Abstract
As organizations increase their reliance on information systems for daily business, they become more vulnerable to security breaches. Though a number of techniques, such as encryption and electronic signatures, are currently available to protect data when transmitted across sites, a truly comprehensive approach for data protection must also include mechanisms for enforcing access control policies based on data contents, subject qualifications and characteristics, and other relevant contextual information, such as time. It is well understood today that the semantics of data must also be taken into account in order to specify effective access control policies. Also, techniques for data integrity and availability specifically tailored to database systems must be adopted. In this respect, over the years the database security community has developed a number of different techniques and approaches to assure data confidentiality, integrity, and availability. However, despite such advances, the database security area faces several new challenges. Factors such as the evolution of security concerns, the ‘disintermediation’ of access to data, new computing paradigms and applications, such as grid-based computing and on-demand business, have introduced both new security requirements and new contexts in which to apply and possibly extend current approaches. In this chapter, we first survey the most relevant concepts underlying the notion of database security and summarize the most well-known techniques. We then discuss current challenges for database security and some preliminary approaches that address some of these challenges.
© 2007 Springer-Verlag Berlin Heidelberg
Bertino, E., Byun, JW., Kamra, A. (2007). Database Security. In: Petković, M., Jonker, W. (eds) Security, Privacy, and Trust in Modern Data Management. Data-Centric Systems and Applications. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69861-6_7
DOI: https://doi.org/10.1007/978-3-540-69861-6_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69860-9
Online ISBN: 978-3-540-69861-6