11 - Database and Cloud Security

Uploaded by ikonarmy4

Chapter 5

Database and Cloud Security


Databases
 Structured collection of data stored for use by one or more applications
 Contains the relationships between data items and groups of data items
 Can sometimes contain sensitive data that needs to be secured

Database management system (DBMS)
• Suite of programs for constructing and maintaining the database
• Offers ad hoc query facilities to multiple users and applications

Query language
 Provides a uniform interface to the database
Relational Database Elements
 Relation/table/file
 Tuple/row/record
 Attribute/column/field

Primary key
• Uniquely identifies a row
• Consists of one or more column names

Foreign key
• Links one table to attributes in another

View/virtual table
• Result of a query that returns selected rows and columns from one or more tables

Table 5.1 Basic Terminology for Relational Databases
Structured Query Language (SQL)
 Standardized language to define schema, manipulate, and query data in a relational database
 Several similar versions of ANSI/ISO standard
 All follow the same basic syntax and semantics

SQL statements can be used to:
• Create tables
• Insert and delete data in tables
• Create views
• Retrieve data with query statements
SQL Injection Attacks (SQLi)
• One of the most prevalent and dangerous network-based security threats
• Designed to exploit the nature of Web application pages
• Sends malicious SQL commands to the database server
• Most common attack goal is bulk extraction of data
• Depending on the environment, SQL injection can also be exploited to:
  o Modify or delete data
  o Execute arbitrary operating system commands
  o Launch denial-of-service (DoS) attacks
Injection Technique
 The SQLi attack typically works by prematurely terminating a text string and appending a new command
 Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with the comment mark “--”
 Subsequent text is ignored at execution time
SQLi Attack Avenues
User input
• Attackers inject SQL commands by providing suitable crafted user input

Server variables
• Attackers can forge the values that are placed in HTTP and network headers and exploit this
vulnerability by placing data directly into the headers

Second-order injection
• A malicious user could rely on data already present in the system or database to trigger an SQL
injection attack, so when the attack occurs, the input that modifies the query to cause an attack does
not come from the user, but from within the system itself

Cookies
• An attacker could alter cookies such that when the application server builds an SQL query based on
the cookie’s content, the structure and function of the query is modified

Physical user input
• Applying user input that constructs an attack outside the realm of web requests
Inband Attacks
• Uses the same communication channel for injecting SQL code and retrieving results
• The retrieved data are presented directly in the application Web page
• Include:

Tautology
• This form of attack injects code in one or more conditional statements so that they always evaluate to true

End-of-line comment
• After injecting code into a particular field, legitimate code that follows is nullified through usage of end-of-line comments

Piggybacked queries
• The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request
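The injection technique and the two inband shapes above (tautology and end-of-line comment) can be seen directly by building the same lookup twice: once by string concatenation and once as a parameterized query, which is the defensive-coding countermeasure the chapter lists. This is an added example written for this page, not code from the slides or the textbook; the accounts table, its rows, and the two input strings are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the slides): a small accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the single-quoted text string in the statement can be
    terminated early by the input, so the rest of the input is parsed as SQL."""
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Defensive coding: the input is bound to the ? placeholder as data after the
    statement has been parsed, so it can never change the statement's structure."""
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed inputs of the two inband shapes described above.
TAUTOLOGY = "' OR '1'='1"     # closes the string and adds an always-true condition
EOL_COMMENT = "x' OR 1=1 --"  # closes the string and comments out the trailing quote


def demo():
    """Row counts returned for each input by each implementation."""
    conn = make_db()
    return {
        "vulnerable_tautology": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "vulnerable_eol_comment": len(lookup_vulnerable(conn, EOL_COMMENT)),
        "parameterized_tautology": len(lookup_parameterized(conn, TAUTOLOGY)),
        "parameterized_eol_comment": len(lookup_parameterized(conn, EOL_COMMENT)),
        "parameterized_legit": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated statement both inputs return every row in the table (the tautology makes the WHERE clause always true; the end-of-line comment discards the closing quote the application appended), while the parameterized version returns nothing for either input and only the matching row for a legitimate name. The piggybacked form is not shown because Python's sqlite3 execute() refuses to run more than one statement at a time; other drivers and database engines do execute batched statements, so that protection must not be relied on.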
Inferential Attack
• There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server
• Include:
  o Illegal/logically incorrect queries
    • This attack lets an attacker gather important information about the type and structure of the backend database of a Web application
    • The attack is considered a preliminary, information-gathering step for other attacks
  o Blind SQL injection
    • Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker
Out-of-Band Attack
• Data are retrieved using a different channel
• This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax
SQLi Countermeasures
• Three types:

Defensive coding
• Manual defensive coding practices
• Parameterized query insertion
• SQL DOM

Detection
• Signature based
• Anomaly based
• Code analysis

Run-time prevention
• Check queries at runtime to see if they conform to a model of expected queries
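The run-time prevention idea above, checking each statement against a model of the queries the application is expected to issue, can be made concrete with a small structural check. This is an added example for this page, not code from the slides or the textbook, and it assumes a simplified model: every statement is reduced to a skeleton in which string and numeric literals become ?, comments are dropped and whitespace is collapsed; the model is the set of skeletons of the application's own parameterized statements; a concrete statement is allowed only if its skeleton is in that set. The tokenizer covers only the SQL subset needed here and is not a full SQL grammar.

```python
import re

# Tokenizer for the small SQL subset this example needs (an assumption of the
# example, not a full grammar): string literals, numeric literals, comments,
# whitespace, identifiers/keywords, and any other single character.
_TOKEN = re.compile(
    r"""
      (?P<string>'(?:[^']|'')*')
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<comment>--[^\n]*|/\*.*?\*/)
    | (?P<space>\s+)
    | (?P<word>[A-Za-z_][A-Za-z_0-9]*)
    | (?P<other>.)
    """,
    re.VERBOSE | re.DOTALL,
)


def normalize(sql):
    """Reduce a statement to its structural skeleton: every literal becomes ?,
    comments are dropped, whitespace is collapsed, words are lowercased."""
    parts = []
    for m in _TOKEN.finditer(sql):
        kind = m.lastgroup
        if kind in ("string", "number"):
            parts.append("?")
        elif kind == "comment":
            continue  # an injected end-of-line comment leaves no trace in the skeleton
        elif kind == "space":
            parts.append(" ")
        else:
            parts.append(m.group().lower())
    return "".join(parts).strip()


def build_model(templates):
    """The model of expected queries: skeletons of the statements the application
    is written with (parameterized statements already carry ? placeholders)."""
    return {normalize(t) for t in templates}


def check_query(model, sql):
    """Run-time check: allow the concrete statement only if its skeleton is one the
    application is known to issue; any other structure is denied."""
    return normalize(sql) in model


if __name__ == "__main__":
    # Constructed statements: one expected template, one benign instance, two
    # instances whose structure was altered by injected input.
    model = build_model(["SELECT username, balance FROM accounts WHERE username = ?"])
    for stmt in [
        "SELECT username, balance FROM accounts WHERE username = 'alice'",
        "SELECT username, balance FROM accounts WHERE username = '' OR '1'='1'",
        "SELECT username, balance FROM accounts WHERE username = 'x' OR 1=1 --'",
    ]:
        print("ALLOW" if check_query(model, stmt) else "DENY ", stmt)
```

A tautology adds an extra OR ?=? term and an end-of-line comment still leaves the injected condition in place, so both skeletons differ from the template and are denied, while any legitimate value (including one containing an escaped apostrophe) keeps the template's shape. This kind of check is a second layer behind parameterized queries, not a replacement for them: it only recognises structures the application already issues, so the model must be kept in step with the code.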
Database Access Control
Database access control system determines:
• If the user has access to the entire database or just portions of it
• What access rights the user has (create, insert, delete, update, read, write)

Can support a range of administrative policies:

Centralized administration
• Small number of privileged users may grant and revoke access rights

Ownership-based administration
• The creator of a table may grant and revoke access rights to the table

Decentralized administration
• The owner of the table may grant and revoke authorization rights to other users, allowing them to grant and revoke access rights to the table
SQL Access Controls
• Two commands for managing access rights:
• Grant
o Used to grant one or more access rights or can be used to assign a
user to a role
• Revoke
o Revokes the access rights

• Typical access rights are:
• Select
• Insert
• Update
• Delete
• References
Role-Based Access Control (RBAC)
• Role-based access control eases administrative burden and improves security
• A database RBAC needs to provide the following capabilities:
  • Create and delete roles
  • Define permissions for a role
  • Assign and cancel assignment of users to roles
• Categories of database users:

Application owner
• An end user who owns database objects as part of an application

End user
• An end user who operates on database objects via a particular application but does not own any of the database objects

Administrator
• User who has administrative responsibility for part or all of the database

Table 5.2 Fixed Roles in Microsoft SQL Server
Inference Detection
Two approaches:

Inference detection during database design
• Approach removes an inference channel by altering the database structure or by changing the access control regime to prevent inference
• Techniques in this category often result in unnecessarily stricter access controls that reduce availability

Inference detection at query time
• Approach seeks to eliminate an inference channel violation during a query or series of queries
• If an inference channel is detected, the query is denied or altered

• Some inference detection algorithm is needed for either of these approaches
• Progress has been made in devising specific inference detection techniques for multilevel secure databases and statistical databases
Database Encryption
 The database is typically the most valuable information resource for any organization
 Protected by multiple layers of security
  Firewalls, authentication, general access control systems, DB access control systems, database encryption
 Encryption becomes the last line of defense in database security
 Can be applied to the entire database, at the record level, the attribute level, or the level of the individual field
 Disadvantages to encryption:
  Key management
   Authorized users must have access to the decryption key for the data for which they have access
  Inflexibility
   When part or all of the database is encrypted it becomes more difficult to perform record searching
Data owner – organization that produces data to be made available for controlled release
User – human entity that presents queries to the system
Client – frontend that transforms user queries into queries on the encrypted data stored on the server
Server – an organization that receives the encrypted data from a data owner and makes them available for distribution to clients
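The four roles above, and the inflexibility problem (searching encrypted records), can be worked through in a small model: the data owner encrypts each record and attaches a keyed index token for one attribute, the server stores only ciphertext and tokens and answers equality lookups on the token, and the client rewrites the user's plaintext query into a token query and decrypts what comes back. This is an added example for this page, not code from the slides or the textbook. It assumes a keyed HMAC-SHA256 index on the dept attribute and, to stay within the Python standard library, an illustrative HMAC-based keystream for record encryption; that stream cipher is unauthenticated and stands in for an AEAD such as AES-GCM that a real deployment would use. The records are constructed sample data.

```python
import hashlib
import hmac
import json
import os
import sqlite3

# Constructed sample records (not from the slides).
SAMPLE_RECORDS = [
    {"id": 1, "name": "alice", "dept": "sales", "salary": 52000},
    {"id": 2, "name": "bob", "dept": "engineering", "salary": 61000},
    {"id": 3, "name": "carol", "dept": "sales", "salary": 48000},
]


def _keystream(key, nonce, length):
    """Illustrative PRF stream: block i = HMAC-SHA256(key, nonce || i).
    Unauthenticated; stands in for a real AEAD in this example."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, nonce, data):
    """Encrypts or decrypts (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def index_token(index_key, value):
    """Deterministic keyed index on an attribute value: the server can match equal
    values without learning the value itself (equal values do share a token)."""
    return hmac.new(index_key, value.encode(), hashlib.sha256).hexdigest()


class DataOwner:
    """Produces the data, holds the keys, and publishes encrypted rows."""
    def __init__(self):
        self.enc_key = os.urandom(32)
        self.idx_key = os.urandom(32)

    def publish(self, records):
        rows = []
        for rec in records:
            nonce = os.urandom(16)
            ct = xor_crypt(self.enc_key, nonce, json.dumps(rec).encode())
            rows.append((rec["id"], nonce, ct, index_token(self.idx_key, rec["dept"])))
        return rows


class Server:
    """Stores only ciphertext plus index tokens; answers equality lookups on the index."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE enc_rows (id INTEGER PRIMARY KEY, nonce BLOB, ct BLOB, dept_idx TEXT)"
        )

    def load(self, rows):
        self.db.executemany("INSERT INTO enc_rows VALUES (?, ?, ?, ?)", rows)

    def query_by_index(self, dept_idx):
        return self.db.execute(
            "SELECT nonce, ct FROM enc_rows WHERE dept_idx = ?", (dept_idx,)
        ).fetchall()

    def dump(self):
        return self.db.execute("SELECT id, nonce, ct, dept_idx FROM enc_rows").fetchall()


class Client:
    """Frontend that rewrites the user's plaintext query into an index query and
    decrypts the rows the server returns."""
    def __init__(self, enc_key, idx_key, server):
        self.enc_key, self.idx_key, self.server = enc_key, idx_key, server

    def find_by_dept(self, dept):
        token = index_token(self.idx_key, dept)  # the query transformation step
        results = []
        for nonce, ct in self.server.query_by_index(token):
            rec = json.loads(xor_crypt(self.enc_key, nonce, ct))
            if rec["dept"] == dept:  # defensive re-check on the decrypted plaintext
                results.append(rec)
        return results


if __name__ == "__main__":
    owner, server = DataOwner(), Server()
    server.load(owner.publish(SAMPLE_RECORDS))
    client = Client(owner.enc_key, owner.idx_key, server)
    print(client.find_by_dept("sales"))
```

The server can answer "all records in dept = sales" without ever holding the plaintext, which is the point of the client/server split; the cost is the inflexibility the slide names: only the attribute that has an index token is searchable, only by equality, and the deterministic token reveals which rows share a department value even though not which value it is.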
Cloud Security
NIST SP-800-145 defines cloud computing as:

“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
NIST Deployment Models

Public cloud
• The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services
• The cloud provider is responsible both for the cloud infrastructure and for the control of data and operations within the cloud

Private cloud
• The cloud infrastructure is operated solely for an organization
• It may be managed by the organization or a third party and may exist on premise or off premise
• The cloud provider is responsible only for the infrastructure and not for the control

Community cloud
• The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns
• It may be managed by the organizations or a third party and may exist on premise or off premise

Hybrid cloud
• The cloud infrastructure is a composition of two or more clouds that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability
Cloud Computing Reference Architecture
• NIST SP 500-292 establishes a reference architecture described as follows:

“The NIST cloud computing reference architecture focuses on the requirements of ‘what’ cloud services provide, not a ‘how to’ design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.”
Objectives
• NIST developed the reference architecture with the following objectives in mind:
  o To illustrate and understand the various cloud services in the context of an overall cloud computing conceptual model
  o To provide a technical reference for consumers to understand, discuss, categorize, and compare cloud services
  o To facilitate the analysis of candidate standards for security, interoperability, and portability and reference implementations
Cloud Security Risks
The Cloud Security Alliance lists the following as the top cloud-specific security threats:
• Abuse and nefarious use of cloud computing
• Insecure interfaces and APIs
• Malicious insiders
• Shared technology issues
• Data loss or leakage
• Account or service hijacking
• Unknown risk profile
Table 5.4 NIST Guidelines on Cloud Security and Privacy Issues and Recommendations
(This table can be found on page 210 in the textbook.)
Data Protection in the Cloud
The threat of data compromise increases in the cloud because of:
• Risks and challenges that are unique to the cloud
• Architectural or operational characteristics of the cloud environment

Multi-instance model
• Provides a unique DBMS running on a virtual machine instance for each cloud subscriber
• Gives the subscriber complete control over administrative tasks related to security

Multi-tenant model
• Provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier
• Gives the appearance of exclusive use of the instance but relies on the cloud provider to establish and maintain a secure database environment
Cloud Security
As A Service
• SecaaS
• Is a segment of the SaaS offering of a CP
• Defined by The Cloud Security Alliance as the provision of
security applications and services via the cloud either to cloud-
based infrastructure and software or from the cloud to the
customers’ on-premise systems
Summary
• The need for database security
• Database management systems
• Relational databases
  o Elements of a relational database system
  o Structured Query Language
• SQL injection attacks
  o A typical SQLi attack
  o The injection technique
  o SQLi attack avenues and types
  o SQLi countermeasures
• Inference
• Database access control
  o SQL-based access definition
  o Cascading authorizations
  o Role-based access control
• Database encryption
• Cloud computing
  o Cloud computing elements
  o Cloud computing reference architecture
• Cloud security risks and countermeasures
• Data protection in the cloud
• Cloud security as a service
