Database Security: Research and Practice

As an increasing number of organizations become dependent on access to their data over the Internet, the need for adequate security measures is becoming more and more critical. The most popular security measure these days is a firewall. However, a firewall is not immune to penetration, and it does not provide any protection of internal resources from insiders and successful intruders. One of the requirements for the protection of internal resources is access control to ensure that all accesses are authorized according to some specified policy. In this paper, we survey the state of the art in access control for database systems, discuss the main research issues, and outline possible directions for future research.
