Database Security and Auditing

Introduction

Database security has a lot of significance to the organization because it determines the organization’s data confidentiality, integrity, and availability. The level of information security determines the right person to have access to the data, the data type of data that a particular user should access this can be either the read-only or write/read, the operations that the authorized user should perform on the data, the database security gives the user some privileges which specify the type of data operations the user is entitled to perform on the data.

The process of authorizing a database has been involving providing its customers with either some programs or even operations of accessing available objects or even objects sets. The database integrity of an organization is charged with the responsibility of ensuring data security consistency as well as maintaining it in the right state. The database mechanism has been divided into two, namely; these supporting the database to maintain it, and those charged with the responsibility of maintaining database properties.

Some of the properties maintained in the second mechanism include; integrity of entry, and referrals, as well as transactional integrity, these properties include; “entity integrity, the referral and, transactional integrity and, the applications which relate to the business rules” (Bertino, et al 1991). The integrity of a database about any system is based on the claims that the data retrieved should resemble the original data which was inserted by the administrator/user.

Database administrators should ensure that any unauthorized use is denied the chance to alter or delete the original data. It is required that the organization’s data is kept according to the business rules as determined by the database set down by the organization’s ethical code of conduct. The security checks are enforced by the database to maintain the integrity of the data.

The referential integrity is maintained by the data security checks that apply to the database thereby maintaining it by checking on the threats both from the insiders and outsiders. The importance of the referential security checks is to ensure that the data which is fed directly into a given application about the original application is consistent with the database, these rules govern the data by ensuring that it is in conformance with the referenced values. The referential checks are based on the mechanisms which dictate the extent to which data can be manipulated about the values, these database security checks are vital especially in the determination of the effects of data manipulation.

The attacks are continuously evolving to target the specific applications, and the databases are increasingly housing the enterprise information jewels and hence there must be proper protection from both the insiders and the outsiders. The company is challenged to ensure high security to its database as it continues designing, creating, and testing the software. The security teams should continuously be engaged with the application teams in protecting the massive collaborative systems, through means such as code scanning and Analysis, Firewalls, Database Auditing, Encryption, or Protection of the Service-Oriented Architecture.

Literature Review

Bertino, et al, (1991), highlighted the basics in an uninterruptible self-protection mechanism which has got total integration into an inseparable computing system to ensure a complete and affordable system with compliance to the security audits, they based their research on the insider Threat Security Architecture. However, there is some scenario in which the users are given the privileges to compromise the database checks and even the security checks.

A lot of emphasis is given to the importance of self-protection mechanisms as an integral part of the system that is being protected. The detection of the threats is very critical for the system as well as the health of the organization’s database. The research carried out showed that it is very difficult to detect insider threats since in most cases the focus is put on the external threats at the expense of the internal threats. This is evidenced especially due to the increased use of modern technologies which are software-based with applications such as passwords, firewalls, the encryption of data, and authentication processes.

In addition to these, there are other mechanisms such as the use of access control system audits, patch management, and penetration testing, the internal threats prove to be hard to manage because they are perpetrated by the insiders whose intent cannot be easily identified, this research aimed at finding the effective means of managing and mitigation of the security risks in the global computing environment by the provision of the security framework that works against the outsider threats, (Afyouni, 2005).

Atwood et al (1993) in their research on the database artifacts such as the database security requirements, as well as the application security requirements especially in the cases of the applications which are involved in the leveraging of the database through the identification of the database architecture, the type of technology used in data protection and the configurations, the protection of the critical assets, the sensitivity of the data stores and the interconnections which have been made in accordance to the company business and the security objectives.

This research work has applied a lot of leveraging concepts on the available documentations which ensure the understanding of the potential attacks that focus on the auditing activities especially those that apply to the most critical elements.(Bertino et al, 1991) advocated for the consultation to be carried out especially with the database development team and the administrators to understand; the security requirements in relation to the business goals, and the objectives which are aimed at maintaining the data confidentiality, integrity, availability, and the level at which they can be proved this also applies to the intra database data flows and the emerging security threats; especially when it comes to the issues concerning the database architecture and the key database components.

There are also the core technologies that are very important to the database because the database is very much reliant upon it in order to achieve the security objectives. There are also some core operational processes which are vital to the databases, especially those that the database relies upon as the means to achieve the security objectives.

The review as a whole involved, “the formal reports on the processes, the gap analysis, and the relevant information that can lead to the mitigation roadmap, the report also include; the root cause analysis, the peer-group benchmarking, some of the best practices in benchmarking, the executive/technical summaries” (Bertino, et al 1991). The database security architect benefit the database administrators providing for very high standards of the design assurance through a very comprehensive analysis of the databases especially the level of security and the information stored.

The architect is also involved in the identification of the necessary assurance activities and which focuses on the assessments and the testing of the activities especially on the relevant issues which affect the large scale enterprises and their databases; It devises the ways of addressing the flaws in the database specifically those which apply at the designs phase of the database and the means of mitigating such like flaws

Research has been carried out in which the database Security Architecture has been analyzed at the initial stages of database implementation where it is possible to improve the life cycle of the database thereby ensuring that the database is relevant. Much focus was directed on the means that can reduce the likelihood that the security is applied to the database resulting to the extra expenses that are incurred in the maintenance of the system. It has been established that both the post design and initial stages of the database validates the database in logical sequence according to the design and the certification process.

There are provided the multi-tier application a means of finding the solutions for the problems which are normally associated with the client/server type of the applications. The networking of the systems requires the firewalls to be introduced at strategic points, this firewalls regulate the access to the servers. As a result, the firewall is placed between the Client and the web server, the web server and the application server and between the application server and the Database server. The firewall between the client and the web server only allow the access to some services such as the http but completely blocks any other service. The firewall that is placed between the web server and the application server controls the traffic between the two servers.

According to Gunner (2006) the security architecture’s purpose is to help the administrator to focus on the key areas of concern system security. It is a framework which helps to understand the design and the processes and the actions which are aimed at improving the system security. The system security helps to maintain confidentiality, the integrity and the availability of the services without interruptions.

The implementation of the security services is aimed at providing protection through authentication and authorization, use of the detection services, the monitoring and auditing and the response services. The security architecture is the unifying framework that provides the cyclic services to implement the security and risk management. The security architecture also helps to improve the database integrity. (Ben-Natan, 2005)

The database contains a schedule where role have been distributed and is accomplished through a set of customized instructions which require the authorization of the users to access the data or perform the routine tasks within the database. The database is a combination of various commands which are applied to various database components, which include; the administrator, the process object, the object’s metadata, the multiple level commands that ensure data modification. There have been other cases where, “the administrator permission can be given to the database for viewing and updating of data within the database, this implies that the users of other databases cannot be able to view or update the data objects which they have not been assigned the permissions” Gunner (2006).

The information security also involves the encryption of the client or server communications in order to minimize the risks of the unauthorized users gaining the access to the unauthorized data information. In most cases the database security can be compromised especially if the database security architecture is mis-configured whereby it allows the users to connect to the database without authentication or in case the authentication settings have been disabled by default, in such a situation it is necessary to modify the default settings, (Shaheem, M. 2005).

After the user’s authentication, what then follows is the process of authorization, which involves the verification process which ensures that the user has been given the permission of performing any task within the database limits. Such process in most cases involves data viewing, data updating, or performance of any other administrative work. The authorization process continues even after the user has successfully connected to the database, the process of authentication continues even as the user access the database’s stored procedures, the data mining extensions and the analysis management objects command. The user is subjected to the verification of their authority to gain access to the objects. More research needs to done in order to keep with the technological advancements (Bertino, et al 991).

Requirements Analysis

Objectives

• To gain the overview of the auditing fundamentals.
• To develop a good understanding of the database auditing environment.
• To list the objectives of a database audit
• To ensure the compliance of the database to the data security for integrity.
• To ensure the development of a proper database through planning and executing of a security system.
• To define the ethical issues in the data management as applied to database security.
• To distinguish between the legal and the ethical issues in relation to the database administration.
• To establish the extent to which the regulations have affected the information handling by creating new requirements and the responsibilities on the database administration.
• To establish how various legislations such as the Sarbanes –Oxley Act have affected the database administration.
• To find out how the intellectual property matters have impacted on the information technology and the database administration.

The requirement analysis of the database security system takes into consideration the System input/output descriptions; it defines the database administrator requirement, and the functional and security requirements. The database process requirements are among the inherent requirements that the database security system must be able to handle.

Database transaction

The database security system must be able to perform processes which include sending, receiving and the triggering of the transactions especially to the oracle database system.

Data integrity

The database must be able to commit the transactions which are completed and rollback the unfinished or those transactions that are timed-out.

Data validation

The database system must be able to carefully handle the data errors as generated from the user’s end and other possible sources such as from the back-end database-processing end. The project must ensure that there is data validation and the error-handling routines are performed.

Performance

The database system must be able to resolve the locking issues and handle the concurrent usage of the system based full time schedule. It must be enabled to send, receive and provide the display of the user messages to assist in the over-all user experience, (Emekçi, 2006)

Data repository

The existing Oracle database must be maintained as the main repository for the data.

The information security requirements especially in the databases arise as a result of the necessity to protect data: especially from the loss due to unintentional actions or through malicious means especially from the deliberate attempts to corrupt the database by the unauthorized users who may have the intentions to access or alter that data. There exist the other concerns which include the protection from the undue delays while attempting to access the database, this type of interference can even lead to the point of denial of service. The costs of such security breaches are extremely high; the data loss can be disastrous (Emekçi, 2006)

The advent of technology coupled with the availability of the resources leads to the practices creates the new threats which enable the unauthorized database modification and the exploitation, this make the databases to vulnerable to the threat both internally or externally

leading to the accidental or the deliberate misuse of the information thereby affecting the stability of the databases. The technological advancements creates a globally challenges to the database systems as a result of the threats.

The security requirements are vital when it comes to the databases, it is advisable for the organization to train its employees so that they can understood and value its data banks. This can be achieved at the initial stages of implementation of databases. It is also possible to disable the threats against the database especially from the Internet vulnerabilities. These principles vary in terms of the effectiveness.

The process of implementing the listed requirements in most cases vary in terms of the incurred costs, particularly in the acquisition of hardware and software, together with the expenses incurred during maintenance. The administrative costs and expenses such as the fees for the programmers also need to be cut down. The impacts of the threats on the database can also be seen during the data processing and the response time.

Professional, legal, and ethical issues

The database security is a vital component of the organizational information management; many organizations have in most cases encountered difficult situations where they are required to account for their issues concerning their internal management as a result of the unethical character of their employees with respect to database administration which results into the leakage of internal information. This has the implications for the need for the organizations to develop the knowledge in the efforts to differentiate between the professional and the non-professional behavior.

The ethical code of the professional database administrator gives the examples of the unethical activities as the installation of the unlicensed software, the access to personal information and the leakage of data which results to the divulging of the trade secrets. The ethical code of practice helps the organizations. When it comes to the determination of the specific laws that regulate data security, generally the aspect of ethics fills the gap between the database administration and the law, (Bertino, et al 1991).

The database security in most organizations has been given a lot of attention, this is due to the fact that the information that is contained in an organization’s database is vital for its existence and mishandling of this information has dangerous implications, (Domingo-Ferrer, & Franconi, 2006).

The security professionals have the responsibility of acting ethically according to the policies and the procedures as laid down by their employers, professional organizations and the laws of their society. The following are some of the professional associations dealing with data and the information systems security,

The Association of Computing Machinery

This is a professional society with its own code of ethics which requires the members to carry out their duties in a manner which befits the ethical computing profession, this code contains the specific references aimed at protecting the confidentiality of the information through means that cause no harm, this protects the privacy of the information stored in the Databases, this association promotes the respect for the intellectual property.

The International Information System Security Certification Consortium

This is an international Non-profit organization which has focused on the development and the implementation of the information security; it also issues certifications and the credentials. The code of ethics for this association was primarily designed for the professional information security practioners certification.

The information Systems Audit and Control Association

This is an association which focuses on the auditing, the control and data security, it has its code of ethics which regulates the way of handling the information in the database, the Certified information.

Ethics

The Computer Ethics Institute provides the general ethical guidelines in relation to the use of the computers in handling of the information in the database. This are summarized as follows;

• The computer should not be used to harm other people.
• If not authorized, one should not use the computer to interfere with other people’s work
• Intruder should be allowed into personal data on the computer files
• The computer should not be used for criminal activities such as fraud.
• The computer should not be used for spreading information that can mislead the public
• The computer user should not be involved in either software piracy any other acts of illegal acquisition of data
• The computer user should not use computer resources belonging to other people without being authorized or the intellectual property of other people.
• The person developing the computer software should consider the social consequences of the program

The ethical viewpoint provides that every organization should provide ethical education in order to ensure that its employees are trained and kept aware of the issues relating to information security. A properly structured training program is necessary in an organization to enhance the employee’s ethical and legal understanding in the attempt to create a well informed computer user thereby lowering the risks involved in the data handling. (Kolodner, & Douglas, 1997)

Legal issues

The information officers and the data administrators have are always liable for the for the violations of the laws that protects data storage and acquisition, many organizations have developed the policies which regulate the legal and ethical behaviors, the professional organizations have also been involved in the data protection by formulating their own codes of ethics, (Biskup, & Brüggemann,1989).

Data management requires that the data or database administrators and the software developers gain a good understanding of the issues which surround the data security because the organizational data contains the information which is considered as the intellectual property of the organization. In broad sense, the intellectual property encompasses the inventions or ideas, both registered and the unregistered design rights, patents and their applications, the trademarks, and the written works (Domingo-Ferrer, & Franconi, 2006).

The patents include the legal rights that are issued for a specific period mainly to an individual or an organization to own an invention; they are issued by the government to the individual or the organization which can demonstrate the usefulness of the invention. The trademarks on the other hand are issued to the individual or an organization to own or use a word, the symbol, image and other distinctive elements which identifies the origin of the invention.

The legal system recognizes the rights for the individual or the organization to have a clear understanding of the intellectual property rights as the owner of the original ideas and works by recognizing their value as well as the legal measures in order to defend the integrity of such inventions from being used illegally. The intellectual property right covers the following; the software and patentability, the software and copyright issues, the commercial software and the shareware or freeware.

The intellectual property rights holds in relation to the collection, processing and the sharing of the data either by the individual or the organization with the trading partners. Therefore the data administrators should co-operate with the management and the legal counsel in the formulation and implementation of the policies which govern the way the databases are used in the sharing of the data. (Hassan, 2005)

The legislation that relate to data handling and the database management include the following;

• Securities and Exchange Commission (SEC) Regulation National Market System. This legislation involves the activities which seem to be ethical but they are not, it is based on the order protection rule where the activities that apply to investments are differentiated, it also require the financial service firms to collect data by researching the available markets.
• The Sarbanes-Oxley Act. This legislation is concerned with the security and the auditing of data. It has the implications on the data collection, data processing, the information security and the both the internal and external reporting. It is involved in the establishment of the internal organizational data controls by formulation of rules to be adopted by the organization in order to ensure that the set policies and the procedures cannot be violated but instead it should be properly secured by carrying out reliable operations.
• The European Union Directive on the Data protection of 1995

This legislation was enacted by the European Parliament it is concerned with the protection of the individual in regard to the means of processing personal data and the sharing or handling of such types of data. This legislation aims at maintaining the integrity of data.

Table 1 Project Plan.

Conclusion and discussion of the issues

Database security is an issue that has been of great concern, especially for most companies. Different database models have been developed due to the ever-changing forms of security threats. The software architects have tried to develop and translate the different schemes data models, however, the probability of developing reliable database security systems has been very minimal (Domingo-Ferrer, & Franconi, 2006).

The main motivation behind this project work is not to build a secure database system for very sensitive information stored in a global oil company where the system which includes the authorization process and the authentication process enables access control as one of the general-purpose systems. In addition, the project work has been incorporated with necessary concepts about the implied authorization and authentication of the users.

Future database security project review work will concentrate on the provision of the most dynamic implication rules that should be applied during the authorization and authentication process. Database security management requires that the database administrators and the software developers work in collaboration on the issues which surround the data security because the organization’s data contains information that is considered as the intellectual property of the organization.

This information is referred to as the intellectual property of the organization because it encompasses the inventions or main ideas, both registered and the unregistered design rights, the company patents and their applications, the trademarks, and any other written works that the company bears the responsibility. The loss of such data implies that the company will be vulnerable to external attacks whether in terms of finance or criminal activities such as fraud.

In most cases, the security incidences about the database security lead to many legal considerations. “The organization’s legal department needs to be adequately notified early in the process to respond to the incident by the legal ramifications of the various steps that should be taken as a form of protection to information resources” (Domingo-Ferrer, & Franconi, 2006). The legal is also a vital component in such a case; it can decide on the documentation that may be required for future legal action.

The external and internal threats target the specific applications in the databases, this has raised concerns since the databases are increasingly housing valuable information and hence there must be proper protection from both the insiders and the outsiders. The company is challenged to ensure high security to its database as it continues in the designing, creating, and testing of the software. It also puts a lot of pressure on the security teams; they should always be engaged with the application teams in process of protecting the massively interconnected systems, through protective security means such as code scanning and Analysis, Firewalls, Database Auditing, and Encryption or Protection of the Service Oriented Architecture, (Domingo-Ferrer, & Franconi, 2006).

When dealing with cases involving data, and information issues, the legal recourse can be characterized as either criminal or civil. “If classified as criminal prosecution, the value of the time and the effort taken to restore the system to into its initial condition can be considered as part of the penalty phase to that determines the restitution. If classified as a civil case, it should be possible to itemize the damages to be able to recover from the loss which is caused by those damages”. (Gal, 2009)

References

Afyouni, H. 2005. Database Security and Auditing: Protecting Data Integrity and Accessibility, Cengage Learning. New York: Springer.

Atwood, T., Duhl, J., Ferran, G., Loomis, M. & Wade, D. (1993) The Object Database Standard: ODMG-93, Release 1.1., San Francisco, USA: Morgan Kaufmann Publishers.

Ben-Natan, R. 2005. Implementing database security and auditing: A guide for DBAs, information security administrators and auditors. London: Digital Press.

Bertino, E., Kim, W., Rabitti, F. and Woelk, D. 1991. A Model of Authorization for Next-Generation Database Systems. ACM ToDS, 16(1): 2-54.

Biskup, J. & Brüggemann, H. (1989). The Personal Model of Data: Towards Privacy Oriented Information System (extended abstract). Proc. 5th Int’l Conf. on Data Engineering (ICDE’89), IEEE Computer Society Press.

Domingo-Ferrer, J. & Franconi, L. 2006. Privacy in statistical databases: CENEX-SDC project international conference, Rome, Italy, New York: Springer.

Emekçi, F., Divyakant, A., El Abbadi, A. & Gulbeden, A. 2006. Privacy Preserving Query Processing Using Third Parties. New York. Sage.

Gal, C. 2009. Protecting Persons While Protecting the People: Second Annual Workshop on Information Privacy and National Security, ISIPS 2008, New Brunswick, NJ, USA: Springer.

Gunnar, P. 2006. Security Architecture Blueprint, New York: Arctec Group, LLC.

Kolodner, R. & Douglas, J. 1997. Computerizing large integrated health networks: New York: Springer

Shaheem, M. 2005. Security Architecture for Multi-Tier Applications. Web.