IT 221: Introduction to Information Security Principles
Lecture 11: Database Security
For Educational Purposes Only
Revised: November 13, 2002

Special Topics Outline (1)
•Special Topics Outline:
  Context and Overview
  Introduction to Databases
  Database Components
  Advantages of Using Databases
  Database Security Factors
  Security Requirements
  CIA
  Types of Disclosures
  Inference Problem
  Three Dimensions of Integrity
  Data Sensitivity
  Multilevel Security Requirements
November 3, 2002 IT 221: Introduction to Information Security Principles For Educational Purposes Only

Special Topics Outline (2)
•Special Topics Outline:
  Methods of Multilevel Security
  -Partitioning
  -Encryption
  -Integrity Lock
  -Trusted Front-End
  Discussion Points

Context and Overview
•Context [1]: Database security is of substantial interest in the arena of IT security:
  -Newer than programming and operating systems
  -Ubiquitous in most businesses and government agencies
  -Contains information that is of greater general interest than a piece of software. The value of information is now recognized as a major corporate asset.
•Overview: Previous lectures covered protocols and mechanisms to enhance security in client-server architectures, e-mail, and IP/Web applications. This lecture focuses on the security aspects of databases. The lecture material is considered a special topic and is based on Pfleeger, Charles. Security In Computing, Prentice Hall, 1997. Chapter 9.

Introduction to Databases
•Introduction [1]: A database is a collection of data and a set of rules that organize the data by specifying certain relationships among the data. Through these rules, a user describes a logical format for the data. Data items are stored in a file, but the physical format of the file is of no concern to the user.
  The Database Administrator (DBA) defines the rules that organize the data and controls who should have access to what parts of the data. Users interact with the database via a Database Management System (DBMS) or some other front-end tool.

Database Components
•Basic Components [1]:
  Records: One related set of data in a database file.
  Attributes (Columns/Fields/Elements): Elementary data items contained in a record.
  Schema: Logical structure of the database.
  Query: A command to retrieve, modify, add, and/or delete attributes and records in a database.

Advantages of Using Databases
•Advantages [1]:
  Shared Access: A collection of data, stored and maintained at one central location, to which many people have access as needed.
  Minimized Redundancy: Individual users do not have to collect and maintain their own sets of data.
  Data Consistency: A change to a data value affects all users of the data value.
  Data Integrity: Data values are protected against accidental or malicious incorrect changes.
  Controlled Access: Only authorized users are allowed to view or to modify data values.

Database Security Factors
•Factors [1]: The basic security requirements of databases are not unlike the security requirements of other computing systems. Basic problems include access control, exclusion of spurious data, authentication of users, and reliability. However, as often happens, security goals can conflict with other factors, namely with performance.

Security Requirements
•Requirements [1]:
  Physical Integrity: Immunity to physical problems such as power outages, i.e. the database
  can be easily reconstructed if destroyed in a catastrophe.
  Logical Integrity: Preservation of the DB structure, e.g. a modification to the value of one attribute does not affect other attributes.
  Element Integrity: Accuracy of the data contained in each element.
  Auditability: Ability to track who has accessed (or modified) the DB elements.
  Access Control: Authorized access (and privileges) for authorized DB users.
  Availability: Users can access the database in general and all the data for which they are authorized.

Confidentiality (Secrecy), Integrity and Availability
•CIA [1]:
  Confidentiality (Secrecy): A large issue with databases because of inference: a user can access sensitive data indirectly.
  Integrity: Applies to the individual elements of a database as well as to the database as a whole.
  Availability: Important because of the shared-access motivation underlying the development of databases. However, availability can conflict with confidentiality (secrecy).

Types of Disclosures
•Types of Disclosure [1]:
  Exact Data: The exact value of the sensitive data itself. The user may know that sensitive data is being requested, or the user may request general data without knowing that some of it is sensitive.
  Bound: The sensitive value y is known to lie between two values L and H. Through an iterative, inductive approach, an attacker could determine L < y < H, then L < y < H/2, etc. Ex: salary ranges.
  Negative Result: Query and determine a negative result, i.e. that z is not the value of y. Ex: a student does not appear on the Honor Roll list.
  Existence: The existence of data is sometimes itself a sensitive piece of information, regardless of the actual value. Ex: whether a long distance call was placed.
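As an added illustration, not from the lecture or from Pfleeger, the Python code below runs the iterative range-halving that the "Bound" disclosure above describes against a constructed sqlite3 salary table, and shows a query-set-size control (the assumed policy MIN_SET) that refuses counts over very few records, which is also what blocks the single-record query of the direct attack on the next slide. The table rows, the MIN_SET value and the function names are all assumptions of this example.

```python
import sqlite3

# Constructed sample table (not from the lecture): one row per employee.
ROWS = [("alice", "eng", 91000), ("bob", "eng", 84000), ("carol", "ops", 58000),
        ("dave", "ops", 61000), ("erin", "eng", 120000), ("frank", "hr", 55000),
        ("gina", "ops", 72000), ("hank", "eng", 96000)]
MIN_SET = 2   # assumed policy: release a count only when it covers >= 2 records

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?)", ROWS)
    return conn

def salary_count(conn, lo, hi, guarded=True):
    """COUNT of employees with lo <= salary < hi.
    With guarded=True, return None when the query set is smaller than MIN_SET
    (a query that isolates one record) or so large that its complement is
    smaller than MIN_SET (the same leak through the few remaining records)."""
    total = conn.execute("SELECT COUNT(*) FROM emp").fetchone()[0]
    n = conn.execute("SELECT COUNT(*) FROM emp WHERE salary >= ? AND salary < ?",
                     (lo, hi)).fetchone()[0]
    if guarded and (n < MIN_SET or n > total - MIN_SET):
        return None
    return n

def narrow_top_salary(conn, lo, hi, guarded=True, step=1000):
    """The 'bound' disclosure from the slide: halve the range [lo, hi) around the
    highest salary using only counts, until the range is narrower than `step`
    or the guard refuses to answer. Returns the final (lo, hi)."""
    while hi - lo > step:
        mid = (lo + hi) // 2
        n = salary_count(conn, mid, hi, guarded)
        if n is None:
            break                    # guard stopped the narrowing here
        lo, hi = (mid, hi) if n > 0 else (lo, mid)
    return lo, hi
```

With the guard off the loop pins the top salary to within a few hundred units; with it on, the narrowing stops as soon as fewer than MIN_SET records remain above the midpoint.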
Inference Problem
•Inference Problem [1]: A way to infer or derive sensitive data from non-sensitive data. Two methods of attack:
  -Direct Attack: Seeks to determine the values of sensitive fields by asking for them directly, with queries that yield few records. The most successful technique is to form a query so specific that it matches exactly one data item.
  -Indirect Attack: Seeks to infer a result based on one or more statistical results, and requires work outside of the database itself. Example: inferring information on individual citizens from US Census Bureau demographics.

Three Dimensions of Integrity
•Integrity [1]:
  (1) Database Integrity: Concern that the database as a whole is protected against damage, as from the failure of a disk drive or the corruption of the master database index. These concerns are typically addressed by operating system integrity controls and recovery procedures.
  (2) Element Integrity: Concern that the value of a specific data element is written or changed only by authorized users. Proper access controls protect a database from corruption by unauthorized users.
  (3) Element Accuracy: Concern that only correct values are written into the elements of a database. Checks on the values of elements can help to prevent insertion of improper values.

Data Sensitivity (1)
•Data Sensitivity [1]:
  Sensitive Data: Data that should not be made public. Determining which data items are sensitive depends on the individual DB and the underlying meaning of the data. More challenging, however, is the case in which some but not all of the elements in the database are sensitive.
  Several factors can make data sensitive:
  -(1) Inherently Sensitive: The value may be so revealing that it is sensitive.
  -(2) From a Sensitive Source: The source of the data may indicate a need for confidentiality.
  -(3) Declared Sensitive: The DBA or the owner of the data may have declared it to be sensitive.

Data Sensitivity (2)
•Data Sensitivity [1]: So far, we've considered data of only two categories: sensitive or non-sensitive. We've alluded to some data being more sensitive than other data, but we've allowed only yes-or-no access. Consider an example of a database containing data on US Government expenditures. Some expenditures are for paper clips, which is not sensitive information. But some salary expenditures are subject to privacy requirements.

Multilevel Security Requirements
•Multilevel Security Requirements [1]: Not unlike the military model, a multilevel DB model can be defined:
  -(1) The security of a single element may be different from the security of other elements of the same record or from other values of the same attribute. That is, the security of one element may be different from that of other elements of the same row or column. This situation implies that security should be interpreted for each individual element.
  -(2) Two levels, sensitive and non-sensitive, are inadequate to represent some security situations. Several grades of security may be needed. These grades may represent ranges of allowable knowledge, which may overlap. Typically, the security grades form a lattice.
  -(3) The security of an aggregate (a sum, a count, or a group of values in a DB) may be different from the security of the individual elements. The security of the aggregate may be higher or lower than that of the individual elements.
Methods of Multilevel Security
•Methods of Multilevel Security [1]: Implementing multilevel security for DBs is difficult, probably more so than for OSs, because of the small granularity of the items being controlled. Several methods include:
  -Partitioning
  -Encryption
  -Integrity Lock
  -Trusted Front-End

Partitioning
•Partitioning [1]: The database is divided into separate databases, each at its own level of sensitivity. Analogous to maintaining separate files in separate file cabinets. Destroys two basic advantages of databases: elimination of redundancy, and improved accuracy through having only one field to update. It also does not address the problem of a high-level user who needs to access some low-level data to be combined with high-level data.

Encryption
•Encryption [1]: If sensitive data is encrypted, a user who accidentally receives sensitive data cannot interpret the data. Thus each level of sensitive data can be stored in a table encrypted under a key unique to the level of sensitivity. Encryption, however, has one major disadvantage: each field must be decrypted in order to perform standard database operations, and thus the time to process a query increases.

Integrity Lock
•Integrity Lock [1]: First proposed at the Air Force Summer Study on Database Security. A way to provide both integrity and limited access for a database. Nicknamed 'spray paint' because each element is 'painted' with a 'color' that denotes its sensitivity. The coloring is maintained with the element, not in a master database table.
  Each data item consists of three pieces: the data itself, a sensitivity label, and a checksum. Each level of sensitive data can be stored in a table encrypted under a key unique to the level of sensitivity.

Trusted Front-End
•Trusted Front-End [1]: The interaction between a user, a trusted front-end and a DBMS is as follows:
  -(1) User identifies self to the front-end; front-end authenticates the user.
  -(2) User issues query to front-end.
  -(3) Front-end verifies user's authorization to data.
  -(4) Front-end issues query to database manager.
  -(5) Database manager performs I/O access, interacting with low-level access control to achieve access to actual data.
  -(6) Database manager returns result of query to front-end.
  -(7) Front-end verifies validity of data via checksum and checks classification of data against security level of user.
  -(8) Front-end transmits data to untrusted front-end for formatting.
  -(9) Untrusted front-end transmits formatted data to user.

Discussion Points
•Discussion Points [1]:
  Best practices for balancing security goals with practical availability/performance needs?
  Best practices and commercially available tools.

Resources
•[1] Pfleeger, Charles. Security In Computing, Prentice Hall, 1997. Chapter 8.
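As an added example, not from the lecture or from Pfleeger, the Python code below ties together the Multilevel Security Requirements, Integrity Lock and Trusted Front-End slides: each element is painted with a lattice label (a level plus a set of compartments), locked with a keyed checksum over the data and its label, and released only after the front-end's step 7, i.e. checksum verification and a classification check against the user's clearance. The HMAC-SHA256 checksum, the key, the level names, the record contents and all function names are assumptions of this example, not details from the lecture.

```python
import hashlib
import hmac

LOCK_KEY = b"front-end-secret-key"   # placeholder; held only by the trusted front-end
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}   # assumed lattice levels

def dominates(subject, label):
    """Lattice order: a clearance covers a label when its level is at least as
    high and its compartment set contains every compartment of the label."""
    s_level, s_comps = subject
    l_level, l_comps = label
    return LEVELS[s_level] >= LEVELS[l_level] and set(l_comps) <= set(s_comps)

def _checksum(value, label):
    # Keyed checksum over data AND label: re-labelling an element breaks it too.
    level, comps = label
    msg = f"{value}|{level}|{','.join(sorted(comps))}".encode()
    return hmac.new(LOCK_KEY, msg, hashlib.sha256).hexdigest()

def lock(value, label):
    """Integrity lock ('spray paint'): the element carries its own label and checksum."""
    return {"value": value, "label": label, "checksum": _checksum(value, label)}

def verify_checksum(item):
    return hmac.compare_digest(_checksum(item["value"], item["label"]), item["checksum"])

def front_end_release(record, clearance):
    """Step 7 of the trusted front-end: per element, check the checksum and compare
    the label with the user's clearance. Tampered elements are reported as
    'TAMPERED'; elements above the clearance are withheld (None)."""
    out = {}
    for attr, item in record.items():
        if not verify_checksum(item):
            out[attr] = "TAMPERED"
        elif dominates(clearance, item["label"]):
            out[attr] = item["value"]
        else:
            out[attr] = None
    return out

# Constructed expenditure record (cf. the paper-clips example on the Data
# Sensitivity slide): each element is painted with its own label.
RECORD = {
    "item": lock("paper clips", ("unclassified", ())),
    "cost": lock(12.5, ("unclassified", ())),
    "payee": lock("J. Doe", ("confidential", ("payroll",))),
}
```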