Information is a very critical asset. Organizations create a great deal of information, and they use database systems to handle it and to automate various functions. Because information is so important, protecting it is a critical component of the database management system. Information security, also called database security, is the goal of a database management system (DBMS). This paper discusses database security, the various security issues in databases, the importance of database security, database security threats and countermeasures, and finally database security in web applications.
To manage a huge amount of data effectively and quickly, a well-organized system must be built. It must also store and retrieve data easily. Generally, a database system is designed to be used by many users simultaneously for specific collections of data. Databases are classified by the type of collection they hold, such as images, numeric, bibliographic or full-text. Digitized databases are created by using a management system to make, store, maintain or search the data. Oracle, MS SQL and Sybase servers are the ones mostly used in companies, agencies and institutions for their different purposes.
On the one hand, internetworking technology delivers assets efficiently and effectively among cooperating organizations, but it also gives hackers and lawbreakers opportunities to make a profit. Database security therefore becomes the most important issue, and all related agencies have to make sure that their data is available to authorized users only. The main purpose of the database security process is to protect data from unauthorized disclosure, alteration or destruction.
Database security is the system, processes, and procedures that protect a database from unintended activity, which can be categorized as authenticated misuse or malicious attacks made by authorized individuals or processes. Databases have been protected from external connections by firewalls or routers on the network perimeter of the database environment. Database security can begin with the creation and publication of appropriate security standards for the database environment. (C.J. Date, 2000)
In e-commerce in particular, web applications access the database to exchange and retrieve information. Because web application access passes through many layers, the security of each layer must be ensured.
In this paper, we attempt to present database security threats and countermeasures, and to describe in detail how to secure the database at each layer of an e-commerce database system.
2. Importance of Database Security
In this information technology age, all types of institutions and companies must make their information assets available online at all times through databases. However, they must have a policy that divides users into levels according to the extent to which each may access the information. It is vital not to give opportunities to mischievous intruders. Databases are used to hold personnel information, customer information, credit card numbers, financial data, business transactions and so on. This information is very sensitive and highly confidential, and it must be protected from disclosure to competitors and unauthorized persons.
The security of data is crucial not only in business but also on home computers, since personal files and bank account details are difficult to replace and potentially unsafe if they fall into the wrong hands. Data destroyed by hazards such as floods or fire is simply lost, but data that falls into the hands of an unethical person will have severe consequences. Other threats include human error and espionage. Data security therefore starts with strategies for identifying the areas of exposure that will be affected. It is important to define who can access what data, who is allowed and who is restricted, whether passwords are used and how to maintain them, what sort of firewalls and anti-malware solutions to use, and how to train the staff and enforce data security. Furthermore, a backup continuity plan should be laid out so that even if the systems fail, the business can be carried on without delay.
When building a company's security infrastructure, database security should be well considered. The database is crucial to most enterprises today, and damage to it will have a tragic impact on them. Unsecured systems will hurt both the company itself and its clients.
According to research done by the American National Infrastructure Protection Centre (NIPC) in 2000, continuous attacks on U.S. e-commerce systems are increasing. The most affected systems are Microsoft Windows NT systems, but UNIX-based operating systems have also been abused. The hackers are using at least three identified system weaknesses to gain illegal access and download information. These vulnerabilities are not new, and the hackers' activities had been in progress for quite a long time before the victims noticed the intrusion.
An insecure database can affect not only the database itself, but also the other running systems that have a relationship with it. An intruder can first gain access to the poorly secured database and then use powerful built-in database features to gain access to the local operating system. In this way, other trusted systems connected to that database can easily be attacked by the intruder.
3. Database Security Threats:
Database security begins with physical security for the systems that host the database management system (DBMS). A database management system is not safe from intrusion, corruption, or destruction by people who have physical access to the computers. Once physical security has been established, the database must be protected from unauthorized access by authorized users as well as unauthorized users. There are three main objectives when designing a secure database system, and anything that prevents a database management system from achieving these goals is considered a threat to database security. There are many internal and external threats to database systems. Some of the threats are as follows:
Database integrity means that information is protected from improper modification. Modification includes creation, insertion, modification, changing the status of data, and deletion. Integrity is lost if unauthorized changes are made intentionally or through accidental acts. For example, students cannot be allowed to modify their grades.
An authorized user or program should not be denied access. For example, an instructor who wishes to change a student's grade should be allowed to do so.
Data should not be disclosed to unauthorized users. For example, a student should not be allowed to see and change other students' grades.
3.4 Denial of service attack:
This attack makes a database server much slower or even unavailable to users altogether. A DoS attack does not result in the disclosure or loss of database information, but it can cost the victims much time and money.
3.5 Sniff attack:
To accommodate e-commerce and take advantage of distributed systems, databases are designed in a client-server mode. Attackers can use sniffer software to monitor data streams and acquire confidential information, for example the credit card number of a customer.
3.6 Spoofing attack:
Attackers forge a legitimate web application to access the database, then retrieve data from the database and use it for fraudulent transactions. The most common spoofing attacks are TCP spoofing, used to get IP addresses, and DNS spoofing, used to get the mapping between IP address and DNS name.
3.7 Trojan Horse:
A Trojan horse is a malicious program that embeds itself in the system. It can modify the database and reside in the operating system.
To achieve these objectives, a clear and consistent security policy should be developed to define what security measure must be enforced. We must determine what part of data is to be protected and which users get access to which part of the information. The security mechanisms of the underlying database management system, as well as external mechanism, such as securing access to buildings, must be utilized to enforce the policy.
4. Database Security Countermeasures:
To protect the database system from the above-mentioned threats, some countermeasures are as follows:
4.1 Access Control:
A database for an organization contains a great deal of information and usually has several users. Most of them need to access only a small part of the database. A policy defines the requirements that are to be implemented within hardware and software and those that are external to the system, including physical, personal, and procedural controls.
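The grade examples used for integrity, availability and confidentiality in section 3 can be expressed as an access-control policy enforced in front of the database. The following is an added example, not part of the original essay; the user names, roles and table layout are constructed for illustration.

```python
import sqlite3

# Constructed sample users and roles (assumption, not from the essay).
USERS = {"alice": "student", "bob": "student", "carol": "instructor"}

def make_db():
    """Create an in-memory grades table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE grades (student TEXT PRIMARY KEY, grade TEXT)")
    conn.executemany("INSERT INTO grades VALUES (?, ?)",
                     [("alice", "B"), ("bob", "C")])
    return conn

def read_grade(conn, user, student):
    """Confidentiality: students read only their own row; instructors read all."""
    role = USERS.get(user)  # unknown users get role None and are refused
    if role == "instructor" or (role == "student" and user == student):
        row = conn.execute("SELECT grade FROM grades WHERE student = ?",
                           (student,)).fetchone()
        return row[0] if row else None
    raise PermissionError(f"{user} may not read the grade of {student}")

def update_grade(conn, user, student, grade):
    """Integrity: only instructors modify. Availability: they must succeed."""
    if USERS.get(user) != "instructor":
        raise PermissionError(f"{user} may not modify grades")
    cur = conn.execute("UPDATE grades SET grade = ? WHERE student = ?",
                       (grade, student))
    conn.commit()
    return cur.rowcount  # number of rows changed

def attempt(fn, *args):
    """Run an operation and report a refusal instead of raising, for audit logs."""
    try:
        return ("ok", fn(*args))
    except PermissionError as exc:
        return ("denied", str(exc))

if __name__ == "__main__":
    db = make_db()
    print(attempt(read_grade, db, "alice", "alice"))          # own grade
    print(attempt(read_grade, db, "alice", "bob"))            # another student's
    print(attempt(update_grade, db, "alice", "alice", "A"))   # student edit
    print(attempt(update_grade, db, "carol", "alice", "A"))   # instructor edit
```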
4.2 Flow Control:
Flow control regulates the flow of information among accessible objects. Flow controls check that information contained in objects does not flow explicitly or implicitly into less protected objects.
An encryption algorithm should be applied to the data, using a user-specified encryption key. The output of the algorithm is the encrypted version. There is also a decryption algorithm, which takes the encrypted data and a decryption key as input and returns the original data.
A Redundant Array of Independent Disks (RAID) protects against data loss due to disk failure.
Access to the database is a matter of authentication, which provides the guidelines for how the database is accessed. Every access should be monitored.
Backups should be made at every instant, so that in case of any disaster organizations can retrieve their data.
5. Database Security in E-commerce database
A database system cannot stand alone; it depends on many other systems. Hence, database security is a combination that includes the security of many other associated and correlated systems. The following figure shows a typical schema of an e-commerce company. In Figure 1, four basic layers exist to defend a database system. These are the operating system on which the database system runs; the firewall, a commonly applied mechanism for blocking intrusion from the external network; the web server and web application, which offer numerous services to the end user by accessing the database; and the network layer, the medium over which the data is transmitted.
Figure 1. E-enterprise Architecture
5.1 Operating system layer
Operating system security is a very important aspect of database administration. Some powerful features of database systems may open a hole in the underlying operating system. The responsible person should therefore very thoroughly examine the relations between each feature of the database and its operating system.
According to Gollmann, there are five layers in an information technology system: application, services, operating system, OS kernel and hardware. Each layer is built on top of the more fundamental ones. As the database system sits at the service and application layers, it lies above the operating system layer. If weaknesses in the operating system platform are identified, they may lead to illegal database access or manipulation. Database configuration files and scripts are server-level resources, and they should be strictly protected to ensure the reliability of the database environment. In many database environments, membership of an operating system group grants full control over the database. To prevent misuse and exploitation of that membership, those users' membership and access to the database should be verified frequently.
One of the administrator's responsibilities is to configure the settings of the operating system, or to adjust the buffer size and the timeout period, so as to avoid the denial of service attack described previously. Most operating system vendors supply system patches generously and quickly when a vulnerability has been detected in the system. Another weakness is that administrators often neglect to update the operating system with the latest patches to eliminate the most recently revealed holes in the system.
5.2 Network layer
Data has to be transmitted through the network, including the local LAN and the Internet, when web applications communicate with the database or other distributed components. The two major network transmissions are from the user to the web server, and from the web application to the web database server. All these communications must be completely protected. Although the administrator can secure the network in the local domain, the global internet is unmanageable.
Encryption is another influential technology. It ensures not only that an intruder cannot intercept the data, but also that the encrypted data is unreadable and extremely hard to guess or decrypt. Only the matching key can decrypt the cipher text. There are two ways to apply encryption in a database system: one is to use the encryption options provided by database products, and the other is to obtain encryption products from trusted vendors. In addition, one more approach to a secure connection is to use secure protocols above TCP/IP, for example IPsec and VPN (Virtual Private Network) technology.
A VPN can carry private traffic over the public internet by means of encryption technology. In general, SSL (Secure Sockets Layer) can be used as another way to apply cryptography on top of TCP/IP. Secure web sessions can be obtained with Netscape. SSL has more recently developed into Transport Layer Security (TLS), which ensures that no intruder may snoop on or interfere with any communication. Using SSL can help to validate and protect web sessions, but it cannot make the computer itself safe.
5.3 Web servers
Web programs differ from ordinary programs where security is concerned. The main reason is that flaws in a web application program are not easy to detect. The web server, which keeps out external intrusion, is located between the application server and the firewall. It can be used as an intermediary to reach the data that we have approved to be available.
At present, the software commonly used in web applications is CGI (Common Gateway Interface). Because it is uncomplicated, it lets the web server perform different functions easily. It can be as simple as a web page counter, or as complex as reading input from a remote user and using that input as a query to a local database. CGI returns the result to the user after retrieving it from the database. On the other hand, it is also risky, since CGI scripts allow software applications to be executed inside the web server. The best-known language for CGI scripts is Perl, since it makes it simple to build applications and parse the input from the user. Nevertheless, Perl can be exploited by malicious users because it provides some powerful system commands.
An intruder can easily destroy the system if CGI is poorly implemented on the web server. This can be a huge hazard to the system, as someone could delete classified files from the web server as easily as contacting it. There are several ways to remove these threats. Users should be prevented from writing CGI scripts, and CGI programs should be configured so that they can be executed only from a single directory. CGI scripts should also be written with care. CGI applications that are no longer used, such as sample applications, should be removed, because they are accessible on the web server and are major targets for intruders, since older CGI samples have security gaps.
If not handled comprehensively, the default settings of the web application server can be a huge weakness of the system when the database system works with CGI. It is necessary to make sure which operations are not permitted to clients when a user logs into the database. The most valuable approach is a web server with verification methods built into CGI, which means preparing a CGI script with a login name and password to protect the files. By doing this, the files on the web server are protected rather than being merely read-only. All scripts should be checked firmly and regularly for security gaps, whether they are self-developed, downloaded or bought from vendors.
The firewall is the most significant layer for blocking external intrusion into the system. Packet filters and proxy servers are the two types of firewall mechanism. The data exchanged between the application and the database is divided into packets, whose headers carry information such as the source address, the destination address and the protocol being used. Some packets are filtered out according to which source addresses are not trusted to access the databases.
The firewall should be configured to admit only one or a few protocols that are useful for application queries, such as TCP, while all other packets are firmly blocked. In this way the risk to the vulnerable system is kept to a minimum. Moreover, the ping of death is systematically kept out if the firewall is configured to discard incoming ICMP requests.
Potential intruders should be traced by keeping log files at the firewall. A proxy server has two connections. The first is the connection between the organization's database and the proxy server. The other is the connection between proxy servers, which also provide the log and audit files. On the other hand, strong firewalls are very hard to build, and the audit trails are too large and difficult to investigate.
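The packet-filter behaviour described above (match on header fields, admit only the protocol the application needs, discard incoming ICMP, keep a log of what was dropped) can be sketched as follows. This is an added example, not part of the original essay; the addresses, the listener port and the rule format are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed policy (assumption): only the application server may reach the
# database listener over TCP; incoming ICMP is discarded; the default is drop.
APP_SERVER = ipaddress.ip_network("10.0.1.10/32")  # hypothetical address
DB_PORT = 1521                                      # hypothetical listener port
ANY = ipaddress.ip_network("0.0.0.0/0")

# Each rule: (action, protocol, source network, destination port or None = any)
RULES = [
    ("drop", "icmp", ANY, None),
    ("allow", "tcp", APP_SERVER, DB_PORT),
]

def decide(packet):
    """Match header fields (source, protocol, port) against the rules in order."""
    src = ipaddress.ip_address(packet["src"])
    for action, proto, net, port in RULES:
        port_ok = port is None or packet.get("dport") == port
        if packet["proto"] == proto and src in net and port_ok:
            return action
    return "drop"  # anything not explicitly allowed is blocked

def filter_packets(packets):
    """Return (allowed packets, log of dropped packets)."""
    allowed, dropped = [], []
    for p in packets:
        (allowed if decide(p) == "allow" else dropped).append(p)
    return allowed, dropped

def top_dropped_sources(log, n=3):
    """Summarise the drop log so that repeated sources stand out."""
    return Counter(p["src"] for p in log).most_common(n)

# Constructed packet headers for the demonstration.
SAMPLE = [
    {"src": "10.0.1.10", "proto": "tcp", "dport": 1521},
    {"src": "203.0.113.7", "proto": "tcp", "dport": 1521},
    {"src": "203.0.113.7", "proto": "icmp"},
    {"src": "10.0.1.10", "proto": "udp", "dport": 1521},
    {"src": "203.0.113.7", "proto": "tcp", "dport": 22},
    {"src": "198.51.100.4", "proto": "icmp"},
]

if __name__ == "__main__":
    allowed, log = filter_packets(SAMPLE)
    print("allowed:", allowed)
    print("dropped sources:", top_dropped_sources(log))
```

Summarising the log by source is one way to keep the audit trail reviewable, which the essay notes is otherwise hard to investigate.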
5.5 Database server
Database servers are fundamental and of the greatest value in every sector, including Education, Health, Military, Manpower, Economics, Modern Arts and Sciences, Information Technology, Electronic Businesses, Financial Institutions and Enterprise Resource Planning (ERP) Systems, and they universally contain sensitive information for business firms, customers, marketers and all stakeholders.
The functions and purposes of database servers depend heavily on the particular intentions of their users in applying the services provided by the operating systems. Some good security practices for database servers are to:
use multiple passwords to access the multiple functions of a server, such as using one password to access the single system for administration;
apply a different password for another operation;
audit each and every transaction of the database;
use an application-specific user name and password, and never use a default user name or password;
back up the system thoroughly for later recovery in case of accidental breakdown.
Letting the end user know the name and location of the database serves no purpose. In addition, exposing the physical location and name of every database can be a huge danger to the system. To hide these details, it is better to use service names and aliases. Several copies should be made of the important files that control access to the database services. Each copy should be tied to a particular user group, and the members of each group should be allowed to access only the documents relevant to them.
Institutions, organizations and business firms mainly store their important information and valuable assets in digital form in online databases. The safety and security of databases has become an essential concern for enterprises in the modern world. Protecting the database from harm means protecting the companies' intangible information resources and digital assets. A database is a complex system, very complicated to handle and difficult to protect from intruders.
Last but not least, database protection must be taken as seriously as the organization's other security measures with respect to confidentiality, availability and integrity. It has to be guarded in a variety of ways. Although auditing is critical, analysis is also very tough, and capable analytical tools would be an enormous contribution to protecting the online rationality of the database system. Corporate safety and security measures should be reinforced. Means of verification and encryption will play an essential role in modern database protection and security systems.