Chapter 2 - DB Security
Uploaded by Malicha Galma

Chapter 2: Database Security
Database Security
 Database security refers to the mechanisms that protect the database against
intentional or accidental threats.
 Database security is a very broad area that addresses many issues,
including the following:
– Legal and ethical issues regarding the right to access certain
information.
– Policy issues at the governmental, institutional, or corporate level as
to what kinds of information should not be made publicly available.
– System-related issues, such as the system levels at which various
security functions should be enforced.
– The need in some organizations to identify multiple security levels
and to categorize the data and users based on these classifications.
 Database security aims to minimize, in a cost-effective way, the losses
caused by anticipated events.
Database Threat
 A threat is any situation or event, whether intentional or accidental, that
may adversely affect a system and consequently the organization.
 A threat may be caused by a situation or event involving a person, action, or
circumstance that is likely to bring harm to an organization. The harm may be
 tangible, such as loss of hardware, software, or data, or
 intangible, such as loss of credibility or client confidence.
 The problem facing any organization is to identify all possible threats.
 Therefore, as a minimum, an organization should invest time and effort in
identifying the most serious threats.
 Whether a threat is intentional or unintentional, the impact can be the same.
 Intentional threats involve people and may be committed by both authorized
users and unauthorized users, some of whom may be external to the
organization.
Database Threat
 Any threat must be viewed as a potential breach of security which, if
successful, will have a certain impact.
 The following table presents examples of various types of threat, listed
under the area on which they may have an impact.
Database Threat
 The extent to which an organization suffers as a result of a threat’s
succeeding depends upon a number of factors, such as the
existence of countermeasures and contingency plans.
 For example, if a hardware failure occurs corrupting secondary
storage, all processing activity must cease until the problem is
resolved.
 The recovery will depend upon a number of factors, which
include when the last backups were taken and the time
needed to restore the system.
 An organization needs to identify the types of threat it may be
subjected to and initiate appropriate plans and
countermeasures
Database Security and the Database Administrator
 The database administrator (DBA) is the central authority for
managing a database system.
 The DBA has a DBA account in the DBMS, sometimes called a system or
superuser account, which provides powerful capabilities that are not
made available to regular database accounts and users.
 The roles of the DBA in database security include:
- Account Creation: creating a separate account for each user.
- Security Level Assignment: assigning users to different categories of
access level.
- Privilege Grant: giving different levels of privilege to different
users and user groups.
- Privilege Revocation: cancelling previously granted privileges of users
for various reasons.
- Account Deletion: deleting an existing account of a user or user group.
This is equivalent to revoking all of that user's privileges on the database.
Countermeasures – Computer-Based Controls
 The types of countermeasure to threats on computer systems
range from physical controls to administrative
procedures.
 In this section we focus on the following computer-based
security control techniques
Authorization
Access controls
Views
Backup and recovery
Encryption
Authorization
 Authorization is the granting of a right or privilege that enables a subject
to have legitimate access to a system or a system’s object.
 The process of authorization involves authentication of subjects
requesting access to objects, where
- a subject represents a user or program, and
- an object represents a database table, view, procedure, trigger, or any
other object that can be created within the system.
 Authentication is a mechanism that determines whether a user is who
he or she claims to be.
 A system administrator is usually responsible for allowing users to have
access to a computer system by creating individual user accounts.
 Each user is given a unique identifier, which is used by the operating
system to determine who they are.
Forms of Authorization
 User authorization on the data
– Read Authorization: the user with this privilege is allowed only to
read the content of the data object.
– Insert Authorization: the user with this privilege is allowed only to
insert new records or items to the data object.
– Update Authorization: users with this privilege are allowed to
modify content of attributes but are not authorized to delete the
records.
– Delete Authorization: users with this privilege are only allowed to
delete a record and not anything else.
Forms of Authorization
 User authorization on the database schema
– Index Authorization: deals with permission to create as
well as drop an index on a relation.
– Resource Authorization: deals with permission to
add/create a new relation in the database.
– Alteration Authorization: deals with permission to add as
well as delete attribute.
– Drop Authorization: deals with permission to delete tables
in a database
Access Controls
 The usual way of supplying access controls to a database system is
dependent on the Granting and Revoking of Privileges within the
database.
 A privilege allows a user to create or access (that is read, write, or modify)
some database object (such as a relation, view, or index) or to run certain
DBMS utilities.
 A privilege should only be granted to a user if that user cannot accomplish
his or her work without that privilege (the principle of least privilege).
 A user who creates a database object such as a relation automatically gets
all privileges on that object; for views the rule is more restricted, as
described later.
 DBMSs provide two main types of access control:
 Discretionary Access Control (DAC) and
 Mandatory Access Control (MAC)
Discretionary Access Controls
 In discretionary access control each user is given appropriate access
rights (or privileges) on specific database objects.
 This mechanism is based on the concepts of authorization identifiers,
ownership, and privileges.
 An Authorization Identifier is a normal SQL identifier that is used to
establish the identity of a user.
– Each database user is assigned an authorization identifier by the Database
Administrator (DBA).
– Usually, the identifier has an associated username and password.
 Each object that is created in SQL has an owner.
– The owner is identified by the authorization identifier defined in the
AUTHORIZATION clause of the schema to which the object belongs.
 Privileges are the actions that a user is permitted to carry out on a given
base table or view.
Discretionary Access Controls
 When a user creates a table using the CREATE TABLE statement, he or
she automatically becomes the owner of the table and receives full
privileges for the table.
 Other users initially have no privileges on the newly created table.
 To give them access to the table, the owner must explicitly grant them
the necessary privileges using the GRANT statement.
 When a user creates a view with the CREATE VIEW statement, he or she
automatically becomes the owner of the view, but does not necessarily
receive full privileges on the view.
 To create the view, a user must have SELECT (Read) privilege on all the
tables that make up the view and REFERENCES privilege on the named
columns of the view.
 However, the view owner gets INSERT, UPDATE, and DELETE privileges
only if he or she holds these privileges for every table in the view.
Discretionary Access Controls
 SQL supports only discretionary access control through the
GRANT and REVOKE statements.
 The GRANT statement is used to grant privileges on database
objects to specific users.
- Normally the GRANT statement is used by the owner of a
table to give other users access to the data.
 The REVOKE statement is used to take away privileges that
were granted with the GRANT statement.
 A REVOKE statement can take away all or some of the
privileges that were previously granted to a user.
Mandatory Access Control (MAC)
 Mandatory Access Control (MAC) is based on system-wide policies
that cannot be changed by individual users.
 The discretionary access control technique of granting and
revoking privileges on relations has traditionally been the main security
mechanism for relational database systems.
 This is an all-or-nothing method: A user either has or does not have a
certain privilege.
 In mandatory access control approach each database object is assigned
a security class and each user is assigned a clearance for a security
class, and rules are imposed on reading and writing of database objects
by users.
 The DBMS determines whether a given user can read or write a given
object based on certain rules that involve the security level of the
object and the clearance of the user.
 The SQL standard does not include support for MAC.
Mandatory Access Control (MAC)
 Typical security classes are Top secret (TS), Secret (S),
Confidential (C), and Unclassified (U), where TS is the
highest level and U the lowest.
 For simplicity, we will use a system with four security
classification levels, where TS > S > C > U, to illustrate the
discussion.
 A popular model for MAC is the Bell–LaPadula model (Bell
and LaPadula, 1974), which is described in terms of objects
(such as relations, views, tuples, and attributes), subjects
(such as users, accounts and programs), security classes, and
clearances.
 This model classifies each subject and object into one of
the security classifications TS, S, C, or U.
Mandatory Access Control (MAC)
 We will refer to the clearance (classification) of a subject S as class
(S) and to the classification of an object o as class (o).
 The Bell–LaPadula model imposes two restrictions on all reads
and writes of database objects:
a. Simple Security Property: Subject S is allowed to read object
O only if class (S) >= class (O).
For example,
- a user with TS clearance can read a relation with C clearance,
but a user with C clearance cannot read a relation with TS
classification.
b. *-Property (Star Property): Subject S is allowed to write
object O only if class (S) <= class (O).
For example,
- a user with S clearance can only write objects with S or TS
Multilevel Relations and Polyinstantiation
 In order to apply mandatory access control policies in a relational
DBMS, a security class must be assigned to each database object.
– The objects can be at the granularity of relations, tuples, or even
individual attribute values.
 Assume that each tuple is assigned a security class.
– This situation leads to the concept of a multilevel relation, which is
a relation that reveals different tuples to users with different security
clearances.
 For example, consider the following employee multilevel relation, with an
additional attribute showing the security class of each tuple, as shown in
the table below.
Multilevel Relations and Polyinstantiation
 A multilevel relation will appear to contain different data to subjects (users)
with different clearance levels.
 Users with S and TS clearance will see all tuples in the employee relation.
However, a user with C clearance will only see the first two tuples and a
user with U clearance will see no tuples at all.
 Assume that a user with clearance C wishes to enter a tuple (Emp003,
meron, 2500, good) into the employee relation, where the primary key of
the relation is emp_ID, and a tuple with emp_ID Emp003 already exists at a
higher classification that this user cannot see.
 If the insertion is rejected because it violates the primary key
constraint, the user learns that a hidden Emp003 tuple exists: the
rejection lets the user infer the existence of data above his or her
clearance.
 This inference problem can be solved by including the security
classification attribute as part of the primary key of the relation.
- In the above example, the insertion of the new tuple into the employee
relation is then allowed, and the relation instance is modified as shown in the
next slide.
Multilevel Relations and Polyinstantiation
 The employee relation now has two tuples with emp_ID Emp003. The
primary key for this relation is (emp_ID, securityClass).
 Now, users with clearance C see the first two tuples and the newly added
tuple, but users with clearance S or TS see all five tuples.
 The result is a relation with two tuples whose emp_ID is Emp003, which
can be confusing.
 The presence of data objects that appear to have different values to users
with different clearances is called polyinstantiation.
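The read and write rules and the insertion example above, worked through in code. This is an added example, not part of the original slides: the four-level lattice and the two Bell–LaPadula properties are the ones stated above, while the employee rows, names and salary values are constructed sample data and the `MultilevelRelation` class is a hypothetical in-memory stand-in for the DBMS. The `key_includes_class` switch shows both outcomes: with emp_ID alone as the key, the C user's insert is rejected and thereby reveals that a hidden Emp003 tuple exists; with (emp_ID, securityClass) as the key, the insert succeeds and the relation becomes polyinstantiated.

```python
from dataclasses import dataclass

# Linear lattice of security classes from the slides: TS > S > C > U.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


def can_read(subject_class: str, object_class: str) -> bool:
    """Simple security property ("no read up"): class(S) >= class(O)."""
    return LEVELS[subject_class] >= LEVELS[object_class]


def can_write(subject_class: str, object_class: str) -> bool:
    """*-property ("no write down"): class(S) <= class(O)."""
    return LEVELS[subject_class] <= LEVELS[object_class]


@dataclass(frozen=True)
class Row:
    emp_id: str
    name: str
    salary: int
    rating: str
    security_class: str  # tuple-level classification


# Constructed sample relation (hypothetical people, not the slides' exact table):
# two C tuples, one S tuple and one TS tuple, so C sees two rows and U sees none.
SAMPLE = [
    Row("Emp001", "abebe", 3000, "good", "C"),
    Row("Emp002", "hana", 3200, "excellent", "C"),
    Row("Emp003", "meron", 4000, "excellent", "S"),
    Row("Emp004", "dawit", 5000, "good", "TS"),
]


class MultilevelRelation:
    """Hypothetical stand-in for a DBMS relation with tuple-level classes."""

    def __init__(self, rows, key_includes_class: bool):
        self.rows = list(rows)
        # True  -> primary key is (emp_id, security_class): polyinstantiation
        # False -> primary key is emp_id alone: rejections leak hidden tuples
        self.key_includes_class = key_includes_class

    def select(self, clearance: str) -> list:
        """Rows that a subject with this clearance is allowed to read."""
        return [r for r in self.rows if can_read(clearance, r.security_class)]

    def insert(self, clearance: str, row: Row) -> None:
        if not can_write(clearance, row.security_class):
            raise PermissionError("*-property forbids writing down")
        for r in self.rows:
            same_key = r.emp_id == row.emp_id and (
                not self.key_includes_class or r.security_class == row.security_class)
            if same_key:
                # With emp_id alone as key this fires even when `r` is invisible
                # to the inserting subject, telling them a hidden tuple exists.
                raise KeyError(f"duplicate key for {row.emp_id}")
        self.rows.append(row)


def demo() -> dict:
    visible = {c: len(MultilevelRelation(SAMPLE, True).select(c)) for c in LEVELS}
    new_row = Row("Emp003", "meron", 2500, "good", "C")  # the C user's insert

    naive = MultilevelRelation(SAMPLE, key_includes_class=False)
    try:
        naive.insert("C", new_row)
        leaked = False
    except KeyError:
        leaked = True  # the C user now knows Emp003 exists at a higher level

    poly = MultilevelRelation(SAMPLE, key_includes_class=True)
    poly.insert("C", new_row)  # accepted: the key is (Emp003, C)
    emp003_classes = sorted(r.security_class for r in poly.rows if r.emp_id == "Emp003")

    return {
        "visible_before": visible,                 # {"U": 0, "C": 2, "S": 3, "TS": 4}
        "naive_insert_leaks": leaked,              # True
        "C_sees_after": len(poly.select("C")),     # 3
        "TS_sees_after": len(poly.select("TS")),   # 5
        "emp003_instances": emp003_classes,        # ["C", "S"]: polyinstantiation
        "write_up_allowed": can_write("C", "TS"),  # True
        "write_down_allowed": can_write("S", "C"), # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The *-property is what makes the C user's insert legitimate in the first place: writing a C-classified tuple from a C clearance is a write at the same level, and writing up (a C subject writing a TS object) is also permitted, whereas an S subject may not write a C object because that could carry S data downward.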
Views
 A view is the dynamic result of one or more relational operations operating on
the base relations to produce another relation.
 A view is a virtual relation that does not necessarily exist in the database
but can be produced upon request by a particular user, at the time of
request.
 The view mechanism provides a powerful and flexible security mechanism
by hiding parts of the database from certain users.
 The user is not aware of the existence of any attributes or rows that are
missing from the view.
 A view can be defined over several relations with a user being granted the
appropriate privilege to use it, but not to use the base relations.
 In this way, using a view is more restrictive than simply having certain
privileges granted to a user on the base relation(s).
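The two mechanisms described above, privileges granted on a view but not on its base relation (Discretionary Access Controls) and hiding columns behind a view (Views), combined in one runnable example. It is an added example, not code from the slides: the `employee` table, the `employee_public` view, the user `clerk` and the rows are constructed, and because SQLite has no GRANT/REVOKE of its own, the privilege catalog is a plain Python dictionary (`grant`/`revoke`) that is enforced through SQLite's real authorizer hook, `Connection.set_authorizer`. SQLite reports column reads that occur inside a view expansion with the view's name as the fifth callback argument, which is what lets the hook allow access through the view while denying the same columns on the base table.

```python
import sqlite3

BASE_TABLE = "employee"
VIEW = "employee_public"

# Constructed sample data (hypothetical employees, not from the slides).
SAMPLE_ROWS = [
    ("Emp001", "abebe", 3000, "good"),
    ("Emp002", "hana", 3200, "excellent"),
    ("Emp003", "meron", 2500, "good"),
]

# Stand-in for the DBMS privilege catalog that GRANT/REVOKE maintain:
# user -> object name -> set of privileges.
Grants = dict[str, dict[str, set[str]]]


def grant(grants: Grants, user: str, privilege: str, obj: str) -> None:
    """GRANT <privilege> ON <obj> TO <user>"""
    grants.setdefault(user, {}).setdefault(obj, set()).add(privilege)


def revoke(grants: Grants, user: str, privilege: str, obj: str) -> None:
    """REVOKE <privilege> ON <obj> FROM <user>"""
    grants.get(user, {}).get(obj, set()).discard(privilege)


def make_authorizer(grants: Grants, user: str):
    """Enforce SELECT privileges with SQLite's authorizer hook.
    SQLite calls it while compiling a statement. A column read that happens
    inside a view expansion arrives with the view's name as `context`, so it
    is checked against the view: privilege on the view, none on the table."""
    def authorize(action, table, column, dbname, context):
        if action != sqlite3.SQLITE_READ:
            return sqlite3.SQLITE_OK  # only column reads are policed in this demo
        obj = context or table
        if "SELECT" in grants.get(user, {}).get(obj, set()):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    return authorize


def setup_db() -> sqlite3.Connection:
    """The owner/DBA creates the base relation and a view hiding salary and rating."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {BASE_TABLE} "
                "(emp_id TEXT PRIMARY KEY, name TEXT, salary INTEGER, rating TEXT)")
    con.executemany(f"INSERT INTO {BASE_TABLE} VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    con.execute(f"CREATE VIEW {VIEW} AS SELECT emp_id, name FROM {BASE_TABLE}")
    con.commit()
    return con


def query_as(con: sqlite3.Connection, grants: Grants, user: str, sql: str):
    """Run `sql` with `user`'s privileges; return the rows, or the string 'denied'."""
    # Installing the hook again also expires cached prepared statements, so a
    # REVOKE takes effect even for SQL text that was compiled earlier.
    con.set_authorizer(make_authorizer(grants, user))
    try:
        return con.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        msg = str(exc)
        if "prohibited" in msg or "not authorized" in msg:
            return "denied"
        raise


def run_demo() -> dict:
    grants: Grants = {}
    con = setup_db()
    grant(grants, "clerk", "SELECT", VIEW)  # on the view only, never on the table
    out = {
        "via_view": query_as(con, grants, "clerk",
                             f"SELECT * FROM {VIEW} ORDER BY emp_id"),
        "base_table": query_as(con, grants, "clerk",
                               f"SELECT emp_id, salary FROM {BASE_TABLE}"),
    }
    revoke(grants, "clerk", "SELECT", VIEW)
    out["after_revoke"] = query_as(con, grants, "clerk", f"SELECT name FROM {VIEW}")
    return out


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(f"{step}: {result}")
```

In a DBMS with SQL privileges the same outcome is `GRANT SELECT ON employee_public TO clerk` with no privilege on `employee`; the dictionary here only stands in for that catalog. The hook is consulted when a statement is compiled, not each time it runs, so a revoke must also expire any cached statements, which re-installing the authorizer does.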
Backup and Recovery
 Backup is the process of periodically taking a copy of the
database and log file (and possibly programs) on to offline
storage media.
 It is always advisable to make backup copies of the
database and log file at regular intervals and to ensure that
the copies are in a secure location.
 In the event of a failure that renders the database
unusable, the backup copy and the details captured in the
log file are used to restore the database to the latest
possible consistent state.
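A minimal backup-and-restore cycle for the process described above, as an added example that is not part of the slides. It uses SQLite's online backup API (`Connection.backup`) and the standard library's `hashlib`; the employee rows are constructed, and in-memory databases stand in for the offline storage media so that the example runs without touching disk. It covers taking a consistent snapshot and checking the integrity of the stored copy before restoring it; it does not replay a transaction log, which is what reaching the "latest possible consistent state" mentioned above additionally requires.

```python
import hashlib
import sqlite3

# Constructed sample relation (hypothetical employees, not from the slides).
SAMPLE_ROWS = [("Emp001", "abebe", 3000), ("Emp002", "hana", 3200), ("Emp003", "meron", 2500)]


def new_live_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee (emp_id TEXT PRIMARY KEY, name TEXT, salary INTEGER)")
    con.executemany("INSERT INTO employee VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def take_backup(live: sqlite3.Connection) -> sqlite3.Connection:
    """Consistent snapshot via SQLite's online-backup API (Connection.backup).
    It can run while the live database is in use. The target here is another
    in-memory database to keep the example self-contained; in practice it is a
    file on separate, access-controlled storage."""
    snapshot = sqlite3.connect(":memory:")
    live.backup(snapshot)
    return snapshot


def fingerprint(con: sqlite3.Connection) -> str:
    """SHA-256 over the logical dump of the database. Recorded when the backup
    is taken and checked before it is restored, so that a copy altered or
    truncated while in storage is caught instead of being loaded."""
    h = hashlib.sha256()
    for statement in con.iterdump():
        h.update(statement.encode("utf-8"))
        h.update(b"\n")
    return h.hexdigest()


def restore(snapshot: sqlite3.Connection, expected_digest: str) -> sqlite3.Connection:
    if fingerprint(snapshot) != expected_digest:
        raise RuntimeError("backup failed integrity check; refusing to restore")
    restored = sqlite3.connect(":memory:")
    snapshot.backup(restored)
    if restored.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
        raise RuntimeError("restored database is corrupt")
    return restored


def demo() -> dict:
    live = new_live_db()
    snapshot = take_backup(live)
    digest = fingerprint(snapshot)  # store this separately from the backup itself

    # Simulated failure: the live relation is lost.
    live.execute("DROP TABLE employee")
    live.commit()

    restored = restore(snapshot, digest)
    ids = [r[0] for r in restored.execute("SELECT emp_id FROM employee ORDER BY emp_id")]

    # Simulated tampering with a stored copy: one value altered after the fact.
    tampered = take_backup(snapshot)
    tampered.execute("UPDATE employee SET salary = 1 WHERE emp_id = 'Emp001'")
    tampered.commit()
    try:
        restore(tampered, digest)
        tampered_rejected = False
    except RuntimeError:
        tampered_rejected = True

    return {"restored_ids": ids, "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(demo())
```

The digest is only useful if it is kept somewhere the backup medium's custodian cannot reach; a checksum stored next to the copy it protects can be rewritten along with it.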
Encryption
 Encryption is the process of encoding data with a special algorithm that
renders the data unreadable by any program without the decryption key.
 Suppose we transmit data, but the data falls into the hands of a
non-legitimate user.
 In this situation, by using encryption we can disguise the message so that
even if the transmission is intercepted, the message will not be revealed.
 To transmit data securely over insecure networks requires the use of a
cryptosystem (a system for encryption and decryption), which includes
 an encryption key to encrypt the data (plaintext);
 an encryption algorithm that, with the encryption key, transforms the plaintext into
ciphertext;
 a decryption key to decrypt the ciphertext;
 a decryption algorithm that, with the decryption key, transforms the ciphertext back into
plaintext.
Encryption
 There are two types of encryption technique:
 Symmetric Encryption: uses the same key for both
encryption and decryption.
- relies on a secure channel for exchanging the
key.
 Asymmetric Encryption: uses different keys for
encryption and decryption (a public key to encrypt, a
private key to decrypt).
DBMSs and Web Security
 In the previous slides we identified computer based security
mechanisms for database systems.
 However, the increasing accessibility of databases on the
public Internet and private intranets requires a re-
analysis and extension of these approaches.
 Some Measures include:
– Proxy servers
– Firewalls
– Message digest algorithms and digital signatures
– Digital certificates
– Kerberos
– Secure sockets layer (SSL) and Secure HTTP (S-HTTP)
– Secure Electronic Transactions (SET) and Secure Transaction
Technology (STT)
End
Quiz
1. What is the difference between Symmetric and
Asymmetric Encryption? 2pts.
2. Consider the following two schedules. Are they conflict
Equivalent? Yes/ No.
- if yes, show. 3pts
