
Lecture 10

Database Security and Administration

Copyright © 2007 Ramez Elmasri and Shamkant B. Navathe


Chapter Outline
- Database Security and Authorization
  - 1.1 Introduction to Database Security Issues
  - 1.2 Types of Security
  - 1.3 Database Security and DBA
  - 1.4 Access Protection, User Accounts, and Database Audits
- Discretionary Access Control Based on Granting and Revoking Privileges
- Mandatory Access Control and Role-Based Access Control for Multilevel Security
- Introduction to Statistical Database Security
- Introduction to Flow Control
- DBMSs and Web Security
Database Security
- Database Security: mechanisms that protect the database against intentional or accidental threats.
- Data is a valuable resource that must be strictly controlled and managed, as with any corporate resource.
- Part or all of the corporate data may have strategic importance and therefore needs to be kept secure and confidential.
- Security considerations do not only apply to the data held in a database.
- Breaches of security may affect other parts of the system, which may in turn affect the database.
Introduction to Database Security Issues
- Threats to databases:
  - Loss of integrity
  - Loss of availability
  - Loss of confidentiality
  - Theft and fraud
  - Loss of privacy
- To protect databases against these types of threats, four kinds of countermeasures can be implemented:
  - Access control
  - Inference control
  - Flow control
  - Encryption
Database Security Issues
[figure: slide illustrating database security issues; image not included in the text extract]

Summary of Threats to Computer Systems
[figure: summary of threats to computer systems; image not included in the text extract]


Introduction to Database Security Issues (2)
- A DBMS typically includes a database security and authorization subsystem that is responsible for ensuring the security of portions of a database against unauthorized access.
- Two types of database security mechanisms:
  - Discretionary security mechanisms
  - Mandatory security mechanisms



Introduction to Database Security Issues (3)
- The security mechanism of a DBMS must include provisions for restricting access to the database as a whole.
- This function is called access control and is handled by creating user accounts and passwords to control the login process by the DBMS.



Introduction to Database Security Issues (4)
- Another security problem associated with databases is that of controlling access to a statistical database, which is used to provide statistical information or summaries of values based on various criteria.
- The countermeasures to the statistical database security problem are called inference control measures.



Introduction to Database Security Issues (5)
- Another security issue is that of flow control, which prevents information from flowing in such a way that it reaches unauthorized users.
- Channels that are pathways for information to flow implicitly in ways that violate the security policy of an organization are called covert channels.



Introduction to Database Security Issues (6)
- A final security issue is data encryption, which is used to protect sensitive data (such as credit card numbers) that is being transmitted via some type of communication network.
- The data is encoded using some encoding algorithm.
- An unauthorized user who accesses encoded data will have difficulty deciphering it, but authorized users are given decoding or decrypting algorithms (or keys) to decipher the data.



1.2 Database Security and the DBA
- The database administrator (DBA) is the central authority for managing a database system.
- The DBA's responsibilities include:
  - granting privileges to users who need to use the system
  - classifying users and data in accordance with the policy of the organization
- The DBA is responsible for the overall security of the database system.



1.2 Database Security and the DBA (2)
- The DBA has a DBA account in the DBMS.
  - Sometimes these are called system or superuser accounts.
- These accounts provide powerful capabilities such as:
  1. Account creation
  2. Privilege granting
  3. Privilege revocation
  4. Security level assignment
- Action 1 is access control, whereas 2 and 3 are discretionary, and 4 is used to control mandatory authorization.



1.3 Access Protection, User Accounts, and Database Audits
- Whenever a person or group of persons needs to access a database system, the individual or group must first apply for a user account.
- The DBA will then create a new account id and password for the user if he/she deems there is a legitimate need to access the database.
- The user must log in to the DBMS by entering the account id and password whenever database access is needed.



1.3 Access Protection, User Accounts, and Database Audits (2)
- The database system must also keep track of all operations on the database that are applied by a certain user throughout each login session.
- To keep a record of all updates applied to the database and of the particular user who applied each update, we can modify the system log, which includes an entry for each operation applied to the database that may be required for recovery from a transaction failure or system crash.



1.3 Access Protection, User Accounts, and Database Audits (3)
- If any tampering with the database is suspected, a database audit is performed.
- A database audit consists of reviewing the log to examine all accesses and operations applied to the database during a certain time period.
- A database log that is used mainly for security purposes is sometimes called an audit trail.

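The last three slides describe extending the system log with the account that applied each update and then reviewing that log over a time window when tampering is suspected. The following is an added example of that scheme (my own code, not from the textbook or slides). It uses an in-memory SQLite database; the table, the account names and the timestamps are constructed for illustration, and the log is kept in an ordinary table rather than in the DBMS's internal recovery log:

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed example: an in-memory database whose "system log" is extended with
# the account that applied each operation, so that it can serve as an audit trail.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE account_balance (acct TEXT PRIMARY KEY, balance INTEGER);
INSERT INTO account_balance VALUES ('A-1', 100), ('A-2', 250);
CREATE TABLE audit_trail (
    ts      TEXT NOT NULL,   -- ISO-8601 timestamp of the operation
    account TEXT NOT NULL,   -- DBMS account that issued it
    op      TEXT NOT NULL,   -- the statement as executed
    params  TEXT NOT NULL    -- its bound parameters, kept for later review
);
""")

def execute_as(account, sql, params=(), when=None):
    """Apply an operation on behalf of `account` and record it in the audit trail."""
    ts = (when or datetime.now()).isoformat(timespec="seconds")
    with conn:  # one transaction: the update and its audit record commit (or roll back) together
        conn.execute(sql, params)
        conn.execute("INSERT INTO audit_trail VALUES (?, ?, ?, ?)",
                     (ts, account, sql.strip(), repr(params)))

def audit(start, end, account=None):
    """Database audit: review every operation in [start, end], optionally for one account."""
    sql = "SELECT ts, account, op, params FROM audit_trail WHERE ts BETWEEN ? AND ?"
    args = [start.isoformat(timespec="seconds"), end.isoformat(timespec="seconds")]
    if account is not None:
        sql += " AND account = ?"
        args.append(account)
    return conn.execute(sql + " ORDER BY ts").fetchall() if not args else \
        conn.execute(sql + " ORDER BY ts", args).fetchall()

# Constructed login-session history with fixed timestamps so the review is reproducible.
T0 = datetime(2024, 1, 15, 9, 0, 0)
execute_as("clerk1", "UPDATE account_balance SET balance = balance - 40 WHERE acct = ?",
           ("A-1",), T0)
execute_as("clerk2", "UPDATE account_balance SET balance = balance + 40 WHERE acct = ?",
           ("A-2",), T0 + timedelta(minutes=5))
execute_as("clerk1", "UPDATE account_balance SET balance = 9999 WHERE acct = ?",
           ("A-1",), T0 + timedelta(hours=3))

def suspicious_window():
    """Tampering with A-1 is suspected: review the afternoon window for clerk1 only."""
    return audit(T0 + timedelta(hours=2), T0 + timedelta(hours=4), account="clerk1")

def balance(acct):
    return conn.execute("SELECT balance FROM account_balance WHERE acct = ?", (acct,)).fetchone()[0]
```

Writing the audit record in the same transaction as the update matters: if the two were separate, a crash or a deliberate rollback between them would leave an update with no trace, or a trace of an update that never happened.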


Discretionary Access Control (DAC)
- A method of enforcing DAC in a database system is based on granting and revoking privileges.
- Supported by most DBMSs.
- The SQL standard supports DAC through the GRANT and REVOKE commands.
  - The GRANT command gives privileges to users.
  - The REVOKE command takes away privileges.
- DAC, while effective, has certain weaknesses:
  - an unauthorized user can trick an authorized user into disclosing sensitive data.
2.2 Specifying Privileges Using Views
- The mechanism of views is an important discretionary authorization mechanism in its own right.
- For example:
  - If the owner A of a relation R wants another account B to be able to retrieve only some fields of R, then A can create a view V of R that includes only those attributes and then grant SELECT on V to B.
  - The same applies to limiting B to retrieving only certain tuples of R; a view V' can be created by defining the view by means of a query that selects only those tuples from R that A wants to allow B to access.

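The two view-based authorizations above (a view V that hides columns, a view V' that hides tuples), as an added example that is not from the textbook or slides. The relation, accounts and data are constructed; SQLite has no GRANT/REVOKE, so the privilege table a real DBMS would maintain is modelled in Python and checked before any query runs:

```python
import sqlite3

# Constructed sample relation R = employee, owned by account A.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE employee (ssn TEXT PRIMARY KEY, name TEXT, salary INTEGER, dept INTEGER);
INSERT INTO employee VALUES ('111', 'Alice', 60000, 5),
                            ('222', 'Bob',   45000, 5),
                            ('333', 'Carol', 90000, 4);
-- View V: B may retrieve only some fields of R (the salary column is not exposed).
CREATE VIEW v_name_dept AS SELECT name, dept FROM employee;
-- View V': B may retrieve only certain tuples of R (department 5 only).
CREATE VIEW v_dept5 AS SELECT ssn, name, salary FROM employee WHERE dept = 5;
""")

# SQLite has no GRANT/REVOKE, so the privilege table is modelled here.
OBJECTS = {"employee", "v_name_dept", "v_dept5"}  # names the DBMS knows; nothing else is queryable
privileges = {}  # account -> {object name: set of privilege names}

def grant(privilege, obj, account):
    """Models: GRANT <privilege> ON <obj> TO <account>."""
    if obj not in OBJECTS:
        raise ValueError(f"unknown object {obj!r}")
    privileges.setdefault(account, {}).setdefault(obj, set()).add(privilege)

def revoke(privilege, obj, account):
    """Models: REVOKE <privilege> ON <obj> FROM <account>."""
    privileges.get(account, {}).get(obj, set()).discard(privilege)

def select_as(account, obj):
    """Run SELECT * on `obj` as `account`, enforcing the modelled privilege table."""
    if obj not in OBJECTS:
        # Whitelisting also keeps an arbitrary string out of the SQL text below.
        raise ValueError(f"unknown object {obj!r}")
    if "SELECT" not in privileges.get(account, {}).get(obj, set()):
        raise PermissionError(f"{account} has no SELECT privilege on {obj}")
    return conn.execute(f"SELECT * FROM {obj}").fetchall()

# Owner A grants B access through the views only, never on the base relation.
grant("SELECT", "v_name_dept", "B")
grant("SELECT", "v_dept5", "B")

def b_can_see(obj):
    """True if account B may currently retrieve from `obj`."""
    try:
        select_as("B", obj)
        return True
    except PermissionError:
        return False

def revoke_and_check():
    """A later REVOKE takes the tuple-restricted view away from B again."""
    revoke("SELECT", "v_dept5", "B")
    return b_can_see("v_dept5")
```

Because B never holds a privilege on `employee` itself, B cannot join the two views back together on the base relation to recover salaries by department; that is exactly the point of granting on views rather than on R.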


3 Mandatory Access Control (MAC)
- The DAC techniques of granting and revoking privileges on relations have traditionally been the main security mechanism for relational database systems.
- This is an all-or-nothing method:
  - A user either has or does not have a certain privilege.
- In many applications, an additional security policy is needed that classifies data and users based on security classes.
- This approach, known as MAC, would typically be combined with the DAC mechanisms.
- The SQL standard does not include support for MAC.
3 Mandatory Access Control (2)
- Typical security classes are top secret (TS), secret (S), confidential (C), and unclassified (U), where TS is the highest level and U the lowest: TS ≥ S ≥ C ≥ U.
- The commonly used model for multilevel security, known as the Bell-LaPadula model, classifies each subject (user, account, program) and object (relation, tuple, column, view, operation) into one of the security classifications TS, S, C, or U:
  - We refer to the clearance (classification) of a subject S as class(S) and to the classification of an object O as class(O).



3 Mandatory Access Control (3)
- Two restrictions are enforced on data access based on the subject/object classifications:
  - Simple security property: A subject S is not allowed read access to an object O unless class(S) ≥ class(O).
  - Star property (or * property): A subject S is not allowed to write an object O unless class(S) ≤ class(O).

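The two Bell-LaPadula properties above, as an added example (my own code, not from the textbook or slides). The four classes and their order are the ones on the slide; the subjects, objects and their assigned classes are constructed for illustration:

```python
from enum import IntEnum

class Level(IntEnum):
    """Security classes ordered TS >= S >= C >= U; a larger value is more sensitive."""
    U = 0   # unclassified
    C = 1   # confidential
    S = 2   # secret
    TS = 3  # top secret

# Constructed subjects (accounts with a clearance) and objects (relations) with a classification.
subjects = {"analyst": Level.S, "intern": Level.U, "director": Level.TS}
objects = {"payroll": Level.C, "merger_plan": Level.TS,
           "public_stats": Level.U, "audit_log": Level.S}

def can_read(subject, obj):
    """Simple security property: read only if class(S) >= class(O) ("no read up")."""
    return subjects[subject] >= objects[obj]

def can_write(subject, obj):
    """Star property: write only if class(S) <= class(O) ("no write down")."""
    return subjects[subject] <= objects[obj]

def check_access(subject, obj, mode):
    """The mandatory check a DBMS would apply in addition to any discretionary privilege."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown access mode {mode!r}")

def allowed_matrix(subject):
    """Every (object, mode) pair a subject may access; handy when reviewing a clearance."""
    return sorted((o, m) for o in objects for m in ("read", "write")
                  if check_access(subject, o, m))
```

Note what the star property implies: an unclassified subject may write into a top-secret object (a "blind write"), because that never moves information downward, while a secret analyst cannot write into a confidential object even though they can read it. A DBMS combining MAC with DAC would apply these checks first and only then consult the GRANT table.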


3.1 Comparing Discretionary Access Control and Mandatory Access Control
- Discretionary Access Control (DAC) policies are characterized by a high degree of flexibility, which makes them suitable for a large variety of application domains.
- The main drawback of DAC models is their vulnerability to malicious attacks, such as Trojan horses embedded in application programs.



3.1 Comparing Discretionary Access Control and Mandatory Access Control (2)
- By contrast, mandatory policies ensure a high degree of protection; in a way, they prevent any illegal flow of information.
- Mandatory policies have the drawback of being too rigid, and they are only applicable in limited environments.
- In many practical situations, discretionary policies are preferred because they offer a better trade-off between security and applicability.



4 Introduction to Statistical Database Security
- Statistical databases are used mainly to produce statistics on various populations.
- The database may contain confidential data on individuals, which should be protected from user access.
- Users are permitted to retrieve statistical information on the populations, such as averages, sums, counts, maximums, minimums, and standard deviations.



4 Introduction to Statistical Database Security (2)
- A population is a set of tuples of a relation (table) that satisfy some selection condition.
- Statistical queries involve applying statistical functions to a population of tuples.



4 Introduction to Statistical Database Security (3)
- For example, we may want to retrieve the number of individuals in a population or the average income in the population.
- However, statistical users are not allowed to retrieve individual data, such as the income of a specific person.
- Statistical database security techniques must prohibit the retrieval of individual data.
- This can be achieved by prohibiting queries that retrieve attribute values and by allowing only queries that involve statistical aggregate functions such as COUNT, SUM, MIN, MAX, AVERAGE, and STANDARD DEVIATION.
- Such queries are sometimes called statistical queries.



4 Introduction to Statistical Database Security (4)
- It is the DBMS's responsibility to ensure the confidentiality of information about individuals, while still providing useful statistical summaries of data about those individuals to users.
- Provision of privacy protection of users in a statistical database is paramount.
- In some cases it is possible to infer the values of individual tuples from a sequence of statistical queries.
- This is particularly true when the conditions result in a population consisting of a small number of tuples.

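The statistical-query interface described on the last four slides, as an added example (my own code, not from the textbook or slides). It allows only aggregate functions, restricts the selection conditions to whitelisted attributes, and refuses to answer when the selected population is smaller than a minimum size K. It also refuses populations whose complement would be that small, since the difference between a whole-table statistic and an almost-whole-table statistic isolates the few missing individuals just as well. The table, people and threshold are constructed:

```python
import sqlite3

# Constructed statistical database of individuals; incomes are confidential.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE person (name TEXT, dept TEXT, city TEXT, income INTEGER);
INSERT INTO person VALUES
  ('Ann', 'sales', 'Leeds', 52000), ('Ben', 'sales', 'Leeds', 48000),
  ('Cy',  'sales', 'York',  61000), ('Dee', 'eng',   'Leeds', 70000),
  ('Eli', 'eng',   'York',  75000), ('Fay', 'eng',   'York',  68000),
  ('Gus', 'hr',    'Leeds', 44000);
""")

ALLOWED_FUNCS = {"COUNT", "SUM", "AVG", "MIN", "MAX"}  # aggregates only, never raw attribute values
ALLOWED_COLUMNS = {"dept", "city"}                     # attributes users may select populations on
K = 3                                                  # minimum population size (constructed value)

def _where(conditions):
    """Build a parameterised WHERE clause from {column: value}; column names are whitelisted."""
    bad = set(conditions) - ALLOWED_COLUMNS
    if bad:
        raise ValueError(f"selecting on {sorted(bad)} is not permitted")
    if not conditions:
        return "", ()
    clause = " AND ".join(f"{col} = ?" for col in conditions)
    return f" WHERE {clause}", tuple(conditions.values())

def population_size(conditions):
    where, params = _where(conditions)
    return conn.execute(f"SELECT COUNT(*) FROM person{where}", params).fetchone()[0]

def statistical_query(func, conditions):
    """Answer an aggregate over the selected population, or refuse it (inference control)."""
    func = func.upper()
    if func not in ALLOWED_FUNCS:
        raise ValueError(f"{func} is not a permitted statistical aggregate")
    total = population_size({})
    n = population_size(conditions)
    # Whole-table statistics are fine; anything else must leave at least K in and K out.
    if n != total and (n < K or n > total - K):
        raise PermissionError(f"population of size {n} is too small to release a statistic")
    where, params = _where(conditions)
    return conn.execute(f"SELECT {func}(income) FROM person{where}", params).fetchone()[0]

def released(func, conditions):
    """True if the DBMS answers this query, False if inference control refuses it."""
    try:
        statistical_query(func, conditions)
        return True
    except PermissionError:
        return False
```

A population of one (for example `{"dept": "hr"}`, or `{"dept": "sales", "city": "York"}` once two conditions are combined) is refused, so a SUM or MAX over it cannot reveal that one person's income. The size threshold alone is not a complete defence against sequences of overlapping queries, which is why the slides call this an area where the DBMS must apply inference control rather than a single rule.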


5 Introduction to Flow Control
- Flow control regulates the distribution or flow of information among accessible objects.
- A flow between object X and object Y occurs when a program reads values from X and writes values into Y.
- Flow controls check that information contained in some objects does not flow explicitly or implicitly into less protected objects.
- A flow policy specifies the channels along which information is allowed to move.
- The simplest flow policy specifies just two classes of information:
  - confidential (C) and nonconfidential (N)
  - and allows all flows except those from class C to class N.

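The two-class flow policy above (C and N, every flow allowed except C to N), as an added example that is not from the textbook or slides. The monitor tracks the class of each object a program touches; a flow X to Y happens on every assignment that reads X and writes Y, and the slide's "implicit" flows are caught by remembering the class of any condition the program is currently branching on. The variable names and program fragments are constructed:

```python
from enum import IntEnum

class Cls(IntEnum):
    N = 0  # nonconfidential
    C = 1  # confidential

class FlowMonitor:
    """Tracks the class of each object and rejects flows from C into N objects,
    including implicit flows through branches whose condition depends on C data."""

    def __init__(self, labels):
        self.labels = dict(labels)   # object name -> Cls
        self.pc = [Cls.N]            # classes of the conditions currently branched on

    def assign(self, dst, *srcs):
        """A flow from every src object (and from the branch context) into dst."""
        flow_cls = max([self.pc[-1], *(self.labels[s] for s in srcs)])
        if flow_cls > self.labels[dst]:
            raise PermissionError(
                f"flow of {flow_cls.name} data into {dst} ({self.labels[dst].name}) denied")

    def branch_on(self, name):
        """Enter a conditional whose condition reads `name`."""
        self.pc.append(max(self.pc[-1], self.labels[name]))

    def end_branch(self):
        self.pc.pop()

def explicit_flow():
    """report = salary   -- a direct C -> N flow."""
    m = FlowMonitor({"salary": Cls.C, "report": Cls.N, "total": Cls.C})
    m.assign("total", "salary")        # C -> C: allowed
    try:
        m.assign("report", "salary")   # C -> N: denied
        return "allowed"
    except PermissionError:
        return "denied"

def implicit_flow():
    """if salary > 50000: flag = 1   -- flag never reads salary, yet learns about it."""
    m = FlowMonitor({"salary": Cls.C, "flag": Cls.N})
    m.branch_on("salary")
    try:
        m.assign("flag")               # constant written inside a confidential branch
        return "allowed"
    except PermissionError:
        return "denied"
    finally:
        m.end_branch()

def permitted_program():
    """N -> N and (C, N) -> C flows are all within the policy."""
    m = FlowMonitor({"count": Cls.N, "summary": Cls.N, "secret": Cls.C, "vault": Cls.C})
    m.assign("summary", "count")
    m.assign("vault", "secret", "count")   # mixing N data into a C object is an upgrade, not a leak
    return "allowed"
```

The implicit case is the one worth remembering: `flag` is never assigned from `salary`, so a check that only looks at what each assignment reads would miss it. Tracking the class of the enclosing condition is what turns "does not flow explicitly or implicitly" on the slide into something a monitor can enforce.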


6.3 Digital Signatures
- A digital signature is an example of using encryption techniques to provide authentication services in e-commerce applications.
- A digital signature is a means of associating a mark unique to an individual with a body of text.
- The mark should be unforgeable, meaning that others should be able to check that the signature does come from the originator.
- A digital signature consists of a string of symbols.
- The signature must be different for each use.
  - This can be achieved by making each digital signature a function of the message that it is signing, together with a time stamp.
- Public key techniques are the means of creating digital signatures.

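A signature that is a function of the message together with a time stamp, created with a private key and checked with the matching public key, as an added example (my own code, not from the textbook or slides). It uses textbook RSA with a SHA-256 digest and no padding scheme, which is enough to show the mechanism but is not how a production system should sign; the modulus is built from two well-known Mersenne primes, so the key is illustrative and not secret:

```python
import hashlib
import time
from math import gcd

# Textbook RSA, for illustration only: real systems use a vetted library and a padded
# signature scheme. The primes are public Mersenne primes, so this key protects nothing.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)        # private exponent (modular inverse; Python 3.8+)
PUBLIC_KEY = (N, E)        # anyone may hold this and check signatures
PRIVATE_KEY = (N, D)       # only the originator holds this

def digest(message: bytes, timestamp: int) -> int:
    """Hash the message together with its time stamp, reduced into the RSA modulus,
    so that the same text signed at a different time yields a different mark."""
    h = hashlib.sha256(message + b"|" + str(timestamp).encode()).digest()
    return int.from_bytes(h, "big") % N

def sign(private_key, message: bytes, timestamp=None):
    """Return (timestamp, signature): the originator's mark over message-plus-time."""
    n, d = private_key
    if timestamp is None:
        timestamp = int(time.time())
    return timestamp, pow(digest(message, timestamp), d, n)

def verify(public_key, message: bytes, timestamp: int, signature: int) -> bool:
    """Anyone with the public key can check that the mark came from the originator
    and that neither the message nor the time stamp has been altered."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, timestamp)

def demo():
    """Sign a constructed message twice at different times; both verify, marks differ."""
    msg = b"transfer 100 to account 42"
    t1, s1 = sign(PRIVATE_KEY, msg, 1700000000)
    t2, s2 = sign(PRIVATE_KEY, msg, 1700000001)
    return verify(PUBLIC_KEY, msg, t1, s1), verify(PUBLIC_KEY, msg, t2, s2), s1 != s2
```

The time stamp is signed along with the message, so a receiver can both check the originator and reject a signature presented again with a different time; changing a single byte of the message changes the digest and the check fails.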


7 DBMSs and Web Security
- Internet communication relies on TCP/IP as the underlying protocol.
- However, TCP/IP and HTTP were not designed with security in mind.
- Without special software, all Internet traffic travels 'in the clear' and anyone who monitors traffic can read it.



7 DBMSs and Web Security (2)
- While transmitting information over the Internet, we must ensure that:
  - it is inaccessible to anyone but sender and receiver (privacy);
  - it is not changed during transmission (integrity);
  - the receiver can be sure it came from the sender (authenticity);
  - the sender can be sure the receiver is genuine (non-fabrication);
  - the sender cannot deny he or she sent it (non-repudiation).



7 DBMSs and Web Security (3)
[figure: slide diagram on DBMSs and web security; image not included in the text extract]

7 DBMSs and Web Security (3)
- Measures include:
  - Proxy servers
  - Firewalls
  - Message digest algorithms and digital signatures
  - Digital certificates
  - Kerberos
  - Secure Sockets Layer (SSL) and Secure HTTP (S-HTTP)
  - Secure Electronic Transactions (SET) and Secure Transaction Technology (SST)
  - Java security
  - ActiveX security
How Secure Electronic Transactions (SET) Works
[figure: SET transaction flow diagram; image not included in the text extract]
Summary
- 1 Database Security and Authorization
- 2 Discretionary Access Control
- 3 Mandatory Access Control and Role-Based Access Control for Multilevel Security
- 4 Statistical Database Security
- 5 Flow Control
- 6 Encryption and Public Key Infrastructures
