
Database Security Lecture3

The document discusses database security, focusing on access control, user accounts, and the importance of tracking user operations for auditing purposes. It highlights the sensitivity of data and the factors that classify data as sensitive, emphasizing the roles of database and security administrators in enforcing security policies. Additionally, it distinguishes between information security and privacy, noting that security is essential for protecting personal information while privacy concerns the appropriate use of that information.

Uploaded by

albsrawys686
Copyright
© © All Rights Reserved
Database Security

Lecture 3
Access Control & User Accounts
• Whenever a person or a group of persons needs to access a database
system, the individual or group must first apply for a user account.
• The DBA will then create a new account number and password for the
user if there is a legitimate need to access the database.
• The user must log in to the DBMS by entering the account number and
password whenever database access is needed. The DBMS checks that
the account number and password are valid; if they are, the user is
permitted to use the DBMS and to access the database. Application
programs can also be considered users and are required to log in to the
database.
• It is straightforward to keep track of database users and their accounts
and passwords by creating an encrypted table or file with two fields:
Account Number and Password.
• This table can easily be maintained by the DBMS. Whenever a new
account is created, a new record is inserted into the table. When an
account is canceled, the corresponding record must be deleted from the
table.
Access Control & User Accounts
• The database system must also keep track of all operations on the
database that are applied by a certain user throughout each login
session, which consists of the sequence of database interactions
that a user performs from the time of logging in to the time of
logging off.
• When a user logs in, the DBMS can record the user’s account
number and associate it with the computer or device from which
the user logged in.
• All operations applied from that computer or device are attributed
to the user’s account until the user logs off.
• It is particularly important to keep track of update operations that
are applied to the database so that, if the database is tampered
with, the DBA can determine which user did the tampering.
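A sketch of the account table and login-session attribution described on these two slides, added here as an illustration and not part of the lecture. It assumes SQLite, a hypothetical schema, and a salted PBKDF2 hash in place of a stored password, so that reading the table does not yield passwords.

```python
import hashlib
import hmac
import os
import sqlite3

def open_db():
    # Hypothetical schema: the two-field account table (the password field is
    # split into salt + hash) and a table mapping each device to its session.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (account_no TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    db.execute("CREATE TABLE session (device_id TEXT PRIMARY KEY, account_no TEXT)")
    return db

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_account(db, account_no, password):
    # New account: insert one record.
    salt = os.urandom(16)
    db.execute("INSERT INTO account VALUES (?, ?, ?)",
               (account_no, salt, _hash(password, salt)))

def cancel_account(db, account_no):
    # Canceled account: delete its record and end any open sessions.
    db.execute("DELETE FROM account WHERE account_no = ?", (account_no,))
    db.execute("DELETE FROM session WHERE account_no = ?", (account_no,))

def login(db, account_no, password, device_id):
    row = db.execute("SELECT salt, pw_hash FROM account WHERE account_no = ?",
                     (account_no,)).fetchone()
    # Hash even for unknown accounts so both failure paths do similar work.
    salt, stored = row if row else (b"\0" * 16, b"")
    digest = _hash(password, salt)
    ok = hmac.compare_digest(digest, stored) and row is not None
    if ok:
        # Operations from this device are attributed to the account until logoff.
        db.execute("INSERT OR REPLACE INTO session VALUES (?, ?)", (device_id, account_no))
    return ok

def logoff(db, device_id):
    db.execute("DELETE FROM session WHERE device_id = ?", (device_id,))

def account_for_device(db, device_id):
    row = db.execute("SELECT account_no FROM session WHERE device_id = ?",
                     (device_id,)).fetchone()
    return row[0] if row else None
```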
Database Audits
• To keep a record of all updates applied to the database and of particular
users who applied each update, we can modify the system log.
• The system log includes an entry for each operation applied to the
database that may be required for recovery from a transaction failure or
system crash. We can expand the log entries so that they also include the
account number of the user and the online computer or device ID that
applied each operation recorded in the log.
• If any tampering with the database is suspected, a database audit is
performed, which consists of reviewing the log to examine all accesses
and operations applied to the database during a certain time period.
When an illegal or unauthorized operation is found, the DBA can
determine the account number used to perform the operation.
• Database audits are particularly important for sensitive databases that
are updated by many transactions and users, such as a banking database
that can be updated by thousands of bank tellers.
• A database log that is used mainly for security purposes serves as an
audit trail.
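A database audit over an extended log, added here as an illustration and not part of the lecture. The log rows, account numbers, device IDs and the `grants` table are constructed sample data under a hypothetical schema; the query reviews one time period and returns operations that no authorization covers, with the account and device that applied them.

```python
import sqlite3

# Constructed sample log entries, extended with account number and device ID:
# (timestamp, account_no, device_id, operation, table_name)
SAMPLE_LOG = [
    ("2024-03-04T09:15:00", "T-0412", "teller-pc-12", "UPDATE", "balances"),
    ("2024-03-04T09:20:00", "T-0977", "teller-pc-31", "UPDATE", "balances"),
    ("2024-03-04T23:41:00", "T-0977", "kiosk-03", "UPDATE", "interest_rates"),
    ("2024-03-04T23:43:00", "T-0977", "kiosk-03", "DELETE", "balances"),
    ("2024-03-05T08:00:00", "T-0412", "teller-pc-12", "UPDATE", "interest_rates"),
]
# Hypothetical authorizations: (account_no, operation, table_name)
SAMPLE_GRANTS = [
    ("T-0412", "UPDATE", "balances"),
    ("T-0977", "UPDATE", "balances"),
    ("M-0003", "UPDATE", "interest_rates"),
]

def build_db(log=SAMPLE_LOG, grants=SAMPLE_GRANTS):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE system_log (ts TEXT, account_no TEXT, device_id TEXT,"
               " operation TEXT, table_name TEXT)")
    db.execute("CREATE TABLE grants (account_no TEXT, operation TEXT, table_name TEXT)")
    db.executemany("INSERT INTO system_log VALUES (?, ?, ?, ?, ?)", log)
    db.executemany("INSERT INTO grants VALUES (?, ?, ?)", grants)
    return db

def audit(db, start, end):
    """Return log entries in [start, end) that no grant authorizes."""
    return db.execute(
        """SELECT l.ts, l.account_no, l.device_id, l.operation, l.table_name
           FROM system_log l
           LEFT JOIN grants g
             ON g.account_no = l.account_no
            AND g.operation = l.operation
            AND g.table_name = l.table_name
           WHERE l.ts >= ? AND l.ts < ? AND g.account_no IS NULL
           ORDER BY l.ts""",
        (start, end),
    ).fetchall()

def accounts_implicated(findings):
    """Map each account number to the devices its flagged operations came from."""
    out = {}
    for _ts, account, device, _op, _table in findings:
        out.setdefault(account, set()).add(device)
    return out
```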
Sensitive Data and Types of Disclosures
• Sensitivity of data is a measure of the importance
assigned to the data by its owner for the purpose
of denoting its need for protection.
• Some databases contain only sensitive data
whereas other databases may contain no sensitive
data at all.
• Handling databases that fall at these two
extremes is relatively easy because such
databases can be covered by access control.
• The situation becomes tricky when some of the
data is sensitive whereas other data is not.
Sensitive Data and Types of Disclosures
• Several factors can cause data to be classified as sensitive:
1. Inherently sensitive. The value of the data itself may be so revealing or
confidential that it becomes sensitive—for example, a person’s salary or that
a patient has HIV/AIDS.
2. From a sensitive source. The source of the data may indicate a need for
secrecy—for example, an informer whose identity must be kept secret.
3. Declared sensitive. The owner of the data may have explicitly declared it as
sensitive.
4. A sensitive attribute or sensitive record. The particular attribute or record
may have been declared sensitive—for example, the salary attribute of an
employee or the salary history record in a personnel database.
5. Sensitive in relation to previously disclosed data. Some data may not be
sensitive by itself but will become sensitive in the presence of some other
data—for example, the exact latitude and longitude information for a location
where some previously recorded event happened that was later deemed
sensitive.
Sensitive Data and Types of Disclosures
• It is the responsibility of the database
administrator and security administrator to
collectively enforce the security policies of an
organization.
• This dictates whether access should or should not
be permitted to a certain database attribute (also
known as a table column or a data element) for
individual users or for categories of users.
• Several factors must be considered before
deciding whether it is safe to reveal the data.
Sensitive Data and Types of Disclosures
• The three most important factors are data availability, access
acceptability, and authenticity assurance.
• 1. Data availability. If a user is updating a field, then this field becomes
inaccessible and other users should not be able to view this data. This
blocking is only temporary and only to ensure that no user sees any
inaccurate data.
• 2. Access acceptability. Data should only be revealed to authorized users.
A database administrator may also deny access to a user request even if
the request does not directly access a sensitive data item, on the grounds
that the requested data may reveal information about the sensitive data
that the user is not authorized to have.
• 3. Authenticity assurance. Before granting access, certain external
characteristics about the user may also be considered. For example, a user
may only be permitted access during working hours.
• The system may track previous queries to ensure that a combination of
queries does not reveal sensitive data.
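One simple form of the query tracking mentioned in the last bullet, added here as an illustration and not part of the lecture. It assumes aggregate (SUM) queries over a constructed salary table and a hypothetical minimum set size: a query is refused when its row set is too small, or when it differs from one of the same account's earlier row sets by so few rows that subtracting the two answers would isolate those rows.

```python
from collections import defaultdict

# Constructed sample data: employee row id -> salary.
SALARIES = {1: 5200, 2: 4800, 3: 6100, 4: 5500, 5: 7300}

class QueryTracker:
    """Remembers which row sets each account has already aggregated over."""

    def __init__(self, min_set_size=3):
        self.k = min_set_size              # hypothetical policy parameter
        self.history = defaultdict(list)   # account_no -> list of frozensets

    def allow(self, account_no, row_ids):
        rows = frozenset(row_ids)
        if len(rows) < self.k:
            return False                   # aggregate over too few rows
        for prev in self.history[account_no]:
            diff = rows ^ prev             # rows in one query but not the other
            if 0 < len(diff) < self.k:
                return False               # the two answers together expose `diff`
        self.history[account_no].append(rows)
        return True

def sum_salary(tracker, account_no, row_ids):
    """Answer SUM(salary) over row_ids, or None if the combination is refused."""
    if not tracker.allow(account_no, row_ids):
        return None
    return sum(SALARIES[r] for r in row_ids)
```

The history here is kept per account, so it does not address two accounts pooling their answers.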
Relationship between Information Security and Information Privacy
• The rapid advancement of the use of information
technology (IT) in industry, government, and academia
raises challenging questions and problems regarding
the protection and use of personal information.
• Questions of who has what rights to information
about individuals for which purposes become more
important as we move toward a world in which it is
technically possible to know just about anything about
anyone.
• There is a considerable overlap between issues related
to access to resources (security) and issues related to
appropriate use of information (privacy).
Information Security

• Security in information technology refers to many aspects of
protecting a system from unauthorized use, including
authentication of users, information encryption, access control,
firewall policies, and intrusion detection. For our purposes here,
we will limit our treatment of security to the concepts associated
with how well a system can protect access to information it
contains.
Information Privacy

• The concept of privacy goes beyond security. Privacy examines
how well the use of personal information that the system acquires
about a user conforms to the explicit or implicit assumptions
regarding that use.
• Privacy can be considered from two different
perspectives:
• preventing storage of personal information versus
ensuring appropriate use of personal information.
Information Privacy

• A simple but useful definition of privacy is the ability of
individuals to control the terms under which their personal
information is acquired and used. In summary, security involves
technology to ensure that information is appropriately protected.
Security is a required building block for privacy.
