You are on page 1of 1

See all › Download citation Recruit

Share
Search for publications, researchers, or questions or Discover by subject area researchers Download full-text
Join for free PDFLogin
8 References

Security Of Database Management Systems Ad

Article (PDF Available) · January 2016 with 366 Reads

Cite this publication

Ashour A N Mostafa
1.16 · The Higher Institute of Science and Technology

Abstract

The history of database research backs to more than thirty years, in which created the concept of the relational database system that has become
the most fundamental change for organizations strategy. Technology evolution has produced more powerful systems that relate to economic
impacts in the recent decade. Organizations must ensure its information and data be secured and confidential. Therefore, they deploy systems or
applications have functions, services, and tools for data maintenance and management packed into the so-called Relational Database
Management System (RDBMS). Such functions contain services plus privileges for authorization to keep legitimate users (authorized) to access
the database. The database must be insecure. RDBMS refers to relational database management systems that are using a relational model that
developed by the researcher Codd at IBM laboratory. Database protection means disallowing illegitimate users to access the database and its
sensitive information whether intentional or accidental. Therefore, most of the firms are taking account of possibility of threats as measures to
their database systems. This paper addresses the relational database threats and security techniques considerations in relation to situations:
threats, countermeasures (computer-based controls) and database security methods.

Discover the world's research

15+ million members


118+ million publications
700k+ research projects

Join for free

Content uploaded by Ashour A N Mostafa Author content Download full-text PDF

Security of Relational Database Management System: Threats and


Security Techniques
ASHOUR A N MOSTAFA / ID: 153915643

Infrastructure University Kuala Lumpur, Malaysia

Faculty of Creative Media and Innovative Technology

Abstract: firms are taking account of possibility of

T
threats as measures to their database
he history of database research systems. This paper addresses the relational
backs to more than thirty years, in database threats and security techniques
which created the concept of the considerations in relation to situations:
relational database system that has become threats, countermeasures (computer-based
the most fundamental change for controls) and database security methods [1,
organizations strategy. Technology 8, 9].
evolution has produced more powerful
systems that relate to economic impacts in Introduction:
the recent decade.
As known, in recent years, hardware
Organizations must ensure its information capability and capacity of volumes, in
and data be secured and confidential. addition, huge uses of World Wide Web
Therefore, they deploy systems or platforms and information systems have led
applications have functions, services, and to adopt the relational database systems as
tools for data maintenance and management infrastructure to the data repository. Huge
packed into the so-called Relational amounts of data and information has become
Database Management System (RDBMS). prime concern of security challenges
Such functions contain services plus because the management of information has
privileges for authorization to keep become decentralized.
legitimate users (authorized) to access the
CIA triangle of security that refers to
database. The database must be insecure.
RDBMS refers to relational database confidentiality, integrity, and availability
management systems that are using a often is the basis of relational database
security concept. These factors must be
relational model that developed by the
researcher Codd at IBM laboratory. existed into application processes to
guarantee the data to be in safe [1].
Database protection means disallowing
illegitimate users to access the database and Theft and fraud have an influence on the
database environment, and hence the whole
its sensitive information whether intentional
or accidental [4]. Therefore, most of the corporation. It is not rather making changes
on the data itself, but it may decrease the

privacy and integrity. Confidentiality refers taking account the encryption process of
to maintain the secrecy of data, usually only sensitive data require high performance of
is critical to the organization. Breaches of the system because it will need decrypting
security resulting in loss of confidentiality of those data. Therefore, the programmer
could lead to loss of privacy and must ensure using optimized security
competitiveness. Failure of integrity means algorithms while coding the application [8,
the data is corrupt and modified.. Many 9].
organizations are seeking the availability,
the so-called 24/7 availability (that is, 24
hours a day, 7 days a week). Loss of
1. What are the Attacks?
availability means the system, or the data, or
both cannot be accessed. Therefore, Rapid evolution of breach methods to the
relational database management system aims SME organizations called to adopt standards
to reduce the losses that are caused by of security measures like CIA. However, it
threats or anticipated events. Threat is a becomes sophisticated due to diversity of
situation or an event that may adversely attacks either direct or indirect.
affect a system, and hence the organization.
The organization should invest time and The unclassified user can have legal access
effort to detect and identify the most serious to the database to use public information,
threats [1, 8, 9]. but he may be able to infer classified
information. There are three levels of attacks
Millions of online operations conduct via to the relational databases: direct, indirect
unreliable Internet connection such as and by tracking. Direct attack is obvious.
electronic commerce and electronic banking. The attacker can easily access to the
Those types of transactions impose a kind of database if it does not have any protection
transferring sensitive assets and information mechanism. Indirect attack is used by
[2]. This is a challenge to the services expecting the desired data from displayed
providers to get user’s trust. Therefore, it data using combinations of queries. The
has a strong protection of data containers tracking attack is executed by suppression of
such a RDBMS. Not all kind of data require the dominant results [3].
being safe and protected, but the most
critical data that relate to users’ information RDBMS threats can be summarized as:
and money transactions. Corporation can
 The administrator could be grant the user
specify the nature of information needed to privileges that not required. Abuse of
be encrypted with high level of security such
uses of these privileges may lead to
as ministry of defense [8, 9]. create trapdoors of the application.
This paper shows some of the  The user has a legitimate privilege
countermeasures that are computer-control access to the database. He/She may have
based such as authorization, access control, bad intention to abuse the utility.
backup and recovery, encryption. It must

 One of the threats is vulnerability of the program) to have legitimate access to a


software or the operating system. This system or systems’ objects. It involves the
helps the intruder to breach sensitive authentication of subject requesting access
information as backdoors. to objects. The administrator usually create
accounts with specific privileges according
to the security level of the user.
1.1. Mechanisms of Attack Control Access Controls into a relational database
[3]: can allow/disallow the user to access the
system. RDBMS keeps track the privileges
 Rejection without any response when the process.
requests for accessing the database to
display the results of sensitive data. Views are consequence of flexible
operations were being conducted on the
 Disability of the intruder to guess the
main relation. It is a mechanism of dynamic
real information or values because the
processes of security, in which it shows
system will display the results close to
parts and hide other parts according to the
the real ones.
users’ privileges.
 When the sensitive data will be detected,
the system should limit the results to Process of Backup As known, the backup
prevent the attacker to reveal the data. means capturing a copy of log files of
 Combination of the results will make the instance processes plus a copy of the
attacker to be confused about knowing relational database periodically and storing
the sensitive data. either on external storage or cloud to restore
later.

Integrity is a process to maintain a secure


2. Countermeasures (Computer- RDBMS by preventing data from becoming
based Control): invalid, and hence misleading or incorrect
results.
This type ranges from physical controls to
administrative procedures. It can be
categorized into various forms of control as
[1]: 3. Techniques of RDBMS Security:

 Authorization. Encryption is encoding process of sensitive


 Access controls data to become unreadable. Most of
 Views. relational database management systems
 Process of Backup. support this purpose to secure its data [4].
 Integrity. The encryption concept has four main
Authorization is granting process of a right factors that are defined as [5]:
or privilege to a subject (a user or a

 An encryption key to encrypt the data Web-based database security: the


(plaintext). transmitted data from a server to a client
 An encryption algorithm with the must be in a secured way. The client should
encryption key transforms the plaintext be authenticated such as Host Identity
to cipher text. Protocol (HIP). It sets up a trusted
 A decryption key to decrypt the cipher relationship between hosts on the Internet by
text. passing to the web server. The HIP and Web
 A decryption algorithm with the server help in authentication process [2].
decryption key transforms the cipher text
back into the plaintext.
Log file is an important file to monitor the
Two forms of encryption techniques that
processes and operations occurred online. It
called symmetric and asymmetric. The
periodically tracks the status of operations to
symmetric one depends on the safe channel
indicate the modification may occur when
while exchanging the key, in addition, the
the system fails. It also integrates with the
key of encryption is similar to the key of
audit module to track the log file of the users
decryption that is being utilized, for
to guarantee the web database security [1].
instance, IDEA (international data
encryption algorithm) [6, 7]. Symmetric Negative Database: this process depends on
algorithm is much faster than the adding false data to the original to make the
asymmetric algorithm that uses two different malicious users to be confused, and only
keys (private and public keys) such as RSA valid to legal users. It has four modules:
(the name is derived from Ron Rivest, Adi database cache, database encryption
Shamir, and Leonard Adleman). Generally, algorithm, virtual database, and negative
they are often used together, in which public database conversion. The first three
key (asymmetric) encrypts a randomly generates the data for the conversion to
generated encryption key, and the random generate false data [2].
key encrypts the actual message (using a
symmetric algorithm). The database scheme 4. How to develop a relational
of encryption should enhance sharing of data database encryption strategy?
within the database without losing data
It is a mechanism of increasing the strength
privacy [2, 6-9].
of the data protection. Many factors to get
To improve the performance, the data strong encryption into RDBMS:
should be divided into sensitive data and
insensitive data. The insensitive data can be  The encryption should be implemented
retrieved rapidly, and the sensitive data is on the database or the application.
encrypted/ decrypted using Encryption  The accessing to the encryption key.
algorithms.  The amount of data that should be
encrypted.

 Is there any influencing on the of keys, the location of keys and the
performance? protection of the accessing of the
 For the programmer and the developer encrypted keys.
most of the responsibilities through
creating or developing the database 4.1. Solutions of implementing
management system. encryption:
The programmers should be aware from
creating trapdoors that can be formed i. Inside the Relational Database
through setting the policies and procedures. Management System (RDBMS):

Two strategies for encrypting the database It is a simple way using the
and both have advantages and encryption/decryption method by
disadvantages: RDBMS. It is a transparent to the
application. When the data inserts
 Encryption the RDBMS.
inside the RDBMS, the data will be
 Performing the encryption outside the
encrypted, or decrypted to the
database.
original when display.
A disadvantage of encryption inside
1. Fundamentals of Encryption:
the RDBMS is an extra processing
Algorithm and key size are factors to
load and decreasing in performance.
encrypt data within RDBMS.
Administrator of the application may
ii. Outside the Relational Database
grant legitimate access to authorized
Management System (RDBMS):
users for need.
Using the client/server security
2. Data encryption effect on RDBMS:
protocol (SSL) helps the data to be
Encrypting the data needs high process
encrypted in the application whether
operations. This drives to increase the
in the source or to the destination.
size of RDBMS, then deceasing the
The protection differs from
utility or the performance. Consequently,
application to another.
sensitive data must be encrypted.
The solution is using the Encryption
Server to provide a centralized
3. Data stream into the application:
encryption services for the whole
Data usually flows over Internet and an
database. The drawbacks include
internal network. Therefore, the potential
communication overhead,
of risk is high.
administering more servers and
changing the applications.
4. The key management:
It relates to how to manage the key that
is used into RDBMS in terms of number Conclusion:

This report is to explain different methods of [6] Shaefer, E. F. (1996). A Simplified Data
Encryption Standard Algorithm. Journal of
database security. Database risks are Cryptologia, 20 (1), 77-84.
increasing by the risks of disclosure data.
The programmers of RDBMS have [7] Chang, H. S. (2004). International Data
Encryption Algorithm. Retrieved from
responsibilities to increase and improve the http://scholar.googleusercontent.com/scholar?q=cach
security techniques of the databases without e:WXJPT0eEM7EJ:scholar.google.com/+Internation
al+Data+Encryption+Algorithm&hl=en&as_sdt=0,5
affecting on the performance. In addition,
on 15 February 2013.
the user has responsibilities especially the
ethics of using the sensitive data. We have [8] Almasri, O., & Jani, H. M. Introducing an
Encryption Algorithm based on IDEA.
described the types of Attacks and threat
that the database could face them. Then, it [9] Almasri, O., Jani, H. M., Ibrahim, Z., & Zughoul,
has explained some mechanisms of attack O. (2013). Improving Security Measures of E-
Learning Database. International Organization of
control. It has explained about the Scientific Research-Journal of Computer
countermeasures that are computer-based Engineering (IOSR-JCE), 10(4), 55-62.
and has concentrated on the encryption
method. In the same approach, it has
described the database security techniques
or method. The last part is about the benefits
and drawbacks of using either encryption
inside RDBMS or outer.

References:

[1] T.Connolly, C. Begg. “Database Systems


A Practical Approach to Design, Implementation, and
Management”, 4th ed., Ed. England: Person
Education Limited, 2005, pp. 542-547, 550-551.

[2] Burtescu, E. (2009). Database Security-Attacks


and Control Methods. Journal of Applied
Quantitative Methods, 4(4), 449-454.

[3] Kayarkar, H. (2012). Classification of Various


Security Techniques in Databases and their
Comparative Analysis. arXiv preprint
arXiv:1206.4124.

[4] Kahate, A. (2013). Cryptography and network


security. Tata McGraw-Hill Education.

[5] Stallings, W., & Brown, L. (2008). Computer


security. Principles and Practice.

Supplementary resources

E-BookDATABASE SYSTEMS1
April 2016
Ashour A N Mostafa

Download

Citations (0) References (8)

Improving Security Measures of E-Learning Database

Article Apr 2013

Zaidah Ibrahim · Hajar Mat · Omar Zughoul · Osama Almasri

View Show abstract

Introducing an Encryption Algorithm based on IDEA

Article Sep 2013

Hajar Mat · Osama Almasri

View Show abstract

DATABASE SECURITY - ATTACKS AND CONTROL METHODS

Article

Emil Burtescu

View Show abstract

A simplified data encryption standard algorithm

Article Jan 1996 · CRYPTOLOGIA

Edward F. Schaefer

View Show abstract

Database systems. A practical approach to design, implementation and management

Chapter Full-text available Jan 2010

Carolyn Begg · Thomas Connolly

View

Cryptography and network security. Tata McGraw-Hill Education


Jan 2013

A Kahate

Kahate, A. (2013). Cryptography and network security. Tata McGraw-Hill Education.

Computer security. Principles and Practice


Jan 2008

W Stallings · L Brown

Stallings, W., & Brown, L. (2008). Computer security. Principles and Practice.

International Data Encryption Algorithm


Feb 2004

H S Chang

Chang, H. S. (2004). International Data Encryption Algorithm. Retrieved from http://scholar.googleusercontent.com/scholar?q=cach


e:WXJPT0eEM7EJ:scholar.google.com/+Internation al+Data+Encryption+Algorithm&hl=en&as_sdt=0,5 on 15 February 2013.

Recommendations Discover more publications, questions and projects in Database


Management Systems

Project Project

Factors Affecting Acceptance of Mobile Factors Affecting Acceptance of Mobile


Banking in Developing Countries Banking in Libya
Ashour A N Mostafa Ashour A N Mostafa

View project View project

Project Conference Paper

Factors Affecting Acceptance of E- Cryptography and relational database


commerce by SMEs in Libya management systems
Ashour A N Mostafa February 2001

Jingmin He · Min Wang


Nowadays, e-commerce has gained a substantial attention from SMEs (Small
and Medium Enterprises) as it affords competitive advantages and strategic
Security is becoming one of the most urgent challenges in database research
benefits to the business. Despite the numerous be ... [more]
and industry, and the challenge is intensifying due to the enormous popularity of
e-business. The authors study database security from a cryptographic point of
view. They show how to integrate modern cryptography technology into a
relational database management system to solve some major security problems.
Our study shows ... [Show full abstract]

View project Read more

Conference Paper Full-text available Article Full-text available

Jelly view - A technology for arbitrarily Jelly Views : Extending Relational


advanced queries within RDBMS Database Systems Toward Deductive
January 2005 Database Systems
Antoni Ligęza · Igor Wojnicki January 2004

Igor Wojnicki
Data processing capabilities of Relational Database Management Systems are
limited. In particular, the following two categories of problems are hard to solve:
Traversal of Structurally Complex Data Structures (such as graphs, trees, terms, This paper regards the Jelly View technology, which provides a new, practical
lists etc.) and Search for Admissible Solutions Under Specified Constraints methodology for knowledge decomposition, storage, and retrieval within
(finding specific subsets of a given set, generation of structural solutions ... Relational Database Management Systems (RDBMS). Intensional Knowledge
clauses (rules) are decomposed and stored in the RDBMS founding reusable
[Show full abstract]
components. The results of the rule-based processing are visible as regular
views, accessible through SQL. ... [Show full abstract]
View full-text
View full-text

Article Conference Paper

Data Security Mechanisms Implemented in Secure databases: state of the art


the Database with Universal Model February 2000

May 2014 · Bulletin of the Lebedev Physics Institute Eduardo Fernández-Medina · Mario Piattini
S. G. Rassomakhin · V. I. Esin · N. G. Polukhina · V. M.
Most of the relational database management systems (RDBMS) used nowadays
Grachev provide some limited security mechanisms, and facilities offer capabilities to
define roles and establish audit trails. Users of RDBMSs are used to working
The problem of database security is examined. By the example of the database with discretionary access control (DAC) policies. This kind of security is
with universal model, the tools and methods providing security of stored sufficient for a great majority of information systems, however an increasing
corporate data are considered. The security mechanisms implemented due to number of ... [Show full abstract]
the capabilities of the database management systems (DBMSs), used as
database, platforms and special data protection tools implemented in the
schema of the database with ... [Show full abstract]
Read more
Read more

Discover more

Last Updated: 24 Jan 2019

Ad

About Support Business solutions

News Help center Recruiting

Company FAQ Advertising

Careers

© ResearchGate 2019. All rights reserved. Imprint · Terms · Privacy