2. Outline
Data Security
Access control
Security policy
Access control policy
1. Discretionary access control
2. Content-based access control
3. Mandatory access control
4. Role-based access control
3. Data security: Examples
1. Consider a payroll database in a corporation; it must be ensured that:
– Salaries of individual employees are not disclosed to arbitrary users of the database,
– Salaries are modified by only those individuals that are properly authorized,
– Paychecks are printed on time at the end of each pay period.
2. In a military environment, it is important that:
– The target of a missile is not given to an unauthorized user,
– The target is not arbitrarily modified,
– The missile is launched when it is fired.
4. Data Security: main goals
Confidentiality: it refers to data protection from unauthorized
read operations.
Integrity: it refers to data protection from unauthorized
modification operations.
Availability: it ensures that data access is not denied to
authorized subjects.
Others: Authentication, etc.
[Figure: data security as the triangle of confidentiality, integrity and availability]
5. Data Security: main goals
Confidentiality is enforced by the access control mechanism.
Integrity is enforced by the access control mechanism and by the semantic integrity constraints specified during schema definition.
Availability is enforced by the recovery and concurrency control mechanisms.
6. Access control: Basic concepts
An access control system regulates the operations that can be executed on data and resources to be protected.
Its goal is to control operations executed by subjects in order to prevent actions that could damage data and resources.
[Figure: an access request goes to the reference monitor, which consults the authorization rules and the security policy and answers with access denied, access permitted or access partially permitted]
7. Security Policy
Policies deal with defining what is authorized and who can grant authorizations.
Existing security policies tend to focus mainly on the confidentiality (privacy) requirements of security.
Policies are used like requirements; they are the starting point in the development of any system that has security features.
Adopted security policies mainly depend on organizational requirements, such as legal requirements, regulatory requirements and user requirements.
8. Security Policies and Authorizations
The security policies are implemented by mapping them into a set of authorizations.
Authorizations thus establish the operations and rights that subjects can exercise on the protected objects.
The reference monitor is a control mechanism:
– It has the task of determining whether a given subject is authorized to access the data.
9. Access control policy
Discretionary access control
Mandatory access control
Role-based access control
Context-based access control
10. Access control Policy
Most access control policies are formulated in terms of subjects, objects, and privileges.
Authorization Objects: anything that holds data, such as relations, directories, interprocess messages, network packets, I/O devices, or physical media.
Authorization Subjects: an abstraction of any active entity that performs computation in the system.
– Examples: users, processes, roles, etc.
Authorization Privileges: operations that a subject can exercise on the objects in the system.
– Examples: read, write, execute, select, insert, update, delete, etc.
11. Discretionary ACPs
DAC policies govern the access of subjects to objects on the basis of subjects' identity and authorization rules.
When an access request is submitted to the system, the access control mechanism verifies whether there is an authorization rule authorizing the access.
Such mechanisms are discretionary in that they allow subjects to grant other subjects authorization to access their objects at their discretion.
Most of the common commercial DBMSs support it.
12. DAC: SQL commands
Privilege delegation is supported through the grant option: if a privilege is granted with the grant option, the user receiving it can not only exercise the privilege, but can also grant it to other users.
A user can only grant a privilege on a given table if he/she is the table owner or if he/she has received the privilege with grant option.
GRANT PrivilegeList | ALL [PRIVILEGES] ON table | view TO UserList | PUBLIC [WITH GRANT OPTION]
13. DAC: SQL commands
Example:
– Bob: GRANT select, insert ON Employee TO Ann WITH GRANT OPTION;
Bob: GRANT select ON Employee TO Jim WITH GRANT OPTION;
Ann: GRANT select, insert ON Employee TO Jim;
– Jim has the select privilege (received from both Bob and Ann) and the insert privilege (received from Ann).
– Jim can grant to other users the select privilege (because he has received it with grant option); however, he cannot grant the insert privilege.
14. DAC in SQL - Grant
Grant Command:
1. Bob: GRANT select, insert ON Employee TO Jim WITH GRANT OPTION;
2. Bob: GRANT select ON Employee TO Ann WITH GRANT OPTION;
3. Bob: GRANT insert ON Employee TO Ann;
4. Jim: GRANT update ON Employee TO Tim WITH GRANT OPTION;
5. Ann: GRANT select, insert ON Employee TO Tim;
The first three GRANT commands are fully executed (Bob is the owner of the table).
The fourth command is not executed, because Jim does not have the update privilege on the table.
The fifth command is partially executed; Ann has the select and insert privileges, but she does not have the grant option for the insert.
– Tim only receives the select privilege.
15. DAC in SQL - Revoke
REVOKE PrivilegeList | ALL [PRIVILEGES] ON table | view FROM UserList | PUBLIC
A user can only revoke the privileges he/she has granted.
Upon execution of a revoke operation, the user from whom the privileges have been revoked loses these privileges, unless he/she holds them from some source independent of the user who executed the revoke.
Recursive revocation: whenever a user revokes an authorization on a table from another user, all the authorizations that the revokee had granted because of the revoked authorization are removed.
16. DAC in SQL - Revoke
Example:
– Bob: GRANT select ON Employee TO Jim WITH GRANT OPTION;
– Bob: GRANT select ON Employee TO Ann WITH GRANT OPTION;
– Jim: GRANT select ON Employee TO Tim;
– Ann: GRANT select ON Employee TO Tim;
– Jim: REVOKE select ON Employee FROM Tim;
– Tim continues to hold the select privilege on table Employee after the revoke operation, since he has independently obtained such privilege from Ann.
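The following is an added example, not code from the slides: a small Python model of the authorization rules and reference monitor of slides 8 and 10, with the GRANT semantics of slides 12 to 14 (owner or grant option, partial execution) and the REVOKE semantics of slides 15 and 16 (only the grantor can revoke, recursive revocation, retention through an independent source). The class and function names are this example's own; the users and the Employee table are the ones used on the slides. It replays the grant sequence of slide 14 and the revoke sequence of slide 16, then goes one step beyond the slide by having Bob also revoke from Ann, which recursively removes Ann's grant to Tim.

```python
"""Toy model of SQL-style DAC: authorization rules, GRANT and REVOKE.

Added example (not from the slides). Names such as Authorization and
Catalog are this example's own. Ownership gives every privilege; every
other right comes from an explicit authorization rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """One rule: grantor gave grantee `privilege` on `obj`."""
    grantor: str
    grantee: str
    obj: str
    privilege: str
    grant_option: bool


class Catalog:
    """Authorization rules plus the reference-monitor checks over them."""

    def __init__(self):
        self.owners = {}    # object -> owner
        self.rules = set()  # set of Authorization

    def create_table(self, owner, table):
        self.owners[table] = owner

    def can_delegate(self, user, obj, privilege):
        """True if user is the owner or holds privilege WITH GRANT OPTION."""
        if self.owners.get(obj) == user:
            return True
        return any(r.grantee == user and r.obj == obj and r.privilege == privilege
                   and r.grant_option for r in self.rules)

    def grant(self, grantor, privileges, obj, grantee, grant_option=False):
        """GRANT privileges ON obj TO grantee [WITH GRANT OPTION].
        Checked privilege by privilege, so a command can be partially
        executed. Returns the privileges actually granted."""
        granted = []
        for p in privileges:
            if self.can_delegate(grantor, obj, p):
                self.rules.add(Authorization(grantor, grantee, obj, p, grant_option))
                granted.append(p)
        return granted

    def _backed_grantors(self, obj, privilege):
        """Users reachable from the owner through a chain of grant-option
        rules for (obj, privilege); only their grants are still justified."""
        reach, frontier = {self.owners[obj]}, [self.owners[obj]]
        while frontier:
            g = frontier.pop()
            for r in self.rules:
                if (r.grantor == g and r.obj == obj and r.privilege == privilege
                        and r.grant_option and r.grantee not in reach):
                    reach.add(r.grantee)
                    frontier.append(r.grantee)
        return reach

    def revoke(self, grantor, privileges, obj, grantee):
        """REVOKE privileges ON obj FROM grantee, issued by grantor.
        Only rules created by this grantor are removed; recursive revocation
        then drops every rule whose grantor is no longer backed by a chain
        from the owner. A grantee with an independent source keeps it."""
        self.rules = {r for r in self.rules
                      if not (r.grantor == grantor and r.grantee == grantee
                              and r.obj == obj and r.privilege in privileges)}
        for p in set(privileges):
            backed = self._backed_grantors(obj, p)
            self.rules = {r for r in self.rules
                          if not (r.obj == obj and r.privilege == p
                                  and r.grantor not in backed)}

    def privileges_of(self, user, obj):
        """Privileges user holds on obj through authorization rules."""
        return sorted({r.privilege for r in self.rules
                       if r.grantee == user and r.obj == obj})


def grant_scenario():
    """Slide 14: what each of the five GRANTs executes, and Tim's result."""
    c = Catalog()
    c.create_table("Bob", "Employee")
    executed = [
        c.grant("Bob", ["select", "insert"], "Employee", "Jim", grant_option=True),
        c.grant("Bob", ["select"], "Employee", "Ann", grant_option=True),
        c.grant("Bob", ["insert"], "Employee", "Ann"),
        c.grant("Jim", ["update"], "Employee", "Tim", grant_option=True),  # Jim lacks update
        c.grant("Ann", ["select", "insert"], "Employee", "Tim"),  # no grant option on insert
    ]
    return executed, c.privileges_of("Tim", "Employee")


def revoke_scenario():
    """Slide 16, then one extra step: Bob also revokes from Ann."""
    c = Catalog()
    c.create_table("Bob", "Employee")
    c.grant("Bob", ["select"], "Employee", "Jim", grant_option=True)
    c.grant("Bob", ["select"], "Employee", "Ann", grant_option=True)
    c.grant("Jim", ["select"], "Employee", "Tim")
    c.grant("Ann", ["select"], "Employee", "Tim")
    c.revoke("Jim", ["select"], "Employee", "Tim")
    after_jim = c.privileges_of("Tim", "Employee")  # kept: independent source Ann
    c.revoke("Bob", ["select"], "Employee", "Ann")
    after_bob = c.privileges_of("Tim", "Employee")  # gone: Ann's grant is recursively revoked
    return after_jim, after_bob
```

`grant_scenario()` returns `[['select', 'insert'], ['select'], ['insert'], [], ['select']]` for the five commands and `['select']` for Tim, matching the slide; `revoke_scenario()` returns `(['select'], [])`. The recursive step uses reachability from the owner rather than per-rule timestamps, which is the simplification the slides describe.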
17. Content-Based AC (CBAC)
Content-based access control conditions the access to a given object on its content.
As an example, in an RDBMS supporting content-based access control it is possible to authorize a subject to access information only of those employees whose salary is not greater than 30K.
The two most common approaches to enforce content-based access control in a DBMS are:
– associating a predicate (or a Boolean combination of predicates) with the authorization;
– defining a view which selects the objects whose content satisfies a given condition, and then granting the authorization on the view instead of on the base objects.
18. CBAC: SQL Commands
Example: suppose we want to authorize user Ann to access only the employees whose salary is lower than 20000 – steps:
– CREATE VIEW Vemp AS
SELECT * FROM Employee WHERE Salary < 20000;
GRANT Select ON Vemp TO Ann;
Ann:
– SELECT * FROM Vemp WHERE Job = 'Programmer';
– This is equivalent to:
– SELECT * FROM Employee WHERE Salary < 20000 AND Job = 'Programmer';
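As an added example (not code from the slides), the following Python script builds the Employee table and the view Vemp of slide 18 in an in-memory SQLite database and shows both CBAC approaches of slide 17 side by side: the view, and a predicate stored with Ann's authorization that a small query-rewriting monitor ANDs into her query. SQLite has no GRANT statement, so the authorization catalog is a dictionary constructed here; the employee rows and the function names are also constructed for this demonstration.

```python
"""Content-based access control over Employee in SQLite (added example).

Approach 1 of slide 17: a predicate attached to the authorization, applied
by rewriting the query. Approach 2: the view Vemp of slide 18. Both are
compared with what the base table returns without restriction.
"""
import sqlite3

# Constructed sample rows: (Name, Job, Salary)
EMPLOYEES = [
    ("Ann", "Programmer", 18000),
    ("Bob", "Programmer", 25000),
    ("Jim", "Manager", 19000),
    ("Tim", "Programmer", 19500),
]

# Constructed authorization catalog: (subject, object, privilege) -> predicate.
# The predicate is trusted data set by the grantor, never taken from the requester.
AUTHORIZATIONS = {("Ann", "Employee", "select"): "Salary < 20000"}


def setup():
    """Create Employee, load the sample rows and define the view of slide 18."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employee (Name TEXT, Job TEXT, Salary INTEGER)")
    conn.executemany("INSERT INTO Employee VALUES (?, ?, ?)", EMPLOYEES)
    conn.execute("CREATE VIEW Vemp AS SELECT * FROM Employee WHERE Salary < 20000")
    return conn


def names_via_view(conn, job):
    """Approach 2: Ann queries the view; the Salary condition is built in."""
    rows = conn.execute("SELECT Name FROM Vemp WHERE Job = ? ORDER BY Name", (job,))
    return [name for (name,) in rows]


def names_via_predicate(conn, user, job):
    """Approach 1: the monitor looks up the user's authorization on Employee
    and ANDs its predicate into the query. The requester's own value (job)
    is bound as a parameter, so it cannot alter the predicate."""
    predicate = AUTHORIZATIONS.get((user, "Employee", "select"))
    if predicate is None:
        raise PermissionError(f"{user} has no select authorization on Employee")
    sql = f"SELECT Name FROM Employee WHERE ({predicate}) AND Job = ? ORDER BY Name"
    return [name for (name,) in conn.execute(sql, (job,))]


def names_unrestricted(conn, job):
    """What the table owner sees on the base table, for comparison."""
    rows = conn.execute("SELECT Name FROM Employee WHERE Job = ? ORDER BY Name", (job,))
    return [name for (name,) in rows]


def is_denied(conn, user, job):
    """True when the monitor refuses the user outright (no authorization)."""
    try:
        names_via_predicate(conn, user, job)
        return False
    except PermissionError:
        return True


def demo():
    conn = setup()
    return (names_via_view(conn, "Programmer"),
            names_via_predicate(conn, "Ann", "Programmer"),
            names_unrestricted(conn, "Programmer"),
            is_denied(conn, "Bob", "Programmer"))
```

`demo()` returns `(['Ann', 'Tim'], ['Ann', 'Tim'], ['Ann', 'Bob', 'Tim'], True)`: the view and the rewritten query agree, exactly as the equivalence on slide 18 states, while the unrestricted query also exposes Bob's row (salary 25000), and a user without any authorization is refused before a query is run.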
19. Mandatory Access control
MAC specifies the access that subjects have to objects based on the classification of subjects and objects.
This type of security has also been referred to as multilevel security.
Database systems that satisfy multilevel security properties are called multilevel secure database management systems (MLS/DBMSs).
Many of the MLS/DBMSs have been designed based on the Bell and LaPadula (BLP) model.
20. Role-based AC (RBAC): Motivation
One challenging problem in managing large systems is the complexity of security administration.
Whenever the number of subjects and objects is high, the number of authorizations can become extremely large.
Moreover, if the user population is highly dynamic, the number of grant and revoke operations to be performed can become very difficult to manage.
End users often do not own the information for which they are allowed access. The corporation or agency is the actual owner of data objects.
Control is often based on employee functions rather than data ownership.
RBAC has been proposed as an alternative approach to DAC and MAC both to simplify the task of access control management and to directly support function-based access control.
21. RBAC: Basic Concepts
Roles represent functions within a given organization and authorizations are granted to roles instead of to single users.
Users are thus simply authorized to "play" the appropriate roles, thereby acquiring the roles' authorizations.
RBAC: Benefits
– Because roles represent organizational functions, an RBAC model can directly support security policies of the organization.
– Granting and revoking of user authorizations is greatly simplified.
Most commercial DBMSs support RBAC features to some extent.
22. RBAC: NIST Model
User: is defined as a human being, a machine, a process, etc.
Role: is a function within the context of an organization with an associated semantic regarding its authority and responsibility.
Permission: is an access mode that can be exercised on objects in the system. Both objects and access modes are domain dependent.
– For example, in the case of databases, the object set includes tables, columns, and rows, and the access mode set includes insert, delete, and update operations.
Session: it is a particular instance of a connection of a user to the system and defines the subset of activated roles.
– At each moment, different sessions for the same user can be active.
– When a user logs in the system, he/she establishes a session and, during this session, can request to activate a subset of the roles he/she is authorized to play.
– The user obtains all permissions associated with the roles he/she has activated in the session.
24. RBAC: SQL Commands
CREATE ROLE role-name IDENTIFIED BY passwd | NOT IDENTIFIED;
example:
– CREATE ROLE teller IDENTIFIED BY cashflow;
DROP ROLE role-name;
GRANT role TO user | role | PUBLIC [WITH ADMIN OPTION];
To perform the grant of a role, a user must have the privilege for the role with the ADMIN option, or the system privilege GRANT ANY ROLE.
The ADMIN option allows the receiver to modify or drop the role.
Example:
– GRANT teller TO Bob;
25. RBAC: SQL Commands
The grant command for authorization granting can have roles as subjects.
example:
– GRANT select ON Employee TO teller;
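The following added example (not code from the slides) models the core of the NIST RBAC model of slides 21 and 22 in Python and maps the role commands of slides 24 and 25 onto it: CREATE ROLE, GRANT role TO user [WITH ADMIN OPTION], GRANT privilege ON object TO role, and sessions in which a user activates a subset of the roles he/she may play. The class and method names are this example's own; the dba user, the teller role and the Employee table are constructed to mirror the slides' examples.

```python
"""Core NIST RBAC: users, roles, permissions, sessions (added example).

Names are this example's own. Permissions are (privilege, object) pairs
granted to roles; users get them only through roles activated in a session.
"""


class RBAC:
    def __init__(self):
        self.roles = {}        # role -> set of (privilege, obj) permissions
        self.assignments = {}  # user -> set of roles the user may play
        self.admins = {}       # role -> users holding the role WITH ADMIN OPTION
        self.sessions = {}     # session id -> (user, set of activated roles)

    def create_role(self, creator, role):
        """CREATE ROLE role; the creator may administer (grant/drop) it."""
        self.roles[role] = set()
        self.admins[role] = {creator}

    def drop_role(self, user, role):
        """DROP ROLE role: allowed only with the ADMIN option on the role."""
        if user not in self.admins[role]:
            return False
        del self.roles[role]
        del self.admins[role]
        for roles in self.assignments.values():
            roles.discard(role)
        for _user, active in self.sessions.values():
            active.discard(role)
        return True

    def grant_permission(self, role, privilege, obj):
        """GRANT privilege ON obj TO role: the role is the subject (slide 25)."""
        self.roles[role].add((privilege, obj))

    def grant_role(self, grantor, role, user, admin_option=False):
        """GRANT role TO user [WITH ADMIN OPTION]; the grantor needs the
        ADMIN option on the role. Returns whether the grant was executed."""
        if grantor not in self.admins[role]:
            return False
        self.assignments.setdefault(user, set()).add(role)
        if admin_option:
            self.admins[role].add(user)
        return True

    def open_session(self, session_id, user, roles):
        """Start a session activating a subset of the user's roles. Asking
        for a role the user is not authorized to play is rejected; a user
        may hold several sessions at once with different active roles."""
        allowed = self.assignments.get(user, set())
        if not set(roles) <= allowed:
            raise PermissionError(f"{user} may not activate {set(roles) - allowed}")
        self.sessions[session_id] = (user, set(roles))

    def check(self, session_id, privilege, obj):
        """Reference-monitor check: the permission must come from a role
        activated in this session, not merely one assigned to the user."""
        _user, active = self.sessions[session_id]
        return any((privilege, obj) in self.roles[r] for r in active)


def demo():
    """Replay slides 24-25: teller role, select on Employee, teller to Bob."""
    rbac = RBAC()
    rbac.create_role("dba", "teller")                        # CREATE ROLE teller ...
    rbac.grant_permission("teller", "select", "Employee")    # GRANT select ON Employee TO teller
    by_dba = rbac.grant_role("dba", "teller", "Bob")         # GRANT teller TO Bob
    by_bob = rbac.grant_role("Bob", "teller", "Ann")         # Bob lacks ADMIN option: refused
    rbac.open_session("s1", "Bob", ["teller"])               # teller activated
    rbac.open_session("s2", "Bob", [])                       # second session, nothing active
    try:
        rbac.open_session("s3", "Ann", ["teller"])           # Ann was never granted teller
        ann_refused = False
    except PermissionError:
        ann_refused = True
    return {
        "grant_by_dba": by_dba,
        "grant_by_bob": by_bob,
        "ann_refused": ann_refused,
        "bob_select_s1": rbac.check("s1", "select", "Employee"),
        "bob_insert_s1": rbac.check("s1", "insert", "Employee"),
        "bob_select_s2": rbac.check("s2", "select", "Employee"),
    }
```

`demo()` returns `{'grant_by_dba': True, 'grant_by_bob': False, 'ann_refused': True, 'bob_select_s1': True, 'bob_insert_s1': False, 'bob_select_s2': False}`. The last entry is the point of the session concept: Bob is assigned teller, but in a session where he did not activate it he gets none of its permissions.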
Editorial note
The reference monitor checks the access rights, and then grants or denies access accordingly.
A role is a named collection of privileges / functional entities within the organization.