Security of Database Management Systems: January 2016

This document discusses security threats to relational database management systems and techniques to address them. There are three types of attacks: direct, indirect, and tracking. Direct attacks directly access the database, while indirect attacks use query combinations to infer sensitive data. Tracking attacks suppress dominant query results. Key security techniques include access controls to authorize users and views to restrict data visibility. Backup captures database and log copies to enable recovery from data loss or corruption. Encryption also protects sensitive fields during transfers.

Uploaded by

a
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
42 views

Security of Database Management Systems: January 2016

This document discusses security threats to relational database management systems and techniques to address them. There are three types of attacks: direct, indirect, and tracking. Direct attacks directly access the database, while indirect attacks use query combinations to infer sensitive data. Tracking attacks suppress dominant query results. Key security techniques include access controls to authorize users and views to restrict data visibility. Backup captures database and log copies to enable recovery from data loss or corruption. Encryption also protects sensitive fields during transfers.

Uploaded by

a
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/301613094

Security Of Database Management Systems

Article · January 2016

1 citation, 11,385 reads

1 author: Ashour A N Mostafa, The Higher Institute of Science and Technology - Tobruk (17 publications, 44 citations)


All content following this page was uploaded by Ashour A N Mostafa on 22 January 2019.



Security of Relational Database Management System: Threats and Security Techniques

ASHOUR A N MOSTAFA / ID: 153915643
Infrastructure University Kuala Lumpur, Malaysia
Faculty of Creative Media and Innovative Technology

Abstract: The history of database research goes back more than thirty years, to the creation of the relational database system concept, which has become the most fundamental change to organizational strategy. Technology evolution has produced more powerful systems, with economic impacts in the recent decade.

Organizations must ensure that their information and data are secured and kept confidential. Therefore, they deploy systems or applications whose functions, services, and tools for data maintenance and management are packed into the so-called Relational Database Management System (RDBMS). Such functions include services and authorization privileges that restrict database access to legitimate (authorized) users. The database must be kept secure. RDBMS refers to relational database management systems that use the relational model developed by the researcher Codd at the IBM laboratory.

Database protection means disallowing illegitimate users from accessing the database and its sensitive information, whether intentionally or accidentally [4]. Therefore, most firms take account of the possibility of threats as measures for their database systems. This paper addresses relational database threats and security techniques in relation to the following situations: threats, countermeasures (computer-based controls) and database security methods [1, 8, 9].

Introduction:

As is well known, in recent years, growth in hardware capability and storage capacity, together with the huge use of World Wide Web platforms and information systems, has led organizations to adopt relational database systems as the infrastructure of the data repository. Huge amounts of data and information have become a prime security concern because the management of information has become decentralized.

The CIA triangle of security, which refers to confidentiality, integrity, and availability, is often the basis of the relational database security concept. These factors must exist in the application processes to guarantee that the data is safe [1].

Theft and fraud have an influence on the database environment, and hence on the whole corporation. It is not so much about making changes to the data itself, but it may decrease the
privacy and integrity. Confidentiality refers to maintaining the secrecy of data, usually only the data that is critical to the organization. Breaches of security resulting in loss of confidentiality could lead to loss of privacy and competitiveness. Failure of integrity means the data is corrupt or modified. Many organizations seek availability, the so-called 24/7 availability (that is, 24 hours a day, 7 days a week). Loss of availability means the system, or the data, or both cannot be accessed. Therefore, a relational database management system aims to reduce the losses that are caused by threats or anticipated events. A threat is a situation or an event that may adversely affect a system, and hence the organization. The organization should invest time and effort to detect and identify the most serious threats [1, 8, 9].

Millions of online operations, such as electronic commerce and electronic banking, are conducted via unreliable Internet connections. Those types of transactions involve transferring sensitive assets and information [2]. This is a challenge for service providers, who must gain the user's trust. Therefore, strong protection of data containers such as an RDBMS is needed. Not every kind of data requires being kept safe and protected, but the most critical data, relating to users' information and money transactions, does. A corporation can specify the nature of the information that needs to be encrypted with a high level of security, such as a ministry of defense [8, 9].

This paper shows some of the countermeasures that are computer-control based, such as authorization, access control, backup and recovery, and encryption. It must be taken into account that encrypting sensitive data requires high performance from the system, because that data will need to be decrypted. Therefore, the programmer must ensure that optimized security algorithms are used while coding the application [8, 9].

1. What are the Attacks?

The rapid evolution of breach methods against SME organizations has called for the adoption of standard security measures like CIA. However, this becomes sophisticated due to the diversity of attacks, either direct or indirect.

An unclassified user can have legal access to the database to use public information, but may be able to infer classified information. There are three levels of attack on relational databases: direct, indirect and tracking. A direct attack is obvious: the attacker can easily access the database if it does not have any protection mechanism. An indirect attack infers the desired data from displayed data by using combinations of queries. A tracking attack is executed by suppression of the dominant results [3].

RDBMS threats can be summarized as:

- The administrator could grant the user privileges that are not required. Abuse of these privileges may lead to the creation of trapdoors in the application.
- The user has legitimate privileged access to the database, but may have the bad intention of abusing that utility.
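The indirect attack described above, inferring one person's data from combinations of queries that each look harmless, can be reproduced against a small statistical query interface, together with the query-set-size restriction that is the standard control against it. The following Python program is an added example; it is not code from the paper or from any of the works it cites. The employee rows, the StatisticalInterface class and its rule of answering a query only when k ≤ |C| ≤ n - k (C being the set of rows the query touches and n the table size) are constructed for the demonstration. The unguarded interface leaks the sole security-department salary by subtracting two aggregates; the guarded one refuses both aggregates but still answers an ordinary statistical question.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Employee:
    name: str
    dept: str
    salary: int


# Constructed sample rows (not data from the paper). "alice" is the only
# member of the security department, so any aggregate over that department
# is really a fact about one person.
EMPLOYEES: List[Employee] = [
    Employee("alice", "security", 9000),
    Employee("bob", "sales", 5000),
    Employee("carol", "sales", 5200),
    Employee("dave", "support", 4100),
    Employee("erin", "support", 4300),
    Employee("frank", "sales", 5100),
]

Predicate = Callable[[Employee], bool]


class StatisticalInterface:
    """Hypothetical statistical interface: only COUNT and SUM are answered,
    never individual rows, which is exactly the setting where indirect
    attacks arise.  With min_set_size=0 the interface is unguarded.  With
    k > 0 it applies query-set-size restriction: a query over the matching
    set C is answered only if k <= |C| <= n - k.  The upper bound matters
    because the complement of a small set is a large set, and subtracting a
    large-set aggregate from the total isolates the small set anyway.
    """

    def __init__(self, rows: Iterable[Employee], min_set_size: int = 0) -> None:
        self.rows = list(rows)
        self.k = min_set_size

    def _query_set(self, pred: Predicate) -> List[Employee]:
        matching = [r for r in self.rows if pred(r)]
        n = len(self.rows)
        if not (self.k <= len(matching) <= n - self.k):
            raise PermissionError(
                f"query set size {len(matching)} outside allowed range [{self.k}, {n - self.k}]"
            )
        return matching

    def count(self, pred: Predicate) -> int:
        return len(self._query_set(pred))

    def sum_salary(self, pred: Predicate) -> int:
        return sum(r.salary for r in self._query_set(pred))


def infer_single_salary(db: StatisticalInterface, dept: str) -> int:
    """Indirect attack: SUM over everyone minus SUM over everyone outside
    `dept` equals the salary of the sole member of `dept`.  Neither query
    names the victim or asks for a row."""
    total = db.sum_salary(lambda r: True)
    others = db.sum_salary(lambda r: r.dept != dept)
    return total - others


def demo() -> dict:
    """Run the inference against an unguarded and a guarded interface."""
    unguarded = StatisticalInterface(EMPLOYEES)
    leaked = infer_single_salary(unguarded, "security")

    guarded = StatisticalInterface(EMPLOYEES, min_set_size=2)
    try:
        infer_single_salary(guarded, "security")
        blocked = False
    except PermissionError:
        blocked = True

    # A legitimate statistical question is still answered by the guarded copy.
    sales_headcount = guarded.count(lambda r: r.dept == "sales")
    return {"leaked": leaked, "blocked": blocked, "sales_headcount": sales_headcount}


if __name__ == "__main__":
    print(demo())  # {'leaked': 9000, 'blocked': True, 'sales_headcount': 3}
```

Query-set-size restriction on its own is a weak control: an attacker who can issue several queries whose sets all fall inside the allowed range can still build a tracker, which is why the other mechanisms the paper lists (limiting or perturbing the displayed results so that they are close to, but not, the real values) are used alongside it.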
A further threat is vulnerability in the software or the operating system itself, which helps the intruder breach sensitive information through backdoors.

1.1. Mechanisms of Attack Control [3]:

- Rejecting, without any response, requests to the database whose results would display sensitive data.
- Making the intruder unable to guess the real information or values, because the system displays results that are close to, but not, the real ones.
- When sensitive data is detected in a result, the system should limit the results to prevent the attacker from revealing the data.
- Combining the results will leave the attacker confused about the sensitive data.

2. Countermeasures (Computer-based Control):

This type ranges from physical controls to administrative procedures. It can be categorized into various forms of control as [1]:

- Authorization.
- Access controls.
- Views.
- Process of Backup.
- Integrity.

Authorization is the process of granting a right or privilege to a subject (a user or a program) to have legitimate access to a system or the system's objects. It involves the authentication of the subject requesting access to objects. The administrator usually creates accounts with specific privileges according to the security level of the user.

Access controls in a relational database can allow or disallow the user from accessing the system. The RDBMS keeps track of the privileges while processing requests.

Views are the result of flexible operations conducted on the main relation. They are a mechanism of dynamic security, showing some parts of the data and hiding other parts according to the users' privileges.

Process of Backup: as is well known, backup means periodically capturing a copy of the log files of the instance processes plus a copy of the relational database, and storing them either on external storage or in the cloud to restore later.

Integrity is a process to maintain a secure RDBMS by preventing data from becoming invalid, and hence producing misleading or incorrect results.

3. Techniques of RDBMS Security:

Encryption is the process of encoding sensitive data so that it becomes unreadable. Most relational database management systems support this to secure their data [4]. The encryption concept has four main factors that are defined as [5]:
- An encryption key to encrypt the data (plaintext).
- An encryption algorithm that, with the encryption key, transforms the plaintext to cipher text.
- A decryption key to decrypt the cipher text.
- A decryption algorithm that, with the decryption key, transforms the cipher text back into the plaintext.

There are two forms of encryption technique, called symmetric and asymmetric. The symmetric one depends on a safe channel for exchanging the key; in addition, the encryption key is the same as the decryption key, for instance in IDEA (International Data Encryption Algorithm) [6, 7]. A symmetric algorithm is much faster than an asymmetric algorithm, which uses two different keys (private and public keys), such as RSA (the name is derived from Ron Rivest, Adi Shamir, and Leonard Adleman). Generally, they are used together: the public key (asymmetric) encrypts a randomly generated encryption key, and the random key encrypts the actual message (using a symmetric algorithm). The database encryption scheme should enhance sharing of data within the database without losing data privacy [2, 6-9].

To improve performance, the data should be divided into sensitive and insensitive data. The insensitive data can be retrieved rapidly, and the sensitive data is encrypted and decrypted using encryption algorithms.

Web-based database security: data transmitted from a server to a client must be secured. The client should be authenticated, for example with the Host Identity Protocol (HIP). HIP sets up a trusted relationship between hosts on the Internet by passing through the web server. HIP and the web server together help in the authentication process [2].

The log file is an important file for monitoring the processes and operations that occur online. It periodically tracks the status of operations to indicate the modifications that may occur when the system fails. It also integrates with the audit module to track the log file of the users, to guarantee web database security [1].

Negative Database: this process depends on adding false data to the original to confuse malicious users, while the data remains valid only to legal users. It has four modules: database cache, database encryption algorithm, virtual database, and negative database conversion. The first three generate the data for the conversion module, which generates the false data [2].

4. How to develop a relational database encryption strategy?

It is a mechanism for increasing the strength of data protection. Many factors go into getting strong encryption in an RDBMS:

- Whether the encryption should be implemented in the database or in the application.
- Access to the encryption key.
- The amount of data that should be encrypted.
- Whether there is any influence on performance.
- Most of the responsibility lies with the programmer and the developer while creating or developing the database management system.

The programmers should beware of creating trapdoors, which can be formed through the setting of policies and procedures.

There are two strategies for encrypting the database, and both have advantages and disadvantages:

- Encryption inside the RDBMS.
- Performing the encryption outside the database.

1. Fundamentals of Encryption:
Algorithm and key size are the factors for encrypting data within the RDBMS. The administrator of the application may grant legitimate access to authorized users as needed.

2. Data encryption effect on RDBMS:
Encrypting the data needs heavy processing. This increases the size of the RDBMS and then decreases its utility or performance. Consequently, encryption should be applied to the sensitive data.

3. Data stream into the application:
Data usually flows over the Internet and an internal network. Therefore, the potential risk is high.

4. The key management:
It relates to how to manage the key that is used in the RDBMS in terms of the number of keys, the location of keys, and the protection of access to the encrypted keys.

4.1. Solutions of implementing encryption:

i. Inside the Relational Database Management System (RDBMS):
This is a simple way, using the encryption/decryption method of the RDBMS. It is transparent to the application. When data is inserted into the RDBMS it is encrypted, and it is decrypted to the original when displayed. A disadvantage of encryption inside the RDBMS is the extra processing load and the decrease in performance.

ii. Outside the Relational Database Management System (RDBMS):
Using the client/server security protocol (SSL) helps the data to be encrypted in the application, whether at the source or at the destination. The protection differs from one application to another. The solution is to use an Encryption Server to provide centralized encryption services for the whole database. The drawbacks include communication overhead, administering more servers and changing the applications.
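The choice of encrypting outside the RDBMS, the split between sensitive and insensitive data from section 3, and the views countermeasure from section 2 can be seen together in one application-side design. The following Python program is an added example; it is not code from the paper or from any cited work. Non-sensitive columns stay in plaintext so they remain searchable without decryption, the sensitive column is encrypted in the application before it reaches the database, and the key is held by the application rather than the database. Because the standard library ships no AES, the field cipher is a stand-in: an HMAC-SHA256 keystream with a separate HMAC tag (encrypt-then-MAC); in production the same shape would use AES-GCM from a vetted library with a key from a KMS/HSM or the paper's Encryption Server. The table, column names, city values, card numbers and key are all constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3
import struct

NONCE_LEN, TAG_LEN, BLOCK = 16, 32, 32  # BLOCK = one SHA-256 output


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _xor_keystream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style keystream, block i = HMAC(enc_key, nonce || i), XORed into data.
    Stand-in for AES-CTR because the standard library ships no AES."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), BLOCK)):
        ks = hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return bytes(out)


def encrypt_field(master: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC, fresh nonce per call)."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_keystream(_subkey(master, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(master: bytes, blob: bytes) -> bytes:
    """Checks the tag before decrypting, so a modified cell is rejected rather than decoded."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("field integrity check failed")
    return _xor_keystream(_subkey(master, b"enc"), nonce, ct)


def open_store() -> sqlite3.Connection:
    """Constructed schema: city is insensitive and stays searchable in plaintext,
    card_number is sensitive and is only ever stored as a ciphertext blob.
    The view gives reporting users the insensitive columns only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, city TEXT NOT NULL, card_number BLOB NOT NULL)")
    conn.execute("CREATE VIEW customer_locations AS SELECT id, city FROM customers")
    return conn


def insert_customer(conn: sqlite3.Connection, master: bytes, city: str, card_number: str) -> int:
    """Encrypts in the application, outside the RDBMS; the database never sees the plaintext."""
    cur = conn.execute("INSERT INTO customers (city, card_number) VALUES (?, ?)",
                       (city, encrypt_field(master, card_number.encode())))
    return cur.lastrowid


def customers_in_city(conn: sqlite3.Connection, city: str) -> int:
    """Insensitive data is answered from the view with no decryption at all."""
    return conn.execute("SELECT COUNT(*) FROM customer_locations WHERE city = ?", (city,)).fetchone()[0]


def stored_blob(conn: sqlite3.Connection, customer_id: int) -> bytes:
    """What a DBA, a stolen backup or a direct attack on the database file actually sees."""
    return conn.execute("SELECT card_number FROM customers WHERE id = ?", (customer_id,)).fetchone()[0]


def read_card_number(conn: sqlite3.Connection, master: bytes, customer_id: int) -> str:
    """Only a caller holding the master key recovers the sensitive field."""
    return decrypt_field(master, stored_blob(conn, customer_id)).decode()


def demo() -> dict:
    master = os.urandom(32)  # constructed key; in production it comes from a KMS/HSM or encryption server
    conn = open_store()
    cid = insert_customer(conn, master, "Tobruk", "4111 1111 1111 1111")
    insert_customer(conn, master, "Tobruk", "5500 0000 0000 0004")
    insert_customer(conn, master, "Tripoli", "3400 0000 0000 009")
    blob = stored_blob(conn, cid)
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit, as a corrupted or edited cell would
    try:
        decrypt_field(master, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"tobruk_count": customers_in_city(conn, "Tobruk"),
            "round_trip": read_card_number(conn, master, cid),
            "plaintext_in_db": b"4111" in blob,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The trade-offs match the paper's two strategies: because the database only ever holds ciphertext, it cannot index or search the card number, and every application that reads it must be changed to call decrypt_field and must be able to reach the key, whereas the plaintext city column keeps its normal query performance. The tag check is what makes a tampered or corrupted cell fail closed instead of decrypting to garbage.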
Conclusion:

This report explains different methods of database security. Database risks are increasing with the risk of data disclosure. The programmers of an RDBMS have the responsibility to increase and improve the security techniques of the databases without affecting performance. In addition, the user has responsibilities, especially regarding the ethics of using sensitive data. We have described the types of attacks and threats that the database could face. Then, the report explained some mechanisms of attack control. It explained the countermeasures that are computer-based and concentrated on the encryption method. In the same approach, it described the database security techniques or methods. The last part is about the benefits and drawbacks of using encryption either inside or outside the RDBMS.

References:

[1] T. Connolly, C. Begg. "Database Systems: A Practical Approach to Design, Implementation, and Management", 4th ed., England: Pearson Education Limited, 2005, pp. 542-547, 550-551.

[2] Burtescu, E. (2009). Database Security - Attacks and Control Methods. Journal of Applied Quantitative Methods, 4(4), 449-454.

[3] Kayarkar, H. (2012). Classification of Various Security Techniques in Databases and their Comparative Analysis. arXiv preprint arXiv:1206.4124.

[4] Kahate, A. (2013). Cryptography and network security. Tata McGraw-Hill Education.

[5] Stallings, W., & Brown, L. (2008). Computer security. Principles and Practice.

[6] Schaefer, E. F. (1996). A Simplified Data Encryption Standard Algorithm. Cryptologia, 20(1), 77-84.

[7] Chang, H. S. (2004). International Data Encryption Algorithm. Retrieved from http://scholar.googleusercontent.com/scholar?q=cache:WXJPT0eEM7EJ:scholar.google.com/+International+Data+Encryption+Algorithm&hl=en&as_sdt=0,5 on 15 February 2013.

[8] Almasri, O., & Jani, H. M. Introducing an Encryption Algorithm based on IDEA.

[9] Almasri, O., Jani, H. M., Ibrahim, Z., & Zughoul, O. (2013). Improving Security Measures of E-Learning Database. International Organization of Scientific Research - Journal of Computer Engineering (IOSR-JCE), 10(4), 55-62.
