Database Security and Privacy

SUSHIL JAJODIA
Center for Secure Information Systems and Department of Information and Software Systems
Engineering, George Mason University ⟨[email protected]⟩

A complete solution to either the security or the privacy problem requires the following three steps:

—Policy. The first step is to develop a security or privacy policy. The policy precisely defines the requirements that are to be implemented within the hardware and software of the computing system and those that are external to the computing system, including physical, personnel, and procedural controls. The policy lays down broad goals without specifying how to achieve them.

—Mechanism. The security or privacy policy is made more concrete with the mechanism necessary to implement the requirements of the policy. It is important that the mechanism perform the intended functions.

—Assurance. The last step deals with the assurance issue. It provides guidelines for ensuring that the mechanism meets the policy requirements with a high degree of assurance. Assurance is directly related to the effort required to subvert the mechanism. Low-assurance mechanisms are easy to implement, but also relatively easy to subvert; on the other hand, high-assurance mechanisms are notoriously difficult to implement.

The high-level objectives of security are well known: (1) secrecy (or confidentiality), which is concerned with unauthorized disclosure of information; (2) integrity, which is concerned with the unauthorized modification of information or processes; and (3) availability, which is concerned with improper denial of access to information.

Less well known are the basic principles for achieving information privacy. They are as follows:

(1) Proper acquisition and retention is concerned with what information is collected and how long it is retained by an organization.

(2) Integrity is concerned with maintaining information on individuals that is correct, complete, and timely. The source of the information should be clearly stated, especially when the information is based on indirect sources.

(3) Aggregation and derivation of data is concerned with ensuring that any aggregation or derivations performed by an organization on its information are necessary to carry out its responsibilities. Aggregation is the combining of information from various sources. Derivation goes one step further; it uses different pieces of data to deduce or create new or previously unavailable information from the aggregates.

(4) Information sharing is concerned with authorized or proper disclosure of information to outside organizations or individuals. Information should be disclosed only when specifically authorized and solely for the limited use specified.

This work was partially supported by NSF grant IRI-9303416 and National Security Agency grant
MDA904-94-C-6118.
Copyright © 1996, CRC Press.

ACM Computing Surveys, Vol. 28, No. 1, March 1996


(5) Proper access is concerned with limiting access to information and resources to authorized individuals who have a demonstrable need to perform official duties. Thus, information should not be disclosed to those who are either not authorized or do not have a need to know (even if they are authorized).

Privacy protection is a fundamental personal right of all individuals. Individuals have a right to expect that organizations will keep personal information confidential. One way to ensure this is to require that organizations collect, maintain, use, and disseminate identifiable personal information and data only as necessary to carry out their functions. In the U.S., the federal privacy policy is guided by two key legislations: The Freedom of Information Act of 1966 and The Privacy Act of 1974.

RESEARCH DIRECTIONS

Current research efforts in the database security area can be classified in three main ways (see Bertino et al. [1995] for a detailed discussion and relevant citations):

Discretionary Access Controls. The first direction concerns discretionary access control in relational database management systems (DBMSs). Recent research efforts attempt to extend the capabilities of current authorization models so that a wide variety of application authorization policies can be directly supported. Related to these extensions is the development of appropriate tools and mechanisms to support those models. Examples of these extensions are models that permit negative authorizations, role-based and task-based authorization models, and temporal authorization models.

Mandatory Access Controls. The second research direction deals with extending the relational model to incorporate mandatory access controls. Several results have been reported for relational DBMSs, some of which have been applied to commercial products.

Authorization for Advanced DBMSs. The third direction concerns the development of adequate authorization models for advanced DBMSs, like object-oriented DBMSs or active DBMSs. These DBMSs are characterized by data models that are richer than the relational model. Advanced data models often include notions such as inheritance hierarchies, composite objects, versions, and methods. Therefore, authorization models developed for relational DBMSs must be properly extended to deal with the additional modeling concepts. Some of those problems have been addressed by recent research. However, work in the area of authorization models for object-oriented databases is still at a preliminary stage. Of the object-oriented DBMSs, only Orion and Iris provide authorization models comparable to those provided by current relational DBMSs.

The research above, however, constitutes only a small aspect of overall security. As an increasing number of organizations become dependent on access to their data over the Internet, the network aspect of security is also critical. There are several new and open research issues that involve access controls to information over the Internet. Information servers such as the World-Wide Web support quick and efficient access to a large number of distributed but interlinked information sources. As the amount of information to be shared grows, the need to restrict access to specific users or for specific usage will surely arise. The protection of information, however, is difficult because of the peculiarity of the hypertext paradigm that is generally used to represent the information, together with the fact that related objects in a hypertext are often distributed at different sites. Very few hypertext systems provide any form of protection, and the ones that do enforce a very primitive form of authorization specification and control. There are several issues related to access control in distributed hypertext systems, including (1) formulation of an authorization model for a hypertext system, (2) extension of the model to take distribution aspects into consideration, (3) investigation of different policies for the administration of authorizations, and (4) investigation of credential-based access control policies.
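The three extensions the Discretionary Access Controls direction names (negative authorizations, role-based authorization, and temporal authorization) combined in one small authorization model, as an added Python example; this is not code from the article or from any DBMS it mentions. The users, roles, the "patients" relation, the validity dates, and the closed policy with denials taking precedence are all constructed for illustration:

```python
"""Toy discretionary authorization model (added example, not code from
Jajodia's article).  It combines the three extensions the text lists:
negative authorizations (denials take precedence), role-based grants with
role inheritance, and temporal authorizations valid only inside an interval.
Subjects, relations and dates below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Authorization:
    subject: str                             # a user name or a role name
    relation: str                            # the protected relation
    privilege: str                           # "select", "update", ...
    positive: bool                           # True = grant, False = explicit denial
    valid_from: Optional[datetime] = None    # None means no lower bound
    valid_to: Optional[datetime] = None      # None means no upper bound

    def active_at(self, when: datetime) -> bool:
        """Temporal authorization: holds only inside [valid_from, valid_to)."""
        if self.valid_from is not None and when < self.valid_from:
            return False
        if self.valid_to is not None and when >= self.valid_to:
            return False
        return True


class AuthorizationModel:
    def __init__(self) -> None:
        self.auths: list[Authorization] = []
        self.user_roles: dict[str, set[str]] = {}
        self.role_parents: dict[str, set[str]] = {}   # role -> roles it inherits from

    def grant(self, auth: Authorization) -> None:
        self.auths.append(auth)

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def role_inherits(self, child: str, parent: str) -> None:
        self.role_parents.setdefault(child, set()).add(parent)

    def subjects_for(self, user: str) -> set[str]:
        """The user plus every role reachable through the role hierarchy."""
        result = {user}
        pending = list(self.user_roles.get(user, ()))
        while pending:
            role = pending.pop()
            if role not in result:
                result.add(role)
                pending.extend(self.role_parents.get(role, ()))
        return result

    def decide(self, user: str, relation: str, privilege: str, when: datetime) -> bool:
        """Closed policy: access needs an active positive authorization and no
        active negative one for the user or any of its roles."""
        subjects = self.subjects_for(user)
        applicable = [a for a in self.auths
                      if a.subject in subjects and a.relation == relation
                      and a.privilege == privilege and a.active_at(when)]
        if any(not a.positive for a in applicable):   # denial wins on conflict
            return False
        return any(a.positive for a in applicable)     # no grant at all -> deny


def build_demo_model() -> AuthorizationModel:
    """Constructed scenario: a role hierarchy over a 'patients' relation."""
    m = AuthorizationModel()
    m.role_inherits("senior_analyst", "analyst")          # senior inherits analyst grants
    m.assign_role("alice", "senior_analyst")
    m.assign_role("bob", "analyst")
    m.grant(Authorization("analyst", "patients", "select", True))
    m.grant(Authorization("bob", "patients", "select", False))   # explicit denial for bob
    m.grant(Authorization("carol", "patients", "update", True,
                          valid_from=datetime(2024, 1, 1), valid_to=datetime(2024, 2, 1)))
    return m


def demo_decisions() -> dict[str, bool]:
    m = build_demo_model()
    jan = datetime(2024, 1, 15)
    mar = datetime(2024, 3, 1)
    return {
        "alice_select_via_role_hierarchy": m.decide("alice", "patients", "select", jan),
        "bob_select_denied_despite_role": m.decide("bob", "patients", "select", jan),
        "carol_update_inside_interval": m.decide("carol", "patients", "update", jan),
        "carol_update_after_interval": m.decide("carol", "patients", "update", mar),
        "alice_update_no_grant": m.decide("alice", "patients", "update", jan),
    }


if __name__ == "__main__":
    for name, allowed in demo_decisions().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
```

The conflict-resolution rule is the design decision that matters: with a closed policy and denials taking precedence, a negative authorization on a user reliably overrides a grant the user would otherwise inherit from a role, and an expired temporal grant falls back to "deny" rather than to whatever was in force before it.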
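What "extending the relational model to incorporate mandatory access controls" looks like in the smallest form, as an added Python example that is not code from the article or from any product it refers to: a relation whose tuples carry a classification label, with reads filtered by the simple security property (no read up) and writes checked against the *-property (no write down). The example goes one step beyond the text by also showing polyinstantiation, the standard answer to the key-clash problem in multilevel relations; the level names, keys and values are constructed:

```python
"""Toy multilevel relation with mandatory access control (added example,
not code from Jajodia's article).  Every tuple carries a classification
label; reads follow the simple security property (no read up) and writes
follow the *-property (no write down).  Polyinstantiation, which the text
does not mention, is shown as well: a low subject's insert that collides
with a higher-classified key is stored alongside it rather than rejected,
so the outcome of the insert reveals nothing about the high tuple.
Levels, keys and values are constructed for illustration."""

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # unclassified < confidential < secret < top secret


def dominates(high: str, low: str) -> bool:
    """True if label `high` is at least as sensitive as label `low`."""
    return LEVELS[high] >= LEVELS[low]


def can_read(subject_level: str, label: str) -> bool:
    return dominates(subject_level, label)       # simple security property


def can_write(subject_level: str, label: str) -> bool:
    return dominates(label, subject_level)       # *-property: never write down


class MultilevelRelation:
    """Tuples are (key, value, label).  The primary key of a multilevel
    relation is (key, label), which is what permits polyinstantiation."""

    def __init__(self) -> None:
        self.tuples: list[tuple[str, str, str]] = []

    def select(self, clearance: str) -> list[tuple[str, str, str]]:
        """A subject sees only the tuples its clearance dominates."""
        return [t for t in self.tuples if can_read(clearance, t[2])]

    def insert(self, subject_level: str, key: str, value: str, label: str = None) -> None:
        """Insert at the subject's own level by default; an explicit lower
        label is a write down and is refused."""
        label = subject_level if label is None else label
        if not can_write(subject_level, label):
            raise PermissionError(f"subject at {subject_level} may not write a {label} tuple")
        # Report a key clash only where the subject could see the clashing
        # tuple.  A clash with a tuple it cannot read is accepted silently as a
        # polyinstantiated tuple, so a refusal never signals high data.
        for k, _, lbl in self.tuples:
            if k == key and lbl == label and can_read(subject_level, lbl):
                raise ValueError(f"{key!r} already exists at level {label}")
        self.tuples.append((key, value, label))


def mac_demo() -> dict:
    r = MultilevelRelation()
    r.insert("S", "flight-101", "missile parts")     # secret subject writes at S
    r.insert("U", "flight-101", "farm equipment")    # unclassified cover story: polyinstantiated
    r.insert("S", "flight-202", "radar units")        # only a secret tuple exists for this key
    r.insert("U", "flight-202", "textiles")           # accepted; a refusal would leak the S tuple
    try:
        r.insert("U", "flight-202", "textiles again")  # clash at the subject's own level
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    try:
        r.insert("S", "flight-303", "leaked", label="U")  # write down attempt
        write_down_rejected = False
    except PermissionError:
        write_down_rejected = True
    return {
        "view_U": r.select("U"),
        "view_S": r.select("S"),
        "duplicate_at_own_level_rejected": duplicate_rejected,
        "write_down_rejected": write_down_rejected,
    }


if __name__ == "__main__":
    for name, result in mac_demo().items():
        print(f"{name}: {result}")
```

The U view contains only the two cover-story tuples and gives no hint that secret tuples share their keys; the S view shows both versions of each key, which is exactly the ambiguity a multilevel DBMS has to manage and one reason the commercial results the text mentions were harder to obtain than the labelling itself suggests.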

CONCLUDING REMARKS

The most popular security measure these days is a firewall [Cheswick and Bellovin 1994]. A firewall sits between an organization’s internal network and the Internet and monitors all traffic from outside to inside, blocking any traffic that is unauthorized. Although firewalls can go a long way toward protecting organizations against the threat of intrusion from the Internet, they should be viewed only as the first line of defense. Firewalls are not immune to penetration; once an outsider is successful in penetrating a system, firewalls typically provide no protection for internal resources. Moreover, firewalls do not protect against security violations from insiders, an organization’s authorized users. Most security experts believe that insiders are responsible for a vast majority of computer crimes.

For general references on computer security, see Abrams et al. [1995], Amoroso [1994], and Denning [1982]. Texts by Castano et al. [1994] and Kaufman et al. [1995] are specific to database and network security, respectively. Security in statistical databases is covered in Denning [1982] and in the survey by Adam and Wortman [1989].

REFERENCES

ABRAMS, M. D., JAJODIA, S., AND PODELL, H. J., EDS. 1995. Information Security: An Integrated Collection of Essays. IEEE Computer Society Press, Los Alamitos, CA.

ADAM, N. R. AND WORTMANN, J. C. 1989. Security-control methods for statistical databases: A comparative study. ACM Comput. Surv. 21, 4 (Dec.), 515–556.

AMOROSO, E. 1994. Fundamentals of Computer Security Technology. Prentice-Hall, Englewood Cliffs, NJ.

BERTINO, E., JAJODIA, S., AND SAMARATI, P. 1995. Database security: Research and practice. Information Systems 20, 7, 537–556.

CASTANO, S., FUGINI, M., MARTELLA, G., AND SAMARATI, P. 1994. Database Security. Addison-Wesley, Reading, MA.

CHESWICK, W. R. AND BELLOVIN, S. M. 1994. Firewalls and Internet Security. Addison-Wesley, Reading, MA.

DENNING, D. E. 1982. Cryptography and Data Security. Addison-Wesley, Reading, MA.

KAUFMAN, C., PERLMAN, R., AND SPECINER, M. 1995. Network Security: Private Communication in a Public World. Prentice-Hall, Englewood Cliffs, NJ.
