Database Security: Policies and Mechanisms

An introduction into policies and mechanisms of database security is given. Three different policy classes for access control are distinguished: Owner driven access control (discretionary access control), organization driven access control (mandatory access control), and access control with security levels (multi-level access control). After giving intentions and characterizations for each policy class, we present mechanisms usually used with those policies. Thus the access control matrix is presented with their different views from a subject (capability list), from a granule (access control list), and from an operation (method control list). Further mechanisms which are considered in connection with owner driven access control are propagation of rights, database views, and query modification. Organization driven access control is studied with respect to classification and clearance, the relationship between confidentiality and integrity, and the appropriate granularity of classification. The dissemination control policy and -in more detail- the chinese wall policy are presented as examples for this class of policies. Mechanisms of the lattice-based access control with security levels include polyinstantiation (used for information hiding and cover stories) and trusted subjects. A final criticism points out the author’s view of the strengths and weaknesses of each class of policies.

[1]  Eduardo B. Fernández,et al.  Database security , 1990, SGMD.

[2]  Selim G. Akl,et al.  Views for Multilevel Database Security , 1986, 1986 IEEE Symposium on Security and Privacy.

[3]  David D. Clark,et al.  A Comparison of Commercial and Military Computer Security Policies , 1987, 1987 IEEE Symposium on Security and Privacy.

[4]  Hans Hermann Brüggemann,et al.  Object-Oriented Authorization , 1993, CISM - Advances in Database Systems.

[5]  Dorothy E. Denning,et al.  Cryptography and Data Security , 1982 .

[6]  LouAnna Notargiacomo,et al.  Beyond the pale of MAC and DAC-defining new forms of access control , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[7]  Michael J. Nash,et al.  The Chinese Wall security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[8]  Selim G. Akl,et al.  Views for Multilevel Database Security , 1987, IEEE Transactions on Software Engineering.

[9]  Richard Graubart,et al.  A Preliminary Naval Surveillance DBMS Security Model. , 1982, S&P 1982.

[10]  Joachim Biskup,et al.  A General Framework for Database Security , 1990, ESORICS.

[11]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[12]  Jonathan K. Millen,et al.  Models of Multilevel Computer Security , 1989, Adv. Comput..

[13]  Eduardo B. Fernandez,et al.  Database Security and Integrity , 1981 .