Database Security System supporting Access Control for Various Sizes of Data Groups

Due to various requirements for the user access control to large databases in the hospitals and the banks, database security has been emphasized. There are many security models for database systems using wide variety of policy-based access control methods. However, they are not functionally enough to meet the requirements for the complicated and various types of access control. In this paper, we propose a database security system that can individually control user access to data groups of various sites and is suitable for the situation where the user`s access privilege to arbitrary data is changed frequently. Data group(s) in different sixes d is defined by the table name(s), attribute(s) and/or record key(s), and the access privilege is defined by security levels, roles and polices. The proposed system operates in two phases. The first phase is composed of a modified MAC (Mandatory Access Control) model and RBAC (Role-Based Access Control) model. A user can access any data that has lower or equal security levels, and that is accessible by the roles to which the user is assigned. All types of access mode are controlled in this phase. In the second phase, a modified DAC(Discretionary Access Control) model is applied to re-control the `read` mode by filtering out the non-accessible data from the result obtained at the first phase. For this purpose, we also defined the user group s that can be characterized by security levels, roles or any partition of users. The policies represented in the form of Block(s, d, r) were also defined and used to control access to any data or data group(s) that is not permitted in `read ` mode. With this proposed security system, more complicated `read` access to various data sizes for individual users can be flexibly controlled, while other access mode can be controlled as usual. An implementation example for a database system that manages specimen and clinical information is presented.

[1]  D. Richard Kuhn,et al.  A role-based access control model and reference implementation within a corporate intranet , 1999, TSEC.

[2]  Simon R. Wiseman,et al.  Securing an object relational database , 1997, Proceedings 13th Annual Computer Security Applications Conference.

[3]  E. Fernandez-Medina,et al.  Secure databases: state of the art , 2000, Proceedings IEEE 34th Annual 2000 International Carnahan Conference on Security Technology (Cat. No.00CH37083).

[4]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[5]  I. S. Herschberg,et al.  On the validity of the Bell-La Padula model , 1994, Comput. Secur..

[6]  Eduardo B. Fernández,et al.  Authorization in multilevel database models , 1979, Inf. Syst..