A DBMS includes a database security and
    authorization subsystem that is responsible for
    protecting portions of a database against
    unauthorized access
  • Two types of database security mechanisms
  • Discretionary security mechanisms
  • Grant privileges to users to access data in a
    specified mode
  • Mandatory security mechanisms
  • Used to enforce multilevel security by
    classifying data and users into various security
    classes or levels and then implementing the
    appropriate security policy

16
Database Security Issues (5/9)
  • Role-based security is an extension of mandatory
    access control that enforces policies and
    privileges based on the concept of roles

Figure 4 Multiple access control policies. DAC,
MAC and RBAC are not mutually exclusive. A
system may implement two or even three of these
policies for some or all types of access. Source:
SAND94
17
Database Security Issues (6/9)
  • The security mechanism of a DBMS must include
    provisions for restricting access to the database
    system as a whole, whether to obtain information or
    to make malicious changes to the database
  • This function is called access control and is
    handled by creating user accounts and passwords
    by which the DBMS controls the login process

18
Database Security Issues (7/9)
  • One security problem associated with databases is
    that of controlling access to a statistical
    database, which is used to provide statistical
    information or summaries of values based on
    various criteria
  • Countermeasures can be implemented
  • inference control measures

19
Database Security Issues (8/9)
  • Another security issue is that of flow control,
    which prevents information from flowing in such a
    way that it reaches unauthorized users
  • Channels that are pathways for information to
    flow implicitly in ways that violate the security
    policy of an organization are called covert
    channels
  • Countermeasures can be implemented
  • Allow all flows of information except from class
    confidential (C) to class nonconfidential (N)

20
Database Security Issues (9/9)
  • A final security issue is data encryption, which
    is used to protect sensitive data (such as credit
    card numbers, SSN) that is being transmitted via
    some type of communication network
  • The data is encoded using some encoding algorithm
    in such a way that
  • An unauthorized user who accesses the encoded data
    will have difficulty deciphering it
  • Authorized users are given decoding or
    decrypting algorithms (or keys) to decipher the data

22
Control Measures (1/2)
  • Must include provisions for restricting access
    to the database system as a whole
  • Must prevent access to detailed confidential
    information about specific individuals in
    statistical databases
  • Must prevent information from flowing in such a way
    that it reaches unauthorized users through
    what are called covert channels
  • Must protect sensitive data that is transmitted
    via some type of communications network

23
Control Measures (2/2)
  • There are four control measures that are used to
    provide security of data in databases
  • Access control
  • Inference control
  • Flow control
  • Data encryption

25
Database Security and the DBA (1/2)
  • The database administrator (DBA) is the central
    authority for managing a database system
  • The DBA's responsibilities include
  • granting privileges to users who need to use the
    system
  • classifying users and data in accordance with the
    policy of the organization
  • The DBA is responsible for the overall security
    of the database system

26
Database Security and the DBA (2/2)
  • The DBA has a DBA account in the DBMS
  • Sometimes these are called a system or super user
    account
  • These accounts provide powerful capabilities such
    as
  • 1. Account creation
  • 2. Privilege granting
  • 3. Privilege revocation
  • 4. Security level assignment
  • Action 1 is access control, whereas 2 and 3 are
    discretionary and 4 is used to control mandatory
    authorization

28
Access Protection, User Accounts, and Database
Audits (1/5)
  • A DBMS provides access control over the database
    for authenticated users
  • A DBMS provides specific access rights to portions
    of the database
  • e.g. create, insert, delete, read, write
  • to the entire database, tables, selected rows or
    columns
  • possibly dependent on the contents of a table entry

29
Access Protection, User Accounts, and Database
Audits(2/5)
  • A DBMS can support a range of policies
  • centralized administration
  • A small number of privileged users may grant or
    revoke access rights
  • ownership-based administration
  • The owner (creator) of a table may grant or
    revoke access rights on the table
  • decentralized administration
  • The owner of a table may grant or revoke
    authorization rights to other users, allowing
    them to grant and revoke access to the table

30
Access Protection, User Accounts, and Database
Audits(3/5)
  • Whenever a person or group of persons need to
    access a database system, the individual or group
    must first apply for a user account
  • The DBA will then create a new account id and
    password for the user if he/she deems there is a
    legitimate need to access the database
  • The user must log in to the DBMS by entering
    account id and password whenever database access
    is needed

31
Access Protection, User Accounts, and Database
Audits(4/5)
  • The database system must also keep track of all
    operations on the database that are applied by a
    certain user throughout each login session
  • To keep a record of all updates applied to the
    database and of the particular user who applied
    each update, we can modify the system log, which
    includes an entry for each operation applied to
    the database that may be required for recovery
    from a transaction failure or system crash

32
Access Protection, User Accounts, and Database
Audits(5/5)
  • If any tampering with the database is suspected,
    a database audit is performed
  • A database audit consists of reviewing the log to
    examine all accesses and operations applied to
    the database during a certain time period
  • A database log that is used mainly for security
    purposes is sometimes called an audit trail

34
Discretionary Access Control Based on Granting
and Revoking Privileges
  • The typical method of enforcing discretionary
    access control in a database system is based on
    granting and revoking privileges
  • Many current relational DBMSs use some variation
    of this technique
  • The main idea is to include statements in the query
    language that allow the DBA and selected users to
    grant and revoke privileges

35
Types of Discretionary Privileges (1/6)
  • The account level
  • At this level, the DBA specifies the particular
    privileges that each account holds independently
    of the relations in the database
  • The relation level (or table level)
  • At this level, the DBA can control the privilege
    to access each individual relation or view in the
    database

36
Types of Discretionary Privileges (2/6)
  • The privileges at the account level apply to the
    capabilities provided to the account itself and
    can include
  • the CREATE SCHEMA or CREATE TABLE privilege, to
    create a schema or base relation
  • the CREATE VIEW privilege
  • the ALTER privilege, to apply schema changes such
    as adding or removing attributes from relations
  • the DROP privilege, to delete relations or views
  • the MODIFY privilege, to insert, delete, or
    update tuples
  • and the SELECT privilege, to retrieve information
    from the database by using a SELECT query

37
Types of Discretionary Privileges (3/6)
  • The second level of privileges applies to the
    relation level
  • This includes base relations and virtual (view)
    relations
  • The granting and revoking of privileges generally
    follow an authorization model for discretionary
    privileges known as the access matrix model, where
  • The rows of a matrix M represent subjects
    (users, accounts, programs)
  • The columns represent objects (relations,
    records, columns, views, operations)
  • Each position M(i,j) in the matrix represents the
    types of privileges (read, write, update) that
    subject i holds on object j

38
Types of Discretionary Privileges (4/6)
  • To control the granting and revoking of relation
    privileges, each relation R in a database is
    assigned an owner account, which is typically the
    account that was used when the relation was
    created in the first place
  • The owner of a relation is given all privileges
    on that relation
  • DBA can assign an owner to a whole schema by
    creating the schema and associating the
    appropriate authorization identifier with that
    schema, using the CREATE SCHEMA command
  • The owner account holder can pass privileges on
    any of the owned relations to other users by
    granting privileges to their accounts

39
Types of Discretionary Privileges (5/6)
  • In SQL the following types of privileges can be
    granted on each individual relation R
  • SELECT (retrieval or read) privilege on R
  • Gives the account retrieval privilege
  • Gives the account the privilege to use the SELECT
    statement to retrieve tuples from R
  • MODIFY privileges on R
  • Gives the account the capability to modify tuples
    of R
  • This privilege is further divided into UPDATE,
    DELETE, and INSERT privileges to apply the
    corresponding SQL command to R
  • In addition, both the INSERT and UPDATE
    privileges can specify that only certain
    attributes can be updated by the account

40
Types of Discretionary Privileges (6/6)
  • The following types of privileges in SQL can be
    granted on each individual relation R
  • REFERENCES privilege on R
  • This gives the account the capability to
    reference relation R when specifying integrity
    constraints
  • The privilege can also be restricted to specific
    attributes of R
  • Please notice that to create a view, the account
    must have SELECT privilege on all relations
    involved in the view definition

41
Specifying Privileges Using Views
  • The mechanism of views is an important
    discretionary authorization mechanism in its own
    right. For example,
  • If the owner A of a relation R wants another
    account B to be able to retrieve only some fields
    of R, then A can create a view V of R that
    includes only those attributes and then grant
    SELECT on V to B
  • The same applies to limiting B to retrieving only
    certain tuples of R: a view V can be created by
    defining the view by means of a query that
    selects only those tuples from R that A wants to
    allow B to access

42
Revoking Privileges
  • In some cases it is deemed necessary to grant a
    privilege to a user only temporarily, to maintain
    good control of security and access rights. For
    example,
  • The owner of a relation may want to grant the
    SELECT privilege to a user for a specific task
    and then revoke that privilege once the task is
    completed.
  • Hence, a mechanism for revoking privileges is
    necessary. In SQL, a REVOKE command is included
    for the purpose of canceling privileges.

43
Propagation of Privileges using the GRANT OPTION
  • Whenever the owner A of a relation R grants a
    privilege on R to another account B, the privilege
    can be given to B with or without the GRANT
    OPTION
  • If the GRANT OPTION is given, this means that B
    can also grant that privilege on R to other
    accounts
  • Suppose that B is given the GRANT OPTION by A and
    that B then grants the privilege on R to a third
    account C, also with GRANT OPTION. In this way,
    privileges on R can propagate to other accounts
    without the knowledge of the owner of R
  • If the owner account A now revokes the privilege
    granted to B, all the privileges that B
    propagated based on that privilege should
    automatically be revoked by the system

44
Specifying Limits on Propagation of Privileges
  • Techniques to limit the propagation of privileges
    have been developed, although they have not yet
    been implemented in most DBMSs and are not a part
    of SQL
  • Limiting horizontal propagation to an integer
    number i means that an account B given the GRANT
    OPTION can grant the privilege to at most i other
    accounts
  • Vertical propagation is more complicated: it
    limits the depth of the granting of privileges

45
An Example(1/8)
  • Suppose that the DBA creates four accounts
  • A1, A2, A3, A4, A5
  • and wants only A1 to be able to create base
    relations. Then the DBA must issue the following
    GRANT command in SQL
  • GRANT CREATETAB TO A1
  • The same effect can be accomplished by the DBA
    issuing a CREATE SCHEMA command as follows
  • CREATE SCHEMA EXAMPESCHEMA AUTHORIZATION A1

46
An Example(2/8)
  • User account A1 can create tables under the
    schema called EXAMPESCHEMA
  • Suppose that A1 creates the two base relations
    EMPLOYEE and DEPARTMENT
  • A1 is then the owner of these two relations and
    hence holds all the relation privileges on each of them
  • Suppose that A1 wants to grant A2 the privilege
    to insert and delete tuples in both of these
    relations, but A1 does not want A2 to be able to
    propagate these privileges to additional
    accounts
  • GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2

47
An Example(3/8)
  • Suppose that A1 wants to grant A5 the privilege
    to insert and delete tuples in both of these
    relations, and A1 wants A5 to be able to
    propagate these privileges to additional
    accounts
  • GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO
    A5 WITH GRANT OPTION
  • A5 then can propagate the acquired privileges to
    others

48
An Example(4/8)
Figure 5
49
An Example(5/8)
  • Suppose that A1 wants to allow A3 to retrieve
    information from either of the two tables and
    also to be able to propagate the SELECT privilege
    to other accounts
  • A1 can issue the command
  • GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION
  • A3 can grant the SELECT privilege on the EMPLOYEE
    relation to A4 by issuing
  • GRANT SELECT ON EMPLOYEE TO A4
  • Please notice that A4 can't propagate the SELECT
    privilege because the GRANT OPTION was not given to
    A4

50
An Example(6/8)
  • Suppose that A1 decides to revoke the SELECT
    privilege on the EMPLOYEE relation from A3. A1
    can issue
  • REVOKE SELECT ON EMPLOYEE FROM A3
  • The DBMS must now automatically revoke the SELECT
    privilege on EMPLOYEE from A4, too, because A3
    granted that privilege to A4 and A3 does not have
    the privilege any more

51
An Example(7/8)
  • Suppose that A1 wants to give back to A3 a
    limited capability to SELECT from the EMPLOYEE
    relation and wants to allow A3 to be able to
    propagate the privilege
  • The limitation is to retrieve only the NAME,
    BDATE, and ADDRESS attributes and only for the
    tuples with DNO = 5
  • A1 then creates the view
  • CREATE VIEW A3EMPLOYEE AS
    SELECT NAME, BDATE, ADDRESS
    FROM EMPLOYEE
    WHERE DNO = 5
  • After the view is created, A1 can grant SELECT on
    the view A3EMPLOYEE to A3 as follows
  • GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION

52
An Example(8/8)
  • Finally, suppose that A1 wants to allow A4 to
    update only the SALARY attribute of EMPLOYEE
  • A1 can issue
  • GRANT UPDATE ON EMPLOYEE (SALARY) TO A4
  • The UPDATE or INSERT privilege can specify
    particular attributes that may be updated or
    inserted in a relation
  • Other privileges (SELECT, DELETE) are not
    attribute specific
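The GRANT OPTION propagation, cascading revocation and propagation-limit rules from the slides above, replayed on the A1..A5 worked example, as an added example (not code from the slides): an in-memory grant graph. The cascade rule used here (a downstream grant survives only while its grantor still holds the GRANT OPTION through some remaining path) and the way horizontal and vertical limits are carried on each grant are this example's assumptions, since the slides note such limits are not part of SQL.

```python
from collections import defaultdict


def _cap(limit):
    """None means 'no limit'."""
    return float("inf") if limit is None else limit


class PrivilegeGraph:
    """In-memory model of GRANT, GRANT OPTION and cascading REVOKE.

    Added example, not code from the slides. Each grant is an edge
    grantor -> grantee for one (relation, privilege). Horizontal and
    vertical propagation limits ride along on the grant: horizontal caps how
    many accounts the grantee may grant to, vertical caps how deep further
    grants may go (vertical 0 behaves like no GRANT OPTION at all).
    """

    def __init__(self):
        self.owners = {}                    # relation -> owner account
        self.grants = defaultdict(list)     # (relation, priv) -> [grant dicts]

    def create_relation(self, relation, owner):
        self.owners[relation] = owner

    def holds(self, account, relation, priv):
        """The owner holds every privilege; anyone else needs a live grant."""
        return (self.owners.get(relation) == account or
                any(g["grantee"] == account for g in self.grants[(relation, priv)]))

    def _propagation_rights(self, account, relation, priv):
        """Grants that let `account` pass `priv` on (the owner: one unlimited right)."""
        if self.owners.get(relation) == account:
            return [{"horizontal": None, "vertical": None}]
        return [g for g in self.grants[(relation, priv)]
                if g["grantee"] == account and g["grant_option"]]

    def grant(self, grantor, grantee, relation, priv, grant_option=False,
              horizontal=None, vertical=None):
        rights = self._propagation_rights(grantor, relation, priv)
        if not rights:
            raise PermissionError(f"{grantor} cannot grant {priv} on {relation}")
        hcap = max(_cap(r["horizontal"]) for r in rights)
        vcap = max(_cap(r["vertical"]) for r in rights)
        made = sum(1 for g in self.grants[(relation, priv)] if g["grantor"] == grantor)
        if made >= hcap:
            raise PermissionError(f"{grantor} reached horizontal limit {int(hcap)}")
        if vcap <= 0:
            raise PermissionError(f"{grantor} has no vertical depth left")
        if grant_option:
            if vertical is None and vcap != float("inf"):
                vertical = int(vcap) - 1          # must be strictly below the grantor's
            elif vertical is not None and vertical >= vcap:
                raise PermissionError("vertical limit must be below the grantor's")
        self.grants[(relation, priv)].append(dict(
            grantor=grantor, grantee=grantee, grant_option=grant_option,
            horizontal=horizontal, vertical=vertical))

    def revoke(self, grantor, grantee, relation, priv):
        """Drop grantor -> grantee, then cascade: every grant whose grantor no
        longer holds GRANT OPTION through a remaining path is dropped too.
        (Real SQL also orders grants by time; that refinement is omitted.)"""
        key = (relation, priv)
        kept = [g for g in self.grants[key]
                if not (g["grantor"] == grantor and g["grantee"] == grantee)]
        if len(kept) == len(self.grants[key]):
            return []                            # nothing to revoke
        self.grants[key] = kept
        revoked = [(grantor, grantee)]
        changed = True
        while changed:
            changed = False
            for g in list(self.grants[key]):
                if not self._propagation_rights(g["grantor"], relation, priv):
                    self.grants[key].remove(g)
                    revoked.append((g["grantor"], g["grantee"]))
                    changed = True
        return revoked


def slide_scenario():
    """Replay the A1..A5 example. Returns (A4 holds SELECT before the revoke,
    A4 can propagate it, A4 still holds it after A1 revokes from A3, cascade)."""
    pg = PrivilegeGraph()
    for rel in ("EMPLOYEE", "DEPARTMENT"):
        pg.create_relation(rel, "A1")
        for priv in ("INSERT", "DELETE"):
            pg.grant("A1", "A2", rel, priv)                      # no GRANT OPTION
            pg.grant("A1", "A5", rel, priv, grant_option=True)
        pg.grant("A1", "A3", rel, "SELECT", grant_option=True)
    pg.grant("A3", "A4", "EMPLOYEE", "SELECT")                   # A4 cannot pass it on
    before = pg.holds("A4", "EMPLOYEE", "SELECT")
    try:
        pg.grant("A4", "A2", "EMPLOYEE", "SELECT")
        a4_can_propagate = True
    except PermissionError:
        a4_can_propagate = False
    cascade = pg.revoke("A1", "A3", "EMPLOYEE", "SELECT")        # cascades to A4
    after = pg.holds("A4", "EMPLOYEE", "SELECT")
    return before, a4_can_propagate, after, cascade
```

A3's SELECT on DEPARTMENT is untouched by the revoke, because grants are tracked per (relation, privilege).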

54
Mandatory Access Control and Role-Based Access
Control for Multilevel Security(1/8)
  • The discretionary access control techniques of
    granting and revoking privileges on relations have
    traditionally been the main security mechanism
    for relational database systems
  • This is an all-or-nothing method
  • A user either has or does not have a certain
    privilege
  • In many applications, an additional security
    policy is needed that classifies data and users
    based on security classes
  • This approach, known as mandatory access control,
    would typically be combined with the discretionary
    access control mechanisms

55
Mandatory Access Control and Role-Based Access
Control for Multilevel Security(2/8)
  • Typical security classes are top secret (TS),
    secret (S), confidential (C), and unclassified
    (U), where TS is the highest level and U the
    lowest: TS ≥ S ≥ C ≥ U
  • The commonly used model for multilevel security,
    known as the Bell-LaPadula model, classifies each
    subject (user, account, program) and object
    (relation, tuple, column, view, operation) into
    one of the security classifications TS, S, C, or
    U
  • We refer to the clearance (classification) of a
    subject S as class(S) and to the classification of
    an object O as class(O)

56
Mandatory Access Control and Role-Based Access
Control for Multilevel Security(3/8)
  • Two restrictions are enforced on data access
    based on the subject/object classifications
  • Simple security property: a subject S is not
    allowed read access to an object O unless
    class(S) ≥ class(O)
  • A subject S is not allowed to append/write an
    object O unless class(S) ≤ class(O). This is known
    as the star property (or *-property)
  • *-property: (S, O, append) requires class(S) ≤
    class(O) and (S, O, write) requires class(S) =
    class(O)
  • A third restriction is enforced on data access
    based on discretionary security
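The two Bell-LaPadula properties above as a small reference-monitor check, an added example that is not from the slides. It uses the slide's lattice TS > S > C > U and the three access modes the slide lists; that read-write ("write") access requires equal classes is the standard reading of the *-property and is this example's assumption. The sample requests, including the Trojan-horse style write-down that MAC exists to stop, are constructed.

```python
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # TS > S > C > U, as on the slide


def bell_lapadula_allows(subject_class, object_class, mode):
    """Mediate one access request under the Bell-LaPadula properties.

    Added example, not code from the slides. Modes follow the slide:
      read   - simple security property:      class(S) >= class(O)  (no read up)
      append - *-property, write-only access: class(S) <= class(O)  (no write down)
      write  - *-property, read+write access: class(S) == class(O)  (both hold)
    The equality rule for 'write' is this example's assumption.
    """
    s, o = LEVELS[subject_class], LEVELS[object_class]
    if mode == "read":
        return s >= o
    if mode == "append":
        return s <= o
    if mode == "write":
        return s == o
    raise ValueError(f"unknown access mode {mode!r}")


# Constructed sample requests: (subject, clearance, object, classification, mode).
# The last one is the pattern MAC is meant to stop: a program running with a
# Secret clearance (a Trojan horse, in the slides' words) trying to copy what it
# has read into an Unclassified object.
SAMPLE_REQUESTS = [
    ("alice",   "S", "EMPLOYEE.SALARY", "C",  "read"),    # read down: allowed
    ("alice",   "S", "PLANS",           "TS", "read"),    # read up: denied
    ("alice",   "S", "PLANS",           "TS", "append"),  # blind append up: allowed
    ("payroll", "C", "EMPLOYEE.SALARY", "C",  "write"),   # same level: allowed
    ("trojan",  "S", "PUBLIC_NOTES",    "U",  "append"),  # write down: denied
]


def audit_requests(requests):
    """Return the (subject, object, mode) triples a reference monitor would
    deny, i.e. the entries one would expect to find in the audit trail."""
    return [(subj, obj, mode) for subj, s_cls, obj, o_cls, mode in requests
            if not bell_lapadula_allows(s_cls, o_cls, mode)]
```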

57
Mandatory Access Control and Role-Based Access
Control for Multilevel Security(4/8)
  • To incorporate multilevel security notions into
    the relational database model, it is common to
    consider attribute values and tuples as data
    objects
  • Hence, each attribute A is associated with a
    classification attribute C in the schema, and
    each attribute value in a tuple is associated
    with a corresponding security classification
  • In addition, in some models, a tuple
    classification attribute TC is added to the
    relation attributes to provide a classification
    for each tuple as a whole
  • Hence, a multilevel relation schema R with n
    attributes would be represented as
  • R(A1, C1, A2, C2, ..., An, Cn, TC)
  • TC(t) = Max(C1(t), ..., Cn(t)) for each tuple t
  • where each Ci represents the classification
    attribute associated with attribute Ai

58
Mandatory Access Control and Role-Based Access
Control for Multilevel Security(5/8)
  • The value of the TC attribute in each tuple t
    is the highest of all attribute
    classification values within t
  • TC provides a general classification for the
    tuple itself
  • Ci provides a finer security classification for
    each attribute value within the tuple
  • The apparent key of a multilevel relation is the
    set of attributes that would have formed the
    primary key in a regular (single-level) relation

59
Mandatory Access Control and Role-Based Access
Control for Multilevel Security(6/8)
  • A multilevel relation will appear to contain
    different data to subjects (users) with different
    clearance levels
  • In some cases, it is possible to store a single
    tuple in the relation at a higher classification
    level and produce the corresponding tuples at a
    lower-level classification through a process
    known as filtering
  • In other cases, it is necessary to store two or
    more tuples at different classification levels
    with the same value for the apparent key
  • This leads to the concept of polyinstantiation
    where several tuples can have the same apparent
    key value but have different attribute values for
    users at different classification levels

60
Mandatory Access Control and Role-Based Access
Control for Multilevel Security(7/8)
  • The entity integrity rule for multilevel
    relations states that all attributes that are
    members of the apparent key must not be null and
    must have the same security classification within
    each individual tuple
  • All other attribute values in the tuple must have
    a security classification greater than or equal
    to that of the apparent key
  • This constraint ensures that a user can see the
    key if the user is permitted to see any part of
    the tuple at all

61
Mandatory Access Control and Role-Based Access
Control for Multilevel Security(8/8)
  • Null and interinstance integrity rules informally
    ensure that if a tuple value at some security
    level can be filtered (derived) from a
    higher-classified tuple, then it is sufficient to
    store the higher-classified tuple in the
    multilevel relation

62
An Example
Figure 6 A multilevel relation to illustrate
multilevel security. (a) The original EMPLOYEE
tuples. (b) Appearance of EMPLOYEE after
filtering for classification C users. (c)
Appearance of EMPLOYEE after filtering for
classification U users. (d) Polyinstantiation of
the Smith tuple. Each attribute value is followed
by its classification; TC is the tuple classification.

a) EMPLOYEE
Name       Salary     JobPerformance   TC
Smith  U   40000  C   Fair        S    S
Brown  C   80000  S   Good        C    S

b) EMPLOYEE (as seen by classification C users)
Name       Salary     JobPerformance   TC
Smith  U   40000  C   NULL        C    C
Brown  C   NULL   C   Good        C    C

c) EMPLOYEE (as seen by classification U users)
Name       Salary     JobPerformance   TC
Smith  U   NULL   U   NULL        U    U

d) EMPLOYEE (polyinstantiated Smith tuple)
Name       Salary     JobPerformance   TC
Smith  U   40000  C   Fair        S    S
Smith  C   40000  C   Excellent   C    C
Brown  C   80000  S   Good        C    S
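Figure 6 and the multilevel-relation rules from the preceding slides, replayed as an added example (not code from the slides): the filtering that yields (b) and (c), the multilevel entity-integrity check, and the polyinstantiation in (d) when a C-cleared user updates Smith's JobPerformance. Refusing a write-down update and picking the most specific visible instance of a key are this example's simplifications; the EMPLOYEE rows are a constructed copy of panel (a).

```python
import copy

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}      # TS > S > C > U, as on the slides
ATTRS = ("Name", "Salary", "JobPerformance")
APPARENT_KEY = ("Name",)

# Constructed copy of Figure 6(a): every attribute value carries its own
# classification; TC is derived as the maximum over the tuple.
EMPLOYEE = [
    {"Name": ("Smith", "U"), "Salary": (40000, "C"), "JobPerformance": ("Fair", "S")},
    {"Name": ("Brown", "C"), "Salary": (80000, "S"), "JobPerformance": ("Good", "C")},
]


def tuple_classification(row):
    """TC(t) = Max(C1(t), ..., Cn(t))."""
    return max((cls for _, cls in row.values()), key=LEVELS.get)


def key_of(row):
    return tuple(row[a][0] for a in APPARENT_KEY)


def key_level(row):
    return LEVELS[row[APPARENT_KEY[0]][1]]


def check_entity_integrity(row):
    """Multilevel entity integrity: key attributes are non-null and share one
    classification, and every other value is classified at or above the key."""
    key_classes = {row[a][1] for a in APPARENT_KEY}
    if any(row[a][0] is None for a in APPARENT_KEY) or len(key_classes) != 1:
        return False
    return all(LEVELS[cls] >= key_level(row) for _, cls in row.values())


def filter_for(relation, clearance):
    """Figure 6(b)/(c): what a subject cleared at `clearance` sees. Values
    classified above the clearance become NULL (shown at the viewer's level);
    tuples whose apparent key is classified above the clearance vanish."""
    lvl = LEVELS[clearance]
    return [{a: (v, c) if LEVELS[c] <= lvl else (None, clearance)
             for a, (v, c) in row.items()}
            for row in relation if key_level(row) <= lvl]


def update_as(relation, clearance, key_value, attr, new_value):
    """Update one attribute while acting at `clearance`. If the stored value
    is classified above the subject (it sees NULL), the DBMS must not
    overwrite it, so a second tuple with the same apparent key is stored at
    the subject's level: polyinstantiation, Figure 6(d). Refusing write-down
    mirrors the *-property and is this example's simplification."""
    lvl = LEVELS[clearance]
    candidates = [r for r in relation
                  if key_of(r) == key_value and key_level(r) <= lvl]
    if not candidates:
        raise KeyError(f"no tuple {key_value} visible at clearance {clearance}")
    row = max(candidates, key=key_level)            # most specific visible instance
    value_level = LEVELS[row[attr][1]]
    if value_level == lvl:
        row[attr] = (new_value, clearance)          # same level: update in place
    elif value_level < lvl:
        raise PermissionError(f"{clearance} subject may not write down to {row[attr][1]}")
    else:
        new_row = filter_for([row], clearance)[0]   # copy of what the subject sees
        new_row[attr] = (new_value, clearance)
        for a in APPARENT_KEY:
            new_row[a] = (row[a][0], clearance)     # key re-classified at the subject's level
        relation.insert(relation.index(row) + 1, new_row)
    return relation


def as_figure_rows(relation):
    """Flatten to the slide's layout: (Name, class, Salary, class, Job, class, TC)."""
    return [tuple([x for a in ATTRS for x in row[a]] + [tuple_classification(row)])
            for row in relation]


def polyinstantiation_demo():
    """A C-cleared user sets Smith's JobPerformance to 'Excellent' (Figure 6(d))."""
    rel = copy.deepcopy(EMPLOYEE)
    update_as(rel, "C", ("Smith",), "JobPerformance", "Excellent")
    return as_figure_rows(rel)
```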
64
Comparing Discretionary Access Control and
Mandatory Access Control (1/2)
  • Discretionary Access Control (DAC) policies are
    characterized by a high degree of flexibility,
    which makes them suitable for a large variety of
    application domains
  • The main drawback of DAC models is their
    vulnerability to malicious attacks, such as
    Trojan horses embedded in application programs
  • DAC does not impose any control on how
    information is propagated and used once it has
    been accessed by users authorized to do so

65
Comparing Discretionary Access Control and
Mandatory Access Control(2/2)
  • Mandatory access control (MAC) policies ensure a
    high degree of protection
  • MAC prevents any illegal flow of information
  • MAC has the drawback of being too rigid, and MAC
    policies are only applicable in limited environments
  • Discretionary policies are preferred in many
    cases because they offer a better trade-off
    between security and applicability

67
Role-Based Access Control(1/4)
  • Role-based access control (RBAC) emerged rapidly
    in the 1990s
  • a proven technology for managing and enforcing
    security in large-scale enterprise-wide systems
  • Its basic notion is that permissions are
    associated with roles, and users are then assigned
    to appropriate roles
  • Roles can be created using the CREATE ROLE and
    DESTROY ROLE commands
  • The GRANT and REVOKE commands discussed under DAC
    can then be used to assign privileges to and
    revoke privileges from roles

68
Role-Based Access Control(2/4)
  • RBAC appears to be a viable alternative to
    traditional discretionary and mandatory access
    controls
  • RBAC ensures that only authorized users are given
    access to certain data or resources
  • Many DBMSs support the concept of roles,
    where privileges can be assigned to roles
  • A role hierarchy in RBAC is a natural way of
    organizing roles to reflect the organization's
    lines of authority and responsibility

69
Role-Based Access Control(3/4)
  • Another important consideration in RBAC systems
    is the possible temporal constraints that may
    exist on roles, such as
  • time and duration of role activations
  • timed triggering of a role by an activation of
    another role
  • Using an RBAC model is a highly desirable goal for
    addressing the key security requirements of
    Web-based applications

70
Role-Based Access Control(4/4)
  • In contrast, DAC and MAC models lack the capabilities
    needed to support the security requirements of
    emerging enterprises and Web-based applications
  • RBAC is a superset model that can mimic the
    behavior of both DAC and MAC
  • RBAC works well for a DBMS
  • It eases the administrative burden and improves
    security
  • It addresses the security issues related to the
    execution of tasks and workflows
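Added example (not from the slides and not any DBMS's own code): a small Python model of the RBAC notions on slides 67 to 70. Permissions attach to roles, users are assigned roles, a role hierarchy lets a senior role inherit a junior role's permissions, and a temporal constraint limits the hours during which a role can be activated. The role, user, privilege and object names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional, Tuple

# Hypothetical RBAC model for illustration; not the implementation of any DBMS.

@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)      # (privilege, object) pairs
    juniors: set = field(default_factory=set)          # roles whose permissions this role inherits
    active_window: Optional[Tuple[time, time]] = None  # hours during which the role may be activated

class RBAC:
    def __init__(self):
        self.roles = {}        # role name -> Role
        self.user_roles = {}   # user -> set of role names

    def create_role(self, name, active_window=None):   # CREATE ROLE
        self.roles[name] = Role(name, active_window=active_window)

    def destroy_role(self, name):                      # DESTROY ROLE (DROP ROLE in SQL)
        del self.roles[name]
        for roles in self.user_roles.values():
            roles.discard(name)
        for role in self.roles.values():
            role.juniors.discard(name)

    def add_inheritance(self, senior, junior):
        self.roles[senior].juniors.add(junior)

    def grant(self, role, privilege, obj):             # GRANT privilege ON obj TO role
        self.roles[role].permissions.add((privilege, obj))

    def revoke(self, role, privilege, obj):            # REVOKE privilege ON obj FROM role
        self.roles[role].permissions.discard((privilege, obj))

    def assign(self, user, role):                      # GRANT role TO user
        self.user_roles.setdefault(user, set()).add(role)

    def _closure(self, role):
        """The role plus every role it inherits from, transitively."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.roles[r].juniors)
        return seen

    def _activatable(self, role, now):
        window = self.roles[role].active_window
        return window is None or window[0] <= now.time() <= window[1]

    def check(self, user, privilege, obj, now):
        """True iff a role assigned to the user can be activated at time `now`
        and grants (privilege, obj) itself or through a junior role."""
        for role in self.user_roles.get(user, ()):
            if self._activatable(role, now):
                for r in self._closure(role):
                    if (privilege, obj) in self.roles[r].permissions:
                        return True
        return False

def demo():
    rbac = RBAC()
    rbac.create_role("clerk")
    rbac.create_role("payroll_manager", active_window=(time(8, 0), time(18, 0)))
    rbac.add_inheritance("payroll_manager", "clerk")   # manager inherits the clerk's permissions
    rbac.grant("clerk", "SELECT", "EMPLOYEE")
    rbac.grant("payroll_manager", "UPDATE", "EMPLOYEE.Salary")
    rbac.assign("alice", "payroll_manager")
    rbac.assign("bob", "clerk")
    day = datetime(2010, 11, 1, 10, 0)
    night = datetime(2010, 11, 1, 23, 0)
    results = {
        "alice_select_day": rbac.check("alice", "SELECT", "EMPLOYEE", day),            # inherited from clerk
        "alice_update_day": rbac.check("alice", "UPDATE", "EMPLOYEE.Salary", day),
        "alice_update_night": rbac.check("alice", "UPDATE", "EMPLOYEE.Salary", night),  # outside the window
        "bob_update_day": rbac.check("bob", "UPDATE", "EMPLOYEE.Salary", day),
    }
    rbac.revoke("clerk", "SELECT", "EMPLOYEE")         # revoking from the role affects every holder of it
    results["alice_select_after_revoke"] = rbac.check("alice", "SELECT", "EMPLOYEE", day)
    return results
```

In standard SQL the counterpart of the DESTROY ROLE command named on slide 67 is DROP ROLE, and the GRANT and REVOKE statements play the part of grant() and revoke() here; revoking a privilege from a role removes it from every user holding that role, which is what makes roles easier to administer than per-user grants.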

71
Outline (2/2)
  • Mandatory Access Control and Role-Based Access
    Control for Multilevel Security
  • Comparing Discretionary Access Control and
    Mandatory Access Control
  • Role-Based Access Control
  • Access Control Policies for E-Commerce and the
    Web
  • Statistical Database Security
  • Flow Control
  • Covert Channels
  • Encryption and Public Key Infrastructures
  • The Data and Advanced Encryption Standards
  • Public Key Encryption
  • Digital Signatures

72
Access Control Policies for E-Commerce and the
Web(1/2)
  • E-Commerce environments require elaborate
    policies that go beyond traditional DBMSs
  • In an e-commerce environment the resources to be
    protected are not only traditional data but also
    knowledge and experience
  • The access control mechanism should be flexible
    enough to support a wide spectrum of
    heterogeneous protection objects
  • A related requirement is the support for
    content-based access control

73
Access Control Policies for E-Commerce and the
Web(2/2)
  • Another requirement is related to the
    heterogeneity of subjects, which requires access
    control policies based on user characteristics
    and qualifications
  • A possible solution, to better take into account
    user profiles in the formulation of access
    control policies, is to support the notion of
    credentials
  • A credential is a set of properties concerning a
    user that are relevant for security purposes
  • For example, age or position within an organization
  • It is believed that the XML language can play a
    key role in access control for e-commerce
    applications

74
XML Access Control
  • Efforts are underway to develop security
    standards
  • Digital signature and encryption for XML
  • Can support signing some parts of the XML tree
    rather than the complete document
  • XML encryption applies to parts of documents and
    to documents in persistent storage

75
Outline (2/2)
  • Mandatory Access Control and Role-Based Access
    Control for Multilevel Security
  • Comparing Discretionary Access Control and
    Mandatory Access Control
  • Role-Based Access Control
  • Access Control Policies for E-Commerce and the
    Web
  • Statistical Database Security
  • Flow Control
  • Covert Channels
  • Encryption and Public Key Infrastructures
  • The Data and Advanced Encryption Standards
  • Public Key Encryption
  • Digital Signatures

76
Introduction to Statistical Database Security(1/6)
  • Statistical databases are used mainly to produce
    statistics on various populations
  • The database may contain confidential data on
    individuals, which should be protected from user
    access
  • Users are permitted to retrieve statistical
    information on the populations, such as averages,
    sums, counts, maximums, minimums, and standard
    deviations

77
Introduction to Statistical Database Security(2/6)
  • A population is a set of tuples of a relation
    (table) that satisfy some selection condition
  • Statistical queries involve applying statistical
    functions to a population of tuples
  • For example, we may want to retrieve the number
    of individuals in a population or the average
    income in the population
  • However, statistical users are not allowed to
    retrieve individual data, such as the income of a
    specific person

78
Introduction to Statistical Database Security(3/6)
  • Statistical database security techniques must
    prohibit the retrieval of individual data
  • This can be achieved by prohibiting queries that
    retrieve attribute values and by allowing only
    queries that involve statistical aggregate
    functions such as COUNT, SUM, MIN, MAX, AVERAGE,
    and STANDARD DEVIATION
  • Such queries are sometimes called statistical
    queries

79
Introduction to Statistical Database Security(4/6)
  • It is the DBMS's responsibility to ensure
    confidentiality of information about individuals,
    while still providing useful statistical
    summaries of data about those individuals to
    users. Providing privacy protection for users
    in a statistical database is paramount
  • In some cases it is possible to infer the values
    of individual tuples from a sequence of
    statistical queries
  • This is particularly true when the conditions
    result in a population consisting of a small
    number of tuples

80
Introduction to Statistical Database Security(5/6)
  • Inference countermeasures include
  • Inference detection at database design time:
    alter the database structure or access controls
  • Runtime inference detection and prevention:
  • No statistical queries are permitted whenever the
    number of tuples in the population falls below
    some threshold
  • Prohibit sequences of queries that refer
    repeatedly to the same population of tuples
  • Inference detection algorithm

81
Introduction to Statistical Database Security(6/6)
  • Add slight inaccuracies or noise to the statistics
    generated from the data; this results in small
    differences in the statistics
  • Partitioning of the database
  • Reject queries to a subset of the data
  • Data perturbation techniques, such as data
    swapping
  • Output perturbation techniques, such as the
    random-sample query
  • Any such technique must minimize the loss of
    accuracy in the results
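Added example (not from the slides): a Python guard over an in-memory SQLite table that applies the countermeasures of slides 78 to 81. Only aggregate functions over numeric columns are accepted, never attribute values; a query is refused when its population has fewer than k tuples (or more than n-k, which would expose the complement); and a query whose population overlaps an earlier answered one by more than a fixed number of tuples is refused, so the same population cannot be queried repeatedly. The table contents, column names and threshold values are constructed for the example.

```python
import sqlite3

# Constructed sample table; the names and figures are invented for this example.
ROWS = [  # (name, dept, income)
    ("Ann", "Sales", 52000), ("Ben", "Sales", 61000), ("Cy", "Sales", 58000),
    ("Dee", "Sales", 70000), ("Eli", "IT", 90000), ("Fay", "IT", 88000),
    ("Gus", "IT", 95000), ("Hal", "HR", 51000),
]
COLUMNS = {"name", "dept", "income"}   # usable in a population condition
NUMERIC = {"income"}                   # the only columns an aggregate may touch
ALLOWED_FUNCS = {"COUNT", "SUM", "AVG", "MIN", "MAX"}

class StatisticalGuard:
    """Mediates statistical queries: aggregates only, with query-set size
    control and overlap control between successive queries."""

    def __init__(self, conn, k=3, max_overlap=2):
        self.conn = conn
        self.k = k                      # population must have between k and n-k tuples
        self.max_overlap = max_overlap  # max tuples shared with any earlier answered query
        self.history = []               # query sets (frozensets of rowids) already answered
        self.n = conn.execute("SELECT COUNT(*) FROM person").fetchone()[0]

    @staticmethod
    def _where(constraints):
        # Conditions are equality constraints on known columns, bound as
        # parameters, so the user never supplies raw SQL text.
        for col in constraints:
            if col not in COLUMNS:
                raise ValueError(f"unknown column {col}")
        if not constraints:
            return "1=1", ()
        return " AND ".join(f"{c} = ?" for c in constraints), tuple(constraints.values())

    def query(self, func, column, constraints):
        func = func.upper()
        if func not in ALLOWED_FUNCS:
            raise PermissionError("only statistical aggregate functions are permitted")
        if not (column == "*" and func == "COUNT") and column not in NUMERIC:
            raise PermissionError(f"aggregates over {column} are not permitted")
        clause, params = self._where(constraints)
        ids = frozenset(r[0] for r in self.conn.execute(
            f"SELECT rowid FROM person WHERE {clause}", params))
        # Query-set size control: tiny populations (and their complements) identify individuals.
        if len(ids) < self.k or len(ids) > self.n - self.k:
            raise PermissionError(
                f"population size {len(ids)} outside [{self.k}, {self.n - self.k}]")
        # Overlap control: queries on nearly the same population can be differenced.
        for old in self.history:
            if len(ids & old) > self.max_overlap:
                raise PermissionError("population overlaps an earlier query too much")
        self.history.append(ids)
        return self.conn.execute(
            f"SELECT {func}({column}) FROM person WHERE {clause}", params).fetchone()[0]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person(name TEXT, dept TEXT, income INTEGER)")
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", ROWS)
    guard = StatisticalGuard(conn, k=3, max_overlap=2)
    results = {}
    requests = [
        ("sales_avg", ("AVG", "income", {"dept": "Sales"})),  # 4 tuples: answered
        ("hr_sum", ("SUM", "income", {"dept": "HR"})),        # 1 tuple: rejected
        ("sales_sum", ("SUM", "income", {"dept": "Sales"})),  # same 4 tuples again: rejected
        ("ann_income", ("SUM", "income", {"name": "Ann"})),   # 1 tuple: rejected
        ("it_count", ("COUNT", "*", {"dept": "IT"})),         # 3 tuples, no overlap: answered
    ]
    for label, (func, column, constraints) in requests:
        try:
            results[label] = guard.query(func, column, constraints)
        except PermissionError as exc:
            results[label] = f"rejected: {exc}"
    return results
```

Overlap control at this strictness refuses even a legitimate second aggregate over the same department; that loss of utility is the trade-off the slide's last bullet refers to, and it is why production systems tend to combine a looser threshold with output perturbation instead.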

82
Outline (2/2)
  • Mandatory Access Control and Role-Based Access
    Control for Multilevel Security
  • Comparing Discretionary Access Control and
    Mandatory Access Control
  • Role-Based Access Control
  • Access Control Policies for E-Commerce and the
    Web
  • Statistical Database Security
  • Flow Control
  • Covert Channels
  • Encryption and Public Key Infrastructures
  • The Data and Advanced Encryption Standards
  • Public Key Encryption
  • Digital Signatures

83
Flow Control
  • Flow control regulates the distribution or flow
    of information among accessible objects
  • A flow between object X and object Y occurs when
    a program reads values from X and writes values
    into Y
  • Flow controls check that information contained in
    some objects does not flow explicitly or
    implicitly into less protected objects
  • A flow policy specifies the channels along which
    information is allowed to move
  • The simplest flow policy specifies just two
    classes of information
  • confidential (C) and non-confidential (N)
  • and allows all flows except those from class C to
    class N
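Added example (not from the slides): a Python checker for the two-class flow policy described above, N below C with every flow allowed except C to N. It checks explicit flows (reading C objects and writing an N object) and implicit flows (writing an N object inside a branch whose condition depends on a C object), which is where the slide's phrase "explicitly or implicitly" matters. The object labels and the tiny program are constructed for the example.

```python
# The simplest two-class flow policy: N (non-confidential) is below
# C (confidential); every flow is allowed except C -> N.
LEVEL = {"N": 0, "C": 1}

def join(a, b):
    """Least upper bound of two labels in the N < C ordering."""
    return a if LEVEL[a] >= LEVEL[b] else b

def check_flows(labels, program, pc="N", path=""):
    """Return the policy violations in a small program given as nested tuples.
    A value may flow into object y only if label(y) dominates the join of the
    source labels and of the program-counter label pc, which carries the labels
    of the conditions the statement is nested under (implicit flows)."""
    violations = []
    for i, stmt in enumerate(program):
        if stmt[0] == "assign":            # ("assign", dst, [src, ...])
            _, dst, srcs = stmt
            src_label = pc
            for s in srcs:
                src_label = join(src_label, labels[s])
            if LEVEL[labels[dst]] < LEVEL[src_label]:
                violations.append(
                    f"stmt {path}{i}: {src_label} data flows into {dst} ({labels[dst]})")
        elif stmt[0] == "if":              # ("if", [cond_src, ...], [body statements])
            _, cond_srcs, body = stmt
            new_pc = pc
            for s in cond_srcs:
                new_pc = join(new_pc, labels[s])
            violations.extend(check_flows(labels, body, new_pc, f"{path}{i}."))
        else:
            raise ValueError(f"unknown statement kind {stmt[0]}")
    return violations

def demo():
    # Constructed objects and program; not from the slides.
    labels = {"salary": "C", "bonus": "C", "total_comp": "C",
              "public_report": "N", "counter": "N"}
    program = [
        ("assign", "total_comp", ["salary", "bonus"]),    # C -> C: allowed
        ("assign", "public_report", ["counter"]),         # N -> N: allowed
        ("assign", "public_report", ["salary"]),          # explicit C -> N: violation
        ("if", ["salary"], [("assign", "counter", [])]),  # implicit C -> N via the branch: violation
    ]
    return check_flows(labels, program)
```

The fourth statement writes a constant, yet it is still flagged: whether the write happens depends on a confidential value, so an observer of the non-confidential counter learns something about the salary. That implicit channel is what a check on explicit reads and writes alone would miss.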

84
Covert Channels(1/2)
  • A covert channel allows a transfer of information
    that violates the security policy
  • A covert channel allows information to pass from
    a higher classification level to a lower
    classification level through improper means

85
Covert Channels(2/2)
  • Covert channels can be classified into two broad
    categories
  • Storage channels do not require any temporal
    synchronization, in that information is conveyed
    by accessing system information or what is
    otherwise inaccessible to the user
  • Timing channels allow information to be
    conveyed by the timing of events or processes
  • Some security experts believe that one way to
    avoid covert channels is for programmers to not
    actually gain access to sensitive data that a
    program is supposed to process after the program
    has been put into operation

86
Outline (2/2)
  • Mandatory Access Control and Role-Based Access
    Control for Multilevel Security
  • Comparing Discretionary Access Control and
    Mandatory Access Control
  • Role-Based Access Control
  • Access Control Policies for E-Commerce and the
    Web
  • Statistical Database Security
  • Flow Control
  • Covert Channels
  • Encryption and Public Key Infrastructures
  • The Data and Advanced Encryption Standards
  • Public Key Encryption
  • Digital Signatures

87
Encryption and Public Key Infrastructures
  • Encryption is a means of maintaining secure data
    in an insecure environment
  • Encryption consists of applying an encryption
    algorithm to data using some pre-specified
    encryption key
  • The resulting data has to be decrypted using a
    decryption key to recover the original data

88
The Data and Advanced Encryption Standards(1/3)
  • The Data Encryption Standard (DES) is a system
    developed by the U.S. government in 1976 for use
    by the general public
  • It has been widely accepted as a cryptographic
    standard both in the United States and abroad
  • DES can provide end-to-end encryption on the
    channel between the sender A and receiver B

89
The Data and Advanced Encryption Standards(2/3)
  • The DES algorithm is a careful and complex
    combination of two of the fundamental building
    blocks of encryption
  • substitution and permutation (transposition)
  • The DES algorithm derives its strength from
    repeated application of these two techniques for
    a total of 16 cycles
  • Plaintext (the original form of the message) is
    encrypted as blocks of 64 bits
  • The key is also 64 bits long, but only 56 of
    these bits are actually used by the algorithm

90
The Data and Advanced Encryption Standards(3/3)
  • After questioning the adequacy of DES, the
    National Institute of Standards and Technology
    (NIST) introduced the Advanced Encryption
    Standard (AES)
  • This algorithm has a block size of 128 bits and
    thus takes longer to crack
  • AES-192 and AES-256
  • Key sizes of 192 and 256 bits respectively

91
Outline (2/2)
  • Mandatory Access Control and Role-Based Access
    Control for Multilevel Security
  • Comparing Discretionary Access Control and
    Mandatory Access Control
  • Role-Based Access Control
  • Access Control Policies for E-Commerce and the
    Web
  • Statistical Database Security
  • Flow Control
  • Covert Channels
  • Encryption and Public Key Infrastructures
  • The Data and Advanced Encryption Standards
  • Public Key Encryption
  • Digital Signatures

92
Public Key Encryption(1/8)
  • In 1976, Diffie and Hellman proposed a new kind of
    cryptosystem, which they called public key
    encryption
  • Public key algorithms are based on mathematical
    functions rather than operations on bit patterns
  • They involve the use of two separate keys
  • Conventional encryption uses only one key
  • The use of two keys can have profound
    consequences in the areas of confidentiality, key
    distribution, and authentication

93
Public Key Encryption(2/8)
  • The two keys used for public key encryption are
    referred to as the public key and the private key
  • The private key is kept secret, but it is
    referred to as a private key rather than a secret
    key (to avoid confusion with conventional
    encryption)
  • The public key of the pair is made public for
    others to use

94
Public Key Encryption(3/8)
  • A public key encryption scheme, or
    infrastructure, has six ingredients
  • 1. Plaintext: this is the data or readable
    message that is fed into the algorithm as input
  • 2. Encryption algorithm: the encryption algorithm
    performs various transformations on the plaintext
  • 3 and 4. Public and private keys: these are a pair
    of keys that have been selected so that if one is
    used for encryption, the other is used for
    decryption
  • The exact transformations performed by the
    encryption algorithm depend on the public or
    private key that is provided as input

95
Public Key Encryption(4/8)
  • 5. Ciphertext
  • This is the scrambled message produced as
    output. It depends on the plaintext and the key
  • For a given message, two different keys will
    produce two different ciphertexts
  • 6. Decryption algorithm
  • This algorithm accepts the ciphertext and the
    matching key and produces the original plaintext

96
Public Key Encryption(5/8)
  • The public key is made public and the private key
    is known only to its owner
  • A general-purpose public key cryptographic
    algorithm relies on
  • one key for encryption and
  • a different but related key for decryption

97
Public Key Encryption(6/8)
  • The essential steps are as follows
  • Each user generates a pair of keys to be used for
    the encryption and decryption of messages
  • Each user places one of the two keys in a public
    register or other accessible file. This is the
    public key. The companion key is kept private
    (private key)
  • If a sender wishes to send a private message to
    a receiver, the sender encrypts the message using
    the receiver's public key
  • When the receiver receives the message, he or she
    decrypts it using the receiver's private key
  • No other recipient can decrypt the message
    because only the receiver knows his or her
    private key

98
Public Key Encryption(7/8)
  • The RSA Public Key Encryption algorithm, one of
    the first public key schemes, was introduced in
    1978 by Ron Rivest (R), Adi Shamir (S), and Len
    Adleman (A) at MIT and is named after them
  • The RSA encryption algorithm incorporates results
    from number theory, such as the difficulty of
    determining the large prime factors of a large
    number
  • The RSA algorithm also operates with modular
    arithmetic mod n, where n is the product of two
    large prime numbers

99
Public Key Encryption(8/8)
  • Two keys, d and e, are used for decryption and
    encryption
  • An important property is that d and e can be
    interchanged
  • n is chosen as a large integer that is a product
    of two large distinct prime numbers, a and b
  • The encryption key e is a randomly chosen number
    between 1 and n that is relatively prime to
    (a-1) × (b-1)
  • The plaintext block P is encrypted as P^e mod n
  • Because the exponentiation is performed mod n,
    factoring P^e to uncover the encrypted plaintext
    is difficult
  • However, the decryption key d is carefully chosen
    so that (P^e)^d mod n = P
  • The decryption key d can be computed from the
    condition that d × e ≡ 1 (mod (a-1) × (b-1))
  • Thus, the legitimate receiver who knows d simply
    computes (P^e)^d mod n = P and recovers P
    without having to factor P^e

100
Digital Signatures
  • A digital signature is an example of using
    encryption techniques to provide authentication
    services in e-commerce applications
  • A digital signature is a means of associating a
    mark unique to an individual with a body of text
  • The mark should be unforgeable, meaning that
    others should be able to check that the signature
    does come from the originator
  • A digital signature consists of a string of
    symbols
  • The signature must be different for each use
  • This can be achieved by making each digital
    signature a function of the message that it is
    signing, together with a time stamp
  • Public key techniques are the means of creating
    digital signatures
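Added example (not from the slides): toy RSA in Python that follows the notation of slide 99 (primes a and b, n = a × b, e relatively prime to (a-1) × (b-1), d computed from d × e ≡ 1 mod (a-1) × (b-1)) and then uses the interchangeability of d and e to build the digital signature of slide 100, making the signature a function of the message together with a time stamp. The primes, the message and the time stamp are constructed; the primes are far too small for real use, and the bare hash reduction stands in for a proper signature padding scheme.

```python
import hashlib

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(e, m):
    """Inverse of e modulo m; fails unless e is relatively prime to m."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e is not relatively prime to the modulus")
    return x % m

def rsa_keygen(a, b, e):
    """Keys from two distinct primes a and b and a public exponent e.
    Real keys use primes of roughly 1024 bits or more; these are toys."""
    n = a * b
    phi = (a - 1) * (b - 1)
    d = modinv(e, phi)           # d * e = 1 (mod (a-1)(b-1))
    return (e, n), (d, n)        # (public key, private key)

def encrypt(P, pub):
    e, n = pub
    return pow(P, e, n)          # C = P^e mod n

def decrypt(C, priv):
    d, n = priv
    return pow(C, d, n)          # (P^e)^d mod n = P

def _digest(message, timestamp, n):
    # Hash of time stamp plus message, reduced into Z_n: the same message
    # signed at two different times yields two different signatures.
    h = hashlib.sha256(f"{timestamp}|{message}".encode()).digest()
    return int.from_bytes(h, "big") % n

def sign(message, timestamp, priv):
    d, n = priv
    return pow(_digest(message, timestamp, n), d, n)   # d and e interchanged: d applied first

def verify(message, timestamp, sig, pub):
    e, n = pub
    return pow(sig, e, n) == _digest(message, timestamp, n)

def demo():
    # 999983 and 1000003 are primes; constructed toy key, not a real one.
    pub, priv = rsa_keygen(999983, 1000003, 65537)
    P = 424242
    C = encrypt(P, pub)
    msg, ts = "transfer 100 to account 42", "2010-11-01T10:00:00Z"
    s = sign(msg, ts, priv)
    return {
        "roundtrip": decrypt(C, priv) == P,
        "valid": verify(msg, ts, s, pub),
        "tampered_message": verify("transfer 900 to account 42", ts, s, pub),
        "replayed_timestamp": verify(msg, "2010-11-02T10:00:00Z", s, pub),
    }
```

The verifier needs only the public key, which is what makes the mark checkable by others yet producible only by the holder of d; binding the time stamp into the digest is what makes a captured signature useless for a later replay of the same message.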

101
Outline (3/3)
  • Privacy Issues and Preservation
  • Database Survivability
  • Oracles EnterpriseOne DB Security Features
  • Summary
  • References

102
Privacy Issues and Preservation (1/2)
  • Privacy preservation is a growing issue for
    database security and privacy experts
  • Privacy concerns should limit large-scale data
    mining and analysis
  • Violating only a single repository's data
    security could expose all data
  • Common techniques to address this issue
  • Avoid building a mammoth central warehouse as a
    single repository of vital information
  • Intentionally modify or perturb data

103
Privacy Issues and Preservation (2/2)
  • Avoiding central warehouses and using distributed
    data mining algorithms minimizes the exchange of
    data needed to develop a globally valid model
  • Privacy preservation is complicated by its
    multidisciplinary nature and by the subjectivity
    in the interpretation of privacy, trust and so on

104
Database Survivability (1/3)
  • Database systems need to operate and continue
    their function, even with reduced capabilities,
    despite disruptive events such as warfare attacks
  • A DBMS should be able to do the following
  • Confinement: take immediate action to eliminate
    the attacker's access, and isolate and contain
    the problem from further spread
  • Damage assessment: determine the extent of the
    problem, including failed functions and corrupted
    data

105
Database Survivability (2/3)
  • Reconfiguration: reconfigure to allow operations
    to continue in a degraded mode while recovery
    proceeds
  • Repair: recover corrupted or lost data and repair
    or reinstall failed system functions to
    reestablish a normal level of operations
  • Fault treatment: to the extent possible, identify
    the weaknesses exploited in the attack and take
    steps to prevent a recurrence

106
Database Survivability (3/3)
  • Issues related to DB survivability have not been
    sufficiently investigated
  • Much more research needs to be devoted to
    techniques and methodologies that ensure database
    system survivability

107
Outline (3/3)
  • Privacy Issues and Preservation
  • Database Survivability
  • Oracles EnterpriseOne DB Security Features
  • Summary
  • References

108
Oracle's EnterpriseOne
  • Oracle's JD Edwards EnterpriseOne is
  • an integrated applications suite of comprehensive
    enterprise resource planning software
  • S/W that combines business value, standards-based
    technology, and deep industry experience into a
    business solution with a low total cost of
    ownership
  • offers a choice of databases, operating systems,
    and hardware so clients can build and expand their
    IT solution to meet business requirements
  • S/W that offers a set of modules to support a
    diverse set of business operations and rapid
    deployment

109
EnterpriseOne database security
  • No direct access to database by users
  • Database access through Proxy users
  • Security is handled by security middleware module
  • Supports multilevel security
  • Supports role based security
  • SQL access is limited only to DBA users

110
Multilevel of Security
  Security Levels/Types        Security Levels/Types
  Application                  Exclusive Application
  Action                       Exclusive/Inclusive Row
  Row (User, Group, Public)    External Calls
  Column                       Miscellaneous
  Processing Options           Solution Explorer
  Tab                          Portal
  Exit                         Data Browser
  Push Buttons                 Link
  Images                       Media Objects
  Additional Security          Additional Security
  Use version                  Address Book Data
  Business Unit security       Batch Approval
Figure 7 A multilevel security available in
EnterpriseOne
111
Roles Example
Figure 8 Roles Example
112
EnterpriseOne Auditing
  • Auditing is the monitoring and recording of
    selected user database actions
  • It provides the capability to select specific
    columns in a table for auditing
  • EnterpriseOne is configurable to
  • generate an audit record when table records are
    inserted, updated, or deleted
  • require an electronic signature approval when a
    user tries to change the data in an application
    or submit a report
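Added example (not EnterpriseOne's code or schema): SQLite triggers, driven from Python, that write an audit record only when a selected column (salary) is inserted, updated or deleted, and that attribute the change to the end user even though the application reaches the database through a single proxy account, as slide 109 describes. The table, the session-context mechanism and the user names are constructed for the example.

```python
import sqlite3

# Constructed schema. The application connects as one proxy DB account; the
# middleware records the real end user in session_ctx before each unit of work,
# and the triggers copy that identity into the audit trail.
SCHEMA = """
CREATE TABLE employee(id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
CREATE TABLE audit_log(
    seq INTEGER PRIMARY KEY, ts TEXT DEFAULT (datetime('now')),
    action TEXT, app_user TEXT, emp_id INTEGER, old_salary INTEGER, new_salary INTEGER);
CREATE TABLE session_ctx(app_user TEXT);
CREATE TRIGGER emp_ins AFTER INSERT ON employee BEGIN
  INSERT INTO audit_log(action, app_user, emp_id, new_salary)
  VALUES ('INSERT', (SELECT app_user FROM session_ctx), NEW.id, NEW.salary);
END;
-- Only the selected column is audited: an update that leaves salary alone is not logged.
CREATE TRIGGER emp_upd AFTER UPDATE OF salary ON employee BEGIN
  INSERT INTO audit_log(action, app_user, emp_id, old_salary, new_salary)
  VALUES ('UPDATE', (SELECT app_user FROM session_ctx), NEW.id, OLD.salary, NEW.salary);
END;
CREATE TRIGGER emp_del AFTER DELETE ON employee BEGIN
  INSERT INTO audit_log(action, app_user, emp_id, old_salary)
  VALUES ('DELETE', (SELECT app_user FROM session_ctx), OLD.id, OLD.salary);
END;
"""

def open_audited_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def run_as(conn, app_user, sql, params=()):
    """What the security middleware would do: stamp the end user, then run the
    statement through the proxy connection."""
    conn.execute("DELETE FROM session_ctx")
    conn.execute("INSERT INTO session_ctx VALUES (?)", (app_user,))
    conn.execute(sql, params)
    conn.commit()

def audit_trail(conn):
    return conn.execute(
        "SELECT action, app_user, emp_id, old_salary, new_salary "
        "FROM audit_log ORDER BY seq").fetchall()

def demo():
    conn = open_audited_db()
    run_as(conn, "alice", "INSERT INTO employee VALUES (1, 'Ann', 52000)")
    run_as(conn, "alice", "UPDATE employee SET name = 'Ann B.' WHERE id = 1")  # name is not audited
    run_as(conn, "bob", "UPDATE employee SET salary = 60000 WHERE id = 1")
    run_as(conn, "bob", "DELETE FROM employee WHERE id = 1")
    return audit_trail(conn)
```

Because the triggers run inside the database, an audit row is produced whichever application path made the change; the remaining gap is the DBA who can alter the trigger or the log itself, which is why slide 109 reserves direct SQL access to DBA users and why an audit log should be protected (or shipped off-box) separately.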

113
Summary
  • Database Security and Authorization
  • Discretionary Access Control
  • Mandatory Access Control and Role-Based Access
    Control for Multilevel Security
  • Statistical Database Security
  • Flow Control
  • Encryption and Public Key Infrastructures
  • Database Survivability and the need for further
    research

114
References
  • Ramez Elmasri and Shamkant B. Navathe,
    Fundamentals of Database Systems, Addison
    Wesley, 4th edition (July 23, 2003)
  • Stallings, W., Brown, L., Computer Security:
    Principles and Practice, Prentice Hall, NJ,
    2008.
  • Feikis, J., "Secure database management
    systems," Potentials, IEEE, vol. 18, no. 1,
    pp. 17-19, Feb/Mar 1999
  • Giuri, L., Iglio, P., "A role-based secure
    database design tool," Computer Security
    Applications Confere