Database Security

1. Introduction

As the use of the web grows on both intranets and the public internet, information security is becoming crucial to organizations. The web provides a convenient, cheap, and instantaneous way of publishing data. Now that it is extremely easy to disseminate information, it is equally important to ensure that the information is only accessible to those who have the rights to use it (Kapfhammer, 2003).

With many systems dynamically generating web pages from a database, corporate information security is even more vital. Previously, direct database access or specialized client software was required to view the data. Now anyone with a web browser can view data in a database that is not properly protected. Never before has information security had so many vulnerable points. As the computing industry has moved from the mainframe era to the client/server era to the Internet era, a substantially larger number of points of penetration has opened up. It is therefore important that database management system (DBMS) vendors such as Oracle and IBM provide security solutions within their product lines.

2. Security Evaluations

Every vendor can claim that its products are secure, but are they really? The best way to substantiate such a claim is to pass security evaluations carried out by an independent, licensed and accredited organization.

A security evaluation is an assessment of whether or not a product or IT system meets its security claims. The team performing the evaluation uses formal criteria and methods to assess the claimed security attributes and to check for vulnerabilities (Dyreson, 2004).

The Oracle9i database builds upon 15 independent security evaluations of its server software, 9 of which examined the security of the Oracle database itself. IBM, by contrast, still has not completed any evaluations of DB2. Table 1 shows the number of security evaluations completed by Oracle and IBM DB2.

Table 1. Security evaluations completed by Oracle and IBM DB2

Security Evaluations               Oracle   IBM DB2
US TCSEC, Level B1                 1        0
US TCSEC, Level C2                 1        0
UK ITSEC, Levels E3/F-C2           3        0
UK ITSEC, Levels E3/F-B1           3        0
ISO Common Criteria, EAL-4         4        0
Russian Criteria, Levels III, IV   2        0
US FIPS 140-1, Level 2             1        0
Total                              15       0

IBM can therefore claim only little assurance of the security implementation in its products compared with Oracle.

3. Authentication

The first step in database security is authentication. Users have to prove that they are who they say they are before they can access the database server. A user ID and password are normally used to authenticate a user: the user ID identifies the user to the security facility, and the password verifies the user's identity.

3.1 Server

Authentication occurs on the server using local operating system security. The client is authenticated by sending the user ID (or encrypted user ID) and password (or encrypted password) to the server, which then checks whether the ID and password match before permitting the user to access the instance. Both Oracle and DB2 provide this security feature.
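The server-side check described above (a submitted user ID and password compared against what the server stores), as an added Python example that is not part of the original article or of either vendor's product: the constructed credential table holds only salted PBKDF2 hashes rather than passwords, the comparison is constant-time, and an unknown user ID does the same work as a known one so the two failure cases are indistinguishable to the client.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (constructed choice)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash suitable for storage; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed credential store standing in for the DBMS user table.
# Only the salt and the derived key are kept, never the password itself.
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "scott": hash_password("tiger-example"),
    "dbadmin": hash_password("change-me-please"),
}

# Dummy record so that an unknown user ID costs the same work as a real one.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("unused")


def authenticate(user_id: str, password: str) -> bool:
    """Return True only if user_id exists and password matches its stored hash."""
    salt, stored = CREDENTIALS.get(user_id, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, candidate = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    matched = hmac.compare_digest(candidate, stored)
    # Unknown IDs are rejected even if the password equals the dummy value.
    return matched and user_id in CREDENTIALS


if __name__ == "__main__":
    print(authenticate("scott", "tiger-example"))  # True
    print(authenticate("scott", "wrong"))          # False
    print(authenticate("nobody", "unused"))        # False
```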

3.2 Kerberos

Kerberos is a network authentication protocol developed at MIT. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

The Kerberos protocol uses strong cryptography so that a ...