Fluent Essays

I want someone to write an Article review for me. It has to be 2 pages and ive posted the article and guidelines you need to follow to write the paper. Please read the how to write a research paper and ffolow the guidelines accordingly. .Please complete the article by tomorrow. Database Security—Concepts, Approaches, and Challenges Elisa Bertino, Fellow, IEEE, and Ravi Sandhu, Fellow, IEEE Abstract—As organizations increase their reliance on, possibly distributed, information systems for daily business, they become more vulnerable to security breaches even as they gain productivity and efficiency advantages. Though a number of techniques, such as encryption and electronic signatures, are currently available to protect data when transmitted across sites, a truly comprehensive approach for data protection must also include mechanisms for enforcing access control policies based on data contents, subject qualifications and characteristics, and other relevant contextual information, such as time. It is well understood today that the semantics of data must be taken into account in order to specify effective access control policies. Also, techniques for data integrity and availability specifically tailored to database systems must be adopted. In this respect, over the years the database security community has developed a number of different techniques and approaches to assure data confidentiality, integrity, and availability. However, despite such advances, the database security area faces several new challenges. Factors such as the evolution of security concerns, the “disintermediation” of access to data, new computing paradigms and applications, such as grid-based computing and on- demand business, have introduced both new security requirements and new contexts in which to apply and possibly extend current approaches. In this paper, we first survey the most relevant concepts underlying the notion of database security and summarize the most well-known techniques. We focus on access control systems, on which a large body of research has been devoted, and describe the key access control models, namely, the discretionary and mandatory access control models, and the role-based access control (RBAC) model. We also discuss security for advanced data management systems, and cover topics such as access control for XML. We then discuss current challenges for database security and some preliminary approaches that address some of these challenges. Index Terms—Data confindentiality, data privacy, relational and object databases, XML. � 1 INTRODUCTION AS organizations increase their adoption of databasesystems as the key data management technology for day-to-day operations and decision making, the security of data managed by these systems becomes crucial. Damage and misuse of data affect not only a single user or application, but may have disastrous consequences on the entire organization. The recent rapid proliferation of Web- based applications and information systems have further increased the risk exposure of databases and, thus, data protection is today more crucial than ever. It is also important to appreciate that data needs to be protected not only from external threats, but also from insider threats. Security breaches are typically categorized as unauthor- ized data observation, incorrect data modification, and data unavailability. Unauthorized data observation results in the disclosure of information to users not entitled to gain access to such information. All organizations, ranging from commercial organizations to social organizations, in a variety of domains such as healthcare and homeland protection, may suffer heavy losses from both financial and human points of view as a consequence of unauthorized data observation. Incorrect modifications of data, either intentional or unintentional, result in an incorrect database state. Any use of incorrect data may result in heavy losses for the organization. When data is unavailable, information crucial for the proper functioning of the organization is not readily available when needed. Thus, a complete solution to data security must meet the following three requirements: 1) secrecy or confidentiality refers to the protection of data against unauthorized disclosure, 2) integrity refers to the prevention of unauthor- ized and improper data modification, and 3) availability refers to the prevention and recovery from hardware and software errors and from malicious data access denials making the database system unavailable. These three requirements arise in practically all application environ- ments. Consider a database that stores payroll information. It is important that salaries of individual employees not be released to unauthorized users, that salaries be modified only by the users that are properly authorized, and that paychecks be printed on time at the end of the pay period. Similarly, consider the Web site of an airline company. Here, it is important that customer reservations only be available to the customers they refer to, that reservations of a customer not be arbitrarily modified, and that information on flights and reservations always be available. In addition to these requirements, privacy requirements are of high relevance today. Though the term privacy is often used as a synonym for confidentiality, the two requirements are quite different. Techniques for information confidentiality 2 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 2, NO. 1, JANUARY-MARCH 2005 . E. Bertino is with the Computer Science and Electric and Computer Engineering Department and CERIAS, Purdue University, West Lafay- ette, IN 47907. E-mail: [email protected] . R. Sandhu is with the Information Science Engineering Department, George Mason University, Fairfax, VA 22030. E-mail: [email protected] Manuscript received 2 Sept. 2004; revised 11 Jan. 2005; accepted 1 Mar. 2005; published online 4 Apr. 2005. For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference IEEECS Log Number TDSC-0130-0904. 1545-5971/05/$20.00 � 2005 IEEE Published by the IEEE Computer Society may be used to implement privacy; however, assuring privacy requires additional techniques, such as mechanisms for obtaining and recording the consents of users. Also, confidentiality can be achieved be means of withholding data from access, whereas privacy is required even after the data has been disclosed. In other words, the data should be used only for the purposes sanctioned by the user and not misused for other purposes. Data protection is ensured by different components of a database management system (DBMS). In particular, an access control mechanism ensures data confidentiality. When- ever a subject tries to access a data object, the access control mechanism checks the rights of the user against a set of authorizations, stated usually by some security adminis- trator. An authorization states whether a subject can perform a particular action on an object. Authorizations are stated according to the access control policies of the organization. Data confidentiality is further enhanced by the use of encryption techniques, applied to data when being stored on secondary storage or transmitted on a network. Recently, the use of encryption techniques has gained a lot of interest in the context of outsourced data management; in such contexts, the main issue is how to perform operations, such as queries, on encrypted data [54]. Data integrity is jointly ensured by the access control mechanism and by semantic integrity constraints. When- ever a subject tries to modify some data, the access control mechanism verifies that the user has the right to modify the data, and the semantic integrity subsystem verifies that the updated data are semantically correct. Semantic correct- ness is verified by a set of conditions, or predicates, that must be verified against the database state. To detect tampering, data can be digitally signed. Finally, the recovery subsystem and the concurrency control mechan- ism ensure that data is available and correct despite hardware and software failures and accesses from con- current application programs. Data availability, especially for data that are available on the Web, can be further strengthened by the use of techniques protecting against denial-of-service (DoS) attacks, such as the ones based on machine learning techniques [25]. In this paper, we focus mainly on the confidentiality requirement and we discuss access control models and techniques to provide high-assurance confidentiality. Be- cause, however, access control deals with controlling accesses to the data, the discussion in this paper is also relevant to the access control aspect of integrity, that is, enforcing that no unauthorized modifications to data occur. We also discuss recent work focusing specifically on privacy-preserving database systems. We do not cover transaction management or semantic integrity. We refer the reader to [50] for an extensive discussion on transaction models, recovery and concurrency control, and to any database textbook for details on semantic integrity. It is also important to note that an access control mechanism must rely for its proper functioning on some authentication mechanism. Such a mechanism identifies users and con- firms their identities. Moreover, data may be encrypted when transmitted over a network in the case of distributed systems. Both authentication and encryption techniques are widely discussed in the current literature on computer network security and we refer the reader to [62] for details on such topics. We will, however, discuss the use of encryption techniques in the context of secure outsourcing of data, as this is an application of cryptography which is specific to database management. We do not attempt to be exhaustive, but try to articulate the rationale for the approaches we believe to be promising. 1.1 A Short History Early research efforts in the area of access control models and confidentiality for DBMSs focused on the development of two different classes of models, based on the discretionary access control policy and on the mandatory access control policy. This early research was cast in the framework of relational database systems. The relational data model, being a declarative high-level model specifying the logical structure of data, made the development of simple declarative languages for the specification of access control policies possible. These earlier models and the discretionary models in particular, introduced some important principles [45] that set apart access control models for database systems from access control models adopted by operating systems and file systems. The first principle was that access control models for databases should be expressed in terms of the logical data model; thus authorizations for a relational database should be expressed in terms of relations, relation attributes, and tuples. The second principle is that for databases, in addition to name-based access control, where the protected objects are specified by giving their names, content-based access control has to be supported. Content- based access control allows the system to determine whether to give or deny access to a data item based on the contents of the data item. The development of content- based access control models, which are, in general, based on the specification of conditions against data contents, was made easy in relational databases by the availability of declarative query languages, such as SQL. In the area of discretionary access control models for relational database systems, an important early contribution was the development of the System R access control model [51], [42], which strongly influenced access control models of current commercial relational DBMSs. Some key features of this model included the notion of decentralized author- ization administration, dynamic grant and revoke of authorizations, and the use of views for supporting content-based authorizations. Also, the initial format of well-known commands for grant and revoke of authoriza- tions, that are today part of the SQL standard, were developed as part of this model. Later research proposals have extended this basic model with a variety of features, such as negative authorization [27], role-based and task- based authorization [80], [87], [47], temporal authorization [10], and context-aware authorization [74]. Discretionary access control models have, however, a weakness in that they do not impose any control on how BERTINO AND SANDHU: DATABASE SECURITY—CONCEPTS, APPROACHES, AND CHALLENGES 3 information is propagated and used once it has been accessed by subjects authorized to do so. This weakness makes discretionary access controls vulnerable to malicious attacks, such as Trojan Horses embedded in application programs. A Trojan Horse is a program with an apparent or actually useful function, which contains some hidden functions exploiting the legitimate authorizations of the invoking process. Sophisticated Trojan Horses may leak information by means of covert channels, enabling illegal access to data. A covert channel is any component or feature of a system that is misused to encode or represent information for unauthorized transmission, without violat- ing the stated access control policy. A large variety of components or features can be exploited to establish covert channels, including the system clock, operating system interprocess communication primitives, error messages, the existence of particular file names, the concurrency control mechanism, and so forth. The area of mandatory access control and multilevel database systems tried to address such problems through the development of access control models based on information classification, some of which were also incorporated in commercial products. Early mandatory access control models were mainly developed for military applications and were very rigid and suited, at best, for closed and controlled environments. There was considerable debate among security researchers concerning how to eliminate covert channels while maintaining the essential properties of the relational model. In particular, the concept of polyinstantiation, that is, the presence of multiple copies with different security levels of the same tuple in a relation, was developed and articulated in this period [81], [55]. Because of the lack of applications and commercial success, companies developing multilevel DBMSs discontinued their production several years ago. Covert channels were also widely investigated with con- siderable focus on the concurrency control mechanisms that, by synchronizing transactions running at different security levels, would introduce an obvious covert channel. However, solutions developed in the research arena to the covert channel problem were not incorporated into com- mercial products. Interestingly, however, today we are witnessing a “multilevel security reprise” [82], driven by the strong security requirements arising in a number of civilian applications. Companies have thus recently re- introduced such systems. This is the case, for example, of the Labeled Oracle, a multilevel relational DBMS marketed by Oracle, which has much more flexibility in comparison to earlier multilevel secure DBMSs. Early approaches to access control have since been extended in the context of advanced DBMSs, such as object-oriented DBMSs and object-relational DBMSs, and other advanced data management systems and applica- tions, such as data made available through the Web and represented through XML, digital libraries and multimedia data, data warehousing systems, and workflow systems. Most of these systems are characterized by data models that are much richer than the relational model; typically, such extended models include semantic modeling notions such as inheritance hierarchies, aggregation, methods, and stored procedures. An important requirement arising from those applications is that it is not only the data that needs to be protected, but also the database schema may contain sensitive information and, thus, accesses to the schema need to be filtered according to some access control policies. Even though early relational DBMSs did not support authorizations with respect to schema information, today several products support such features. In such a context, access control policies may also need to be protected because they may reveal sensitive information. As such, one may need to define access control policies the objects of which are not user data, rather they are other access control policies. Another relevant characteristic of advanced appli- cations is that they often deal with multimedia data, for which the automatic interpretation of contents is much more difficult, and they are in most cases accessed by a variety of users external to the system boundaries, such as through Web interfaces. As a consequence both discre- tionary and mandatory access control models developed for relational DBMSs had to be properly extended to deal with additional modeling concepts. Also, these models often need to rely on metadata information in order to support content-based access control for multimedia data and to support credential-based access control policies to deal with external users. Recent efforts in this direction include the development of comprehensive access control models for XML [14], [72]. 1.2 Emerging Research in Database Security Besides the historical research that has been conducted in database security, several new areas are emerging as active research topics. A first relevant recent research direction is motivated by the trend of considering databases as a service that can be outsourced to external companies [54]. An important issue is the development of query processing techniques for encrypted data. Several specialized encryp- tion techniques have been proposed, such as the order- preserving encryption technique by Agrawal et al. [3]. A second research direction deals with privacy-preserving techniques for databases, an area recently investigated to a considerable extent. Research in this direction has been motivated, on one side, by increasing concerns with respect to user privacy and, on the other, by the need to support Web-based applications across organization boundaries. In particular privacy legislation, such as the early Federal Act of 1974 [43] and the more recent Health Insurance Portability and Accountability Act of 1996 (HIPAA) [53] and the Children’s Online Privacy Protection Act (COPPA) [33], require organizations to put in place adequate privacy- preserving techniques for the management of data concern- ing individuals. The new Web-based applications are characterized by the requirement of supporting cooperative processes while ensuring the confidentiality of data. This research direction is characterized by a number of different approaches and techniques, including privacy-preserving data mining [92], privacy-preserving information retrieval, and databases systems specifically tailored toward enfor- cing privacy [2]. 4 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 2, NO. 1, JANUARY-MARCH 2005 1.3 Organization of the Paper The remainder of the paper is organized as follows: Section 2 discusses past and current developments for relational database systems. It discusses both discretionary and mandatory access control models and also briefly surveys other topics such as RBAC models. Section 3 presents an overview of relevant requirements for access control models for advanced data management systems and outlines the main approaches, including access control systems for XML. Section 4 summarizes privacy-preserving data management techniques, which are the focus of several research efforts today, and Section 5 discusses current factors and trends which make database security more challenging. Finally, Section 6 presents some concluding remarks. 2 RELATIONAL DATABASE SYSTEMS 2.1 Discretionary Access Control for Relational Databases Access control mechanisms of current DBMSs are based on discretionary policies governing the accesses of a subject to data based on the subject’s identity and authorization rules. These mechanisms are discretionary in that they allow subjects to grant authorizations on the data to other subjects. Because of such flexibility, discretionary policies are adopted in many application environments and this is the reason that commercial DBMSs adopt such policies. An important aspect of discretionary access control is thus related to the authorization administration policy. Authoriza- tion administration refers to the function of granting and revoking authorizations. It is the function by which authorizations are entered into or removed from the access control mechanism. Common administration policies in- clude centralized administration, by which only some privileged subjects may grant and revoke authorizations, and ownership administration, by which grant and revoke operations on data objects are entered by the creator (or owner) of the object. Ownership-based administration is often provided with features for administration delegation, allowing the owner of a data object to assign other subjects the right to grant and revoke authorizations. Delegation thus supports decentralized authorization administration. Most commercial DBMSs adopt ownership-based adminis- tration with administration delegation. More sophisticated administration mechanisms can be devised such as joint administration, by which several subjects are jointly respon- sible for authorization administration [17]. In this section, we review some discretionary models proposed for relational DBMSs. We start by describing the System R authorization model and then we survey some recently proposed extensions to it. We then discuss role- based access control (RBAC), a relevant extension to current authorization models, which finds application not only to database systems, but also to the more general context of enterprise security [60] and of multidomain systems [28]. 2.1.1 The System R Authorization Model and Its Extensions One of the first authorization models developed for relational DBMSs was defined by Griffiths and Wade [51], [42] in the framework of the System R DBMS [6]. Under this model, protection objects are tables and views, also referred to as virtual tables.1 The possible access modes that subjects can exercise on tables correspond to SQL operations that can be executed on tables. Thus, relevant access modes include: select (to retrieve tuples from a table), insert (to add tuples to a table), delete (to remove tuples from a table), and update (to modify tuples in a table). The same access modes are defined for views with the difference that some access modes may not be applicable to a view depending on the view definition. For example, very often, delete, insert, and update operations are not allowed on views defined as joins or containing aggregate functions. In the remainder, we use the term table to refer to both base tables and views. It is important to point out that this basic model is still prevalent today in commercially available DBMSs. Of course, current DBMSs have extended the basic model by introducing new types of objects to be protected as a consequence of extensions to the data model, and the set of protection modes that one finds in such DBMSs is much larger than the set defined as part of the basic model. For example, the introduction of trigger mechanisms in relational DBMSs [93] has required the introduction of a specific access mode allowing a subject to create a trigger on a table. Similarly, the introduction of mechanisms for referential integrity through the use of foreign key has required the introduction of a related access mode allowing a subject to reference a table from another table. Authorization administration in the System R model is based on the ownership approach coupled with adminis- tration delegation. Any database user authorized to do so can create a new table. When a user creates a table, he becomes the owner of the table and is solely and fully authorized to exercise all access modes on the table. The owner, however, can delegate privileges on the table to other subjects by granting these subjects authorizations with the so-called grant option. The possibility of delegating authorization administration introduces some interesting issues concerning the semantics of the revoke operations. A subject, to whom the administration right on a given table has been granted and then revoked, may have granted to another subject an authorization to access the table. The question is what happens to this authorization when the revokation takes place. The semantics of the revokation of an authorization from a subject (revokee) by another subject (revoker) is to consider as valid only the authorizations that would have been present had the revoker never granted the revokee the privilege. As a consequence, every time an authorization is revoked from a subject, a recursive revocation takes place to remove all authorizations for this BERTINO AND SANDHU: DATABASE SECURITY—CONCEPTS, APPROACHES, AND CHALLENGES 5 1. There are usually other objects to be protected in a database, such as application programs and stored procedures. We limit the discussion to tables and views to simplify the presentation. table from the revokee. The revoke operation takes into account the temporal sequence according to which the grant operations were made. The temporal sequence is deter- mined according to the timestamps that are associated with the granted authorizations. A number of extensions to the basic model have been proposed with the goal of enriching the expressive power of the authorization languages in order to address a large variety of application requirements. A first extension deals with negative authorizations [27]. The System R authoriza- tion model, as the models of most DBMSs, uses the closed world policy. Under this policy, whenever a subject tries to access a table and no authorization is found in the system catalogs, the subject is denied access. Therefore, the lack of authorization is interpreted as no authorization. This approach has the major drawback that the lack of an authorization for a subject on a table does not prevent this subject from receiving this authorization some time in the future. Any subject holding the right to administer that table can grant any other subject the authorization to access the table. The introduction of negative authorization can overcome this drawback. An explicit negative authorization expresses a denial for a subject to access a table under a specified mode. Conflicts between positive and negative authorizations are resolved by applying the denials-take- precedence policy under which negative authorizations override positive authorizations. That is, whenever a subject has both a positive and a negative authorization for a given privilege on a table, the subject is prevented from exercising the privilege on the table. The subject is denied access even if a positive authorization is granted after a negative one has been granted. Negative authorizations can also be used to temporarily block possible positive authorizations of a subject and to specify exceptions. For example, it is possible to grant an authorization to all members of a group, but for one specific member, by granting the group a positive authorization for the privilege on the table and the given member the corresponding negative authorization. Such a model has been further extended with a more flexible conflict resolution policy, based on the concept of more specific authorization. Such a concept introduces a partial order relation among authorizations which is taken into account when dealing with conflicting authorizations. For example, the authorizations granted directly to a user are more specific than the authorizations granted to the groups of which the user is a member. Therefore, a negative authorization can be overridden by a positive authorization, if the latter is more specific than the former. If, however, two conflicting authorizations cannot be compared under the order relation, the negative authorization prevails. This line of work has been further extended by several other researchers and today we find a variety of approaches dealing with conflict resolution policies and with logical formalizations of access control policies. Such logical formalizations provide sound underlying semantics which is essential when dealing with complex access control models [16]. The notion of explicit denial has also been proposed in the context of the Sea View system [59]. In Sea View, authorizations can specify which users or groups are authorized to access particular tables and which users and groups are specifically denied for particular tables. Unlike positive authorizations, negative authorizations cannot specify an access mode. A special access mode, called “null,” is used to denote a negative authorization. If a subject receives a null access mode on a table, the subject cannot exercise any access mode on the table. Conflicts between positive and negative authorizations are solved on the basis of the following policy: 1) authorizations directly granted to a user take precedence over authorizations specified for groups to which the user belongs and 2) a null mode authorization given to a subject overrides any other authorization granted to the same subject. Thus, negative … Writing Research Papers “A research paper is the culmination and final product of an involved process of research, critical thinking, source evaluation, organization, and composition. A research paper is not simply an informed summary of a topic by means of primary and secondary sources. It is neither a book report nor an opinion piece nor an expository essay consisting solely of ones interpretation of a text nor an overview of a particular topic.” OWL, Purdue University Types of Research Papers 1. Experimental/empirical paper To validate or test hypotheses /a new system design/method/algorithm 2. Theoretical/conceptual paper To offer new theory/framework/model/guidelines/critical insights Structure of Research Papers Title Reflects the research work Summarizes the hypothesis of the paper Abstract States the hypothesis or research questions or purpose of your study Justifies your research study Summarizes your research findings (add this when you are done with your research) Mentions the key contributions of the paper Introduction Provide context Motivation of your research Questions addressed What is the problem? Why is the problem important? What has so far been done on the problem? What is the contribution of the paper on the problem? Is the contribution original? Explain why Is the contribution non-trivial? Explain why Ends with a short summary of the paper’s organization. For example, “The rest of the paper is structured as follows: In Section 2 we ... “ Main Body (Vary depending on the type of paper) This part of the paper consists of Sections with names of your choice. For example, If a paper is fairly large and has an extensive amount of background material, you may add a section of Literature Review below. Literature Review (optional) (a) Provide a broad and general account of the field, which helps to create a context for your research contribution. For example, What are the rival approaches? What are the drawbacks of each? How has the battle between different approaches progressed? What are the major outstanding problems? (This is where you come in) (b) Background describes previous work in more technical detail, as far as needed for a proper understanding of the contribution of the paper (c ) Theory describes the underlying theory of techniques or system where appropriate, uses a mathematical style of definitions, lemmas, propositions, theorems, etc. illustrates the main definitions and theorems with simple but meaningful examples. Most Scientific research papers contain these sections: Methodology, Results, Discussion. Methodology States research method used. Survey study is mostly used in social science disciplines. Experimental study is often used in computer science and engineering fields. Specification (optional) Describe survey instrument and its development Describe survey subjects, procedure of data collection and analyses or Formally specifies techniques that underlie the implementation States the requirements of the implementation Implementation (optional) Describe how the survey was administered; response rate Or Describes only the final state of the implementation Identifies the major design decisions and gives their reasons Describes the overall structure of the system and key algorithms in abstract form Illustrates the main algorithms with simple but meaningful examples Results Statistical analyses of data collected from the survey or computational data from the experiment are presented Results are often best presented graphically. Discussions Use the results to support or refute the hypothesis. The following is a case of a computational study, Technique/system X automates task Y for the first time Technique/system X automates task Y better, along some dimension, than each of its rivals, where the dimensions are typically: (a) Behavior: X has a higher success rate or produces better quality outputs (b) Coverage: X is applicable to a wider range of examples (c) Efficiency: X is faster or uses less space (d) Dependability: X is more reliable, safe or secure than its rivals (e) Maintainability: X is easier to adapt and extend than its rivals (f) Usability: Users find X easier to use than its rivals Conclusions Summarizes the research and discusses its significance (a) The hypothesis and the evidence for and against it are briefly restated (b) The original motivation is recapitulated (c) The state of the field in the light of this new contribution is reassessed References ICCL Team, “How to Write a Research Paper in Computer Science, Technische Universitat Dresden, Germany Shoop, Libby, “A Guide for Writing a Technical Research Paper,” Macalester College Turner, Jon, “How to Write a Great Research Paper,” Washington University in St. Louis