Designing secure databases

https://doi.org/10.1016/j.infsof.2004.09.013

Abstract

Security is an important issue that must be considered as a fundamental requirement in information systems development, and particularly in database design. Therefore security, as a further quality property of software, must be tackled at all stages of development. The most widespread secure database model is the multilevel model, which permits the classification of information according to its confidentiality and considers mandatory access control. Nevertheless, no database design methodology currently considers security (and therefore secure database models) across the entire life cycle, and particularly at the earliest stages, so it is not possible to design secure databases appropriately. Our aim is to solve this problem by proposing a methodology for the design of secure databases. In addition to this methodology, we have defined models that allow us to include security information in the database model, and a constraint language to define security constraints. As a result, we can specify a fine-grained classification of the information, defining with a high degree of accuracy which properties each user must hold in order to access each piece of information. The methodology consists of four stages: requirements gathering; database analysis; multilevel relational logical design; and specific logical design. The first three stages define activities to analyze and design a secure database, thus producing a general secure database model. The last stage is made up of activities that adapt the general secure data model to one of the most popular secure database management systems: Oracle9i Label Security. This methodology has been used in a real case by the Data Processing Center of a Provincial Government. In order to support the methodology, we have implemented an extension of Rational Rose, which includes and manages security information and constraints in the first stages of the methodology.

Introduction

Modern society forces businesses to evolve and to manage information correctly in order to achieve their objectives and survive in the digital era. Organizations increasingly depend on information systems (IS), which rely upon large databases, and these databases therefore need ever greater quality and security [8]. Indeed, the very survival of organizations depends on the correct management, security and confidentiality of this information [14], [15].

Consequently, protecting information stored in databases is important for companies, and at times also for individuals, because databases frequently store information regarding private or personal aspects of individuals, such as identification data, medical data, or even religious beliefs, ideologies or sexual orientation. As a result, there are laws to protect the individual's privacy, such as the European Union Directive 95/46/CE of the European Parliament and Council, which deals with the protection of personal data and its free circulation [16]. These laws tend to be very strict, imposing severe penalties for failure to comply with them. Such information should therefore be protected against unauthorized access, in fulfilment of the existing data protection laws.

Some authors note that database protection is a serious requirement that must be carefully considered, not as an isolated aspect, but as an element present in all stages of the database life cycle [13], [19], [21]. Even the Information Systems Audit and Control Foundation affirms that managers have to ensure that security is considered as an integral part of the systems development life cycle process and is explicitly addressed during each phase of the process [24].

In this article, we propose a methodology to build multilevel databases, taking into consideration aspects of security (with regard to confidentiality) from the earliest stages to the end of the development process. We believe that a new methodology for designing secure databases should be an extension of a widely accepted modeling language, in order to save developers from learning a new model and its corresponding notation. Therefore, the methodology we propose extends some well-known models, such as different unified modeling language (UML) models [7], the unified process (UP) [25], and the object constraint language (OCL) [38]. This methodology allows us to create conceptual and logical models of multilevel databases, and implement them by using Oracle9i Label Security (OLS9i) [29].

The rest of the article is organized as follows: in Section 2 we present related work. Section 3 presents a summary of OLS9i. In Section 4 we provide an overview of the case study. A concise revision of the secure database design methodology, including subsections with details of each stage and the models and languages that have been defined is presented in Section 5. An overview of the CASE tool developed is shown in Section 6. Section 7 collects the lessons learned when applying the methodology to the case study. Finally, in Section 8, we mention some conclusions that have been drawn and future work to be carried out.

Section snippets

Related work

Although there is a vast amount of work related to security and databases, little of it integrates security into the database development process. We can classify related work as follows:

  • Database design. Traditional database design methodologies [4], [11] do not consider security. Therefore, these methodologies are not useful in developing secure databases.

  • Security design. Security methods can be organized into three main generations: checklists, engineering, and logic

Oracle9i label security

OLS9i [29] is a component of version 9 of the Oracle database management system (DBMS) that allows multilevel databases to be implemented [35]. OLS9i defines labels that are assigned to the rows and users of the database. These labels contain confidentiality information for the rows, and authorization information for users. OLS9i defines a combined access control mechanism, considering mandatory access control (MAC) by using the content of the labels, and discretionary access control (DAC) which is
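As an added illustration (not code from the paper, nor Oracle's implementation), the following Python models the read rule of the label-based mandatory access control described above: a row label carries a level, compartments and groups, and a user sees a row only when their authorization dominates that label. The level names, compartments, groups, users and rows are constructed sample data, and the DAC side (table privileges) is left out.

```python
# Added example: simplified model of the label-based MAC read check that
# Oracle Label Security applies to rows of a labelled table. Sample data only.
from dataclasses import dataclass

# Constructed level ordering (higher number = more confidential)
LEVELS = {"PUBLIC": 10, "CONFIDENTIAL": 20, "SECRET": 30}


@dataclass(frozen=True)
class Label:
    """Confidentiality label attached to a row."""
    level: str
    compartments: frozenset = frozenset()
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class UserAuth:
    """Authorization held by a database user (clearance)."""
    max_level: str
    compartments: frozenset = frozenset()
    groups: frozenset = frozenset()


def can_read(user: UserAuth, row_label: Label) -> bool:
    """Dominance rule: the user's clearance level must be at least the row
    level, the user must hold every compartment on the row, and, if the row
    names any groups, the user must belong to at least one of them."""
    if LEVELS[user.max_level] < LEVELS[row_label.level]:
        return False
    if not row_label.compartments <= user.compartments:
        return False
    if row_label.groups and not (row_label.groups & user.groups):
        return False
    return True


def visible_rows(user: UserAuth, rows):
    """Filter (label, payload) pairs down to the rows the user may read;
    this is the effect OLS obtains by rewriting queries on labelled tables."""
    return [payload for label, payload in rows if can_read(user, label)]


# Constructed rows of an accounting table, in the spirit of the SALA case
ROWS = [
    (Label("PUBLIC"), "budget summary 2004"),
    (Label("CONFIDENTIAL", frozenset({"PAYROLL"})), "salary of employee 17"),
    (Label("SECRET", frozenset({"PAYROLL"}), frozenset({"FINANCE"})), "audit finding 3"),
    (Label("CONFIDENTIAL", frozenset(), frozenset({"HR"})), "disciplinary note"),
]
# Constructed users: a payroll clerk and an auditor with wider clearance
CLERK = UserAuth("CONFIDENTIAL", frozenset({"PAYROLL"}), frozenset({"FINANCE"}))
AUDITOR = UserAuth("SECRET", frozenset({"PAYROLL"}), frozenset({"FINANCE", "HR"}))
```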

Case study

In order to develop our methodology, we have used the Action Research method [2], applying the methodology to the redesign of a Spanish Provincial Government's database. Those involved in this process were mainly Provincial Government managers and researchers.

The database that we considered in this case study was used by an application, called System for the Accounting of the Local Administration (SALA), which had various confidentiality problems which were solved by creating a new secure

Methodology overview

As we have mentioned previously, there is no satisfactory solution to the problem of integrating security into the database development process. Therefore, our main objective is to build a complete methodology (with the necessary techniques) in order to develop secure databases. Considering this main objective, we have defined the following set of partial sub-objectives with regard to the methodology: (1) it has to be easy to learn; (2) it has to be flexible; (3) it has to be

Case tool

A CASE tool that extends Rational Rose has been developed in order to automate the requirements gathering and database analysis stages of the secure database design methodology. The main functions of this tool can be grouped as follows:

  • System Security Information Definition. For each database, it is possible to define and manage the valid values of security levels and the valid user role hierarchy.

  • Use Cases Security Information Definition. This functionality helps to model use case diagrams,

Lessons learned

The development of this methodology, together with its application to the design of a secure database for a Provincial Government in Spain over a period of almost 2 years, with continuous revisions and feedback, has yielded many advantages and lessons learned. This activity has been positive both for the Provincial Government and for the results of our research.

The positive aspects for the Provincial Government have been the following:

  • Considering that Society's concerns for security

Conclusions and future work

The critical nature of IS and especially of databases for modern business, together with new requirements of laws and governments, make more sophisticated approaches necessary to ensure database security.

Traditionally, information security deals with different research topics, such as access control techniques, secure architectures, cryptographic methods, etc. Although all these topics are very important, we believe it is fundamental to use a methodological approach, where security is taken

Acknowledgements

This research is part of the CALIPO project, supported by the Dirección General de Investigación of the Ministerio de Ciencia y Tecnología (TIC2003-07804-C05-03), and the MESSENGER project, supported by the Consejería de Ciencia y Tecnología of the Junta de Comunidades de Castilla-La Mancha (PCC-03-003-1). We would like to thank the rest of the Alarcos Research Group members, and especially the reviewers of this journal for their valuable comments, and Antonio Martínez, director of the SALA

References (38)

  • P. Atzeni et al., Database Systems. Concepts, Languages and Architectures (1999)
  • D. Avison et al., Action research, Communications of the ACM (1999)
  • R. Baskerville, Information systems security design methods: implications for information systems development, ACM Computing Surveys (1993)
  • C. Batini et al., Conceptual database design. An entity-relationship approach (1991)
  • R.V. Binder, Testing Object-Oriented Systems—Models, Patterns, and Tools (2000)
  • M. Blaha et al., Object-Oriented Modeling and Design for Database Applications (1998)
  • G. Booch et al., The Unified Modeling Language, User Guide (1999)
  • D. Brinkley et al., What Is There to Worry About? An Introduction to the Computer Security Problem
  • S. Castano et al., Database Security (1994)
  • L. Chung et al., Non-functional requirements in software engineering (2000)
  • T. Connolly et al., Database systems. A practical approach to design, implementation, and management (2002)
  • C. Conrad et al., Temporal OCL: Meeting Specification Demands for Business Components
  • P. Devanbu et al., Software engineering for security: a roadmap
  • G. Dhillon, Information Security Management: Global challenges in the New Millennium (2001)
  • G. Dhillon et al., Information system security management in the new millennium, Communications of the ACM (2000)
  • Directive 95/46/CE of the European Parliament and Council, dated October 24th, about People protection...
  • R. Elmasri et al., Fundamentals of Database Systems (2002)
  • E. Fernández-Medina, M. Piattini, Extending OCL for Secure Database Development (accepted), Proceedings of The Unified...
  • E. Ferrari et al., Secure Database Systems
