Abstract: For the last few decades, security has been a real concern in all aspects of life. As the world becomes more digitized, organizations have to maintain several databases for their routine work. Databases were not counted as a critical asset some years ago, but their number is now growing, and users are permitted to access the data of their organization in many ways. The bigger the organization or institution, the bigger its database, and that database grows continuously. The more complex the databases become, the more security measures are needed. A leak of sensitive information into the wrong hands can cause an organization serious social, legal and regulatory problems. In this report we review the different methods for securing a database. In all these approaches the data's confidentiality, integrity and availability (the CIA model) must be ensured.
Index Terms: database-backed applications, cryptography, databases, security, steganography, network intrusion, CIA model, major security concerns for databases
I. INTRODUCTION
A database of an organization, enterprise or institution comprises confidential and sensitive information that is to be accessed by authorized personnel only. With the vast growth of the Internet era, most databases now provide facilities to employees online. A database may also be interconnected with other branches of the same organization via the Internet and can therefore be intruded upon through different loopholes. Several cases have arisen in the last decades concerning the security of organizational databases, including those of spy agencies, high-profile criminal case records, national defence systems, universities and colleges, airlines and banks. Techniques used to counter such intrusions, whether physical or by network intrusion, are discussed in this survey paper. The database environments in which these threats must be understood are Oracle, DB2/UDB, Microsoft SQL Server, MySQL and Sybase.
The management of organizations or institutions with larger databases is always concerned about the confidentiality of the data in their database, and about it not being accessible to those who are not authorized for it. They also want to secure their data from accidental and malicious tampering. Figure 1 below shows the basic properties [4] of a secure database.
Database security revolves around three basic concepts represented by the CIA model: Confidentiality, Integrity and Availability [2]. An organization that has implemented the CIA model has the foundation of a secure database.
Figure 1: Properties to ensure a Secure Database [4]
The information in the database must be kept private, visible only to those who are authorized to see it; this is what makes it confidential. The basic technique used for confidentiality is encryption, in which the data is encoded so that only authorized personnel, following certain procedures, can read it.
Integrity means that valuable information is neither corrupted nor altered without authorization. User Access Control (UAC) is a technique that grants users the right to view only the files necessary for their work, and not to alter or fabricate information in the database.
Availability means preventing, and recovering from, errors that arise from hardware or software faults, and from malicious denials of data access that make the database unavailable.
II. DATABASE SECURITY: WHY?
Securing a database is essential. If a database is not secured efficiently it can be accessed by unauthorized persons who might use the confidential information of the organization in harmful ways. To ensure a secure database, the person trying to access it must be verified, and the content of the database itself must also have a protective shield. With this dual approach, unauthorized persons can be stopped from accessing the confidential information of an organization [1].
III. LITERATURE REVIEW
Let us look at some key terms regarding the security of a database, as discussed in [5], [6]:
Asset: Information of value to an organization.
Stakeholder: A party that places a particular value on an asset of an organization.
Threat: A potential harm to an asset.
Attack: An action performed to violate the security of an asset.
Attacker: Someone who performs an attack.
Vulnerability: A flaw or weakness that can lead to a security breach.
Countermeasure: Steps taken to secure an asset from threats and attacks.
Risk: The probability of a successful attack, weighted by its impact.
Survey figures cited in this context: 84% of companies feel their database security is adequate; 56% of the same companies experienced a breach within a year; 73% of companies predict that database attacks will increase.
A. Understanding the Security Risks a Database Can Come Across:
A white paper published by Imperva's Application Defense Center [4] focuses on the major security concerns a database of an organization can come across. These are:
Figure 2: Security Risk for Databases
1) Excessive Privilege Abuse:
Some users in an organization are granted more rights to the database than others, including rights that are not required by their job function, and this can be hazardous for the sensitive information of the organization. Such excess access rights invite misuse: in a database of bank accounts, a user with excessive privileges can read the personal information of customers and may also tamper with their bank statements.
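The following Python script is an added example written for this page (it is not code from the paper or from the Imperva report) showing the least-privilege remedy that this risk, and the User Access Control description in the introduction, both call for: a hypothetical "teller" role is limited to the columns its job needs, while a hypothetical "auditor" role may also read the identity column; neither role may write. SQLite has no GRANT/REVOKE, so the script uses the sqlite3 authorizer hook as a stand-in for the server-side privileges that Oracle, SQL Server or MySQL would enforce. The table, roles and rows are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the paper): a bank's customer table with one
# column, national_id, that only a few job functions should ever see.
SCHEMA = """
CREATE TABLE accounts (
    id          INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    national_id TEXT NOT NULL,
    balance     REAL NOT NULL
);
INSERT INTO accounts (name, national_id, balance) VALUES
    ('Alice', '111-22-3333', 1500.0),
    ('Bob',   '444-55-6666',  320.5);
"""

# Hypothetical job roles mapped to the (table, column) pairs each one needs.
ROLE_COLUMNS = {
    "teller":  {("accounts", "id"), ("accounts", "name"), ("accounts", "balance")},
    "auditor": {("accounts", "id"), ("accounts", "name"),
                ("accounts", "national_id"), ("accounts", "balance")},
}


def open_as(role):
    """Open an in-memory database whose connection can only read the role's columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)          # schema loaded before the authorizer is installed
    allowed = ROLE_COLUMNS[role]

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        # SQLITE_READ fires once per column a statement touches: arg1 is the table,
        # arg2 the column (empty when a table is referenced without any column).
        if action == sqlite3.SQLITE_READ and arg2 and (arg1, arg2) not in allowed:
            return sqlite3.SQLITE_DENY
        # Both roles are read-only: refuse every write action outright.
        if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return conn


def run(role, sql):
    """Execute one statement as the given role; return its rows or the string 'denied'.

    A denied statement fails at prepare time, so no data is read or changed at all.
    """
    conn = open_as(role)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "denied"
    finally:
        conn.close()


if __name__ == "__main__":
    print(run("teller", "SELECT name, balance FROM accounts ORDER BY id"))
    print(run("teller", "SELECT national_id FROM accounts"))        # denied
    print(run("teller", "UPDATE accounts SET balance = 0"))         # denied
    print(run("auditor", "SELECT national_id FROM accounts WHERE name = 'Bob'"))
```

The point of the design is that the restriction lives below the application: a teller's query that merely mentions `national_id` is refused before it runs, so an application bug or a curious user cannot widen the role's view. On a production DBMS the same effect is obtained with column-level GRANTs or views, and the authorizer is simply the closest SQLite equivalent.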
2) Legitimate Privilege Abuse:
This is the misuse of data by a user who has legitimate rights to access the database. Although the access is part of the user's job function, in a workplace where customers or other outsiders can reach client machines it can lead to data theft, because the user stores a large amount of data on their end machine for their routine work.
3) Privilege Elevation:
This risk is the escalation of an ordinary user's access rights to those of an administrator, by exploiting weaknesses in the software that maintains the database. Such flaws may be found in stored procedures, built-in functions, protocol implementations, and even SQL statements [].
An ordinary user who has obtained illegitimate administrative rights might create bogus accounts, transfer funds, or falsify sensitive analytical information [].
4) Platform Privilege Vulnerabilities:
Database servers run on an underlying platform, like [ _]. Vulnerabilities in such platforms or operating systems lead to data corruption, data loss and denial of service [ ].
Operating-system vendors ship fixes in periodic update cycles so as to limit compatibility problems; the database is most exposed in the window before such an update has been applied by the enterprise.
5) SQL Injections:
SQL injection may be used to gain unrestricted access to the whole database. With this technique an attacker targets a weak, exposed data channel by inserting (injecting) unauthorized database statements into it; the channels targeted are typically web application input parameters and stored procedures. If the server does not validate these inputs, the injected statements are executed, and the attacker can read, alter or destroy data or make the database unavailable.
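The attack just described, and the countermeasure a practitioner would apply, as an added Python example written for this page (not code from the paper): the vulnerable login builds its statement by string concatenation, so an attacker's input becomes part of the SQL, while the hardened version binds the values as parameters, which the driver never parses as SQL. The users table and credentials are constructed for the example, and the passwords are stored in clear only to keep it short; a real system stores a salted hash.

```python
import sqlite3

# Constructed sample data (not from the paper): a login table. Plaintext passwords
# are used only to keep the example short; store salted hashes in real systems.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT);
INSERT INTO users (username, password) VALUES ('alice', 'correct horse'), ('admin', 'hunter2');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    """Web-application style bug: user input is pasted into the statement text.

    With username  admin' --  the statement becomes
        SELECT username FROM users WHERE username = 'admin' --' AND password = '...'
    and the password check is commented out, so the attacker logs in as admin.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened version: placeholders send the values separately from the SQL text,
    so quotes, comment markers and keywords in the input are just characters."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Run the same credentials through both logins; returns (vulnerable, hardened)."""
    conn = fresh_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_parameterized(conn, username, password))
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice", "correct horse"))   # both succeed for a real user
    print(compare("admin' --", "anything"))    # only the vulnerable login is bypassed
```

The same payload applied to the parameterized query simply looks for a user literally named `admin' --`, which does not exist. Input validation on the web tier is a useful second layer, but binding parameters is the control that removes the vulnerability class rather than one payload at a time.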
6) Weak Audit Trail:
When implementing a database, it must be ensured that all future incoming and outgoing data, whether important or not, is recorded automatically and independently of the users being recorded. Keeping such records protects the organization from serious security threats: if an attacker succeeds in bypassing the other security levels, the audit of the data flow reveals what was done and lets the earlier state of the database be recovered, provided the organization possesses a strong audit trail. A weak audit trail, in what is often called the last line of defence of a database, can do nothing when the organization faces an onslaught.
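An added Python example, written for this page and not taken from the paper, showing what a strong audit trail looks like in practice: triggers record the previous state of every changed or deleted row in an append-only log, an insider's attempt to wipe the log is refused, and the log is then replayed backwards to recover the earlier state of the database. The accounts table, the trigger names and the simulated insider activity are all constructed for the example.

```python
import sqlite3

# Constructed schema for this example (not from the paper): an accounts table, an
# append-only audit table, and triggers that capture each row before it is lost.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance REAL NOT NULL);

CREATE TABLE audit_log (
    seq         INTEGER PRIMARY KEY AUTOINCREMENT,
    at          TEXT NOT NULL DEFAULT (datetime('now')),
    op          TEXT NOT NULL,
    account_id  INTEGER NOT NULL,
    old_owner   TEXT,
    old_balance REAL,
    new_balance REAL
);

-- Record the previous state of a row whenever it is changed or removed.
CREATE TRIGGER accounts_audit_update AFTER UPDATE ON accounts
BEGIN
    INSERT INTO audit_log (op, account_id, old_owner, old_balance, new_balance)
    VALUES ('UPDATE', OLD.id, OLD.owner, OLD.balance, NEW.balance);
END;

CREATE TRIGGER accounts_audit_delete AFTER DELETE ON accounts
BEGIN
    INSERT INTO audit_log (op, account_id, old_owner, old_balance, new_balance)
    VALUES ('DELETE', OLD.id, OLD.owner, OLD.balance, NULL);
END;

-- The trail is the last line of defence, so it must be append-only.
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;

CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;

INSERT INTO accounts (owner, balance) VALUES ('Alice', 1000.0), ('Bob', 250.0);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def snapshot(conn):
    return conn.execute("SELECT id, owner, balance FROM accounts ORDER BY id").fetchall()


def log_entries(conn):
    """Audit rows without the timestamp, oldest first."""
    return conn.execute(
        "SELECT seq, op, account_id, old_owner, old_balance, new_balance "
        "FROM audit_log ORDER BY seq").fetchall()


def insider_attack(conn):
    """Simulated abuse by an insider with write access: drain, rename, then erase."""
    conn.execute("UPDATE accounts SET balance = balance - 900 WHERE id = 1")
    conn.execute("UPDATE accounts SET owner = 'Mallory' WHERE id = 1")
    conn.execute("DELETE FROM accounts WHERE id = 2")
    conn.commit()


def erase_log_blocked(conn):
    """True if the attacker's attempt to wipe the trail is refused by the trigger."""
    try:
        conn.execute("DELETE FROM audit_log")
        return False
    except sqlite3.Error:
        return True


def undo_after(conn, seq):
    """Restore the earlier state by reversing every entry after `seq`, newest first.
    The restoring writes are themselves audited, so the trail stays complete."""
    rows = conn.execute(
        "SELECT op, account_id, old_owner, old_balance FROM audit_log "
        "WHERE seq > ? ORDER BY seq DESC", (seq,)).fetchall()
    for op, account_id, old_owner, old_balance in rows:
        if op == "UPDATE":
            conn.execute("UPDATE accounts SET owner = ?, balance = ? WHERE id = ?",
                         (old_owner, old_balance, account_id))
        elif op == "DELETE":
            conn.execute("INSERT INTO accounts (id, owner, balance) VALUES (?, ?, ?)",
                         (account_id, old_owner, old_balance))
    conn.commit()


def demo():
    """Run the scenario end to end and return what each stage observed."""
    conn = fresh_db()
    insider_attack(conn)
    result = {
        "after_attack": snapshot(conn),
        "trail": [row[1:] for row in log_entries(conn)],
        "erase_blocked": erase_log_blocked(conn),
    }
    undo_after(conn, 0)
    result["after_undo"] = snapshot(conn)
    conn.close()
    return result


if __name__ == "__main__":
    for stage, value in demo().items():
        print(stage, value)
```

Two details matter for real deployments. The triggers fire for the administrator's own statements too, which is exactly the case the paper's "inside attacker with administrative access" describes, so the log must live where that account cannot rewrite it (a separate schema, a different server, or a write-only forwarding to a SIEM); the append-only triggers here are the in-database version of that rule. And because every row of the log carries the old values, recovery is a replay rather than a guess.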
7) Denial Of Service (DOS):
Denial of service is an attack in which requests from users who have legitimate access rights to the data in a database are denied, for example by overloading the server with requests or by exploiting a flaw that crashes it, so that the database cannot serve its authorized users.
B. Who the Attackers Might Be:
At the start of the literature review an attacker was defined as a person who performs an attack. The data in a database might be attacked by two types of persons [9], described below:
1) Outside Attackers [9]:
An outside attacker is a person outside the organization who wants to gain access to the data or to harm it. This may be done directly or indirectly. The purpose of such attackers might be to commit fraud, tamper with the secret information in the database, loot a bank, transfer credit, or remove records of criminal offences.
2) Inside Attackers [9]:
An inside attacker is a member of staff who tries to gain access to, or rights over, the database from a job position within the organization. Inside attackers fall into two sub-categories.
The first consists of individuals who have access to the classified database but misuse their job level to interfere with genuine data transactions or to create false transactions.
The second consists of insiders who have full or administrative access to the database and who, exceeding their job positions, alter the sensitive information in the database and give access to those who must not be given access rights.
C. Database Security Levels:
To keep sensitive data secure, several security layers are deployed. Each layer has its own policies for authenticating data coming from outside or from the Internet. Some security levels discussed in [] are:
1) Database Administrator (DBA):
The basic responsibility of the DBA is to maintain and monitor the system linked to the database, which is designed to authorize users and grant them rights to access the database.
2) System Administrator:
The computer systems in an organization are interconnected over a network. That network and all of its computers need to be maintained so as to keep them up to standard.
3) Security Officers:
They create the user-defined policies that are assigned to users or groups.
4) Developers:
Their role is to design and develop the database.
5) Employees:
Employees use the various database utilities and web applications for their routine work.
D. Securing Databases:
E. Techniques for Securing Databases:
IV. KEY FINDINGS:
The database is the backbone of all the digital work of an organization. Anything held in large amounts needs protection, and the need increases when the content is secret and valuable. Databases are managed with software such as Oracle, MySQL and DB2. Many risks have been discussed in this paper, including denial of service (DoS), weak audit trails, excessive privilege abuse and SQL injection. Over the last couple of years organizations have reported that database attacks are increasing. Attacks on the database may come from an insider or an outsider, and most attacks are performed from inside the organization.
VI. RESEARCH TREND
VII. ACKNOWLEDGMENT
REFERENCES
[1] Markus Schumacher, Eduardo Fernandez-Buglioni, Duane Hybertson, Frank Buschmann and Peter Sommerlad, Security Patterns: Integrating Security and Systems Engineering. John Wiley & Sons, 2013.
[2] Elisa Bertino and Ravi Sandhu, "Database security: concepts, approaches, and challenges," IEEE Transactions on Dependable and Secure Computing, vol. 2, pp. 2-19, 2005.
[3] Nobukazu Yoshioka, Hironori Washizaki and Katsuhisa Maruyama, "A survey on security patterns," vol. 5, pp. 35-47, 2008.
[4] Amichai Shulman (Imperva co-founder and CTO), "Top Ten Database Security Threats," Imperva white paper.
[5] S. S. Asole and S. M. Mundada, "A Survey on Securing Databases From Unauthorized Users," International Journal of Scientific & Technology Research, vol. 2, no. 4, April 2013.
[6] Adam Chlipala, "Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications," 2010.
[7] Iqra Basharat, Farooque Azam and Abdul Wahab Muzaffar, "Database Security and Encryption: A Survey Study," International Journal of Computer Applications (0975-8887), vol. 47, no. 12, June 2012.
[8] Hasan Kadhem, Toshiyuki Amagasa and Hiroyuki Kitagawa, "A Novel Framework for Database Security based on Mixed Cryptography," in Fourth International Conference on Internet and Web Applications and Services, Tsukuba, Japan, 2009, pp. 163-170.
[9] Khaleel Ahmad, Jayant Shekhar, Nitesh Kumar and K. P. Yadav, "Policy Levels Concerning Database Security," International Journal of Computer Science and Emerging Technologies, vol. 2, no. 3, June 2011.
Essay: A Survey on Security of Database
Published: 30 July 2014 (last modified 23 July 2024), Essay Sauce, Computer science essays. Available from: https://www.essaysauce.com/computer-science-essays/essay-survey-security-database/