Database Security and Statistical Database Security

In this article we will present an introduction to issues relevant to database security and statistical database security. We will briefly cover various security models, elaborate on how data analysis in data warehouses (DWH) might compromise an individual’s privacy, and explain which safeguards can be used to prevent attacks.

In most companies, databases are an essential part of IT infrastructure since they store critical business data. In the last two decades, databases have been used to process increasing amounts of transactional data, such as a complete account of a person’s purchases from a retailer or connection data from calls made on a cell phone. As soon as this data became available from transactional databases and online transactional processing (OLTP) became well established, the next logical step was to use the knowledge contained in the vast amounts of data. Today, data warehouses store aggregated data in an optimal way to serve queries related to business analysis.

In recent years, most people have begun to focus their attention on security. Early OLTP applications were mainly concerned with integrity of data during transactions; today privacy and secrecy are more important as databases store an increasing amount of information about individuals, and data from different systems can be aggregated. Thuraisingham (2002) summarizes the requirements briefly as “However, we do not want the information to be used in an incorrect manner.”

All security requirements stem from one of three basic requirements: confidentiality (aka secrecy), integrity, and availability (CIA). Confidentiality refers to the requirement that only authorized subjects, that is, people or processes, should be permitted to read data. Integrity means that unauthorized modifications must not be permitted. This includes both modifications by unauthorized people and incorrect modification by authorized users. To correctly perform the services requested, the system needs to remain available; a denial-of-service attack compromises the requirement of availability.

Other security requirements may include privacy, non-repudiation, and separation of duties. These requirements are, however, composite requirements that can be traced back to one of the three basic requirements. Privacy, for instance, is the non-disclosure (that is, confidentiality) of personal data; non-repudiation refers to the integrity of transaction logs and integrity of origin.

Throughout this article we will focus only on technical attacks and safeguards and not on social engineering. Social engineering is often the easiest and, in many cases, a very successful attack vector. For an in-depth coverage of social engineering we recommend Bock (2007).

In Section 2 we cover the most relevant access control models; in Section 3 we provide an overview of security in statistical databases. Finally, in Section 4 we highlight the essentials of securing not only the transactional and the statistical databases but the entire system.

[1] José Galindo, et al. Fuzzy Databases: Modeling, Design, and Implementation, 2006.

[2] Aryya Gangopadhyay, et al. A privacy-preserving technique for Euclidean distance-based mining algorithms using Fourier-related transforms, 2006, The VLDB Journal.

[3] Shirley Becker, et al. A study of a generic schema for management of multidatabase systems, 1996.

[4] Zbigniew W. Ras, et al. Extended Action Rule Discovery Based on Single Classification Rules and Reducts, 2009, Database Technologies: Concepts, Methodologies, Tools, and Applications.

[5] David Taniar, et al. Web Data Warehousing Convergence: From Schematic to Systematic, 2006, Int. J. Inf. Technol. Web Eng.

[6] Özgür Ulusoy. Lock-Based Concurrency Control in Distributed Real-Time Database Systems, 1993.

[7] Keng Siau, et al. Co-creation and Collaboration in a Virtual World: A 3D Visualization Design Project in Second Life, 2010, J. Database Manag.

[8] G. Premkumar, et al. Knowledge Based System and Database Management System: An Integrative Framework, 1991.

[9] Sudha Ram, et al. Towards a Comprehensive Concurrency Control Mechanism for Object-Oriented Databases, 1995.

[10] Antonio Picariello, et al. Managing Uncertainties in Image Databases, 2009, Database Technologies: Concepts, Methodologies, Tools, and Applications.

[11] Sébastien Lefèvre. Image Features from Morphological Scale-Spaces, 2009, Semantic Mining Technologies for Multimedia Databases.

[12] Jaehong Park, et al. The UCONABC usage control model, 2004, TSEC.

[13] John S. Erickson. Database Technologies: Concepts, Methodologies, Tools, and Applications (4 Volumes), 2009, Database Technologies: Concepts, Methodologies, Tools, and Applications.

[14] George Tzanis, et al. Mining for Mutually Exclusive Items in Transaction Databases, 2007, Int. J. Data Warehous. Min.

[15] Elisa Bertino, et al. Secure knowledge management: confidentiality, trust, and privacy, 2006, IEEE Transactions on Systems, Man, and Cybernetics - Part A: Systems and Humans.

[16] Ravi S. Sandhu, et al. The NIST model for role-based access control: towards a unified standard, 2000, RBAC '00.

[17] Bhavani M. Thuraisingham, et al. Data mining, national security, privacy and civil liberties, 2002, SKDD.

[18] Jan Schlörer, et al. Security of statistical databases: multidimensional transformation, 1980, TODS.

[19] Sudha Ram, et al. IAIS: A Methodology to Enable Inter-Agency Information Sharing In eGovernment, 2003, J. Database Manag.

[20] Ravi S. Sandhu, et al. Configuring role-based access control to enforce mandatory and discretionary access control policies, 2000, TSEC.

[21] Nabil R. Adam, et al. Security-control methods for statistical databases: a comparative study, 1989, CSUR.

[22] Peter J. Denning, et al. The tracker: a threat to statistical database security, 1979, TODS.

[23] R. Nedunchezhian, et al. Soft Computing Applications for Database Technologies: Techniques and Issues, 2010.

[24] Xuelong Li, et al. Semantic Mining Technologies for Multimedia Databases, 2009.

[25] Josep Domingo-Ferrer, et al. Efficient multivariate data-oriented microaggregation, 2006, The VLDB Journal.

[26] Bhavani M. Thuraisingham, et al. Privacy constraint processing in a privacy-enhanced database management system, 2005, Data Knowl. Eng.