Security Requirements
The basic security requirements of database systems are not unlike those of other computing systems we have studied. The basic problems (access control, exclusion of spurious data, authentication of users, and reliability) have appeared in many contexts so far in this book. Following is a list of requirements for database security.
· Physical database integrity. The data of a database are immune to physical problems, such as power failures, and someone can reconstruct the database if it is destroyed through a catastrophe.
· Logical database integrity. The structure of the database is preserved. With logical integrity of a database, a modification to the value of one field does not affect other fields, for example.
· Element integrity. The data contained in each element are accurate.
· Auditability. It is possible to track who or what has accessed (or modified) the elements in the database.
· Access control. A user is allowed to access only authorized data, and different users can be restricted to different modes of access (such as read or write).
· User authentication. Every user is positively identified, both for the audit trail and for permission to access certain data.
· Availability. Users can access the database in general and all the data for which they are authorized.
We briefly examine each of
these requirements.
Integrity of the Database
If a database is to serve as
a central repository of data, users must be able to trust the accuracy of the
data values. This condition implies that the database administrator must be
assured that updates are performed only by authorized individuals. It also
implies that the data must be protected from corruption, either by an outside
illegal program action or by an outside force such as fire or a power failure.
Two situations can affect the integrity of a database: when the whole database
is damaged (as happens, for example, if its storage medium is damaged) or when
individual data items are unreadable.
Integrity of the database as
a whole is the responsibility of the DBMS, the operating system, and the
(human) computing system manager. From the perspective of the operating system
and the computing system manager, databases and DBMSs are files and programs,
respectively. Therefore, one way of protecting the database as a whole is to
regularly back up all files on the system. These periodic backups can be
adequate controls against catastrophic failure.
Sometimes it is important to be able to
reconstruct the database at the point of a failure. For instance, when the
power fails suddenly, a bank's clients may be in the middle of making
transactions or students may be in the midst of registering online for their
classes. In these cases, we want to be able to restore the systems to a stable
point without forcing users to redo their recently completed transactions. To
handle these situations, the DBMS must maintain a log of transactions. For
example, suppose the banking system is designed so that a message is generated
in a log (electronic or paper or both) each time a transaction is processed. In
the event of a system failure, the system can obtain accurate account balances
by reverting to a backup copy of the database and reprocessing all later
transactions from the log.
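As a minimal sketch of this recovery idea (the account layout and log format here are invented for illustration, not any particular DBMS's mechanism), restoring the backup and replaying the logged transactions reconstructs the current balances:

# Recovery sketch: restore a backup, then replay the transaction log.
# The data layout (account -> balance) and log format are hypothetical.

backup = {"alice": 500, "bob": 300}          # last full backup
log = [                                      # transactions since the backup
    ("alice", -100),                         # (account, amount)
    ("bob", +100),
    ("alice", +40),
]

def recover(backup, log):
    """Rebuild current balances from the backup plus the logged transactions."""
    balances = dict(backup)                  # start from the backup copy
    for account, amount in log:              # reprocess each later transaction
        balances[account] += amount
    return balances

print(recover(backup, log))                  # {'alice': 440, 'bob': 400}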
Element Integrity
The integrity of database
elements is their correctness or accuracy. Ultimately, authorized users are
responsible for entering correct data into databases. However, users and
programs make mistakes collecting data, computing results, and entering values.
Therefore, DBMSs sometimes take special action to help catch errors as they are
made and to correct errors after they are inserted.
This corrective action can be
taken in three ways. First, the DBMS can apply field checks, activities that test for appropriate values in a
position. A field might be required to be numeric, an uppercase letter, or one
of a set of acceptable characters. The check ensures that a value falls within
specified bounds or is not greater than the sum of the values in two other
fields. These checks prevent simple errors as the data are entered. (Sidebar 6-1 demonstrates the importance of
element integrity.)
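Many SQL systems let a schema express such field checks declaratively as CHECK constraints. The following sketch, using Python's built-in sqlite3 module and an invented student table, shows the DBMS rejecting an inappropriate value as the data are entered:

import sqlite3

# Field-check sketch: the table and columns are invented for illustration.
conn = sqlite3.connect(":memory:")
conn.execute("""
    CREATE TABLE students (
        id      INTEGER PRIMARY KEY,
        grade   TEXT    CHECK (grade IN ('A', 'B', 'C', 'D', 'F')),
        credits INTEGER CHECK (credits BETWEEN 0 AND 21)
    )
""")

conn.execute("INSERT INTO students VALUES (1, 'B', 15)")      # passes both checks

try:
    conn.execute("INSERT INTO students VALUES (2, 'E', 15)")  # 'E' is not allowed
except sqlite3.IntegrityError as e:
    print("rejected:", e)    # the DBMS catches the error as the data are entered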
A second integrity action is provided by access control. To see why, consider
life without databases. Data files may contain data from several sources, and
redundant data may be stored in several different places. For example, a
student's home address may be stored in many different campus files: at class
registration, for dining hall privileges, at the bookstore, and in the
financial aid office. Indeed, the student may not even be aware that each
separate office has the address on file. If the student moves from one
residence to another, each of the separate files requires correction. Without a
database, there are several risks to the data's integrity. First, at a given time,
there could be some data files with the old address (they have not yet been
updated) and some simultaneously with the new address (they have already been
updated). Second, there is always the possibility that the data fields were
changed incorrectly, again leading to files with incorrect information. Third,
there may be files of which the student is unaware, so he or she does not know
to notify the file owner about updating the address information. Databases solve these problems by collecting and controlling the data at one central source, ensuring that the student and every user of the data have the correct address.
Sidebar
6-1: Element Integrity Failure Crashes Network
Crocker and Bernstein [CRO89]
studied catastrophic failures of what was then known as the ARPANET, the
predecessor of today's Internet. Several failures came from problems with the
routing tables used to direct traffic through the network.
A 1971 error was called the "black
hole." A hardware failure caused one node to declare that it was the best
path to every other node in the network. This node sent this declaration to
other nodes, which soon propagated the erroneous posting throughout the
network. This node immediately became the black hole of the network because all
traffic was routed to it but never made it to the real destination.
The
ARPANET used simple tables, not a full-featured database management system, so
there was no checking of new values prior to their being installed in the
distributed routing tables. Had there been a database, integrity checking
software could have performed error checking on the newly distributed values
and raised a flag for human review.
However, the centralization
is easier said than done. Who owns this shared central file? Who has
authorization to update which elements? What if two people apply conflicting
modifications? What if modifications are applied out of sequence? How are
duplicate records detected? What action is taken when duplicates are found?
These are policy questions that must be resolved by the database administrator.
Sidebar 6-2 describes how these issues are addressed for managing the
configuration of programs; similar formal processes are needed for managing changes in databases.
The third means of providing
database integrity is maintaining a change
log for the database. A change log lists every change made to the database;
it contains both original and modified values. Using this log, a database
administrator can undo any changes that were made in error. For example, a
library fine might erroneously be posted against Charles W. Robertson, instead
of Charles M. Robertson, flagging Charles W. Robertson as ineligible to
participate in varsity athletics. Upon discovering this error, the database
administrator obtains Charles W.'s original eligibility value from the log and
corrects the database.
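A minimal sketch of such a change log, again using sqlite3 with an invented eligibility table: a trigger records the original and modified value of every update, so the administrator can later retrieve the original value and restore it:

import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE students (name TEXT PRIMARY KEY, eligible INTEGER);
    CREATE TABLE change_log (name TEXT, old_value INTEGER, new_value INTEGER,
                             changed_at TEXT);
    -- Record both the original and the modified value of every update.
    CREATE TRIGGER log_eligibility AFTER UPDATE OF eligible ON students
    BEGIN
        INSERT INTO change_log
        VALUES (OLD.name, OLD.eligible, NEW.eligible, datetime('now'));
    END;
    INSERT INTO students VALUES ('Charles W. Robertson', 1);
""")

# The erroneous change: the fine was meant for Charles M., not Charles W.
conn.execute("UPDATE students SET eligible = 0 "
             "WHERE name = 'Charles W. Robertson'")

# Undo: fetch the original value from the log and restore it.
old, = conn.execute("SELECT old_value FROM change_log "
                    "WHERE name = 'Charles W. Robertson'").fetchone()
conn.execute("UPDATE students SET eligible = ? "
             "WHERE name = 'Charles W. Robertson'", (old,))
print(conn.execute("SELECT eligible FROM students").fetchone())  # (1,) restored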
Auditability
For some applications it may be desirable to generate an audit
record of all access (read or write) to a database. Such a record can help to
maintain the database's integrity, or at least to discover after the fact who
had affected which values and when. A second use, as we see later, arises because users can access protected data incrementally; that is, no single access reveals protected data, but a set of sequential accesses viewed together reveals the data, much like discovering the clues in a detective novel. In this case, an audit trail can identify which clues a user has already been given, as a guide to whether to tell the user more.
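As a minimal sketch (invented for illustration; real DBMSs provide their own audit facilities), a wrapper can record who read or wrote which element and when:

import datetime

audit_trail = []   # each entry: (timestamp, user, mode, element)

def audited_access(db, user, mode, element, value=None):
    """Record every read or write of an element in the audit trail."""
    audit_trail.append((datetime.datetime.now(), user, mode, element))
    if mode == "read":
        return db.get(element)
    elif mode == "write":
        db[element] = value

db = {"salary:lee": 50000}
audited_access(db, "pat", "read", "salary:lee")          # logged read
audited_access(db, "pat", "write", "salary:lee", 52000)  # logged write
for entry in audit_trail:
    print(entry)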
As we noted in Chapters
4 and 5, granularity becomes
an impediment in auditing. Audited events in operating systems are actions like
open file or call procedure; they are seldom as specific as write record 3 or
execute instruction I. To be useful for maintaining integrity, database audit
trails should include accesses at the record, field, and even element levels.
Recording this level of detail, however, is prohibitively expensive for most database applications.
Furthermore, it is possible for a record to be
accessed but not reported to a user, as when the user performs a select
operation. (Accessing a record or an element without transferring to the user
the data received is called the pass-through
problem.) Also, you can determine the values of some elements without
accessing them directly. (For example, you can ask for the average salary in a
group of employees when you know the number of employees in the group is only
one.) Thus, a log of all records accessed directly may both overstate and
understate what a user actually knows.
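The averaging example is easy to reproduce. In the sketch below (with an invented employee table), the user never reads the salary element directly, yet the aggregate query reveals the lone employee's salary exactly:

import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER);
    INSERT INTO employees VALUES ('lee', 'audit',   70000);
    INSERT INTO employees VALUES ('pat', 'payroll', 55000);
    INSERT INTO employees VALUES ('kim', 'payroll', 65000);
""")

# 'audit' has exactly one employee, so the average IS lee's salary:
# the element is disclosed without ever being accessed directly.
avg, = conn.execute(
    "SELECT AVG(salary) FROM employees WHERE dept = 'audit'").fetchone()
print(avg)   # 70000.0 -- lee's salary, inferred from an aggregate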
Sidebar
6-2: Configuration Management and Access Control
Software engineers must address access
control when they manage the configurations of large computer systems. The code
of a major system and changes to it over time are actually a database. In many
instances multiple programmers make changes to a system at the same time; the
configuration management database must help ensure that the correct and most
recent changes are stored.
There are three primary ways to control
the proliferation of versions and releases [PFL06a].
Separate files: A separate file can be kept for each different version
or release. For instance, version 1 may exist for machines that store all data
in main memory, and version 2 is for machines that must put some data out to a
disk. Suppose the common functions are the same in both versions, residing in
components C1 through Ck, but memory management is done by component M1 for version 1 and M2 for version 2. If new
functionality is to be added to the memory management routines, keeping both
versions current and correct may be difficult; the results must be the same
from the user's point of view.
Deltas: One version of the system is deemed the main version, and all
other versions are considered to be variations from the main version. The
database keeps track only of the differences, in a file called a delta file.
The delta contains commands that are "applied" to the main version to
transform it into the alternative version. This approach saves storage space
but can become unwieldy.
Conditional compilation: All versions are handled by a single file,
and conditional statements are used to determine which statements apply under
which conditions. In this case, shared code appears only once, so only one correction
is needed if a problem is found. But the code in this single file can be very
complex and difficult to maintain.
In any of
these three cases, it is essential to control access to the configuration
files. It is common practice for two different programmers fixing different
problems to need to make changes to the same component. If care is not taken in
controlling access, then the second programmer can inadvertently
"undo" the changes made by the first programmer, resulting in not
only recurrence of the initial problems but also introduction of additional
problems. For this reason, files are controlled in several ways: they may be locked while one programmer makes changes, and they may be subject to review by a group of people called a configuration control board, which ensures that no changed file is put back into production without proper checking and testing. More information about these techniques can be found in [PFL06a].
Access Control
Databases are often separated
logically by user access privileges. For example, all users can be granted
access to general data, but only the personnel department can obtain salary
data and only the marketing department can obtain sales data. Databases are
very useful because they centralize the storage and maintenance of data.
Limited access is both a responsibility and a benefit of this centralization.
The database administrator
specifies who should be allowed access to which data, at the view, relation,
field, record, or even element level. The DBMS must enforce this policy,
granting access to all specified data or no access where prohibited.
Furthermore, the number of modes of access can be many. A user or program may
have the right to read, change, delete, or append to a value, add or delete
entire fields or records, or reorganize the entire database.
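A minimal sketch of such a policy (user names, object names, and modes are invented for illustration): an access control table keyed by user and object lists the permitted modes, and the DBMS checks each request against it:

# Access control sketch: the DBMS checks each requested mode against
# the administrator's policy before touching the data.
acl = {
    ("personnel", "salary"):  {"read", "write"},
    ("marketing", "sales"):   {"read"},
    ("anyone",    "general"): {"read"},
}

def check_access(user, obj, mode):
    """Grant the access only if the policy lists this mode for this user/object."""
    allowed = acl.get((user, obj), set())
    if mode not in allowed:
        raise PermissionError(f"{user} may not {mode} {obj}")

check_access("personnel", "salary", "write")    # permitted
try:
    check_access("marketing", "salary", "read") # not in the policy: denied
except PermissionError as e:
    print(e)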
Superficially, access control for a database
seems like access control for operating systems or any other component of a
computing system. However, the database problem is more complicated, as we see
throughout this chapter. Operating system objects, such as files, are unrelated
items, whereas records, fields, and elements are related. Although a user
cannot determine the contents of one file by reading others, a user might be
able to determine one data element just by reading others. The problem of
obtaining data values from others is called inference, and we consider it in
depth later in this chapter.
It is important to notice
that you can access data by inference without needing direct access to the
secure object itself. Restricting inference may mean prohibiting certain paths
to prevent possible inferences. However, restricting access to control
inference also limits queries from users who do not intend unauthorized access
to values. Moreover, attempts to check requested accesses for possible
unacceptable inferences may actually degrade the DBMS's performance.
Finally, size or granularity
is different between operating system objects and database objects. An access
control list of several hundred files is much easier to implement than an
access control list for a database with several hundred files of perhaps a
hundred fields each. Size affects the efficiency of processing.
User Authentication
The DBMS can require rigorous
user authentication. For example, a DBMS might insist that a user pass both
specific password and time-of-day checks. This authentication supplements the
authentication performed by the operating system. Typically, the DBMS runs as
an application program on top of the operating system. This system design means
that there is no trusted path from the DBMS to the operating system, so the
DBMS must be suspicious of any data it receives, including user authentication.
Thus, the DBMS is forced to do its own authentication.
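A minimal sketch of a DBMS doing its own checking, combining a salted password hash with the time-of-day restriction mentioned above (the user record and policy are invented; a production system would use a vetted authentication library):

import hashlib, os, datetime

def hash_password(password, salt):
    # PBKDF2 with a per-user salt; the parameters are illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Hypothetical user record the DBMS keeps for itself, independent of the OS.
salt = os.urandom(16)
users = {"pat": {"salt": salt,
                 "hash": hash_password("s3cret", salt),
                 "hours": range(8, 18)}}        # allowed 08:00-17:59

def dbms_authenticate(name, password, now=None):
    """Password check plus time-of-day check, done by the DBMS itself."""
    rec = users.get(name)
    if rec is None:
        return False
    if hash_password(password, rec["salt"]) != rec["hash"]:
        return False
    now = now or datetime.datetime.now()
    return now.hour in rec["hours"]             # reject off-hours logins

print(dbms_authenticate("pat", "s3cret",
                        datetime.datetime(2023, 5, 1, 10, 0)))   # True
print(dbms_authenticate("pat", "s3cret",
                        datetime.datetime(2023, 5, 1, 23, 0)))   # False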
Availability
A DBMS has aspects of both a
program and a system. It is a program that uses other hardware and software
resources, yet to many users it is the only application run. Users often take
the DBMS for granted, employing it as an essential tool with which to perform
particular tasks. But when the system is not available (busy serving other users or down to be repaired or upgraded), the users are very aware of a DBMS's
unavailability. For example, two users may request the same record, and the
DBMS must arbitrate; one user is bound to be denied access for a while. Or the
DBMS may withhold unprotected data to avoid revealing protected data, leaving
the requesting user unhappy. We examine these problems in more detail later in
this chapter. Problems like these result in high availability requirements for
a DBMS.
Integrity/Confidentiality/Availability
The three aspects of computer security (integrity, confidentiality, and availability) clearly relate to database
management systems. As we have described, integrity applies to the individual
elements of a database as well as to the database as a whole. Thus, integrity
is a major concern in the design of database management systems. We look more
closely at integrity issues in the next section.
Confidentiality is a key
issue with databases because of the inference problem, whereby a user can
access sensitive data indirectly. Inference and access control are covered
later in this chapter.
Finally, availability is important because of
the shared access motivation underlying database development. However,
availability conflicts with confidentiality. The last sections of the chapter
address availability in an environment in which confidentiality is also
important.