Chapter 2: Database Security and Authorization
Introduction to Database Security Issues

Types of Security
Database security is a broad area that addresses many issues, including the following:
 Legal and ethical issues: the legal right to access certain information.
 Policy issues: what kinds of information should not be made publicly available.
 System-related issues: such as the system levels (hardware, operating system, DBMS) at which various security functions should be enforced.
 The need to identify multiple security levels: categorizing the data and the users based on their classifications.
Prepared by Elisaye B. @WSU-DTC
Threats to Databases
 Threats to databases can result in the loss or degradation of some or all of the following commonly accepted security goals: integrity, availability, and confidentiality.
 Loss of integrity: database integrity refers to the requirement that information be protected from improper modification.
 Loss of availability: database availability refers to making objects available to the human users and programs that have a legitimate right to them.
 Loss of confidentiality: database confidentiality refers to the protection of data from unauthorized disclosure.
 Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization.
Two types of database security mechanisms:
Discretionary security mechanisms. These are used to grant privileges to users, including the capability to access specific data files, records, or fields in a specified mode (such as read, insert, delete, or update).
Mandatory security mechanisms. These are used to enforce multilevel security by classifying the data and users into various security classes (or levels) and then implementing the appropriate security policy of the organization.
 For example, a typical security policy is to permit users at a certain classification (or clearance) level to see only the data items classified at the user's own (or lower) classification level. An extension of this is role-based security (role-based access control), which enforces policies and privileges based on the concept of organizational roles rather than on individual accounts.
Control Measures
• Four main control measures are used to provide security of data in databases:
 Access control
 Inference control
 Flow control
 Data encryption
 Access control
 The security mechanism of a DBMS must include provisions for restricting access to the database system as a whole. This function, called access control, is handled by creating user accounts and passwords, which the DBMS uses to authenticate users at login.
 Inference control
 Security for statistical databases must ensure that information about individuals cannot be inferred from the results of statistical (aggregate) queries.
Control Measures
Flow control
 Flow control prevents information from flowing in such a way that it reaches unauthorized users.
 Channels that are pathways for information to flow implicitly in ways that violate the security policy of an organization are called covert channels.
Data encryption
 Data encryption is used to protect sensitive data (such as credit card numbers) that is transmitted via some type of communications network.
 Encryption can be used to provide additional protection for sensitive portions of a database as well.
 The data is transformed by an encryption algorithm under a secret key, so that only a holder of the key can recover the original (plaintext) data.
Database Security and the DBA
 The database administrator (DBA) is the central authority for managing a database system.
 The DBA is responsible for the overall security of the database system.
 DBA-privileged commands include commands for granting privileges to and revoking privileges from individual accounts, users, or user groups, and for performing the following types of actions:
1. Account creation. This action creates a new account and password for a user or a group of users to enable access to the DBMS.
2. Privilege granting. This action permits the DBA to grant certain privileges to certain accounts.
3. Privilege revocation. This action permits the DBA to revoke (cancel) certain privileges that were previously given to certain accounts.
4. Security level assignment. This action consists of assigning user accounts to the appropriate security clearance level.
Access Control, User Accounts, and Database Audits
 Access Control: a method of allowing access to sensitive data only to those people (database users) who are allowed to access such data, and of restricting access by unauthorized persons.
 User Accounts: for users to access the database, the DBA must create user accounts and grant appropriate database access privileges to those accounts.
 A user account is a unique name and password used to identify a person or client application that connects to your database.
 Database Audits: the monitoring and recording of selected user database actions, based on individual actions such as the type of SQL statement executed and a combination of other factors.
Sensitive Data
Sensitivity of data is a measure of the importance assigned to the data by its owner, for the purpose of denoting its need for protection.
Several factors can cause data to be classified as sensitive:
 Inherently sensitive.
 From a sensitive source.
 Declared sensitive.
 A sensitive attribute or sensitive record.
 Sensitive in relation to previously disclosed data.
Discretionary Access Control Based on Granting and Revoking Privileges
 The typical method of enforcing discretionary access control in a database system is based on the granting and revoking of privileges.
Types of Discretionary Privileges
I. The account level: At this level, the DBA specifies the particular privileges that each account holds independently of the relations in the database.
II. The relation (or table) level: At this level, the DBA can control the privilege to access each
The privileges at the account level apply to the capabilities provided to the account itself and can include:
 The CREATE SCHEMA or CREATE TABLE privilege, to create a schema or base relation;
 The CREATE VIEW privilege;
 The ALTER privilege, to apply schema changes such as adding or removing attributes from relations;
 The DROP privilege, to delete relations or views;
 The MODIFY privilege, to insert, delete, or update tuples; and
 The SELECT privilege, to retrieve information from the database by using a SELECT query.
The second level of privileges applies to the relation level, whether they are base relations or virtual (view) relations.
The granting and revoking of privileges generally follow an authorization model for discretionary privileges known as the access matrix model, where
 The rows of a matrix M represent subjects (users, accounts, programs) and
 The columns represent objects (relations, records, columns, views, operations).
 Each position M(i, j) in the matrix represents the types of privileges (read, write, update) that subject i holds on object j.
The owner account of a relation controls the granting and revoking of privileges on that relation.
In SQL the following three types of privileges can be granted on each individual relation R:
1. SELECT (retrieval or read) privilege on R: this gives the account the privilege to use the SELECT statement to retrieve tuples from R.
2. Modification privileges on R: this gives the account the capability to modify the tuples of R. In SQL this includes three privileges: UPDATE, DELETE, and INSERT.
3. References privilege on R: this gives the account the capability to reference (or refer to) a relation R when specifying integrity constraints.
Specifying Privileges using Views
The mechanism of views is an important discretionary authorization mechanism in its own right. For example:
If the owner A of a relation R wants another account B to be able to retrieve only some fields of R, then A can create a view V of R that includes only those attributes and then grant SELECT on V to B.
The same applies to limiting B to retrieving only certain tuples of R; a view V can be created by defining the view by means of a query that selects only those tuples from R that A wants to allow B to access.
Revoking of Privileges
• In some cases it is desirable to grant a privilege to a user temporarily.
• For example, the owner of a relation may want to grant the SELECT privilege to a user for a specific task and then revoke that privilege once the task is completed. Hence, a mechanism for revoking privileges is needed. In SQL a REVOKE command is included for the purpose of canceling privileges.
 Example:
 Suppose that the DBA creates four accounts, A1, A2, A3, and A4, and wants only A1 to be able to create base relations. To do this, the DBA issues the following GRANT command (CREATETAB is not part of the SQL standard; the standard way to give the same capability is to grant CREATE SCHEMA or to make A1 the owner of a schema):
GRANT CREATETAB TO A1;
 The owner of the EMPLOYEE and DEPARTMENT relations can then grant privileges on them. The following statements give A2 insert and delete rights on both relations, give A3 select rights that A3 may pass on to others (WITH GRANT OPTION), give A4 select rights on EMPLOYEE, and finally take the select privilege on EMPLOYEE back from A3:
GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;
GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;
GRANT SELECT ON EMPLOYEE TO A4;
REVOKE SELECT ON EMPLOYEE FROM A3;
 Next, suppose that A1 wants to give back to A3 a limited capability to SELECT from the EMPLOYEE relation and wants to allow A3 to be able to propagate the privilege. The limitation is to retrieve only the Name, Bdate, and Address attributes and only for the tuples with Dno = 5. A1 then can create the following view:
CREATE VIEW A3EMPLOYEE AS
SELECT Name, Bdate, Address
FROM EMPLOYEE
WHERE Dno = 5;
 After the view is created, A1 can grant SELECT on the view A3EMPLOYEE to A3, with the grant option so that A3 can propagate it:
GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION;
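The access-matrix model and the grant/revoke example above describe how a privilege held WITH GRANT OPTION can be propagated and later revoked. The following Python program is an added example, not code from the slides: it models the authorization graph in memory and replays the A1..A4 scenario, with A3 passing SELECT on to A4. The cascade rule it implements is an assumption taken from SQL's REVOKE ... CASCADE semantics (when a grantor can no longer grant a privilege, every grant it made of that privilege is undone); the DBMS in use may instead refuse the revoke (RESTRICT).

```python
# Added example (not from the slides): an in-memory model of the access
# matrix with GRANT OPTION propagation and cascading REVOKE, replaying the
# A1..A4 scenario. The cascade rule assumed here follows SQL's
# REVOKE ... CASCADE: when a grantor loses the ability to grant a
# privilege, every grant that grantor made of that privilege is revoked too.
from collections import defaultdict


class AuthorizationGraph:
    def __init__(self):
        self.owners = {}                  # object -> owning account
        self.grants = defaultdict(list)   # (object, privilege) -> [(grantor, grantee, grant_option)]

    def create_object(self, owner, obj):
        self.owners[obj] = owner          # the owner holds every privilege, with grant option

    def can(self, account, privilege, obj, need_grant_option=False):
        """M(account, obj) lookup: does the account hold the privilege (optionally with grant option)?"""
        if self.owners.get(obj) == account:
            return True
        return any(grantee == account and (grant_option or not need_grant_option)
                   for _, grantee, grant_option in self.grants[(obj, privilege)])

    def grant(self, grantor, privilege, obj, grantee, with_grant_option=False):
        if not self.can(grantor, privilege, obj, need_grant_option=True):
            raise PermissionError(f"{grantor} may not grant {privilege} on {obj}")
        self.grants[(obj, privilege)].append((grantor, grantee, with_grant_option))

    def revoke(self, revoker, privilege, obj, grantee):
        key = (obj, privilege)
        kept = [g for g in self.grants[key] if not (g[0] == revoker and g[1] == grantee)]
        if len(kept) == len(self.grants[key]):
            raise LookupError(f"{revoker} never granted {privilege} on {obj} to {grantee}")
        self.grants[key] = kept
        # Cascade: if the grantee can no longer pass the privilege on, undo its own grants.
        if not self.can(grantee, privilege, obj, need_grant_option=True):
            for grantor, sub_grantee, _ in list(self.grants[key]):
                if grantor == grantee:
                    self.revoke(grantee, privilege, obj, sub_grantee)


def scenario():
    """A1 owns EMPLOYEE; A3 gets SELECT with grant option and passes it to A4;
    revoking A3's SELECT cascades to A4. Returns (A4 before, A3 after, A4 after)."""
    g = AuthorizationGraph()
    g.create_object("A1", "EMPLOYEE")
    g.grant("A1", "INSERT", "EMPLOYEE", "A2")
    g.grant("A1", "SELECT", "EMPLOYEE", "A3", with_grant_option=True)
    g.grant("A3", "SELECT", "EMPLOYEE", "A4")        # A3 propagates the privilege
    a4_before = g.can("A4", "SELECT", "EMPLOYEE")
    g.revoke("A1", "SELECT", "EMPLOYEE", "A3")
    return a4_before, g.can("A3", "SELECT", "EMPLOYEE"), g.can("A4", "SELECT", "EMPLOYEE")


def grant_without_option_is_refused():
    """A4 holds SELECT without grant option, so it cannot pass it on."""
    g = AuthorizationGraph()
    g.create_object("A1", "EMPLOYEE")
    g.grant("A1", "SELECT", "EMPLOYEE", "A4")
    try:
        g.grant("A4", "SELECT", "EMPLOYEE", "A2")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(scenario())                          # (True, False, False)
    print(grant_without_option_is_refused())   # True
```

The point to check in a real DBMS is the last step: after REVOKE SELECT ON EMPLOYEE FROM A3, confirm that A4 (who received the privilege from A3, not from the owner) has also lost it, or that the revoke was refused; either outcome is acceptable, silently leaving A4 with access is not.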
Mandatory Access Control for Multilevel Security
 The discretionary access control technique of granting and revoking privileges on relations has traditionally been the main security mechanism for relational database systems.
 A user either has or does not have a certain privilege. In many applications, an additional security policy is needed that classifies data and users based on security classes.
 This approach, known as mandatory access control (MAC), would typically be combined with the discretionary access control mechanisms.
 Typical security classes are top secret (TS), secret (S), confidential (C), and unclassified (U), where TS is the highest level and U the lowest: TS ≥ S ≥ C ≥ U.
 The commonly used model for multilevel security, known as the Bell-LaPadula model, classifies each subject (user, account, program) and each object (relation, tuple, column, view, operation) into one of the security classifications TS, S, C, or U.
 We refer to the clearance (classification) of a subject S as class(S) and to the classification of an object O as class(O).
 Two restrictions are enforced on data access based on the subject/object classifications:
1. A subject S is not allowed read access to an object O unless class(S) ≥ class(O). This is known as the simple security property ("no read up").
2. A subject S is not allowed to write an object O unless class(S) ≤ class(O). This is known as the star property (or *-property, "no write down"); it prevents a highly cleared subject from copying classified data into an object that lower-cleared subjects may read.
Statistical DB Security
 Statistical databases are used mainly to produce statistics about various populations.
 The database may contain confidential data about individuals, which should be protected from user access.
 However, users are permitted to retrieve statistical information about the populations, such as averages, sums, counts, maximums, minimums, and standard deviations.
 A population is a set of tuples of a relation (table) that satisfy some selection condition.
 Statistical queries involve applying statistical functions to a population of tuples.
• Statistical database security techniques must prohibit the retrieval of individual data. This is done by refusing queries that return attribute values of single tuples and allowing only queries that apply statistical aggregate functions such as COUNT, SUM, MIN, MAX, AVERAGE, and STANDARD DEVIATION to a population.
Example of statistical database query:
Q1: SELECT COUNT (*) FROM PERSON WHERE <condition>;
Q2: SELECT AVG (Income) FROM PERSON WHERE <condition>;
Now suppose that we are interested in finding the Income of Jane Smith, and we know that she has a Ph.D. degree and that she lives in the city of Bellaire, Texas. We issue the statistical query Q1 with the following condition:
(Last_degree='Ph.D.' AND Sex='F' AND City='Bellaire' AND State='Texas')
If Q1 returns 1, the population selected by this condition is Jane Smith alone, so issuing Q2 with the same condition returns her exact Income even though only an aggregate function was used.
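The inference above, and the query-set-size control that is the usual first answer to it, are shown in the following added Python example (not code from the slides). The PERSON rows, the names and the threshold k are constructed for illustration. The example goes one step beyond the slide: it also shows why refusing small query sets alone is not enough, because SUM over everyone minus SUM over everyone-but-Jane (two large, permitted query sets) still yields her Income, and why the control is therefore normally applied as a two-sided bound (refuse query sets smaller than k or larger than N - k).

```python
# Added example (not from the slides): the single-tuple inference from the
# text, run against a constructed PERSON table, with a query-set-size control
# (refuse populations smaller than k, and optionally larger than N - k).
PERSON = [  # constructed sample data
    {"Name": "Jane Smith", "Sex": "F", "Last_degree": "Ph.D.", "City": "Bellaire", "State": "Texas", "Income": 95000},
    {"Name": "John Doe",   "Sex": "M", "Last_degree": "Ph.D.", "City": "Bellaire", "State": "Texas", "Income": 80000},
    {"Name": "Mary Jones", "Sex": "F", "Last_degree": "M.S.",  "City": "Bellaire", "State": "Texas", "Income": 60000},
    {"Name": "Ann Lee",    "Sex": "F", "Last_degree": "Ph.D.", "City": "Houston",  "State": "Texas", "Income": 70000},
    {"Name": "Bob King",   "Sex": "M", "Last_degree": "B.S.",  "City": "Bellaire", "State": "Texas", "Income": 50000},
    {"Name": "Sue Park",   "Sex": "F", "Last_degree": "Ph.D.", "City": "Bellaire", "State": "Ohio",  "Income": 65000},
]


def jane_condition(r):
    """The <condition> from the text: it happens to select exactly one tuple."""
    return (r["Last_degree"] == "Ph.D." and r["Sex"] == "F"
            and r["City"] == "Bellaire" and r["State"] == "Texas")


class StatisticalDB:
    """Only aggregate queries are exposed; individual tuples never leave this class."""

    def __init__(self, rows, k=1, bound_complement=False):
        self.rows = rows
        self.k = k                                  # minimum query-set size (assumed threshold)
        self.bound_complement = bound_complement    # also refuse populations larger than N - k

    def _population(self, condition):
        pop = [r for r in self.rows if condition(r)]
        too_small = len(pop) < self.k
        too_large = self.bound_complement and len(pop) > len(self.rows) - self.k
        if too_small or too_large:
            raise PermissionError(f"query set of size {len(pop)} refused")
        return pop

    def count(self, condition):
        return len(self._population(condition))

    def sum(self, attr, condition):
        return sum(r[attr] for r in self._population(condition))

    def avg(self, attr, condition):
        pop = self._population(condition)
        return sum(r[attr] for r in pop) / len(pop)


def refused(query):
    """True if the statistical DB rejected the query."""
    try:
        query()
    except PermissionError:
        return True
    return False


def direct_disclosure():
    """Q1 then Q2 with no control: COUNT = 1 identifies Jane, AVG returns her Income."""
    db = StatisticalDB(PERSON)
    return db.count(jane_condition), db.avg("Income", jane_condition)


def complement_attack(db):
    """SUM over everyone minus SUM over everyone-but-Jane; both query sets are large."""
    return db.sum("Income", lambda r: True) - db.sum("Income", lambda r: not jane_condition(r))


def demo(k=3):
    lower_only = StatisticalDB(PERSON, k=k)
    two_sided = StatisticalDB(PERSON, k=k, bound_complement=True)
    return {
        "direct_refused": refused(lambda: lower_only.avg("Income", jane_condition)),
        "complement_with_lower_bound_only": complement_attack(lower_only),
        "complement_refused_with_two_sided_bound": refused(lambda: complement_attack(two_sided)),
    }


if __name__ == "__main__":
    print(direct_disclosure())   # (1, 95000.0)
    print(demo())
```

Even the two-sided bound is not a complete defence: combinations of several permitted queries (tracker attacks) can still isolate one tuple, which is why statistical databases also limit repeated queries on overlapping populations or add noise to the answers.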
