Database Security: Policies and Mechanisms

  • H. H. Brüggemann
Part of the International Centre for Mechanical Sciences book series (CISM, volume 347)


An introduction into policies and mechanisms of database security is given. Three different policy classes for access control are distinguished: Owner driven access control (discretionary access control), organization driven access control (mandatory access control), and access control with security levels (multi-level access control). After giving intentions and characterizations for each policy class, we present mechanisms usually used with those policies. Thus the access control matrix is presented with their different views from a subject (capability list), from a granule (access control list), and from an operation (method control list). Further mechanisms which are considered in connection with owner driven access control are propagation of rights, database views, and query modification. Organization driven access control is studied with respect to classification and clearance, the relationship between confidentiality and integrity, and the appropriate granularity of classification. The dissemination control policy and -in more detail- the chinese wall policy are presented as examples for this class of policies. Mechanisms of the lattice-based access control with security levels include polyinstantiation (used for information hiding and cover stories) and trusted subjects. A final criticism points out the author’s view of the strengths and weaknesses of each class of policies.


Access Control Security Level Security Attribute Access Control Policy Grant Option 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    Clark, D.D., Wilson, D.R.: A Comparison of Commercial and Military Computer Security Policies, in: IEEE Symposium on Security and Privacy, 1987, 184–194.Google Scholar
  2. [2]
    Brüggemann, H. H.: Concepts for Database Privacy, in this volume.Google Scholar
  3. [3]
    Department of Defense: Trusted Computer System Evaluation Criteria (Orange Book), Aug 1983 (revised 1985).Google Scholar
  4. [4]
    Commission of the European Communities, XIII-F: Information Technology Security Evaluation Criteria (ITSEC), Version 1. 2, June 1991.Google Scholar
  5. [5]
    Canadian System Security Centre: The Canadian Trusted Computer Product Evaluation Criteria, Version 3. 0, April 1992.Google Scholar
  6. [6]
    National Institute of Standards and Technology & National Security Agency: Federal Criteria for Information Technology Security, Version 1. 0, December 1992.Google Scholar
  7. [7]
    Brüggemann, H. H.: Object-oriented Authorization, in this volume.Google Scholar
  8. [8]
    Graubart, R.D., Woodward, J.P.L.: A preliminary naval surveillance dbms security model, in: IEEE Symposium on Security and Privacy, 1982, 21–37.Google Scholar
  9. [9]
    Denning, D., Akl, S.G., Morgenstern, M., Neumann, P.G., Schell, R.R., Heckman, M.: Views for multilevel database security, in: IEEE Symposium. on Security and Privacy, 1986, 156–172.Google Scholar
  10. [10]
    Brewer, D.F.C., Nash, M.J.: The Chinese Wall Security Policy, in: IEEE Symposium on Security and Privacy, 1989, 206–214.Google Scholar
  11. [11]
    Jensen McCollum, C., Messing, J.R., Notargiacomo, L.: Beyond the Pale of MAC and DAC–Defining New Forms of Access Control, in: IEÉE Symposium on Research in Security and Privacy, 1990, 190–200.Google Scholar
  12. [12]
    Bell, D.E., LaPadula, L.J.: Secure Computer Systems: Unified Exposition and Multics Interpretation, MTR-2997, The MITRE Corporation, Bedford, MA, July 1975 (ESD-TR-75–306).Google Scholar
  13. [13]
    Denning, D.E.R.: Cryptography and Data Security, Addison-Wesley, Reading, MA, 1982.MATHGoogle Scholar
  14. [14]
    Fernandez, E.B., Summers, R.C., Wood, C.: Database Security and Integrity, Addison-Wesley, Reading, MA, 1981.Google Scholar
  15. [15]
    Millen, J.K.: Models of Multilevel Computer Security, in: Advances in Computers, Vol. 29, 1989, 1–45.Google Scholar
  16. [16]
    Bell, D. E.: Putting Policy Commonalities to Work, in: Proc. 14th National Computer Security Conference, 1991, 456–471.Google Scholar
  17. [17]
    Biskup, J.: A general framework for database security, in: Proc. European Symposium on Research in Computer Security, Toulouse, Oct. 1990, 35–41.Google Scholar
  18. [18]
    Lunt, T.F., Fernandez, E.B.: Database Security, SIGMOD Record, Vol. 19, No. 4, (Dec 1990), 90–97.CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Wien 1994

Authors and Affiliations

  • H. H. Brüggemann
    • 1
  1. 1.University of HildesheimHildesheimGermany

Personalised recommendations