Abstract
This research paper is about the importance of Database Security. What security models are available? How are they essential in preventing unwanted or unintended activities? This research answers these questions. This study is very significant because this issue affects overall computer security. There have been various research carried out by individual researchers as well as other institutions on this topic. The scholars have more or less agreed about my topic, and my paper argues for a better interpretation. For a better understanding of the topic, Database Security entails the system, processes, and procedures used in protecting a database from any unintended activity (Bertino & Kamra, 2007). This study also looks into various security models, security implementation, and their relationship to web databases. Database security can be attained through a properly organized organization of the specifications; however, its uniqueness is not affected. This study covers the specifications. This research also looks into the execution of security methods in a database system that is object oriented. Generally, in computer security, authorization specifications are essential. Authorization manages admission to the system. This study also looks into ways of authorization specification methods that are out there.
Methodology
This study utilizes a comparative case study as a methodology. Moreover, this research utilizes the benefits attached to the use of comparative case studies in discussion of the topic, Database Security. Information dealing with this research topic is in abundance. The fact that this research previews other preceding researches gives it an added advantage. It ascertains different information put forward, which deals with Database Security.
Research findings
For a better understanding of Database Security, this research defines what database is and what it entails. A database is a computerized record keeping system that involves data, hardware, and software to store data, provide a systematic method of retrieving or changing the data, and the users who finally turn the obtained data into information (Bertino & Kamra, 2007). Databases are essential in that they solve problems dealing with file-oriented systems. Databases are secure, compact, accurate, fast, current, easy to use, and allowed easy sharing of data between multiple users.
A database could be simple, for example, a collection of electronic business cards on a laptop, or they can be complex and demanding, for example, an account tracking system employed by banks to manage changing accounts of its customers; it all depends with the use or business. Database allows storage of data and its modification so that it can be easy to store it. Previously, database ran on large and powerful mainframes for numerous applications. However, with the coming of small and powerful personal computers, the databases have become easier to use. Databases have become vital in the design, development, and services offered by web sites.
Over the years, databases have been successful in keeping unauthorized individuals from seeing the data. In today's world, there is an increase in the importance of privacy of any data stored. Many people always want an assurance that their data is cannot be accessed. When data is put into the database, it can be encrypted by the use of an encryption password, which is supplied by the user. The password given must be supplied to decrypt the data in any case that the data has been retrieved.
As defined earlier, Database Security is the system, Processes, as well as procedures that prevent a database from any unintended activity. Unintended activities could include malicious attacks, authenticated misuse, inadvertent mistakes that can be made by authorized processes or individuals. It is significant to note that Database Security is a specialty within computer security.
Over time, databases have always been protected from any external connections by routers or firewalls on the network perimeter. This happens with the environment surrounding the database existing on the internal network, and not within a demilitarized zone. Moreover, there were additional network security devices that were able to detect and alert on any malicious database protocol traffic. They included network intrusion detection systems together with intrusion detection systems that were hot-based.
It is also essential to note that Database Security becomes more critical when networks become more open (Bertino & Sandhu, 2005). Databases usually provide numerous layers and kinds of information security as specified in the data dictionary. They include auditing, access control, integrity controls, authentication and encryption.
Database Security is a process that could possibly begin with the creation and publishing of recommended security standards for the database environment. The standards could include specific controls for the different database platforms; linkages of these standards to high-level policies as well as governmental regulations; and practices that cross over platforms mentioned earlier.
In the evaluation of database security, it is vital to perform vulnerability assessments against the database (Bertino & Sandhu, 2005). A vulnerability assessment is aimed at attempting to find vulnerability holes, which could be significant in the event of breaking into the database. Information security administrators or database administrators usually run vulnerability scans on databases to find out any misconfiguration of controls within the layers as mentioned earlier. This is done together with known vulnerabilities that might be within database software. It then follows that any intruder can use the results from the scans in the event of hardening the database to mitigate the threat of compromise.
Another essential assignment for mission critical database environments is the program of continual monitoring aimed at making sure that they comply with database security standards. There are two significant aspects of database security compliance, the review and management of public permissions granted to objects that are within the database, and patch management (Yang, 2009). Database objects may comprise table or objects that have been listed in the table link. All permissions that have been granted for SQL language commands on various objects are usually considered in this process. It is essential to note that, compliance monitoring looks similar to vulnerability assessment. The only difference arises from the results of the vulnerability assessments, which drive the security standards that end up in the continuous monitoring program. Vulnerability assessment is an essential procedure in determining risk in cases where compliance program is an on-going risk assessment.
The compliance program is supposed to take into account any existing dependencies at the application software level. This is because any change at the database level may affect the application server or the application software. It is imperative that authorization mechanisms and application level authentication be taken into consideration as an essential way of providing abstraction from the database layer. The foremost benefit attached to abstraction is that of a mono sign-on capability across multiple database platforms or databases themselves. A single sign-on system is supposed to store the database credentials of the users, that is, the login id and password, in addition to authenticating to the database in place of the user.
Another addition to the security layer of a sophisticated nature is a real-time database activity monitoring. This can take place by observing local database activity on each of the servers by using software agents, analyzing protocol traffic over the network, or both. It is imperative that one uses agents or native logging to capture activities that have been executed on the database server. This can include the activities captured or undertaken in the database administrator. Agents usually allow this information to be captured in a manner that cannot be disabled by the database administrator. The database administrator has the capability of modifying or disabling native audit logs.
In order for policy breaches or known exploits to be captured or identified, an analysis can be performed. Moreover, baselines can be captured over time to build a normal pattern, which can then be used to detect any anomalous activity that could indicate intrusion. These types of systems are capable of providing a comprehensive Database audit trail as well as the mechanism that could detect intrusion. In addition to all these, some systems can provide protection quarantining users that demonstrate any suspicious behavior or terminating user sessions. There are systems that also support separation of duties (SOD). This is an essential requirement by auditors. It requires that the database administrators who are under surveillance as part of the DAM do not alter or disable the DAM functionally. This will then require that DAM audit trail be stored in a secure and separate system that cannot be administered by the database administration group.
For numerous database platforms, native database audit capabilities are available in addition to the use of external tools for auditing or monitoring. The native audit trails are usually removed regularly and then transferred to a security system where database administrators cannot access them. In the event of turning on native, the performance of the server is always impacted. It is assumed that the native audit trails of database do not usually give enough controls to separate duties. It is then that the network provides a much higher degree of confidence for the purpose of forensics and preservation of existing evidence.
A database security program is presumed to include the regular review of permissions, which have been granted accounts that are individually owned as well as those used by automated processes (Bertino & Sandhu, 2005). Those accounts used by automated processes are required to have appropriate controls dealing with password storage, for example, access controls that reduce the risk of compromise and sufficient encryption. In cases of individual accounts, a system that is characterized by two-factor authentication should be considered. The database environment should be that where risk is same as the expenditure for the authentication system.
Together with a sound database security program, the correct disaster recovery program should be in place to make sure that service is never interrupted in case of a security incident or any other that end in an outage of the primary database environment. An excellent example is the replication for primary databases to sites that are in different geographical regions.
In case an incident takes place, the use of database forensics should be put to use to determine the magnitude of the breach, in addition identifying the necessary changes to the systems or processes aimed at preventing incidents like those ones to take place.
Of late, issues surrounding database security have been doing the rounds on internet news-wires and the media. Criminals accessing a huge number of credit card numbers (Baker & Hutton, 2009). While the use of internet has been on the increase, it seems that people have relaxed in the implementation of basic security practices. More often than not, security administrators are left to do their own business. Any higher security administrator leaves them to manage security issues of the systems with no oversight. By this, who makes sure that these system administrators follow the laid security guidelines? How will an organization then make sure that all of its system administrators follow up with the latest patches?
In general, database security can be integrated into a number of various key points such as Database Connections, Server Security, Restricting Database Access, and Table Access Control (Bertino & Sandhu, 2005). Server Security is the process that involves limiting the actual access to the Database Server; this is the most vital security angle that should be planned carefully. It is imperative that, every server be configured to allow only IP addresses. If in any case the database server supplies information to an application that is homegrown, which runs on an internal network, then it is essential that it answers to addresses that are within the internal network only. It is not advisable to host a database on the same server, which houses internal database information. While it is tempting to allow immediate updates to a database that have no authentication, one should be strict. All updates should be validated to ensure that all updates are safe and warranted.
Table Access Control is among forms of database security that have been overlooked. This is because it is not easy to apply it. The proper use of Table access control will demand that both system administrator and database developer cooperate. It is essential to note that all applications that are web-enable have ports that they have continuous communication. The main question that arises from this topic is should businesses trust their employees to protect sensitive corporate information? Survey has it that most of database security breaches have always involved insiders. The most significant challenge for most companies today is to balance between protecting sensitive information and providing workers with the necessary and appropriate access.
Security Models
For many companies, a multi-factored security approached in ensuring safety. This approach has been built on what is known as the defense-in-depth principle. It introduces the use of multiple mechanisms to replace the role security model and the traditional user. This translates to controls, restrictions as well as boundaries set up so that not all with database access can use freely, or alter any sensitive information. These mechanisms can be broken down further to four categories: rules, realms, roles and policies.
Realms are always established for encapsulating an existing application or a set of database objects within a protection zone. The advantage with a consolidated database is that information silos are eliminated and economies of scale increased. However, any information that is within a database may require a different level of protection. If a company segments a database into mini-virtual databases that are private, then employees will only gain access to information that is essential for their jobs only (Jaquith, 2007). Companies can then monitor and control the application of sensitive information as well as retrieve data usage records for auditing as wanted.
In the application of rules, they restrict operations basing upon specific needs and requirements. This is done by the use of domain specific or environmental decision factors such as machine, database, authentication modes, time-of-day, and IP addresses. A good example is that, a corporation can prevent an administrator from making any change to the database system when it is outside normal working hours or from outside corporate intranet. Such types of rules can be vital because employees usually require remote access to corporate information. It is imperative to note that companies can only be able to restrict select information flow over IP addresses that have been pre-approved (Knox, 2004).
By viewing system policies, it is essential to note that, the schema of a database usually defines the type and structure of contents that is contained in each of the data element within the structure. New database security technologies have made restrictions easier. Restrictions can be set to prevent employees who have access to sensitive information from attempts to modifying the schema. By separating data management and the schema, the policy supports the separation of duties principle, which then allows DBAs to do their database management duties while the security administrator is left to protect the database infrastructure.
Companies should target striking an efficient balance between the required workflow practices, needs of the employees, and corporate security policies. Most organizations nowadays are faced with the challenges of evolving technologies, changing business needs, shifting economic pressures and changing business needs. A security model that is multi-factored can be used as among the best defense in protecting a company. This is done with the support of the appropriate technologies and comprehensive policies. Companies could also think of using a Comprehensive Database Security Model. This is a security model that does not require any elevated privilege for code, but allows host sharing multiple applications, full table security, and structural immunity to SQL injection (Zellan, 2003).
If a developer wants to host multiple database applications on a server, the applications will have numerous needs. Some will allow surfers to enter the site and create accounts while others will be private where administrators are the ones to make user accounts. Some of the applications will not have sensitive data; however, in all the cases administrators must have the capacity to manage the accounts by themselves. It is essential that the system be structurally immune to any SQL injection. With all these requirements, the question is will there be enough security? The answer is yes. There are models that can be made to cope with all the above demands.
Security Implementation
Two methods can be used in handling connections to a database. The first is to provide users with real database accounts, and then use a single account in signing in to the database. However, a security model like single sign-on has issues by itself. Single sign-on entirely prevents the requirement that authorized agents can connect to the database, read and write values. Single Sign-on requires the existence of a connection at the top most privilege level that a system user might have. This completely violates the requirement that code usually runs at the lowest privilege level. Single Sign-on is the main architectural flaw that makes SQL injection a possibility.
If the public users are granted with database accounts and they end up connecting to them, then the security must be taken care of within the database by itself. It then breaks down to a number of issues. First, groups are defined as collections of users that are supposed to share permissions at the table level. Secondly, it is to be decided which groups are to be allowed privileges such as select, update, insert, and delete on which tables. It then follows that there can be granting or revoking of the above privileges on the server when the database is being built. To finish, column security could come in handy.
It is imperative to note that many of public sites allow users to view all information when they have not yet logged on, for example an eCommerce site. A social site may allow limited viewing of member profiles, however, a finance application is not supposed to share anything to the public. For a solution that takes care of both named cases, a deny-by-default model can be applied. It allows each application to have an option of having anonymous account.
In deny-by-default, databases are usually built to ensure that no group has permission on any of the tables. It is then that when programming a social site, certain permission has to be granted to the anonymous account. On the other hand, finance programming does not require any other application, since the system is already secured. It is essential to keep in mind that a social site allows anyone to sign up and create an account. This means that the application has to create accounts on the database server.
Relation to Web Databases
The Internet and the Web would not be useful if users were not able to access databases online. The Web allows browsers to search and find information in databases. Organizations can conduct Web-bases businesses by giving browsers outside the organization an access to their database. The corporations must link their databases to the Internet. There are numerous uses of databases. They can be used catalogs. Catalog databases usually allow users to look for items by keywords or combinations of them. Many sites do provide a local search engine, which scours the pages that are of a particular site.
Web databases could also be used as libraries of articles, movie clips, books, and CDs. These sites include local search engine that allows its users to search for keywords in an entire article, author name or a title. Most of these databases are not owned by schools, however, they are operated by other organizations specialized in the running of library databases. Thirdly, Web databases can be used in directories. It could include names, telephone numbers, addresses, and e-mail addresses. Another use of Web databases is in client lists and profiles. More often than not, users do access databases only for updating or inserting their personal records.
Technically, online databases used through Web browsers are the same as other databases; however, an interface must be present to work in conjunction with the web. The user is given a form to enter keywords or queries to gain information from the database. The interface design must then provide a mechanism to parse information that users fill in the online forms. This is to ensure that data can be put in the proper fields in the database.
Conclusion
A database can be described as a record keeping system that is computerized. It is a system that involves data, hardware, and software to store data, provide a systematic method of retrieving or changing the data, and the users who finally turn the obtained data into information. Databases help in solving problems dealing with file-oriented systems. Databases came in handy because they were secure, compact, accurate, fast, current, easy to use, and allowed easy sharing of data between multiple users.
A database could be simple or complex and demanding; it all depends with the use or business. Database allows storage of data and its modification so that it can be easy to store it. Previously, database ran on large and powerful mainframes for numerous applications. However, with the coming of small and powerful personal computers, the databases have become easier to use. Databases have become vital in the design, development, and services being offered by web sites.
It is also essential to note that, over the years, databases have been successful in keeping unauthorized individuals from seeing the data. In today's world, there is an increase in the importance of privacy of any data that has been stored. Many people always want an assurance that their data will not be accessed. When data is put into the database, it can be encrypted by the use of an encryption password, which is supplied by the user. The password given must be supplied to decrypt the data in any case that the data has been retrieved.
Database Security is the system, Processes, and procedures that prevent a database from unintended activities (Bertino & Kamra, 2007). Unintended activities could include malicious attacks, authenticated misuse, inadvertent mistakes that can be made by authorized processes or individuals. It is significant to note that Database Security is a specialty within computer security.
There has been debate on database security. This is because most recent criminals have been able to access a huge number of credit card numbers. With the rise in the use of internet, it seems that people have relaxed in the implementation of basic security practices. It is therefore imperative that businesses make sure that their databases are secure. They should ensure that system administrators follow the laid security guidelines and they follow up with the latest patches.