Chapter 6

Database Security
Outline
 Objectives of Database security
 Scope of database security
 Countermeasures: computer based controls
 Access Control Policies
 DAC
 MAC
 RBAC

Advanced Database System – Ch6: Database Security Slide 2


Objectives of Database Security
 Confidentiality: Information should not be
disclosed to unauthorized users.
 For example, a student should not be allowed
to examine other students’ grades.
 Integrity: Only authorized users should be
allowed to modify data.
 For example, students may be allowed to see
their grades, yet not allowed to modify them.
 Availability: Authorized users should not be
denied access.
 For example, an instructor who wishes to change a
grade should be allowed to do so.
Scope of database security
 “Database security”:
 The mechanisms that protect the
database against intentional or
accidental threats.
• Includes:
• hardware
• software
• people
• data



Scope of database security
Threats

Countermeasures: computer based controls
“BRAVE”
 Backup and Journaling
 RAID technology
 Authorization
 Views
 Encryption
Types of countermeasures range from:
– Physical controls to
– Administrative procedures
NB: despite the wide range of controls, generally a DBMS is only as secure as its operating system!

Backup and recovery
 Backup: the process of periodically (at frequent
and regular intervals) taking a copy of the
database (and possibly programs) on to offline
storage media kept in a secure location, suitable
for rapid recovery from a fault.
 Journaling: the process of keeping and
maintaining online a log file (journal) containing
all the changes made to the database to enable
recovery to be undertaken effectively in the
event of failure.



RAID Technology
 DBMS hardware needs to be fault tolerant:
 Disk drives, disk controllers, CPU, power supplies and
cooling fans.
 Disk drives are the most vulnerable.
 RAID (Redundant Array of Independent Disks)
 several independent unreliable disks “look like” one big
reliable disk
 organized to increase performance and improve
reliability.
 Performance is increased through data striping:
 Data is segmented into equal-size partitions (the
striping unit).
 These are spread across multiple disks
 Striping improves overall I/O performance via
parallelism.



Authorization
 Authorization: the granting of a right or privilege that
enables a subject to have legitimate access to a system or a
system’s object.
 Authorization controls (access controls) are built into the
software. They govern:
• what systems or objects a specified user can access (e.g.
database tables, views, procedures, triggers) and
• what the user may do with them.
 Authentication: a mechanism that determines whether a user
is who he or she claims to be.
 A system administrator (DBA) is usually responsible for
allowing users access by creating user accounts. Each user
is given a unique identifier. The identifier has a password
associated with it.



Views
 View: a view is the dynamic result of the interaction of one or more relational operations with the base relations, which produces another relation.
 It is a virtual relation in that it does not exist in the database but is produced upon request by a given user at a particular time.
 The view is a powerful and flexible security mechanism as it hides parts of the database from certain users.



Encryption
 “Masks” data for secure transmission or
storage
 Used to protect highly confidential or sensitive
data
 Encrypt(data, encryption key) = encrypted data
 Decrypt(encrypted data, decryption key) =
original data
 Without the decryption key, the encrypted data is meaningless gibberish
 Data must be decrypted before the receiver can read it



Access Control
 Its function is to control which (active) subjects have access to which (passive) objects with some specific access operation.
 Elements of access control: subject, object and access operations or rights

subject → access operation → object



Access Control
 Subject: active entity that requests access to an object
 e.g., user or program
 Object: passive entity accessed by a subject
 e.g., record, relation, file
 Access right (privileges)/operation: how a subject is allowed to access an object
- e.g., subject s can read object o



Access Control Matrix
 Subjects S = { s1, …, sn }
 Objects O = { o1, …, om }
 Rights R = { r1, …, rk }
 Entries A[si, oj] ⊆ R
 A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj
The matrix has one row per subject (s1, s2, …, sn) and one column per object (o1, o2, …, om); the entry in row si, column oj holds that subject’s rights over that object.



Access Control Policies
 Discretionary Access Control (DAC)

 Mandatory Access Control (MAC)

 Role-Based Access Control (RBAC)



Discretionary Access Control (DAC)
 For each subject (user), access rights to the objects are defined by the individual user who owns the object.
 User/individual based
 The typical method of enforcing DAC in a database system is based on the granting and revoking of privileges.
 GRANT = give right/privilege
 REVOKE = cancel given right
 Problems:
- Propagation of access rights
- Revocation of propagated access rights
DAC by Grant and Revoke
Brown (owner of the Employee relation) issues:
GRANT SELECT ON Employee TO Black WITH GRANT OPTION
GRANT UPDATE(Salary) ON Employee TO White
Black, holding the grant option, then issues:
GRANT SELECT ON Employee TO Red
? Brown revokes the grant given to Black
? Brown does not want Red to access the Employee relation



Propagation of Privileges
 Whenever the owner A of a relation R grants a
privilege on R to another account B, privilege can be
given to B with or without the GRANT OPTION.
 If the GRANT OPTION is given, this means that B can
also grant that privilege on R to other accounts.
 Suppose that B is given the GRANT OPTION by A and
that B then grants the privilege on R to a third account
C, also with GRANT OPTION. In this way, privileges on
R can propagate to other accounts without the
knowledge of the owner of R.
 If the owner account A now revokes the privilege
granted to B, all the privileges that B propagated based
on that privilege should automatically be revoked by
the system.



DAC
 Restricts access to objects based solely on the identity of users who are trying to access them.
Individuals → Resources (Server 1, Server 2, Server 3)



An Example
 Suppose that the DBA creates four accounts
 A1, A2, A3, A4
 E.g. CREATE USER A1 IDENTIFIED BY passA1;
 and wants only A1 to be able to create base relations.
 Then the DBA must issue the following GRANT command in SQL:
GRANT CREATETAB TO A1;



An Example(2)
 Suppose that A1 creates the two base relations EMPLOYEE and DEPARTMENT
 A1 is then owner of these two relations and hence holds all the relation privileges on each of them.
 Suppose that A1 wants to grant A2 the privilege to insert and delete tuples in both of these relations, but A1 does not want A2 to be able to propagate these privileges to additional accounts:
GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;
An Example(3)
 Suppose that A1 wants to allow A3 to retrieve
information from either of the two tables and also to
be able to propagate the SELECT privilege to other
accounts.
 A1 can issue the command:
GRANT SELECT ON EMPLOYEE, DEPARTMENT
TO A3 WITH GRANT OPTION;
 A3 can grant the SELECT privilege on the
EMPLOYEE relation to A4 by issuing:
GRANT SELECT ON EMPLOYEE TO A4;
 Notice that A4 can’t propagate the SELECT privilege
because GRANT OPTION was not given to A4



An Example(4)
 Suppose that A1 decides to revoke the
SELECT privilege on the EMPLOYEE relation
from A3; A1 can issue:
REVOKE SELECT ON EMPLOYEE FROM A3;
 The DBMS must now automatically revoke
the SELECT privilege on EMPLOYEE from
A4, too, because A3 granted that privilege
to A4 and A3 does not have the privilege
any more.
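The cascading revocation in this example, together with the “Propagation of Privileges” slide and the access-matrix entry A[s, o] introduced earlier, as an added Python simulation; this is illustrative code written for this page, not the slide deck’s own code or any DBMS’s implementation. The accounts A1, A3, A4, the relation EMPLOYEE and the SELECT privilege follow the slides; the DACCatalog class, its method names and slide_scenario are assumptions introduced here.

```python
from collections import defaultdict


class DACCatalog:
    def __init__(self):
        self.owners = {}                 # object -> owning account
        self.grants = defaultdict(list)  # (object, privilege) -> [(grantor, grantee, grant_option)]

    def create(self, owner, obj):
        self.owners[obj] = owner

    def grantors(self, obj, priv):
        """Owner plus every account reachable from the owner via WITH GRANT OPTION
        grants; computing this outward from the owner defeats mutual-grant cycles."""
        able = {self.owners[obj]}
        changed = True
        while changed:
            changed = False
            for grantor, grantee, option in self.grants[(obj, priv)]:
                if option and grantor in able and grantee not in able:
                    able.add(grantee)
                    changed = True
        return able

    def grant(self, grantor, priv, obj, grantee, grant_option=False):
        if grantor not in self.grantors(obj, priv):
            raise PermissionError(f"{grantor} may not grant {priv} on {obj}")
        self.grants[(obj, priv)].append((grantor, grantee, grant_option))

    def revoke(self, grantor, priv, obj, grantee):
        key = (obj, priv)
        self.grants[key] = [g for g in self.grants[key] if (g[0], g[1]) != (grantor, grantee)]
        # Cascade: drop every grant made by an account that can no longer grant.
        able = self.grantors(obj, priv)
        self.grants[key] = [g for g in self.grants[key] if g[0] in able]

    def has(self, account, priv, obj):
        # True if the access-matrix entry A[account, obj] contains priv.
        return (self.owners.get(obj) == account or
                any(ge == account for _, ge, _ in self.grants[(obj, priv)]))


def slide_scenario():
    # Slides above: A1 grants A3 WITH GRANT OPTION, A3 grants A4, then A1 revokes from A3.
    cat = DACCatalog()
    cat.create("A1", "EMPLOYEE")
    cat.grant("A1", "SELECT", "EMPLOYEE", "A3", grant_option=True)
    cat.grant("A3", "SELECT", "EMPLOYEE", "A4")
    before = cat.has("A4", "SELECT", "EMPLOYEE")
    cat.revoke("A1", "SELECT", "EMPLOYEE", "A3")
    return before, cat.has("A4", "SELECT", "EMPLOYEE")  # (True, False)
```

Because grantors() is computed outward from the owner, two accounts that granted the privilege to each other WITH GRANT OPTION both lose it when the owner revokes, instead of keeping each other’s grant alive; a one-step “did my grantor still hold it?” check would miss that case.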



An Example(5)
 Suppose that A1 wants to give back to A3 a limited
capability to SELECT from the EMPLOYEE relation and
wants to allow A3 to be able to propagate the
privilege.
 The limitation is to retrieve only the NAME, BDATE, and
ADDRESS attributes and only for the tuples with DNO=5.
 A1 then creates the view:
CREATE VIEW A3EMPLOYEE AS
SELECT NAME, BDATE, ADDRESS
FROM EMPLOYEE
WHERE DNO = 5;
 After the view is created, A1 can grant SELECT on the view
A3EMPLOYEE to A3 as follows:
GRANT SELECT ON A3EMPLOYEE TO A3
WITH GRANT OPTION;



An Example(6)
 Finally, suppose that A1 wants to allow A4 to update only the SALARY attribute of EMPLOYEE;
 A1 can issue:
GRANT UPDATE ON EMPLOYEE (SALARY) TO A4;
 The UPDATE or INSERT privilege can specify particular attributes that may be updated or inserted in a relation.



RBAC
• Roles permit the common privileges for a class of users to be specified just once by creating a corresponding “role”
• E.g. CREATE ROLE teacher;
• Privileges can be granted to or revoked from roles
• E.g. GRANT SELECT, INSERT, UPDATE, DELETE ON grades TO teacher;
• Roles can be assigned to users, and even to other roles
• E.g. GRANT teacher TO user1;
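The role model described above (privileges granted to roles, roles granted to users and to other roles), as an added Python model that is not the slide deck’s own code. The role teacher, the table grades, its four privileges and user1 come from the slides; dept_head, user2 and the RoleCatalog class and method names are assumptions introduced here.

```python
from collections import defaultdict


class RoleCatalog:
    def __init__(self):
        self.role_privs = defaultdict(set)     # role -> {(privilege, object)}
        self.granted_roles = defaultdict(set)  # user or role -> roles granted to it

    def create_role(self, role):
        self.role_privs.setdefault(role, set())

    def grant_privileges(self, privs, obj, role):
        self.role_privs[role].update((p, obj) for p in privs)

    def revoke_privileges(self, privs, obj, role):
        self.role_privs[role].difference_update((p, obj) for p in privs)

    def roles_of(self, principal):
        """Roles held directly or through other roles (transitive closure)."""
        held, todo = set(), [principal]
        while todo:
            for r in self.granted_roles[todo.pop()]:
                if r not in held:
                    held.add(r)
                    todo.append(r)
        return held

    def grant_role(self, role, grantee):
        # GRANT role TO grantee; grantee may itself be a role (role hierarchy).
        if role == grantee or grantee in self.roles_of(role):
            raise ValueError(f"granting {role} to {grantee} would create a role cycle")
        self.granted_roles[grantee].add(role)

    def revoke_role(self, role, grantee):
        self.granted_roles[grantee].discard(role)

    def privileges_of(self, user):
        return set().union(*(self.role_privs[r] for r in self.roles_of(user)))


def slide_scenario():
    """teacher role and user1 from the slides; dept_head and user2 are constructed."""
    cat = RoleCatalog()
    cat.create_role("teacher")
    cat.grant_privileges(["SELECT", "INSERT", "UPDATE", "DELETE"], "grades", "teacher")
    cat.grant_role("teacher", "user1")
    cat.create_role("dept_head")
    cat.grant_role("teacher", "dept_head")   # role granted to another role
    cat.grant_role("dept_head", "user2")
    return cat
```

Because privileges are resolved through roles_of() at check time, moving a user between roles (revoke_role / grant_role) changes what they can do without touching any privilege grant, which is the point of “users change frequently, roles don’t”.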



RBAC
Individuals → Roles (Role 1, Role 2, Role 3) → Resources (Server 1, Server 2, Server 3)
Users change frequently, roles don’t


MAC
 Access control is specified by a central system administrator, not by users
 Rigid and the most secure security policy, mostly used in military settings
 Based on multilevel security:
 Top secret > secret > confidential > restricted > unclassified





MAC
 Access rights: defined by comparing the security classification of the requested object with the security clearance of the subject
 Two required properties for confidentiality:
 No read up: a subject can only read an object at a lower or equal security level
 No write down: a subject can only write into an object at a greater or equal security level
 Clearance and classification are determined by the administrator; users cannot override the security policy
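The no-read-up / no-write-down rules over the slides’ five levels, applied to single requests and to a multilevel relation, as an added Python check that is not the slide deck’s own code. The function names, the EMPLOYEE sample rows and their classification labels are constructed here for illustration.

```python
# Security levels from the slides, lowest to highest.
LEVELS = ["unclassified", "restricted", "confidential", "secret", "top secret"]
RANK = {level: i for i, level in enumerate(LEVELS)}


def dominates(a, b):
    """True if level a is greater than or equal to level b."""
    return RANK[a] >= RANK[b]


def may_read(clearance, classification):
    # No read up: the subject's clearance must dominate the object's classification.
    return dominates(clearance, classification)


def may_write(clearance, classification):
    # No write down: the object's classification must dominate the subject's clearance.
    return dominates(classification, clearance)


def decide(clearance, operation, classification):
    """Mediate one request; the administrator-assigned labels are the only input,
    so no user can grant their way around the result."""
    if operation == "read":
        return may_read(clearance, classification)
    if operation == "write":
        return may_write(clearance, classification)
    raise ValueError(f"unknown operation {operation!r}")


def visible_rows(clearance, rows):
    """Multilevel relation: a subject sees only the tuples it may read.
    rows are (classification, tuple) pairs."""
    return [t for label, t in rows if may_read(clearance, label)]


# Constructed sample: an EMPLOYEE relation with one classification label per tuple.
EMPLOYEE = [
    ("unclassified", ("Alice", "Research")),
    ("confidential", ("Bob", "Administration")),
    ("secret", ("Carol", "Headquarters")),
    ("top secret", ("Dave", "Headquarters")),
]
```

Note that may_write() lets a confidential-cleared subject write into a secret object it cannot read back; the two rules protect confidentiality only, as the slide says, and do not by themselves protect integrity.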
