Integrity and Security:Security and Authorization
Security and Authorization
The data stored in the database need protection from unauthorized access and malicious destruction or alteration, in addition to the protection against accidental introduction of inconsistency that integrity constraints provide. In this section, we examine the ways in which data may be misused or intentionally made inconsistent. We then present mechanisms to guard against such occurrences.
Security Violations
Among the forms of malicious access are:
• Unauthorized reading of data (theft of information)
• Unauthorized modification of data
• Unauthorized destruction of data
Database security refers to protection from malicious access. Absolute protection of the database from malicious abuse is not possible, but the cost to the perpetrator can be made high enough to deter most if not all attempts to access the database without proper authority.
To protect the database, we must take security measures at several levels:
• Database system. Some database-system users may be authorized to access only a limited portion of the database. Other users may be allowed to issue queries, but may be forbidden to modify the data. It is the responsibility of the database system to ensure that these authorization restrictions are not vi- olated.
• Operating system. No matter how secure the database system is, weakness in operating-system security may serve as a means of unauthorized access to the database.
• Network. Since almost all database systems allow remote access through terminals or networks, software-level security within the network software is as important as physical security, both on the Internet and in private networks.
• Physical. Sites with computer systems must be physically secured against armed or surreptitious entry by intruders.
• Human. Users must be authorized carefully to reduce the chance of any user giving access to an intruder in exchange for a bribe or other favors.
Security at all these levels must be maintained if database security is to be ensured. A weakness at a low level of security (physical or human) allows circumvention of strict high-level (database) security measures.
In the remainder of this section, we shall address security at the database-system level. Security at the physical and human levels, although important, is beyond the scope of this text.
Security within the operating system is implemented at several levels, ranging from passwords for access to the system to the isolation of concurrent processes running within the system. The file system also provides some degree of protection. The bibliographical notes reference coverage of these topics in operating-system texts. Finally, network-level security has gained widespread recognition as the Internet has evolved from an academic research platform to the basis of international electronic commerce. The bibliographic notes list textbook coverage of the basic principles of network security. We shall present our discussion of security in terms of the relational-data model, although the concepts of this chapter are equally applicable to all data models.
Authorization
We may assign a user several forms of authorization on parts of the database. For example,
• Read authorization allows reading, but not modification, of data.
• Insert authorization allows insertion of new data, but not modification of existing data.
• Update authorization allows modification, but not deletion, of data.
• Delete authorization allows deletion of data.
We may assign the user all, none, or a combination of these types of authorization.
In addition to these forms of authorization for access to data, we may grant a user authorization to modify the database schema:
• Index authorization allows the creation and deletion of indices.
• Resource authorization allows the creation of new relations.
• Alteration authorization allows the addition or deletion of attributes in a relation.
• Drop authorization allows the deletion of relations.
The drop and delete authorization differ in that delete authorization allows deletion of tuples only. If a user deletes all tuples of a relation, the relation still exists, but it is empty. If a relation is dropped, it no longer exists.
We regulate the ability to create new relations through resource authorization. A user with resource authorization who creates a new relation is given all privileges on that relation automatically.
Index authorization may appear unnecessary, since the creation or deletion of an index does not alter data in relations. Rather, indices are a structure for performance enhancements. However, indices also consume space, and all database modifications are required to update indices. If index authorization were granted to all users, those who performed updates would be tempted to delete indices, whereas those who is- sued queries would be tempted to create numerous indices. To allow the database administrator to regulate the use of system resources, it is necessary to treat index creation as a privilege.
The ultimate form of authority is that given to the database administrator. The database administrator may authorize new users, restructure the database, and so on. This form of authorization is analogous to that of a superuser or operator for an operating system.
Authorization and Views
In Chapter 3, we introduced the concept of views as a means of providing a user with a personalized model of the database. A view can hide data that a user does not need to see. The ability of views to hide data serves both to simplify usage of the system and to enhance security. Views simplify system usage because they restrict the user’s attention to the data of interest. Although a user may be denied direct access to a relation, that user may be allowed to access part of that relation through a view. Thus, a combination of relational-level security and view-level security limits a user’s access to precisely the data that the user needs.
In our banking example, consider a clerk who needs to know the names of all customers who have a loan at each branch. This clerk is not authorized to see information regarding specific loans that the customer may have. Thus, the clerk must be denied direct access to the loan relation. But, if she is to have access to the information needed, the clerk must be granted access to the view cust-loan, which consists of only the names of customers and the branches at which they have a loan. This view can be defined in SQL as follows:
Clearly, the clerk is authorized to see the result of this query. However, when the query processor translates it into a query on the actual relations in the database, it produces a query on borrower and loan. Thus, the system must check authorization on the clerk’s query before it begins query processing.
Creation of a view does not require resource authorization. A user who creates a view does not necessarily receive all privileges on that view. She receives only those privileges that provide no additional authorization beyond those that she already
had. For example, a user cannot be given update authorization on a view without having update authorization on the relations used to define the view. If a user creates a view on which no authorization can be granted, the system will deny the view creation request. In our cust-loan view example, the creator of the view must have read authorization on both the borrower and loan relations.
Granting of Privileges
A user who has been granted some form of authorization may be allowed to pass on this authorization to other users. However, we must be careful how authorization may be passed among users, to ensure that such authorization can be revoked at some future time.
Consider, as an example, the granting of update authorization on the loan relation of the bank database. Assume that, initially, the database administrator grants update authorization on loan to users U1, U2, and U3, who may in turn pass on this authorization to other users. The passing of authorization from one user to another can be represented by an authorization graph. The nodes of this graph are the users.
The graph includes an edge Ui → Uj if user Ui grants update authorization on loan to Uj . The root of the graph is the database administrator. In the sample graph in Figure 6.6, observe that user U5 is granted authorization by both U1 and U2; U4 is granted authorization by only U1.
A user has an authorization if and only if there is a path from the root of the authorization graph (namely, the node representing the database administrator) down to the node representing the user.
Suppose that the database administrator decides to revoke the authorization of user U1. Since U4 has authorization from U1, that authorization should be revoked as well. However, U5 was granted authorization by both U1 and U2. Since the database administrator did not revoke update authorization on loan from U2, U5 retains update authorization on loan. If U2 eventually revokes authorization from U5, then U5 loses the authorization.
A pair of devious users might attempt to defeat the rules for revocation of authorization by granting authorization to each other, as shown in Figure 6.7a. If the database administrator revokes authorization from U2, U2 retains authorization through U3, as in Figure 6.7b. If authorization is revoked subsequently from U3, U3 appears to retain authorization through U2, as in Figure 6.7c. However, when the database administrator revokes authorization from U3, the edges from U3 to U2 and from U2 to U3 are no longer part of a path starting with the database administrator.
We require that all edges in an authorization graph be part of some path originating with the database administrator. The edges between U2 and U3 are deleted, and the resulting authorization graph is as in Figure 6.8.
Notion of Roles
Consider a bank where there are many tellers. Each teller must have the same types of authorizations to the same set of relations. Whenever a new teller is appointed, she will have to be given all these authorizations individually.
A better scheme would be to specify the authorizations that every teller is to be given, and to separately identify which database users are tellers. The system can use these two pieces of information to determine the authorizations of each person who is a teller. When a new person is hired as a teller, a user identifier must be allocated to him, and he must be identified as a teller. Individual permissions given to tellers need not be specified again.
The notion of roles captures this scheme. A set of roles is created in the database. Authorizations can be granted to roles, in exactly the same fashion as they are granted to individual users. Each database user is granted a set of roles (which may be empty) that he or she is authorized to perform.
In our bank database, examples of roles could include teller, branch-manager, auditor, and system-administrator.
A less preferable alternative would be to create a teller userid, and permit each teller to connect to the database using the teller userid. The problem with this scheme is that it would not be possible to identify exactly which teller carried out a transaction, leading to security risks. The use of roles has the benefit of requiring users to connect to the database with their own userid.
Any authorization that can be granted to a user can be granted to a role. Roles are granted to users just as authorizations are. And like other authorizations, a user may also be granted authorization to grant a particular role to others. Thus, branch
managers may be granted authorization to grant the teller role.
Audit Trails
Many secure database applications require an audit trail be maintained. An audit trail is a log of all changes (inserts/deletes/updates) to the database, along with in- formation such as which user performed the change and when the change was per- formed.
The audit trail aids security in several ways. For instance, if the balance on an account is found to be incorrect, the bank may wish to trace all the updates performed on the account, to find out incorrect (or fraudulent) updates, as well as the persons who carried out the updates. The bank could then also use the audit trail to trace all the updates performed by these persons, in order to find other incorrect or fraudulent updates.
It is possible to create an audit trail by defining appropriate triggers on relation updates (using system-defined variables that identify the user name and time). How ever, many database systems provide built-in mechanisms to create audit trails, which are much more convenient to use. Details of how to create audit trails vary across database systems, and you should refer the database system manuals for details.
Comments
Post a Comment