Part of the book series: Data-Centric Systems and Applications (DCSA)

Abstract

As organizations increase their reliance on information systems for daily business, they become more vulnerable to security breaches. Though a number of techniques, such as encryption and electronic signatures, are currently available to protect data when transmitted across sites, a truly comprehensive approach for data protection must also include mechanisms for enforcing access control policies based on data contents, subject qualifications and characteristics, and other relevant contextual information, such as time. It is well understood today that the semantics of data must also be taken into account in order to specify effective access control policies. Also, techniques for data integrity and availability specifically tailored to database systems must be adopted. In this respect, over the years the database security community has developed a number of different techniques and approaches to assure data confidentiality, integrity, and availability. However, despite such advances, the database security area faces several new challenges. Factors such as the evolution of security concerns, the ‘disintermediation’ of access to data, new computing paradigms and applications, such as grid-based computing and on-demand business, have introduced both new security requirements and new contexts in which to apply and possibly extend current approaches. In this chapter, we first survey the most relevant concepts underlying the notion of database security and summarize the most well-known techniques. We then discuss current challenges for database security and some preliminary approaches that address some of these challenges.
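The abstract's central point is that database access control must be decided per row from the data's content, the subject's attributes and context such as the time of access, not just from a static grant on a table. The following is an added example, not code from the chapter or its authors, of the classic way that is enforced inside a DBMS: policy predicates are appended to the user's query before it runs (query rewriting, the mechanism behind products such as Oracle's Virtual Private Database). The table, policies, subjects and rows are constructed for illustration; the `employees` schema, the `:user`/`:dept` bind names and the business-hours window are assumptions, and the engine is a closed policy (no applicable policy means no rows).

```python
"""Fine-grained, context-aware access control by query rewriting (added example).

Each policy is a positive authorization: a SQL predicate over the protected
table, optionally restricted to certain roles and to a time-of-day window.
For a given subject and time, the predicates of all applicable policies are
OR-ed together and appended to the query; values taken from the subject
(user name, department) are bound as parameters, never interpolated.
All names, tables and rows below are constructed for illustration.
"""
import sqlite3
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Table names cannot be bound as parameters, so the policy layer only
# accepts tables it explicitly knows about (assumed schema: employees).
ALLOWED_TABLES = {"employees"}


@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    department: str


@dataclass(frozen=True)
class Policy:
    table: str
    roles: frozenset                 # roles granted; empty means any role
    predicate: str                   # row filter; may use :user and :dept
    window: Optional[tuple] = None   # (start, end) as local time of day

    def applies(self, subject: Subject, now: datetime) -> bool:
        """Subject qualification (role) and temporal context (window)."""
        if self.roles and subject.role not in self.roles:
            return False
        if self.window is not None:
            start, end = self.window
            if not (start <= now.time() < end):
                return False
        return True


POLICIES = [
    # staff: only the record they own (content-based: row owner == subject)
    Policy("employees", frozenset({"staff"}), "owner = :user"),
    # managers: every record of their own department (subject attribute)
    Policy("employees", frozenset({"manager"}), "department = :dept"),
    # auditors: all records, but only during business hours (temporal context)
    Policy("employees", frozenset({"auditor"}), "1 = 1", (time(9, 0), time(17, 0))),
]


def build_query(subject: Subject, table: str, now: datetime, policies=POLICIES):
    """Rewrite 'SELECT name FROM table' with the subject's effective predicate."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not exposed through the policy layer: {table}")
    preds = [f"({p.predicate})" for p in policies
             if p.table == table and p.applies(subject, now)]
    # Closed policy: with no applicable authorization nothing is visible.
    where = " OR ".join(preds) if preds else "0"
    sql = f"SELECT name FROM {table} WHERE {where} ORDER BY name"
    return sql, {"user": subject.user, "dept": subject.department}


def visible_names(conn, subject: Subject, now: datetime, table="employees"):
    """Run the rewritten query and return the names the subject may see."""
    sql, params = build_query(subject, table, now)
    return [row[0] for row in conn.execute(sql, params)]


def sample_db():
    """Constructed in-memory data set (not from the chapter)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees "
                 "(name TEXT, owner TEXT, department TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", [
        ("Alice", "alice", "eng", 120000),
        ("Bob", "bob", "eng", 95000),
        ("Carol", "carol", "sales", 80000),
    ])
    return conn


def clock(hour: int, minute: int = 0) -> datetime:
    """Fixed constructed access time on an arbitrary weekday."""
    return datetime(2024, 1, 15, hour, minute)


if __name__ == "__main__":
    db = sample_db()
    for subj, when in [(Subject("alice", "manager", "eng"), clock(10)),
                       (Subject("bob", "staff", "eng"), clock(10)),
                       (Subject("dan", "auditor", "audit"), clock(10)),
                       (Subject("dan", "auditor", "audit"), clock(22)),
                       (Subject("eve", "guest", "eng"), clock(10))]:
        sql, _ = build_query(subj, "employees", when)
        print(f"{subj.user:>5} {subj.role:>8} @{when:%H:%M}: "
              f"{visible_names(db, subj, when)}   [{sql}]")
```

Two design points matter in practice: the subject's attributes are passed as bind parameters so that a user name like `x' OR '1'='1` cannot alter the predicate, and the default is deny, so a role the policy set does not mention sees nothing rather than everything. The same rewriting can be extended to column-level restrictions (projecting `NULL` in place of a protected column) and to predicates over other context such as the client's network location.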



Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Bertino, E., Byun, JW., Kamra, A. (2007). Database Security. In: Petković, M., Jonker, W. (eds) Security, Privacy, and Trust in Modern Data Management. Data-Centric Systems and Applications. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69861-6_7

  • DOI: https://doi.org/10.1007/978-3-540-69861-6_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-69860-9

  • Online ISBN: 978-3-540-69861-6
