Quick Click Commissions

Database Security Issues

admin | November 20, 2008 | 0 Comments

This proposed project explores database security by examining identity theft, security techniques, prototypes and security policy.

High-end users, database managers and security software play a central role in the ongoing security process used by the client base. Managing a database security system means examining the data and looking for unexpected results: findings that contradict one or more of the manager's stories about the data environment.


Introduction

Databases are quickly becoming the lifeblood of organizations and individuals. A database, whether it sits on a hard drive, server, USB device or elsewhere, holds critical data and, if compromised, could lead to devastating results. Data could be deleted, modified, released to the public or stolen. Most databases include security features in the application, such as access permissions to control who is allowed to read, modify, and write to various tables and fields. Some also provide the ability to encrypt data.

This discussion will address mission-critical areas of database security. Although there is continuing concern about the security of in-house, virtual and extra-network systems, there are significant differences by region. This may point to perceptual differences in what a database is and how information is stored, as well as cultural differences vis-a-vis individualism.

The study seeks to suggest that a secure Internet web site can increase trust among users through its approach to database security. Given the generally high level of concern about the security of database access and utilization, web sites that offer high-end security can provide value and confidence to the end user.
This approach focuses on the concern that an individual, organization or group might raise about whether data is protected from unauthorized disclosure.

Additionally, this document attempts to address a comprehensive plan for database security. The suggested outline seeks to establish basic guidelines for designing and implementing a database security program, a developmental testing, and an evaluation model.

It is important to note that a breach of database security and confidentiality can be harmful or embarrassing to the data collector, and that both the organization and the individual responsible for the breach, such as a Privacy Act violation, could be legally liable; the proposal will touch on both. At the government level, legal liability can include civil liability for the agency and criminal liability.

The proposed project will touch upon the costs and extended timeline associated with installing new systems and software, hiring new staff, and the ominous specter of failed interoperability (the inability to easily transfer information from the existing databases to the new computer system) that is associated with database security.

Concerns about "upgrading errors," which arise because moving older security systems to newer ones involves mapping and licenses, are valid. For example, new applications are started from existing information held within the current system. Manual records and licensing are widely considered to have a significant number of errors. There is a valid apprehension about the vulnerability and accuracy of database records. Anxiety over database security is not limited to management, but failure to involve individuals familiar with database protocol in the discussion could mean that planning would not ensure the best security.

By the completion of this research, the proposed result is to establish database security guidelines, an outline and obtainable goals. Each year the suggested plan should be reviewed and revised. The vision is to achieve a reflective and more realistic database security evaluation process.


Operational Review

I have three goals for this operational review: (a) to summarize the current state of my knowledge with respect to database security, (b) to highlight numerous unsolved problems in need of additional research, and (c) to provide pointers to numerous related articles that are not discussed. Although there are many ways to organize the articles I review, I choose to group articles by stand-alone off-site, on-site and Internet database security.

I encourage the client to review outside operational information because it often provides valuable insights into the methods that can be used to more effectively integrate accessibility concerns into the overall development process. Finally, I do not discuss the extensive operational information available in the theoretical technology communities. As with the operational information that discusses accessibility from a more general perspective, I encourage the reader to explore the fundamental database security issues. More specifically, I refer the reader to the site dedicated to serious database security issues, specifically Microsoft SQL Server security.

Database security breaches increase exponentially. Corporate security personnel should think long-term about the value of information in databases.


Methodology

The analysis researched directly supports the generation of representative scenarios.  In this idealized methodology, the models developed continue to be available for support of further exploration and evaluation of detailed design alternatives.  The final results of the studies will provide the data for database user system requirement specification and system architecture design.

The research methodology of sampling via population and participants techniques suggests that the methods enable readers to structure their own judgment.  However, the results run counter to the operational information in some areas (such as usability evaluation), which suggest the superiority of certain commercial database security systems.

The suggested methodology of sampled population implies successfully the approach that needs the support of an explicit recruitment of participants.  This approach ensures that the evaluation is structured and thorough.  It is important to take into account some clear differences in research and development in technology, both in academia and industry, away from a traditionally led focus of sampling user-led participant approach.

This has led to the development of user-centered design principles and practices in many industries.  This approach, however, has tended to reduce the significance of high end computer end users and it becomes applicable for a traditional user-centered design approach.  There are some important distinctions between traditional user-centered design with high end users/developers/managers and the approach needed when the user group either contains or is exclusively made up of people with specialized skill sets.


Statement of Results

Like network security, responsibility for maintaining database security resides with the Internet Service Providers (ISP), and violations by users result in cancellation of the ISP’s business license and its network registration.  At first look, a relational database package can be quite intimidating. The documentation is often massive and complicated. Once the initial shock of learning a DBMS program wears off, the utility and power of the software may begin to manifest itself.

Intranets are similar in most ways to the Internet in that they often use Web-based technologies, but are restricted to a particular network or a selected set of users. Access is controlled through security systems known as firewalls. Often database intranets are limited to employees of a company or members of a particular group or organization.

Technology for identifying people is advancing at least as quickly as technology for identifying machines. With technologies for distinguishing human irises, fingerprints, faces, or other body parts improving quickly, it seems increasingly attractive to use the "body as password" rather than base security on a password, a PIN, or a hardware token such as a smart card.

Biometrics can be used for identification or authentication.  Although transactional trust looks likely to continue to improve, integrated with biometrics, the same cannot be said for security of the network. As long as this insecurity exists, persons and corporations will continue to experience a general unease with the entire structure. The nature of digital information makes it likely that all players on the web will continue to suffer from identity theft and aggregation of transactional and other personal information, and, because no one can know where such information is stored, controlling its use will likely always be difficult.


Analysis and Discussion

As organizations increasingly use database technology, applications have arisen that require database designers and administrators to provide access to a single database at different levels by different user communities. This demand has resulted in the creation of multilevel relational (MLR) databases. An MLR database contains data at different security classifications and should allow users access to data only if their security clearance is greater than or equal to the security classification (access class) of the data sought. MLR databases have a security problem which cannot be addressed by traditional access control approaches such as password protection and data encryption. The problem is that a low-level user may be able to infer high-level information to which she is not entitled, based on information to which she has authorized access.
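The read rule and the inference problem described above can be shown with a small labelled table. This is an added example, not code from the original article: the `mission` table, its rows and the two-level ordering are constructed, and the mitigation it shows (making the access class part of the key, known as polyinstantiation) is a standard technique that the article does not name.

```python
import sqlite3

# Constructed ordering of access classes (not from the original article).
LEVELS = {"unclassified": 0, "secret": 1}

def open_db(polyinstantiated):
    """Constructed 'mission' table; the label joins the key only when polyinstantiated."""
    key = "(ship, label)" if polyinstantiated else "(ship)"
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mission (ship TEXT, target TEXT, label INTEGER, "
               f"PRIMARY KEY {key})")
    db.execute("INSERT INTO mission VALUES ('Voyager', 'Mars', ?)", (LEVELS["secret"],))
    db.execute("INSERT INTO mission VALUES ('Pioneer', 'Moon', ?)", (LEVELS["unclassified"],))
    return db

def read(db, clearance):
    """Read rule from the text: a row is visible only if clearance >= its access class."""
    cur = db.execute("SELECT ship, target FROM mission WHERE label <= ? "
                     "ORDER BY ship, label", (LEVELS[clearance],))
    return cur.fetchall()

def insert(db, clearance, ship, target):
    """Store a row at the writer's own level; return False if the DBMS rejects it."""
    try:
        db.execute("INSERT INTO mission VALUES (?, ?, ?)", (ship, target, LEVELS[clearance]))
        return True
    except sqlite3.IntegrityError:
        return False  # the rejection is visible to the caller, whatever their clearance

def inference_leak(polyinstantiated):
    """True if an unclassified user can learn that a hidden higher-level row exists."""
    db = open_db(polyinstantiated)
    visible = {ship for ship, _ in read(db, "unclassified")}
    accepted = insert(db, "unclassified", "Voyager", "Training")
    # A key the user cannot see, yet cannot insert, must belong to a hidden row.
    return "Voyager" not in visible and not accepted

if __name__ == "__main__":
    print("key = ship          -> leak:", inference_leak(False))
    print("key = (ship, label) -> leak:", inference_leak(True))
    db = open_db(True)
    insert(db, "unclassified", "Voyager", "Training")
    print("unclassified view:", read(db, "unclassified"))
    print("secret view:      ", read(db, "secret"))
```

With the label in the key, the low-level insert succeeds and the cleared user sees both versions of the row, so the uniqueness constraint no longer discloses anything to the low-level user.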

The possibility of clandestine capture of biometric data increases concerns about Big Brother. For example, facial recognition systems can track individuals without the individual’s knowledge or permission. This issue alone raises ethical concerns. Moreover, the information from tracking can be combined with other personal data, acquired through biometrics or other means, to provide even more insight into an individual’s private life.

Many firms fear their employees using password-cracking programs, but such a program is a legitimate audit tool for security professionals. The following sections discuss a few of the more critical components of a security policy.

The acceptable-use policy should discuss and define the appropriate use of company computing resources. Users should be required to read and sign the policy as part of the account-request process. The policy should explicitly state users’ responsibility for protecting information stored in their accounts as well as the appropriate levels of Internet and personal e-mail usage.

The user-account policy outlines the requirements for requesting and maintaining system accounts. This policy is important for large organizations, where users typically have accounts on many systems. It is a good idea to have the user read and sign the policy as part of the account-request process.

The remote-access policy outlines and defines acceptable methods for remotely connecting to your company’s internal network. This policy is essential in organizations today because of geographically dispersed users and networks. The policy should cover all available methods for remotely accessing internal resources, such as dial-in (Serial Line Internet Protocol [SLIP], Point-to-Point Protocol [PPP]), Integrated Services Digital Network (ISDN)/Frame Relay, Telnet access from the Internet, and cable modem/Digital Subscriber Line (DSL).

The information-protection policy provides guidelines to users on the processing, storage, and transmission of sensitive information. The main goal of this policy is to ensure that information is appropriately protected from unauthorized modification or disclosure. The firewall-management policy describes how firewall hardware and software are managed and how changes are requested and approved.


Conclusion

My results recommend that a combination of existing disclosure control methods based on query restriction and data masking can provide better protection than when these methods are separately used. Whereas the vulnerability of database security methods using independent additive noise to estimators based on repeated queries is well understood, I have demonstrated that restricting access under quality control when data is used provides no additional protection; hence database security requires a combination of multiple layers of technology and human application.
