See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/340680715

Security of Relational Database Management System: Threats and Security

Techniques

Article · December 2018

CITATIONS READS

0 3,002

1 author:

Aurang Zeb
Government College University Faisalabad
1 PUBLICATION 0 CITATIONS

SEE PROFILE

All content following this page was uploaded by Aurang Zeb on 16 April 2020.

The user has requested enhancement of the downloaded file.

 Security of Relational Database Management System:
Threats and Security Techniques
Aurang Zeb
Department of Software Engineering
Govt. College University Faisalabad
Abstract
The field of the database has a history
longer than 30 years in which the concept
of a relational database developed and
became the most fundamental strategy of
organizations. With the evolution of
technology more advanced systems were
developed that directly affect the economy
in the recent era.
Organizations make sure the security and
confidentiality of their important data.
Therefore they implement the applications
and systems that provide the services,
functions and tools for data management
and maintenance at the same time named
Relational Database Management System
(RDBMS). Such functions consist of
services and privileges for authorization to
keep the legal users (authorized) to use the
database. The database must be secured.
RDBMS means relational database
management systems that are developed
using the model of scientist Codd at IBM
lab.
Database protection refers to preventing
unauthorized users from accessing the
database and its core information whether
accidental or intentional [4]. Therefore all
the organizations are paying special
attention to possible threats as steps to
database systems. This paper addresses the
possible threats to relational database and
prevention techniques including the
situations: threats, prevention strategies
(computer-based controls) and database
security techniques.
Introduction
As known in the recent few years,
hardware ability and capacity of volumes,
the growing use of information systems
World Wide Web platforms have forced to
use the relational database systems as
basic infrastructure to the data repository.
A large amount of information and data
has become a core concern of security
challenges because the information
management is not centralized.
CIA security triangle that mentions the
availability, confidentiality and integrity
commonly is the basic concept of
relational database security. The
application process must contain these
processes to assure the security and safety
of data.
Fraud and theft have an impact on the
database environment and hence affect the
whole corporation. It doesn’t make
changes to the data itself, but it may
compromise the integrity and privacy of
data. Confidentiality means to keep the
data secret; usually, this is the only critical
task for an organization. Violations of
security measures result in loss of
confidentiality may lead to
competitiveness and privacy loss. Integrity
failure means the data is modified and
corrupt. Most organizations are achieving
the 24/7 availability (7 days a week, 24
hours in a day). Availability loss means
the data, or system, or both cannot be
accessed. Therefore relational database
management system aims to minimize the
losses that are caused by anticipated events
or threats. Threat is an event or situation that
may negatively affect a system, and hence the
whole organization. Organizations must invest
time and effort to identify and detect the most
serious threat [1, 8, 9].
Millions of online activities are performed via
untrusted Internet connections like electronic
banking and electronic commerce. Those types
of transactions place kind of exposing
information and sensitive assets [2]. This is a
big challenge for service providers to trust of
users. Therefore a strong protection is
mandatory for data containers such an
RDBMS. Not all type of data needs strong
protection, but the most private and critical
data of users and funds transactions.
Organizations may specify the nature of data
needs encryption with a high level of security
like defense ministry [8, 9].
This paper shows some important redresses
that are computer-control nature such as
access control, authorization, encryption, and
recovery and backup. It must be taken into
account the encryption technique needs high
performance of the system because it will
require the decrypting of those data.
Therefore, the programmer must make sure to
use optimized security algorithms to code the
application.
1. What are Attacks?
The rapid trend of violations of security
measures urged the SME organizations to
adopt advanced security measures like the
CIA triangle (Confidentiality, Integrity,
Availability). However, it requires
maturity due to multiple types of attacks
either indirect or direct.
The unorganized user can have legal
authorization to use public information of
the database but he may expose the
classified information. There are three
different attack levels to the relational
database: indirect, direct and by tracking.
The direct attack is clear. The attacking
person can easily enter into your system if
it doesn’t use any prevention mechanism.
An indirect attack is implemented by
guessing the desired authorization from
given query combinations. The tracking
attack is performed by suppression of
influential results [3].
RDBMS security threats can be
summarized as:
The DBA could be granted the
unnecessary user privileges. Abusive use
of these privileges may lead to indirect
access to the application.
The user has been granted the legal
privileges to use the database. He/She may
utilize the system with abusively with bad
intentions.
One of the most critical threats is the
accountability of the operating system or
software. This facilitates the attacker to
violate the sensitive information as indirect
access.
1.1. Mechanisms of Attack Control [3]
 Rejection without providing any
response statement when a user or
attacker accesses the database to show
the results of core data.
 The inability of the attacker to expect
the real values or information because
the system will show the responsive
statements close to real sensitive data.
 When the core data will be identified,
the system should place limits to resist
the intruder to reveal data.
 Different result combinations will
confuse the attack about revealing
sensitive information.
2. Security Measures (Computer-based
Control)
These kinds of security measures range
from physical access to administrative
strategies. It can be categorized into
different types of controls as [1]:
 Authorization
 Access Levels
 Views
 Integrity
 Backup Process
Authorization is providing the rights or
access privileges to a legitimate program
or user to have legal access to the system’s
objects or system. It includes the subject
authentication by requesting object access.
The administrator normally creates the
access accounts with particular usage
privileges taking into count the security
level of the respective user.
Access Controls into RDBMS can
disallow/allow the user/program to get
access of the system. Relational Database
Management System saves track of
privileges process.
Views are results or effects of extensible
operations were being performed on the
main database management system. It is
the structure of dynamic security
processes, in which it displays the specific
parts of the system and hides others
according to the privileges of the user.
Backup Process as we know, backup
refers to taking a copy of the relational
database and log files of instance
processes and saving either on cloud
storage or external storage to use later.
Integrity means keeping the Relational
Database Management System secure by
the prevention of data from being useless.
3. Techniques of RDBMS Security
 Encryption is a process of
encoding/converting the sensitive data
into an unreadable format. Most of
RDBMS use this technique to secure
their sensitive data [4].
 The concept of encryption possesses
four major factors defined as [5]:
 A specific encryption key to encrypt
sensitive data (plaintext).
 An encryption algorithm that uses an
encryption key to encode or convert
the plain text into cipher text.
 A decryption algorithm uses the key to
decode or transform the plain text from
the cipher text.
There are two encryption techniques
known as asymmetric and symmetric. The
symmetric encryption relies on the secure
channel during the exchange of the key,
more on, the encryption key is similar to
the decryption key being used for a
particular instance, (IDEA) International
Data Encryption Algorithm) [6,7]. The
symmetric algorithm is very fast as
compare to the Asymmetric algorithm that
used two separate keys for encryption and
decryption (Public and Private keys) like
RSA (the name was given on the names of
researchers Ron Rivest, Adi Shamir, and
Leonard Adleman). Normally they are
applied at the same time in which public
key (asymmetric) encrypts a randomly
created key and that random key encrypts
the actual text (by using a symmetric
algorithm). The encryption to secure the
database system should enable the data
sharing within the database without
compromising the privacy of data [2, 6-9].
In order to improve the performance of the
encryption algorithm, data should be
classified into two categories insensitive
data and sensitive data. Sensitive data
should be encrypted using encryption
algorithms while insensitive data can be
accessed rapidly.
Web-based database security: the data
must be transferred securely from a server
to a client machine. The authentication of
a client must be performed via a HIP (Host
Identity Protocol). It establishes the trusted
relationship between the internet and hosts
by communicating with the webserver.
The web server and HIP both contribute to
the authentication procedure [2].
To monitor and online occurring activities
and operations log files is an important
source. It saves the activity status after
specific intervals to identify the
modifications caused by system failures. It
also accommodates with an audit
component to track the user’s log files to
assure the security of web databases.
Negative Database: this operation depends
on the addition of false data to the original
to confuse the malicious users, and make it
available only to the legit users. It has four
components database cache, encryption
algorithm, virtual database and conversion
of negative database. The initial three
produce the required data for the
conversion to produce the false data [2].
4. How to develop a strategy to encrypt
relational database?
It is a structure to enhance the ability of
data prevention. There are multiple factors
to enhance the secure encryption into
Relational Database Management
Systems.
 The encryption must be applied to the
application or database.
 The access to the unique encryption
key.
 The data amount that needs encryption.
 Is there any factor affecting the
performance.
There are more duties of the developer and
programmer through developing or
creating DBMS.
The developer must avoid creating the
loopholes that can be produced during
creating the procedures and policies.
There are two strategies for database
encryption that has its pros and cons.
Encrypting the Relational Database
Management Systems.
Applying the encryption from outside of
the database.
1. Encryption fundamentals:
The encryption algorithm and key size
being used for encryption are major factors
to encrypt data within the Relational
Database Management System.
Application administrator may allocate
legitimate usage to authorized persons for
need.
2. Effect of data encryption on RDBMS
Data encryption involves highly process
procedures. This results increase in
RDBMS size, then affecting the
performance or utility. Consequently
encryption of sensitive data.
3. Data Stream into application:
Data commonly flows across the internet
and over an internal network. Therefore
the chances of risk are high.
4. The key management:
It narrates how to handle the key being
used into RDBMS in terms of multiple
keys, the location and security of the keys
while accessing the encrypted keys
4.1. Solutions of enforcing encryption:
1. Inside the Relational Database
Management System (RDBMS)
It is a simple process of applying the
encryption/decryption technique in
RDBMS. It is extremely transparent to
database applications. Data will be
encrypted while inserting in RDBMS and
will be decrypted while retrieving from
RDBMS.
 A disadvantage of using this technique in
RDBMS is the additional processing
burden and decrease in performance.
2. Out-side the Relational Database
Management System (RDBMS)
This protection technique varies from one
application to another. In this process a
client/server security protocol (SSL)
secure server layer is used for data
encryption or decryption in destination or
source. This technique of using the
encryption server facilitates the centralized
encryption services for the overall
database. Its drawback involves the
administration of more servers and
applications and communication overhead.
Conclusion
This paper explains different database
security techniques. Exposure of data is
increases the security threats to database.
RDBMS programmers are responsible to
enhance and improve security measures to
databases without compromising the
performance factor. Further-more, it is
ethical responsibility of user for legitimate
usage of sensitive data. We have pointed
out the possible threats to Relational
Database Management Systems. Then, it
explained some security mechanisms of
attack control. It has mentioned about
computer-based countermeasures and
focused on encryption technique. In the
same way, it has explained security
techniques or procedures for database. The
last part describes the pros and drawbacks
of applying encryption either outside or
inside the Relational Database
Management System.
References:
[1] T.Connolly, C. Begg. “Database
Systems A Practical Approach to Design,
View publication stats
Implementation, and Management”, 4th
ed., Ed. England: Person Education
Limited, 2005, pp. 542-547, 550-551.
[2] Burtescu, E. (2009). Database
Security-Attacks and Control Methods.
Journal of Applied Quantitative Methods,
4(4), 449-454.
[3] Kayarkar, H. (2012). Classification of
Various Security Techniques in Databases
and their Comparative Analysis. arXiv
preprint arXiv:1206.4124.
[4] Kahate, A. (2013). Cryptography and
network security. Tata McGraw-Hill
Education.
[5] Stallings, W., & Brown, L. (2008).
Computer security. Principles and
Practice.
[6] Shaefer, E. F. (1996). A Simplified
Data Encryption Standard Algorithm.
Journal of Cryptologia, 20 (1), 77-84.
[7] Chang, H. S. (2004). International Data
Encryption Algorithm. Retrieved from
http://scholar.googleusercontent.com/schol
ar?q=cach
e:WXJPT0eEM7EJ:scholar.google.com/+I
nternation
al+Data+Encryption+Algorithm&hl=en&a
s_sdt=0,5 on 15 February 2013.
[8] Almasri, O., & Jani, H. M. Introducing
an Encryption Algorithm based on IDEA.
[9] Almasri, O., Jani, H. M., Ibrahim, Z.,
& Zughoul, O. (2013). Improving Security
Measures of ELearning Database.
International Organization of Scientific
Research-Journal of Computer
Engineering (IOSR-JCE), 10(4), 55-62.