Abstract
Data is fundamental in today’s digital life. Therefore, the essential need is to protect data from unauthorized users. Choosing a database application depends on cost. Business database is expensive to a great degree. This paper delineates database security utilizing true blue benefit manhandle and cryptography. There are numerous dangers in the database, which releases the data for the denied purpose. Among the fundamental dangers in database security, this paper will portray the true blue benefit abuse. Among the approaches to secure data from gatecrashers/assailants is by using cryptography techniques, the access-control approach is the primary imperative technique to secure database by using cryptography and row-level security.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
Day by day, protection is fundamental in all viewpoints. Everyone desires to protect his/her advantages, basic information. Protection is the main problem in all associations. For all, associations have their own associated and relevant data. So it should be protected from intruders. So the protection of data is the far-reaching extent to protect information from unauthorized customers. Various associations have to collect or access their data by spending some portion of the money. Therefore, data must be guaranteed and protected. The protection of the database should be in the two spots, either in government zone or in private zone. Wherever there is some essentialness of information is to protect. In addition, the information must be guaranteed. The request for protection shorelines is unapproved data discernment, wrong data adjustment, and unavailability. The protection of data needs three properties, privacy, trustworthiness, and openness. Protection insinuates confirmation from unapproved customers. Reliability keeps the unapproved customers and misguided data change and openness suggests recovery from hardware and programming botches or harmful activity realizing the refusal of data availability [1,2,3,4,5,6,7,8].
2 Literature Survey
Database Threats
The repeat of assaults against these databases has in as manner extended. Database overseers truly can deal with those DDOS attacks [4,5,6,7,8,9].
Excessive Privilege-Based Abuse
Exactly when database customers are outfitted with getting to benefits that outperform their essential action, these advantages can be misused by intention or unexpectedly. For example, a database executive in budgetary affiliation. If he drops audit trails or makes counterfeit records he can have the ability to trade money beginning with one record then onto the following so mistreating the unnecessary advantage intentionally. Another case is a DBA in the bank, whose action is to change customer contact can access other details. An affiliation is giving a task at home, other option of agents and the laborer takes a fortification of extraordinarily sensitive information to manage from home. This is not only neglects the protection techniques of affiliation, yet what’s more may realize data protection break, if a system at home is dealt. So this advantage can be misused incidentally.
Legitimate Privilege-Based Abuse
Customers in a similar manner misuse bona fide database benefits for ill-conceived purposes. Exactly when the affirmed customer mishandles the true blue advantage for an unapproved reason, this is called genuine advantage abuse. Good old fashioned advantage misuse can be as mishandle by database customers, chiefs or a system boss doing any unlawful or deceptive development. It is, however not confined to, any manhandling of sensitive data or unjustified usage of advantages [2]. For example, affiliation laborer with advantages to see particular specialist records by methods for a custom Web application. The structure of the web application normally obliges customers to audit an individual laborer’s history. A couple of records cannot be seen in the meantime and electronic duplicates are not good old fashioned. Regardless, the heel laborer may dodge these imperatives by a partner with the database using different customers, for instance, MS Excel and his genuine login qualifications, the laborer may recover and spare every single delegate record.
Platform Vulnerabilities
Vulnerabilities in previous working structures like Windows 2000, UNIX, Linux, etc., and additional organizations presented on databases may provoke unapproved access to database management or forswearing of administration. For instance, the Blaster Worm exploited in a Windows 2000 helplessness to make dissent of administration situations [2]. In a study report of information security [6]: pioneers versus slouches. The vulnerabilities versus priorities to audit graph is shown in Fig. 1
Vulnerabilities versus priorities
Stored Procedure
It communicates that in a Database Organization System (DBMS), a putaway methodology is a plan of Structured Query Language (SQL) clarifications with an allotted name that is secured in the database fit as a fiddle so it can be shared by different undertakings. The usage of putaway strategy philosophy can be helpful in controlling access to data (end-customers may enter or change data yet do not create frameworks), protecting data respectability (information is entered consistently), and improving effectiveness (clarifications in a set away method just ought to be formed one time).
3 Proposed Method
Row-level security and data masking are the better methods to be implemented for providing security to a database [8].
Row-Level Security
Row-Level Security for SQL Database is presently large accessible. RLS empowers you to store information for some clients in a solitary database and tables, while in the meantime confining row-level access in view of a client’s character, part, or implementation setting. RLS unifies get to rationale inside the database itself, which improves and decreases the danger of blunder in your application code. RLS-Diagram-4 RLS can help customers develop secure applications for a variety of scenarios. For instance,
-
Confining access to money-related information in the view of a worker’s area and part.
-
Guaranteeing that occupants of a multi-inhabitant application can just access their own particular rows of information. Empowering diverse experts to investigate distinctive subsets of information in light of their position.
Discretionary Access Control
Approval control comprises of scrutiny if given subject/client, activity/benefit name, database object will have permission to continue [3]. So an approval will be seen as subjects, task write, obj definition, which determines that the subject has the privilege to play out an activity of activity compose on a protest. To oversee approvals properly, the DBMS requires significance of subjects/customer, inquiries, and rights or exercises. The system for enforcing discretionary access control in database structure relies upon the Grant and Revoke benefits. Surrender, Revoke clarifications are used to endorse triplets (customer/subject, action/advantage, data challenge) [5,6,7].
In UNIVERSITY database application, consider Student and Professor table.
After Row-Level Security
-
execute as user = ‘moorthy’
-
go
-
select * from dbo.detstudent
Parts of Row-Level Security
-
a.
Security Policy
-
b.
Filter Predicate
You might use Dynamic Data Masking to enable developers to work with production tables without exposing sensitive data or you might use it in help desk or call center scenarios where you want to restrict the data the help desk personnel can see. It is important to understand that Dynamic Data Masking is not encryption. The key difference is that Dynamic Data Masking obfuscates data as it is displayed to the end user. However, it does not change or encrypt the data that is stored on the disk. Dynamic Data masking is implemented when a table is built using the CREATE TABLE statement or you can add it after the fact by using the ALTER COLUMN statement. Implementing Dynamic Data Masking on a column does not prevent authorized users from performing updates to that column. Despite the fact that the end clients may see veiled information when they question the covered segment they can even now refresh, embed, and erase the information on the off chance that they have composed consents. SQL Server 2016’s Dynamic Data Masking gives a few implicit functions that you can quickly use without the need to compose any information concealing functions all alone. You can see the inherent information covering capacities in the table beneath.
Default
Full concealing as indicated by the information sorts of the assigned fields.
Conceal WITH (FUNCTION = ‘default()’) NULL
A concealing technique which uncovered the primary letter of an email address and the steady postfix “.com” as an email address. aXXX@XXXX.com.
Veiled WITH (FUNCTION = ‘email()’) NULL
Custom String
A veiling strategy which uncovered the first and last letters and includes a custom cushioning string in the center. prefix,[padding],suffix.
Covered WITH (FUNCTION = ‘partial (prefix, [padding], suffix)’) NULL.
Arbitrary
An arbitrary concealing capacity for use on any numeric sort to cover the first incentive with an irregular incentive inside a predefined extend.
Veiled WITH (FUNCTION = ‘random([start range], [end range])’.
Giving the UNMASK consent enables a client to see the information unmasked. You can see cases of utilizing the MASK and UNMASK consents in the accompanying posting.
-
Adding the UNMASK consent.
-
Give UNMASK TO User1;
-
Removing the UNMASK consent.
-
Disavow UNMASK TO User1;
There are a few considerations you need to be aware of with Dynamic Data Masking. You cannot use it with Always Encrypted columns or the FILESTREAM data type. Although the data is not masked when it is stored in the database if the client executes the SELECT INTO or INSERT INTO to duplicate information from a covered section into another table the outcomes in the objective table will be concealed. You can utilize the sys. masked_columns view to see the sections that have a veiling capacity connected to them. This DMV restores all sections and the is_masked and masking function segments show if a segment is concealed and the veiling capacity that was utilized.
Dynamic Data Masking can be combined with Always Encrypted, Row-Level security, and Transparent Data Encryption (TDE) to help create a comprehensive and layered security strategy.
-
After Data Masking
-
execute as user = ‘anyuser’
-
select * from dbo.detstudent.
4 Experimental Analysis
An analysis is made on the two methods, Stored procedure and Row-Level Security based on the execution time in eight attempts as show in Table 1.
-
Avg. execution time = 4.8 * 10−2 s for Row-Level Security
-
Avg. execution time = 6.6 * 10−2 s for Data Masking
So, it is predicted that the stored procedure takes more time for execution. Whereas Row-Level Security takes less time for execution when compared to the stored procedure method (Fig. 2).
Stored procedure versus row-level security
5 Conclusion
This paper discusses database security using Legitimate Privilege Abuse the methods for providing security to the database from assailants. In this paper, a few database dangers have been talked about. This security is possible by various cryptographic techniques. The paper discusses the cryptography in detail. An analysis made on two methods discuss that the the optimized method is Row-Level Security than Stored Procedure. So the security of the database can be provided in two levels, one is at the content level and the next is at access level. The rule destinations of database protection are to guarantee unapproved access to data, guarantee the unapproved change of data to guarantee that data continually open when required. Further usage of this venture will manage the encryption on how the secured content like watchword will be put away in the ambiguous configuration.
References
Bertino E, Sandhu R (2005) Database security-concepts, approaches, and challenges. IEEE Trans Dependable Secure Comput 2(1):2–19
Asole SS, Mundada MS (2013) A survey on securing databases from unauthorized users. Int J Sci Technol Res 2(4):228–230
Basharat I, Azam F, Muzaffar AW (2012) Database security and encryption: a survey study. Int J Comput Appl 47(12)
Rohilla S, Mittal PK (2013) Database security: threats and challenges. Int J Adv Res Comput Sci Softw Eng 3(5)
Bertino E, Jajodia S, Samarati P (1995) Database security: research and practice, Pergamon. Inf Syst 20(7):537–556
Maurer U (2004) The role of cryptography in database security. In: Proceedings of the 2004 ACM SIGMOD international conference on management of data, ACM, pp 5–10, June
Sandhu RS, Jajodia S (1993) Data and database security and controls. Handbook of Security Management
Le Grand C, Sarel D (2008) Database access, security, and auditing for PCI compliance. EDPAC: EDP Audit, Control, Secur Newsl 37(4–5):6–32
Hashmi MJ, Saxena M, Saini R (2012) Classification of DDoS attacks and their defense techniques using intrusion prevention system. Int J Comput Sci & Commun Netw 2(5):607–614
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Aravindharamanan, S., Ramasubbareddy, S., Govinda, K. (2019). Legitimate Privilege Abuse and Data Security in Database. In: Saini, H., Sayal, R., Govardhan, A., Buyya, R. (eds) Innovations in Computer Science and Engineering. Lecture Notes in Networks and Systems, vol 74. Springer, Singapore. https://doi.org/10.1007/978-981-13-7082-3_22
Download citation
DOI: https://doi.org/10.1007/978-981-13-7082-3_22
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-7081-6
Online ISBN: 978-981-13-7082-3
eBook Packages: EngineeringEngineering (R0)