Designing secure databases
Introduction
Modern society forces businesses to evolve and to manage information correctly in order to achieve their objectives and survive in the digital era. Organizations increasingly depend on information systems (IS), which rely upon large databases, and these databases therefore require ever more quality and security [8]. Indeed, the very survival of organizations depends on the correct management, security and confidentiality of this information [14], [15].
Consequently, protecting the information stored in databases is important for companies and, at times, for individuals as well, because databases frequently store information about private or personal aspects of individuals, such as identification data, medical data, or even religious beliefs, ideologies or sexual tendencies. As a result, there are laws to protect the individual's privacy, such as the European Union Directive 95/46/CE of the European Parliament and Council, which deals with the protection of personal data and its free circulation [16]. These laws tend to be very strict and impose severe penalties for failure to comply with them. This information must therefore be protected against unauthorized access, thereby fulfilling the existing data protection laws.
Some authors note that database protection is a serious requirement that must be carefully considered, not as an isolated aspect, but as an element present in all stages of the database life cycle [13], [19], [21]. Even the Information Systems Audit and Control Foundation affirms that managers have to ensure that security is considered as an integral part of the systems development life cycle process and is explicitly addressed during each phase of the process [24].
In this article, we propose a methodology to build multilevel databases, taking into consideration aspects of security (with regard to confidentiality) from the earliest stages to the end of the development process. We believe that a new methodology for designing secure databases should be an extension of a widely accepted modeling language, in order to save developers from learning a new model and its corresponding notation. Therefore, the methodology we propose extends some well-known models, such as different unified modeling language (UML) models [7], the unified process (UP) [25], and the object constraint language (OCL) [38]. This methodology allows us to create conceptual and logical models of multilevel databases, and implement them by using Oracle9i Label Security (OLS9i) [29].
The rest of the article is organized as follows: in Section 2 we present related work. Section 3 presents a summary of OLS9i. In Section 4 we provide an overview of the case study. A concise review of the secure database design methodology, including subsections with details of each stage and the models and languages that have been defined, is presented in Section 5. An overview of the CASE tool developed is shown in Section 6. Section 7 collects the lessons learned when applying the methodology to the case study. Finally, in Section 8, we mention some conclusions that have been drawn and future work to be carried out.
Related work
In spite of the fact that there is a vast amount of work related to security and databases, not much of this work integrates security into the database development process. We can classify related work as follows:
- Database design. Traditional database design methodologies [4], [11] do not consider security. Therefore, these methodologies are not useful in developing secure databases.
- Security design. Security methods can be organized into three main generations: checklists, engineering, and logic
Oracle9i label security
OLS9i [29] is a component of version 9 of the Oracle database management system (DBMS) which allows multilevel databases to be implemented [35]. OLS9i defines labels that are assigned to the rows and users of the database: the row labels carry confidentiality information and the user labels carry authorization information. OLS9i defines a combined access control mechanism, considering mandatory access control (MAC) by using the content of the labels, and discretionary access control (DAC) which is
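As an added illustration, not code from the article nor Oracle's own implementation, the following Python sketch models the combined mechanism this section describes: every row and every user carries a label, MAC is enforced by comparing label contents, and a DAC grant on the table is checked as well. The label structure used here (one sensitivity level plus a set of compartments), the level names, the table and the users are constructed assumptions and are simpler than the real OLS9i label structure; the point is that a user must pass both checks before a row becomes visible.

```python
from dataclasses import dataclass

# Constructed ordering of sensitivity levels (sample values, not OLS9i's defaults).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Simplified label: a level plus a set of compartments (assumed structure)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # MAC rule: the reader's level must be at least the row's level, and the
        # reader must hold every compartment the row is tagged with.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Row:
    data: dict
    label: Label          # confidentiality information attached to the row


@dataclass
class User:
    name: str
    clearance: Label          # authorization information attached to the user
    select_grants: frozenset  # DAC: tables on which SELECT has been granted


# Constructed sample table with three rows carrying different labels.
CITIZEN_RECORDS = [
    Row({"id": 1, "name": "A. Perez"}, Label("PUBLIC")),
    Row({"id": 2, "name": "B. Ruiz", "tax": "on file"},
        Label("CONFIDENTIAL", frozenset({"TAX"}))),
    Row({"id": 3, "name": "C. Soto", "health": "on file"},
        Label("SECRET", frozenset({"HEALTH"}))),
]

# Constructed sample users covering the interesting combinations.
USERS = {
    "clerk": User("clerk", Label("CONFIDENTIAL", frozenset({"TAX"})),
                  frozenset({"citizen_records"})),
    "auditor": User("auditor", Label("SECRET", frozenset({"TAX", "HEALTH"})),
                    frozenset({"citizen_records"})),
    # High clearance but no DAC grant on the table: must see nothing.
    "contractor": User("contractor", Label("SECRET", frozenset({"TAX", "HEALTH"})),
                       frozenset()),
    # Highest level but no compartments: only unrestricted rows are visible.
    "director": User("director", Label("SECRET"), frozenset({"citizen_records"})),
}


def can_read(user: User, table: str, row: Row) -> bool:
    """Combined check: DAC (table grant) first, then MAC (label dominance)."""
    if table not in user.select_grants:
        return False
    return user.clearance.dominates(row.label)


def select_rows(user_name: str, table: str = "citizen_records") -> list:
    """Return the rows of the table the named user is allowed to read (hypothetical API)."""
    user = USERS[user_name]
    return [r.data for r in CITIZEN_RECORDS if can_read(user, table, r)]


def visible_ids(user_name: str) -> list:
    return [r["id"] for r in select_rows(user_name)]


if __name__ == "__main__":
    for name in USERS:
        print(f"{name:>10}: {visible_ids(name)}")
```

Running the block prints which row ids each sample user can see: the clerk is stopped by the level check on row 3, the director by the compartment check on rows 2 and 3, and the contractor by the missing table grant before any label is consulted.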
Case study
In order to develop our methodology, we have used the Action Research method [2], applying the methodology to the redesign of a Spanish Provincial Government's database. Those involved in this process were mainly Provincial Government managers and researchers.
The database that we considered in this case study was used by an application, called System for the Accounting of the Local Administration (SALA), which had various confidentiality problems which were solved by creating a new secure
Methodology overview
As we have mentioned previously, there is no satisfactory solution to the problem of integrating security into the database development process. Therefore, our main objective is to build a complete methodology (with the necessary techniques) in order to develop secure databases. Considering this main objective, we have defined the following set of partial sub-objectives with regard to the methodology: (1) it has to be easy to learn; (2) it has to be flexible; (3) it has to be
Case tool
A CASE tool that extends Rational Rose has been developed in order to automate the requirements gathering and database analysis stages of the secure database design methodology. The main functions of this tool can be grouped as follows:
- System Security Information Definition. For each database, it is possible to define and manage the valid values of security levels and the valid user role hierarchy.
- Use Cases Security Information Definition. This functionality helps to model use case diagrams,
Lessons learned
The development of this methodology, together with its application to the design of a secure database for a Provincial Government in Spain over a period of almost 2 years, with continuous revisions and feedback, has yielded many advantages and lessons learned. This activity has been positive both for the Provincial Government and for the results of our research.
The positive aspects for the Provincial Government have been the following:
- Considering that Society's concerns for security
Conclusions and future work
The critical nature of IS and especially of databases for modern business, together with new requirements of laws and governments, make more sophisticated approaches necessary to ensure database security.
Traditionally, information security deals with different research topics, such as access control techniques, secure architectures, cryptographic methods, etc. Although all these topics are very important, we believe it is fundamental to use a methodological approach, where security is taken
Acknowledgements
This research is part of the CALIPO project, supported by the Dirección General de Investigación of the Ministerio de Ciencia y Tecnología (TIC2003-07804-C05-03), and the MESSENGER project, supported by the Consejería de Ciencia y Tecnología of the Junta de Comunidades de Castilla-La Mancha (PCC-03-003-1). We would like to thank the rest of the Alarcos Research Group members, and especially the reviewers of this journal for their valuable comments, and Antonio Martínez, director of the SALA
References (38)
- Database Systems. Concepts, Languages and Architectures (et al., 1999)
- Action research, Communications of the ACM (et al., 1999)
- Information systems security design methods: implications for information systems development, ACM Computing Surveys (1993)
- Conceptual database design. An entity-relationship approach (et al., 1991)
- Testing Object-Oriented Systems: Models, Patterns, and Tools (2000)
- Object-Oriented Modeling and Design for Database Applications (et al., 1998)
- The Unified Modeling Language, User Guide (et al., 1999)
- What Is There to Worry About? An Introduction to the Computer Security Problem (et al.)
- Database Security (et al., 1994)
- Non-functional requirements in software engineering (et al., 2000)
- Database systems. A practical approach to design, implementation, and management
- Temporal OCL: Meeting Specification Demands for Business Components
- Software engineering for security: a roadmap
- Information Security Management: Global challenges in the New Millennium
- Information system security management in the new millennium, Communications of the ACM
- Fundamentals of Database Systems
- Secure Database Systems
Cited by (33)
- An extensive systematic review on the Model-Driven Development of secure systems (2015, Information and Software Technology)
- ASE: A comprehensive pattern-driven security methodology for distributed systems (2015, Computer Standards and Interfaces). Citation excerpt: "In this sense, the fact that ASE possesses such similar features is an advantage, not a disadvantage that diminishes ASE's uniqueness – just as ASE does not diminish the value or uniqueness of its related security methodologies, which possess their own unique advantages within their own specific constraints and objectives. A number of other security methodologies exist in the literature which attempt to take into account the specifics of different system types – e.g. databases/data warehouses [83–86]; as well as specific project situations – e.g. systems being developed using business processes [88,89] or as software product lines [73,87]. Needless to say, their specific features are quite distinct from those of ASE, even though they do, of course, follow a general model of gathering and analyzing security requirements, considering security during system design, etc. (cf. [8])."
- A comprehensive pattern-oriented approach to engineering security methodologies (2015, Information and Software Technology). Citation excerpt: "Finally, as intimated in Section 2.2, a more in-depth exploration of flexibility and the inherent possibilities in the approach proposed in this paper to construct flexible methodologies that can not only be tailored further on-the-fly, but also combine features of existing methodologies, will form an important focus for the future. As discussed in Section 8.9, the related group of methodologies in [11,132–139] would be extremely suitable candidates for such a purpose – especially for determining the plausibility of constructing one, or several, abstract, extrinsically flexible methodologies that would allow for parts of other methodologies generalized as abstract process fragments (e.g. for modeling Web-service-based components, for utilizing repositories, for using standards to elicit security requirements, etc. – cf. Section 3.5) to be introduced on-the-fly via the tailoring workflow of S-SMEP. For the case study described in this paper, S-SMEP was applied without the support of any specialized software tools."
- Advances in model-driven security (2014, Advances in Computers). Citation excerpt: "The project's goal was to handle complex healthcare scenarios based on Usage Control and dealing with multiple advanced access control policies such as dynamic access control or delegation of rights. In [91] the authors illustrate the ModelSec approach using an example taken from a web application for the management of medical patients [32]. The core of the example is the design of a secure database where the authors show how ModelSec deals with access control and database security code."
- Development of secure XML Data warehouses with QVT (2013, Information and Software Technology). Citation excerpt: "On the other hand, Mokum [56] is an active object oriented knowledge base system for modeling which permits the specification of security and integrity constraints, and automatic code generation. We have been working on the integration of security in the development process applied to: the development of applications based on Web services (PWSSec process) [57]; processes for requirements engineering (SREP) [58] and product lines (SREPPLine) [59]; a methodology for secure databases that covers requirements gathering, analysis, relational logical design and specific logical design for Oracle Label Security [60]; model driven development of secure systems from secure business processes modeled with extensions of BPMN [61] or UML [62]. These are relevant contributions to secure information systems development but are not specifically focused on DWs."
- Evaluation of the Pattern-based method for Secure Development (PbSD): A controlled experiment (2012, Information and Software Technology)