Issue in Information System Operation Management (ISOM) Database security
Introduction
Increase in the use of internet has increased the vulnerabilities of databases for many corporations. Many organizations operate and maintain their brands through ensuring that databases containing client information is well protected. According to Bertino and Sandhu (1), the proliferation of web-based applications increases the risk of exposure of databases. Database security has been a challenge since the beginning of use of databases in the 1970s.
Every effort to improve technological advancement has led to an increase in the attacks on databases. Recent cases have been reported of hackers accessing private information from different databases of different organizations. Information accessed includes social security numbers and credit card information. With such information, the hackers are able to make credit cards and use it to gain millions of dollars from unsuspecting innocent individuals. Business applications interacting with databases increase the vulnerability of the databases.
Most organizations are employing the use of online systems. For instance, banking systems have implemented the use of online banking systems as a means of reducing costs. However, the accomplishment of such systems depends on the security protocols that are implemented in such a system. Even with different measures taken to reduce attacks, vulnerabilities continue to exist and thus organizations need to have a continuous way of ensuring that any attacks are handled as quickly as possible. A constant review of security policies in databases is important as threats to database security are expected to increase. Knowledge and information on database security is important for all personnel in organizations. Users of online systems also need to be aware of the risks they may encounter in using online services. A review of past efforts and current efforts in addressing database security are provided in the following sections. Additionally, emerging research in database security is also provided.
Past Efforts to Deal with the Issue
Prior to 1970s, much of the research and early work has been on the statistical database security (Thuraisingham 55). The most important accepts in statistical database security involve aggregation and inference (Gollmann 168). Aggregation relates to examining the differences in sensitivity levels of an aggregate computed over a group of values in a database and the sensitivity levels of individual elements. Attackers normally use the differences in sensitivity levels to have access to the sensitive items in the database. When it comes to inference, sensitive information is normally being obtained from non-sensitive data. Inference control mechanisms have been applied to handle security issues in statistical database security. This mechanism ensures that information on individuals cannot be accessed through inferring summary statistics from queries (Singh 115).
Preventing access to queries can also be referred to as query restriction approach. According to Adam and Jones (103), query restriction approach involves several measures. One of these measures involves restricting the query set size. In restricting the query size, a statistic is only released if the number of entities included in the response to the query surpasses a certain value set by the database administrator. Secondly, the query restriction approach may involve the restriction of overlapping entities among successive queries of a given user (Adams and Jones 103). Thirdly, a constant audit of the query logs may ensure that any possible compromises are detected in cases where new queries are issued.
The introduction of relational databases in the 1970s generated much attention to access control issues. Two of the most significant access control models include the discretionary access control model and the mandatory security models. In the discretionary access control model, access to users is only for data objects (Thuraisingham 56). The data objects include objects, files, relations, and data items. Bidgoli (381) notes that access rights on the objects are provided to other entities only if the object owner allows it. The discretionary access control model provides the least restrictions compared to the mandatory access control. Further, the discretionary access control model allows the object owner to have total control over all the objects they own and the programs that are associated with those objects (Ciampa 230). As such, the end user has a high level of privileges, which provides an avenue for attackers to exploit. One avenue is that the end user may fail to set proper security permissions, which can result to an unauthorized subject gaining access to the database. Secondly, certain programs may have the ability to inherit the permissions that have been set by the owner. Mostly this occurs in malware programs that have the ability to install themselves without the owner’s permission.
Flow control is applied to prevent information from flowing in a manner that will allow it to reach unauthorized users. Most of this flow of information occurs through covert channels. The covert channels develop mostly from Trojan horses (Bertino and Sandhu 4). Mostly, this affects the discretionary access control models. Limiting access to databases is also important to ensure that security is enhanced. Having a high number of personnel with access to a database may increase its vulnerability since certain users may fall victim to certain emails or updates received via email. Attackers normally use this avenue to lure unsuspecting victims. Security policies are normally modified to ensure that employees do not use company resources to access personal emails.
According to Hu, Kuhn, Xie and Hwang (103) mandatory access control mostly relates with controlling the activities of legitimate users and monitors every attempt the user uses to access a resource in the system. As such, the mandatory access control offers more restriction compared to the discretionary access control model. A mandatory access control uses three forms of control to ensure database security. These include policies, models, and mechanisms. The mandatory access control policies are used to provide information on the management of access to resources in the system. Consequently, this will include high-level requirements on who will access certain information and under what circumstances such information is to be accessed (Hu, Kuhn Xie and Hwang 104). The implementation of the mandatory access control policies is through mechanisms that utilize certain structures such as a table lookup, which can be used to deny or grant access. Mandatory access control models are used to ensure proper implementation of the policies set forth.
Rittinghouse and Hancock (66) indicate that mandatory access control is synonymous with resource security label. These security labels perform different functions such as providing protective measures or supplementing the handling instructions. As such, only specific labels can be used to initiate certain sessions. The security labels provide a very strong form of access control. However due to the complexity and cost, the security labels are best suited for very strict security requirements concerning information such as government, financial or research and development in different organizations. An advantage of the security labels is that they cannot be easily changed since they are permanently linked to specific information. Consequently, any user accessible data is not revealed following the users actions of copying information and changing access rights on a file to make it more accessible (Rittinghouse and Hancock 67). Thus, such properties of the security label help avoid human errors and malicious software problems, which may compromise data.
Current Efforts to Improve Database security
Modern innovations have led to the advancement of non-discretionary access control model. In this model, resource access depends on the policies and control objectives rather than the users’ access. A good example of non-discretionary access control model is the role-based access control. In this model, the users are assigned to specific roles. Additionally, each role has permission and thus the users can have the permissions as long as they become a member of a role (Rittinghouse and Hancock 69). Since the users’ access to objects depends on roles, users only can access limited number of roles. Consequently, authorization management is much more simplified. Users only need to be given authorization for a specific role rather than being provided with all the required authorizations. Once a user is changes their function in an organization, the next approach is to remove the permission of the user in a certain role. According to Bertino and Sandhu (8), the role-based access models normally have separation of duty constraints. Users with a large number of authorizations may be compromised, and this may cause the whole database to be compromised. Thus, application of separation of duty ensures that such a situation does not occur. Users having limited authorizations ensure that in case of a compromise only minimal damage can occur. Furthermore, the separation of different permissions can ensure that instances of fraud are reduced internally.
The advent of the internet and complexity of computer systems has resulted to an increase in security concerns for many databases. As such, new security approaches are being employed to ensure database security. Many organizations store their primary data in databases, which form good targets for attackers. These organizations currently employ database encryption to ensure the attacker’s time to access the database is increased. According to Bosworth (100), databases are placed in systems where they can only be accessed through secured connections and volume disk encryption has been used. Database-specific encryption provides stricter control regarding access since different keys and passwords may be required to access the different databases. Database encryption can be costly hence; legal and regulatory issues need to be taken into consideration with regard to the business risk. If the databases contain information that may lead to criminal and civil liabilities if they fall into the long hands, database encryption may be recommended even if the system may become slower.
Physical security of the database location needs also to be controlled. Only certain individuals need to have access to the physical location of the databases. Consequently, frequent backups of databases are necessary to ensure quick recovery in case of physical destruction (Burtescu 450).
Use of online services in different transactions has increased the threat to database security tremendously. Services that depend on online systems such as online banking and online payment services fall prey to attacks from unauthorized personnel. Attackers normally exploit failures in security systems in networks. Additionally, unauthorized access may occur internally from an unauthorized employee. Firewalls are responsible for establishing a chronological log of activities and transactions in the network environments of the company to develop a trail of documentation that can be useful in auditing any suspicious events. Any changes to a database can easily be detected, and authenticity can be checked to ensure that it is not malicious. Levine and Shim (250), note that firewalls validate the user and the application being requested before any updates to the databases are executed.
According to Vacca and Ellis (240), firewalls limits access to private networks from the internet and limits employee access to certain network areas. However, they may not be sufficient to prevent attacks to databases. Antivirus programs are currently being used to supplement firewall security in various databases. These come in handy with the increase in viruses, worms, and other malicious programs.
Two-factor authentication is also another current effort that improves security of databases (Stavroulakis 267). The use of single static passwords can be easily intercepted over networks. Two-factor authentication ensures that most of the problems related to single static passwords are eliminated. In a two-factor authentication or double authentication, two different factors are used to authenticate the user. Such a system is common in the online banking systems or networks. For example, users use an ATM card together with a personal identification number. The same can be applied in physical security of databases locations. Security personnel and other authorized cards with magnetic strips together with a personal identification number to gain access to the physical locations of the databases.
Companies are also implementing tracking and tracing measures once database security breaches occur (Gregory 236). Such measures are implemented by use of seed names, which are agents that appear to be customers normally inserted to view any unauthorized use in the database. Such as system allows an organization to be in a position to detect any abuse to the system before any complaints from customers develop. In the process, loss of reputation and damage to the brand can be prevented. Notification requirements of any data breaches are also significant. Certain law requires organizations to provide notifications of any data breaches to allow assistance to be provided to the personnel affected.
Emerging research in database security
Bertino and Sandhu (4) indicate emerging areas of research in database security. One of these areas of research is the consideration of databases as services that can be outsourced to external companies. Much of the effort is being focused on developing query-processing techniques for encrypted data. Additionally, research is being done on privacy-preserving techniques for databases.
Most of the databases contain private information of individuals and organizations and in some cases; such information may fall into the hands of third parties. As such, privacy-preserving techniques are employed to handle such cases. Prior to releasing such information, organizations can employ data anonymization where all data linking items to individuals are removed (Bertino and Sandhu 14). Information removed in this process may include social security numbers and names of individuals.
Data mining has provided more challenges to increasing database security. Bertino and Sandhu (16) propose a second technique of privacy preservation that can tackle data mining. Approaches used normally aim at reducing the confidence of sensitive association rules. However, such a technique may compromise the data and make it useless.
Resolution
There is no one perfect resolution that can enhance database security. Database security can be enhanced by a combination of different current efforts. One effort may lack the ability to handle a certain specific attack or vulnerability. As such, one needs to have certain best practices based on the current efforts discussed above. It may involve setting encryption levels to optimum especially in databases having very sensitive information. Additionally, any backups to the databases need to be encrypted. More importantly one needs to note that threats to databases can be external or internal thus, precaution in terms of encryption needs to be done at all levels.
Furthermore, it is important for the organizations to employ the use of web application firewalls and antivirus programs. There is a high number of web applications on the internet. Attackers normally deploy malicious programs through different web applications that are designed to cripple database security. Furthermore, antivirus programs need to be continually updated. Additionally, any patches in the databases need to be regularly updated to ensure security protocols are able to prevent attacks. Constant assessments of vulnerabilities need to be conducted to ensure that database patches are up to date.
Further, it is important not to ignore the physical security of databases. Security personnel can employ the concept of double authentication in accessing the databases. Importantly, in cases where the personnel misplace their security cards it is impossible for an unauthorized entry to occur without having knowledge of the personal identification number.
Informing client of any data breaches can be effective in reducing the effect of such breaches. For instance, in cases where attackers gain access to credit card information, customers can be able to cancel their credit card details with their respective banks. Additionally, banks can be able to put limits on ATM withdrawals to ensure customers are not adversely affected by the use of fake credit cards. Furthermore, organizations need to put in place tracking and tracing measures to ensure that the origin of data breaches is located. Additionally, the application and use of role-based access control can help limit the compromise to the database system. Having one user with many authorizations increases the risk of exposure in case the user is compromised.
Addressing database security needs to be at a multidimensional approach. Certain attacks may bypass the firewalls and antivirus programs installed in the database or networks. As such, the database needs to have multilevel layers of security, which can be effective in slowing down attackers’ access to sensitive company information. In addition, companies need to consider the emerging concepts such as data anonymization. Techniques employed to reduce access to sensitive company information need to ensure that the usefulness of the information is not distorted especially in situations where the aim is to control data mining.
New attacks will develop every day and the database administrator needs to be always prepared to handle such attacks. Every organization needs to make database security a top priority in the running of the organization. Lack of such support may cripple any little efforts that can enhance database security.
Works Cited
Adam, Nabil R., and Douglas H. Jones. "Security Of Statistical Databases With An Output Perturbation Technique." Journal Of Management Information Systems 6.1 (1989): 101-110. Business Source Complete. Web. 22 Nov. 2014. http://content.ebscohost.com/ContentServer.asp?T=P&P=AN&K=5757772&S=R&D=bth&EbscoContent=dGJyMNHX8kSeqLA4zOX0OLCmr0yep7NSsK%2B4SLKWxWXS&ContentCustomer=dGJyMPGntUmxrbRMuePfgeyx44Dt6fIA
Bertino, Elisa, and Ravi Sandhu. "Database Security—Concepts, Approaches, and Challenges." IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 2.1 (2005): 2-19. Web. http://www.profsandhu.com/journals/ieee-depend-dbsec-05.pdf
Burtescu, Emil. "Database Security - Attacks And Control Methods." Journal Of Applied Quantitative Methods 4.4 (2009): 449-454.Academic Search Premier. Web. 22 Nov. 2014. http://eds.a.ebscohost.com/ehost/pdfviewer/pdfviewer?sid=1df80d2e-e476-489f-a694-593b1e9c8abb%40sessionmgr4003&vid=3&hid=4105
Bidgoli, Hossein. Handbook of Information Security Volume 3. Hoboken: John Wiley & Sons, 2006. Internet resource. http://books.google.co.ke/books?id=bdxJhKW0e8wC&printsec=frontcover&dq=Handbook+of+Information+Security+Volume+3&hl=en&sa=X&ei=8PJwVPzBLoGqPLuTgcAP&redir_esc=y#v=onepage&q=Handbook%20of%20Information%20Security%20Volume%203&f=false
Bosworth, Seymour, Michel E. Kabay, and Eric Whyne. Computer Security Handbook. Hoboken, N.J: John Wiley & Sons, 2009. Internet resource. http://books.google.co.ke/books?id=2yPcGF5HhaoC&printsec=frontcover&dq=Computer+Security+Handbook.&hl=en&sa=X&ei=JPNwVJbIEYGzPeLGgKgK&redir_esc=y#v=onepage&q=Computer%20Security%20Handbook.&f=false
Ciampa, Mark D. Security+ Guide to Network Security Fundamentals. Clifton Park, N.Y: Delmar Learning, 2008. Print. http://books.google.co.ke/books?id=VWsJAAAAQBAJ&printsec=frontcover&dq=Security%2B+Guide+to+Network+Security+Fundamentals&hl=en&sa=X&ei=VPNwVM2rKsqvPMy9gOgL&redir_esc=y#v=onepage&q=Security%2B%20Guide%20to%20Network%20Security%20Fundamentals&f=false
Gollmann, Dieter. Computer Security. Hoboken, N.J: Wiley, 2010. Print. http://books.google.co.ke/books?id=KTYxTfyjiOQC&printsec=frontcover&dq=Gollmann,+Dieter.+Computer+Security&hl=en&sa=X&ei=nPNwVOiwNcHNOKrJgdAG&redir_esc=y#v=onepage&q=Gollmann%2C%20Dieter.%20Computer%20Security&f=false
Gregory, Adrian. "Conserving Customer Value: Improving Data Security Measures In Business." Journal Of Database Marketing & Customer Strategy Management 15.4 (2008): 233-238. Business Source Complete. Web. 22 Nov. 2014. http://content.ebscohost.com/ContentServer.asp?T=P&P=AN&K=36091784&S=R&D=bth&EbscoContent=dGJyMNHX8kSeqLA4zOX0OLCmr0yep7NSsau4TLWWxWXS&ContentCustomer=dGJyMPGntUmxrbRMuePfgeyx44Dt6fIA
Hu, Vincent C., et al. "Model Checking For Verification Of Mandatory Access Control Models And Properties." International Journal Of Software Engineering & Knowledge Engineering 21.1 (2011): 103-127. Business Source Complete. Web. 22 Nov. 2014. http://content.ebscohost.com/ContentServer.asp?T=P&P=AN&K=61062334&S=R&D=bth&EbscoContent=dGJyMNHX8kSeqLA4zOX0OLCmr0yep7NSsay4TbaWxWXS&ContentCustomer=dGJyMPGntUmxrbRMuePfgeyx44Dt6fIA
Levine, Marc H., and Jae K. Shim. The International Handbook of Computer Networks. Barming, Kent: Trentop Management, 2004. Print. http://books.google.co.ke/books?id=Mj0fxtM89U0C&printsec=frontcover&dq=.+The+International+Handbook+of+Computer+Networks.&hl=en&sa=X&ei=XPRwVMjBEYXZPdv5gMAL&redir_esc=y#v=onepage&q=.%20The%20International%20Handbook%20of%20Computer%20Networks.&f=false
Rittinghouse, John W, and Bill Hancock. Cybersecurity Operations Handbook. Amsterdam: Elsevier Digital Press, 2003. Internet resource. http://books.google.co.ke/books?id=BKYSfjEsi78C&printsec=frontcover&dq=Cybersecurity+Operations+Handbook&hl=en&sa=X&ei=jfRwVJvbKYLAOdengfAG&redir_esc=y#v=onepage&q=Cybersecurity%20Operations%20Handbook&f=false
Singh, Brijendra. Network Security and Management. New Delhi: PHI Learning Pvt., 2011. Print. http://books.google.co.ke/books?id=lSSCZCk9_nEC&pg=PA239&dq=Network+Security+and+Management&hl=en&sa=X&ei=q_RwVJjKLsTiO5zagYAG&redir_esc=y#v=onepage&q=Network%20Security%20and%20Management&f=false
Stavroulakis, Peter, and Mark Stamp. Handbook of Information and Communication Security. Heidelberg: Springer, 2010. Print. http://books.google.co.ke/books?id=I-9P1EkTkigC&printsec=frontcover&dq=Handbook+of+Information+and+Communication+Security.&hl=en&sa=X&ei=5vRwVI3UPITPOJC5gagI&redir_esc=y#v=onepage&q=Handbook%20of%20Information%20and%20Communication%20Security.&f=false
Thuraisingham, Bhavani M. Database and Applications Security: Integrating Information Security and Data Management. Boca Raton, FL: Auerbach Publications, 2005. Print. http://books.google.co.ke/books?id=Htm0xlmn5ewC&printsec=frontcover&dq=Database+and+Applications+Security:+Integrating+Information+Security+and+Data+Management.&hl=en&sa=X&ei=CvVwVPegCILCOeOQgbgH&redir_esc=y#v=onepage&q=Database%20and%20Applications%20Security%3A%20Integrating%20Information%20Security%20and%20Data%20Management.&f=false
Vacca, John R, and Scott Ellis. Firewalls: Jumpstart for Network and Systems Administrators. Amsterdam: Elsevier Digital, 2005. Internet resource. http://books.google.co.ke/books?id=ipvoml8c9zcC&printsec=frontcover&dq=Firewalls:+Jumpstart+for+Network+and+Systems+Administrators.&hl=en&sa=X&ei=LfVwVJb3D8WrPNeCgbgB&redir_esc=y#v=onepage&q=Firewalls%3A%20Jumpstart%20for%20Network%20and%20Systems%20Administrators.&f=false