Abstract – Database security issues and challenges
Database security assures the security of databases against threats. It is concerned with information security control that involves data protection, database applications or stored functions protection, database systems protection, database servers, and the associated network link protection. Recently, security threats in mobile databases have become more common and we need to develop a solution to avoid those threats. A mobile database is a specialized class of distributed systems. Due to hardware constraints and its distributed nature, security challenges in mobile development have been raised. Security should be assured in its operating system, database and network. Traditional database security cannot deal with malicious attacks by persons with legal identities and is not cost-effective for users having different security requirements. The multilayer security model with user, OS, DBMS and transaction level intrusion tolerance integrates redundancy and various technologies by adopting an integral security strategy and service-oriented intrusion tolerance technology. Several techniques, such as encryption and electronic signatures, protect data transmissions across websites. For data protection, mechanisms are used that enforce access control policies based on data contents, subject qualifications and characteristics, and other relevant contextual information, such as time. The semantics of data is considered to specify active access control policies.
The network database system provides an open environment for information storage and management with massive data. A significant loss occurs once data loss, illegal tampering or code loss happens within the network database. The central database security risks are unauthorized or unintended activity or misuse by authorized database users, database administrators, or network or system managers, or by unauthorized users or hackers, inappropriate access to sensitive data, metadata or functions within databases, or inappropriate changes to the database programs, structures or security configurations. Also, malware infections causing incidents such as unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems and the unanticipated failure of database services may occur in the database. The performance overload constraints and capacity issues result in the inability of authorized users to use databases as intended. The physical damage to database servers caused by computer room fires or floods, overheating, lightning, accidental liquid spills, static discharge, electronic breakdowns or equipment failures and obsolescence is also a risk. The design flaws and programming bugs in databases and the associated programs and systems create security vulnerabilities that can lead to unauthorized privilege escalation, data loss or corruption, and performance degradation. Also, data corruption and loss caused by the entry of invalid data or commands, mistakes in database or system administration processes, and criminal damage pose security problems in databases.
Database Security Issues – Case Studies
Issues depend on security types and database threats.
Security Types include:
1. Legal and ethical issues regarding the right to access certain information. Some information may be private and cannot be accessed by unauthorized persons.
2. Policy issues at the governmental, institutional, or corporate level as to what kinds of information should not be made publicly available, for example, credit ratings.
3. System-related issues include system levels at which various security functions should be enforced, for example, whether a security function should be handled at the physical hardware, operating system, and DBMS levels.
4. The need in some organizations to identify multiple security levels and to categorize the data and users based on these classifications, for example, top secret, secret, confidential, and unclassified. The organisation’s security policy concerning permitting access to various data types must be enforced.
Database Threats include:
1. Loss of integrity – Database integrity refers to the requirement that information is protected from improper modification, including creation, insertion, modification, changing data status, and deletion. Integrity is lost if unauthorized changes are made to the data by either intentional or accidental acts. If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data will result in inaccuracy, fraud or erroneous decisions.
2. Loss of availability – Database availability refers to making objects available to a human user or a program to which they have a legitimate right.
3. Loss of confidentiality – Data confidentiality refers to data protection from unauthorized disclosure. The impact of disclosing confidential information can include violation of the data privacy act. Unauthorized, unanticipated or unintentional disclosure could result in a loss of public confidence or legal action against the organization.
Database Security Control Measures
Four main control measures are used to provide data security in databases. They are:
1. Access control – The security mechanism of a DBMS must include provisions for restricting access to the database as a whole. This function is called access control and is handled by creating user accounts and passwords to control the DBMS’s log-in process.
2. Inference control – Statistical databases provide statistical information or summaries of values based on various criteria. Security for statistical databases must ensure that information about individuals cannot be accessed. It is possible to deduce or infer specific facts concerning individuals from queries that involve only summary statistics on groups. Consequently, this must not be permitted either. This problem is called statistical database security, and corresponding control measures are called inference control measures.
3. Flow control – It prevents information from flowing in such a way that it reaches unauthorized users. Covert channels allow information to flow implicitly in ways that violate an organisation’s security policy.
4. Data encryption – It protects sensitive data transmitted via some communication network. Encryption can provide additional protection for sensitive portions of a database. The data is encoded using some coding algorithm. An unauthorized user who accesses encoded data will have difficulty deciphering it, but authorized users are given decoding or decryption algorithms to interpret data. Encrypting techniques are complicated to decode without a key and have been developed for military applications.
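The inference control measure in item 2 can be made concrete as a restriction on query sets. The following Python example is added here and is not part of the original report; the table staff, the threshold K, the function names and the rows are assumptions constructed for illustration. It withholds a summary when the group is too small, or when it differs from an already answered group by only a few records.

```python
import sqlite3

K = 3                        # assumed minimum query-set size
ALLOWED = {"dept", "grade"}  # columns a statistical user may filter on

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (id INTEGER PRIMARY KEY, "
                 "dept TEXT, grade TEXT, salary INTEGER)")
    rows = [  # constructed sample data
        (1, "ops", "junior", 40), (2, "ops", "junior", 42),
        (3, "ops", "junior", 44), (4, "ops", "senior", 90),
        (5, "dev", "junior", 50), (6, "dev", "junior", 52),
        (7, "dev", "senior", 80), (8, "dev", "senior", 82),
    ]
    conn.executemany("INSERT INTO staff VALUES (?,?,?,?)", rows)
    return conn

def avg_salary(conn, filters, answered):
    """Return AVG(salary) for the filter, or None if releasing it is unsafe.
    answered holds the id sets of summaries already released to this user."""
    if not set(filters) <= ALLOWED:
        raise ValueError("filter column not permitted")
    # Column names come from the allowlist; values are bound as parameters.
    where = " AND ".join(f"{c} = ?" for c in filters) or "1=1"
    ids = frozenset(r[0] for r in conn.execute(
        f"SELECT id FROM staff WHERE {where}", tuple(filters.values())))
    total = conn.execute("SELECT COUNT(*) FROM staff").fetchone()[0]
    # Size control: a tiny group, or a tiny complement, exposes individuals.
    if len(ids) < K or total - len(ids) < K:
        return None
    # Overlap control: two summaries whose groups differ by fewer than K
    # rows could be subtracted to isolate those rows.
    if any(0 < len(ids ^ prev) < K for prev in answered):
        return None
    answered.append(ids)
    marks = ",".join("?" * len(ids))
    return conn.execute(
        f"SELECT AVG(salary) FROM staff WHERE id IN ({marks})",
        tuple(ids)).fetchone()[0]
```

With the sample rows, the average for dept "ops" is released, after which the average for "ops" juniors is withheld because the two groups differ by a single employee.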
Here are a few additional ideas for database security control measures.
- Implementing multi-factor authentication for database access
- Regularly updating and patching the database software
- Conducting regular security audits and vulnerability assessments
- Limiting user access to the database to only those who require it
- Encrypting sensitive data within the database
- Implementing role-based access control (RBAC) to ensure users only have access to necessary data
- Monitoring database activity for suspicious behaviour
- Protecting the database from SQL injection attacks
- Implementing database backup and recovery procedures
- Creating and enforcing strong password policies for database users
Challenges of Database Security
Due to the vast growth in the speed of threats to databases, research efforts need to be devoted to issues like:
1. Data quality
The database community needs techniques and organizational solutions to assess and attest to data quality. These techniques include simple mechanisms such as quality stamps posted on websites. It also requires techniques to provide more effective integrity semantics verification and tools for assessing data quality based on techniques such as record linkage. Application-level recovery techniques are also needed for automatically repairing incorrect data. The Extract Transform Load tools widely used to load data in data warehouses are grappling with these issues.
2. Intellectual property rights
With the widespread use of the Internet and Intranets, data’s legal and informational aspects are becoming organisations’ primary concerns. Watermarking techniques for relational data have recently been proposed to address these concerns. The primary purpose of digital watermarking is to protect content from unauthorized duplication and distribution by enabling provable ownership of the content. It has traditionally relied upon the availability of a large noise domain within which the object can be altered while retaining its essential properties. However, research is needed to assess the robustness of such techniques and investigate different approaches to preventing intellectual property rights violations.
3. Database Survivability
Database systems must operate and continue their functions despite disruptive events such as information warfare attacks, even with reduced capabilities. A DBMS, in addition to making every effort to prevent an attack and detecting one in the event of occurrence, should be able to do the following:
a. Confinement – Take immediate action to eliminate the attackers’ access to the system and to isolate or contain the problem to prevent further spread.
b. Damage assessment – Determine the extent of the problem, including failed functions and corrupted data.
c. Reconfiguration – Reconfigure to allow the operation to continue in a degraded mode while recovery proceeds.
d. Repair – Repair corrupted or lost data and repair or reinstall failed system functions to reestablish a normal level of operation.
e. Fault treatment – To the extent possible, identify the weakness exploited in the attack and take steps to prevent a recurrence.
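Damage assessment (step b) can be automated when the audit trail records what each transaction read and wrote. The following Python example is added here and is not part of the original report; it assumes a serial history in commit order and that a transaction's writes depend only on what it read, and the transaction names, items and function assess_damage are constructed for illustration.

```python
def assess_damage(history, malicious):
    """history: (txn, read_set, write_set) tuples in commit order.
    malicious: transaction ids already attributed to the attacker.
    Returns the transactions to undo, the innocent transactions that
    used corrupted data, and the items still corrupted at the end."""
    bad = set(malicious)
    dirty = {}      # item -> transaction that last corrupted it
    affected = []   # innocent transactions that read corrupted items
    for txn, reads, writes in history:
        # Reading a corrupted item makes the reader's own writes suspect.
        if txn not in bad and dirty.keys() & reads:
            bad.add(txn)
            affected.append(txn)
        if txn in bad:
            for item in writes:
                dirty[item] = txn
        else:
            for item in writes:
                dirty.pop(item, None)  # clean overwrite repairs the item
    return {
        "undo": [t for t, _, _ in history if t in bad],
        "affected": affected,
        "corrupted": dict(sorted(dirty.items())),
    }

# Constructed sample history; T2 is the transaction flagged as malicious.
HISTORY = [
    ("T1", set(), {"a"}),
    ("T2", {"a"}, {"b"}),
    ("T3", {"b"}, {"c"}),        # read b after T2 wrote it
    ("T4", {"a"}, {"d"}),
    ("T5", {"d"}, {"b"}),        # overwrites b from clean input
    ("T6", {"c", "d"}, {"e"}),   # read c, which T3 corrupted
]

if __name__ == "__main__":
    print(assess_damage(HISTORY, {"T2"}))
```

The "corrupted" items are the ones to isolate during confinement and restore during repair, and the "undo" list gives the transactions to roll back and re-execute.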
The goal of the information warfare attacker is to damage the organization’s operation and the fulfilment of its mission through the disruption of its information systems. The target of an attack may be the system itself or its data. While the attacks that bring the system down outright are severe and dramatic, they must also be well timed to achieve the attackers’ goal since attacks will receive immediate and concentrated attention to get the system back to operational condition, diagnose how the attack took place and install preventive measures.
Factors such as the evolution of security concerns, the disintermediation of data access, and new computing paradigms and applications, such as grid-based computing and on-demand business, have introduced new security requirements and new contexts in which to apply and possibly extend current approaches to achieve data security. These information security measures include access control, auditing, authentication, encryption, integrity controls, backups and application security. The security designs for specific database systems specify security administration and management functions such as administration and reporting of user access rights, log management and analysis, database replication or synchronization and backups, along with various business-driven information security controls within the database programs and functions, for example, data entry validation and audit trails. Also, various security-related activities, such as manual controls, are generally incorporated into the procedures and guidelines relating to database design, development, configuration, use, management and maintenance.
Collegelib.com prepared and published this seminar report on Database security for Engineering degree students’ seminar topic preparation. Before shortlisting your topic, you should do your research in addition to this information. Please include Reference: Collegelib.com and link back to Collegelib in your work.
- First published in Collegelib.com: March / 2013
- Updated with recent trends: March / 2023