In the modern world, many small and big organizations have embraced the use of computers, and this has created concern over the safety and security of the data they store in the database (DB). Acharya, Jethava & Patel (2013) note that database security entails the processes and procedures put in place to protect a database from unauthorized or unintended activities. These activities could be malicious attacks, misuse or mistakes by authorized people. Accordingly, the main objective of any database security effort is to provide a security system that protects the data kept in the database. The importance placed on the security of databases, and the fact that these databases are constantly attacked by hackers, malicious people or unauthorized personnel, forms the philosophical backbone of this report: it justifies investigating the subject further in order to come up with better suggestions to boost database security, in consideration of the dynamic nature of the modern computer environment, where hackers keep becoming more sophisticated in their attempts. The paper aims to recommend to organizations how to safeguard their databases and to show the importance of ensuring DB security at all times. Moreover, given the dynamic nature of the computer environment, research in the DB security subject matter must be taken as a continuing endeavour that needs updating from time to time.
As mentioned by Basharat, Azam & Muzaffar (2012), data is one of the most valuable assets that an organization needs to protect. Today, nearly all businesses and organizations have automated their systems and maintain a database that contains critical information. Therefore, Basharat, Azam & Muzaffar (2012) underscore that database security is an important aspect that concerns many organizations. Accordingly, database security entails protecting the information stored in the repository, ensuring that it is neither accessed by unauthorized people nor destroyed. More so, database security requires assigning access levels to people, so that some are allowed while others are prohibited from accessing the database. Indeed, for an organization to remain successful, it has to maintain the confidentiality of its database by limiting access and ensuring that data is protected from accidental or malicious damage. There are four properties of database security (see Figure 1) that must be observed when addressing the issue of database security.
Figure 1: Properties of data security (source: Basharat, Azam & Muzaffar, 2012, p. 28)
Information systems are used for various activities, including helping in production design, control of warehouses, improvement of clerical productivity and control of vital processes. Since the information needed to perform these activities is stored as data in companies' databases, companies regard database security as a vital and integral component of their database setup. Therefore, when designing database security, it is important to consider the properties needed to ensure the desired security (Basharat, Azam & Muzaffar, 2012). Without establishing and guaranteeing database security, it would be extremely difficult for an organization to guarantee the continuity and reliability of its data and of the programs that relate to or use that data.
Ensuring system security goes along with protecting the database from intrusions, unauthorized modifications, theft of data and disclosure. Several issues relate to database security. Among these are the establishment of an organization's security strategy and plan, protection of system files and user credentials such as passwords, controlling access, establishing privileges and user profiles, instituting appropriate user roles, and ensuring appropriate backup and recovery policies. A database can be understood as a collection of physical files together with the database management system software that is responsible for manipulating the stored data.
In recent years, there has been widespread use of centralized as well as distributed databases, and this has shown the great importance of databases in supporting business functions. However, it has brought with it the dire concern and challenge of data security. Quite often there is news of breached computer systems where the perpetrators are disgruntled employees, curiosity-driven teenagers or even corporate spies. These breaches occur even in systems that are traditionally viewed as, or expected to be, invulnerable to external intrusion, such as bank accounting databases, government databases, and sensitive computer systems such as those that store yet-to-be-concluded research plans. It is not uncommon to hear that they have been breached by hackers.
Different database architectures may call for different security approaches. The DB manager retrieves data from the DB into the system work area using retrieval instructions, moves data from the work area into the DB using insert functions, modifies data in the DB using update functions, or removes data from the DB using delete functions. By consulting the authorization tables, the DB manager verifies the clients' or programs' permissions to access the data (Mullins, 2013). Authorized requests are passed on to the file manager. The DB manager is also in charge of concurrent access management; that is, it controls simultaneous access requests on the data by programs. Regardless of the database architecture, the common risks that face these systems are shown in Figure 2 below.
Figure 2: Database security risks (source: Basharat, Azam & Muzaffar, 2012, p. 28)
While various database architectures require different security approaches, there are fundamental aspects that are universal to all DB architectures, and these include the following:
- They all entail instituting a well-defined DB security policy and plan;
- In all cases, DB security encompasses protection of system records and users' passwords;
- There must be protection of DB objects from unauthorized access;
- There must be proper definition of client roles, user privileges, views and profiles;
- Appropriate backup and recovery strategies must be developed.
It is important to understand that even though a database can be defined as a collection of mutually interrelated data stored on persistent storage, the security of the database considers aspects beyond the physical ones, including processes and process objects and memory, alongside the physical architecture.
According to Almutairi & Alruwaili (2012), database security considerations begin from the level of the software tasked with the data manipulation to ensure the reliability of the system to perform the functions it is meant to perform. Within a database’s architecture, there is the software system (DBMS – the Database Management System), which comprises a set of data management functions. There are three structural levels that DBMS has to manage properly for the security of the DB to be guaranteed. The DBMS has to properly manage the conceptual level of the structure, the internal level and then the system’s external level.
Data management functions through which large quantities of data are accessed or retrieved efficiently include schema management, logging, simultaneous transaction management, database recovery and data access controls (Mullins, 2013). Through these functions, the usefulness of the database and its relationship with application management are defined. There are different DBMS conceptual models, and understanding them is vital to understanding the security of the database. Among the most prevalent DBMS conceptual models is the Entity-Relationship model. Within the Entity-Relationship model, an entity is defined by a group of real-world objects that need to be depicted in the database, and a relationship models the associations between the entities within the database management system. The logical model provides a description of the data as well as the relationships existing between data in the DBMS.
At the logical design phase of the DB, the abstract entities and their associations are translated into a logical schema, also described as a data schema. The data schema describes the data and its relationships in line with the logical model. The logical model may take the form of a network model, a relational model or a hierarchical model, all of which are managed by database management system technology. The languages available in a DBMS include the Data Definition Language (DDL), the Query Language (QL) and the Data Manipulation Language (DML). DDL is the Structured Query Language (SQL) construct employed when defining data within the database; it provides support for the description of the logical database schema (Mullins, 2013). DML, on the other hand, is the SQL construct employed in the manipulation of the data in the database. DML and QL support the operations on data, which comprise data retrieval, insertion, deletion and update.
The levels of data description for a DBMS comprise the conceptual level, the internal level and the external level. These data description levels become very significant when considering database security. The conceptual level, also known as the logical database, sits between the other two levels. It comprises the abstract representation of the database, which is independent of the physical implementation.
The internal level is also known as the physical database, or at times the internal database. It is in actual fact the realization of the logical database. The internal level of the database comprises physical files. This level of data description is concerned with data types, the lengths of the data, file formats, storage structures and access methods. According to Almutairi and Alruwaili (2012), the internal level or physical database embodies the database as it is actually stored and retrieved during access. The third level of data description is the external level, also called the external database. This level deals with the views generated from the logical database by database clients or users. Each view encompasses certain entities and features of the logical database. At this level, one important security issue, according to Gaikwad and Raut (2014), is the logical independence of data in addition to the physical independence of data. These two aspects are essentially supported by the three levels mentioned. Logical and physical data independence are important for the security of the database because they ensure that application programs operating on the logical schema, and those operating on the physical structures, are not affected when changes are made to the logical schema or to the physical data respectively. In particular, the physical structures used to store the data can be modified without affecting the configuration of the logical data schema.
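The three levels above, and the access control the paper later recommends, can be expressed directly in SQL DDL. The following is an added example, not code from the paper or any of its cited sources; the schema, table, column and role names (hr, employee, directory_app, payroll_clerk) are assumed for illustration and the syntax is PostgreSQL's.

```sql
-- Added example (not from the paper): the conceptual level is the base table,
-- the external level is a view per user group, and the authorization tables the
-- DB manager consults are populated with GRANT statements. All names are assumed.

-- Conceptual level: the logical schema, defined with DDL.
CREATE SCHEMA hr;
CREATE TABLE hr.employee (
    emp_id      INTEGER        PRIMARY KEY,
    full_name   TEXT           NOT NULL,
    department  TEXT           NOT NULL,
    salary      NUMERIC(12, 2) NOT NULL,
    national_id TEXT           NOT NULL   -- sensitive; must not reach ordinary users
);

-- External level: a view exposing only the attributes a staff-directory
-- application needs. Salary and national_id are simply absent from this view.
CREATE VIEW hr.employee_directory AS
    SELECT emp_id, full_name, department
    FROM hr.employee;

-- Access control: privileges go to roles, not to individual users, and the
-- application role is never granted the base table itself.
REVOKE ALL ON SCHEMA hr FROM PUBLIC;
CREATE ROLE directory_app NOLOGIN;
GRANT USAGE ON SCHEMA hr TO directory_app;
GRANT SELECT ON hr.employee_directory TO directory_app;

-- A payroll role receives DML on the base table, restricted to one column for
-- updates, and no DDL at all.
CREATE ROLE payroll_clerk NOLOGIN;
GRANT USAGE ON SCHEMA hr TO payroll_clerk;
GRANT SELECT, UPDATE (salary) ON hr.employee TO payroll_clerk;

-- Logical data independence: extending the base table does not change what the
-- external view exposes, so the directory application is unaffected.
ALTER TABLE hr.employee ADD COLUMN hire_date DATE;

-- Check what each role can actually reach; directory_app should list only the view.
SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee IN ('directory_app', 'payroll_clerk')
ORDER BY grantee, table_name;
```

Running a SELECT on hr.employee while connected as a member of directory_app is rejected with a permission-denied error, which is the behaviour the view-based external level is meant to enforce.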
A model of the database is the most significant component of the design of a database management system. Existing literature provides several data models that have been proposed and which can be used as database models. These include the hierarchical model, relational model, entity-relationship model and network model, among many others. The relational model is the most commonly used database model (Gaikwad & Raut, 2014). It is very popular because it provides greater independence from the physical data structures and is flexible, allowing an array of functions and queries that are not tied to the underlying physical features.
The study by Gaikwad and Raut (2014) addresses various aspects of data security. The level of safety of databases can be enhanced through the use of effective management systems that protect the content and ensure that it is only accessed by individuals who have been authorized. The authors point out that it is more challenging to enhance the safety of a database than that of conventional computer systems, since the former is relatively new. Also, the high value of the data increases the vulnerability of databases. The study by Gaikwad and Raut (2014) was built on a review of articles published by other scholars, an approach that allowed them to capture the perspectives of different scholars and the trends in the area of database security.
Within database environments, the various users of a company or corporate body work on a single integrated set of data through the DBMS for their various applications. This shared data may also be referenced by different programs. According to Almutairi and Alruwaili (2012), this resolves problems such as duplication, data inconsistency, and dependence between the programs and the data structures. However, security threats and breaches are increasingly a matter of concern to any such organization, whether big or small.
Gonzalez, Miers, Redigolo, Simplicio, Carvalho, Naslund, and Pourzandi (2012) point out the security vulnerability that faces databases with the increasing popularity of cloud computing. Gonzalez et al. (2012) noted that cloud computing technology has made it possible to share infrastructure, which has gone a long way in helping companies save money. However, this has also brought about the challenge of securing databases that are accessed by many users, some of whom may not have good intentions. For example, companies can share data stored in one cloud instead of buying their own assets, and this can easily lead to intrusion as a result of corporate spying. Moreover, this technology makes the process of securing shared databases more complicated. The findings of Gonzalez et al. (2012) point to the sheer security challenge brought by cloud technology, which has in turn limited the capacity of organizations to take control over their data.
In their study, Malik and Patel (2016) aimed at investigating and addressing the issue of database attacks by hackers and the key strategies that can be used to prevent them. The authors argued that databases have gained significance in the contemporary world, where businesses need technology in almost every aspect of their operations. Technology experts have different definitions of the concept of database security. However, Malik and Patel (2016) underscore that businesses presently require databases to keep their data, since this offers speed and is cheap. But for these databases to succeed, businesses have to ensure that they are protected. According to them, the most effective strategies are data encryption and access control, which can be used to secure databases effectively (Malik and Patel, 2016).
Mullins (2013) looks at various aspects of database development as well as its management. According to Mullins (ibid.), the process of ensuring the safety of the database starts with the possession of the necessary skills. This ensures that the structure or architecture of the database makes it difficult for unauthorized persons to access it. This point of view is also supported by Soni (2015), who adds that the organization should continue monitoring the usage of the database after its development. This can help the organization discover when its content is accessed by individuals who are not authorized. The main idea here is that the security of the system must be taken seriously from the design and development phase and must continue during its usage by ensuring that it is monitored effectively.
Furthermore, Soni (2015) demonstrates the vulnerability that arises when useful information is exposed to hackers. Organizations store sensitive data in their databases. Unfortunately, the sensitivity of this data increases the level of vulnerability. This creates the need to adopt the security measures that can help organizations minimize the risk of malicious attack. The study was accomplished using a literature review approach, which limited the capacity of the author to control the quality of data. According to Soni (2015), it is important that system administrators and organizations understand the different types of threats they may face, so that they are appropriately prepared to prevent them before developing databases.
An article by the Reserve Bank of India (2016) on the cyber security framework in banks is very resourceful in understanding the type of threats that banks face and how to mitigate them. Accordingly, banks must be concerned about losing crucial data to cyber criminals. It recommends that continuous surveillance, the development of a conducive IT architecture, and policies approved by the highest authority in an organization be among the key components of any framework developed to secure the database. The Reserve Bank is a credible institution, which means that the content of the article is reliable. It will be used to show that the development of a comprehensive framework in the industry can secure databases.
Security problems in databases encompass violations, and violations of database security consist of inappropriate accesses, alterations or deletions of data. The breaches can be classified into three distinct categories. The first category of DB security breach is the improper release of information, which is generally the result of deliberate or accidental access to information by inappropriate users. For instance, unauthorized information may be inferred from the approved observation of other data. The second category of DB security breach is the inappropriate alteration of data. This breach involves all infringements of data integrity through inappropriate data handling or alteration. The manipulated data may or may not be read, so inappropriate alteration does not necessarily involve unauthorized reading. The third category of breach is denial of service. This entails actions that may render users unable to access the database or unable to use its resources. Security breaches can also be categorized according to how they happen, and such violations can be grouped as non-fraudulent (accidental) breaches and fraudulent (intentional) threats.
Non-fraudulent or accidental breaches are damage originating from accidents. Their sources include natural disasters, such as earthquakes and water damage, which can damage the corporate body's system hardware and the data of the DB. Another source is errors or bugs within the system's hardware or software. These bugs may lead to unpermitted access, perusal or alteration of data; they may also deny access to approved users. This type of security breach may lead to serious issues that waste a lot of time and resources, and it may introduce weaknesses in the system that hostile agents can take advantage of. Human errors are also a cause of breaches in the DB. These fall under unintentional violations, and they can lead to an incorrect understanding of programs or applications within the system and hence to the erroneous application of security policies.
Fraudulent or intentional breaches, by contrast, are the result of explicit and deliberate fraudulent action. In this case, the violation of DB security can come from either of two categories: hostile external agents, or authorized users abusing their right of access to the DB. Hostile agents may break into the system and damage the software or threaten the security of the system's hardware. This can be achieved through the use of computer viruses, trapdoors or Trojan Horses.
Protecting a system or database from likely security breaches implies protecting the resources and the stored data from unintentional or intentional unauthorized access and alteration. The objective for every database is to make it accessible and functional to every user who needs the stored information. Conversely, an organization must make sure that this same important data is not exposed to individuals who are not permitted to see it, and that it is not damaged by hostile parties. A proper balance between these concerns must be found; if it is not, some of the users who could benefit from the information may be unable to access it. Although the security concerns for a database (integrity, access control, authorization, privacy and confidentiality) are similar to those of any other information system, database systems have some unique and demanding issues (Basharat, Azam & Muzaffar, 2012).
According to Acharya, Jethava and Patel (2013), database security is essential regardless of whether the organization in question is small, medium-sized or large. For instance, the authors reiterate that database protection on a campus depends greatly on controlling access, a key strategy that institutions can use to minimize the risk of losing crucial data from their databases. The study by Acharya et al. (ibid.) indicated that the security level can be enhanced by developing adequate policies, authentication mechanisms and network firewalls. Even though the findings of a case study cannot be generalized, the findings of that study provide a good reference point for organizations such as universities. They further support the argument that securing databases requires a combination of effective strategies. The findings of Gaikwad and Raut (2014) also support this position: the safety and security of a database can be enhanced through a combination of strategies, including authentication, elimination of spurious data, and access control.
According to Almutairi and Alruwaili (2012), database administrators must consider several issues when addressing database security, including threats and security maintenance processes. According to their findings (Almutairi & Alruwaili, 2012), the great milestones made in the information technology sector have helped companies operating in contemporary business environments to integrate their functions, but these have also come with an equal measure of challenges. The authors point out that, the size of the company or organization notwithstanding, modern companies are at a higher risk of data loss than before, given that information stored in databases is more vulnerable to unauthorized access than traditional hard copies. Regarding the approaches that can help organizations, the study found that integrity principles should be observed to maximize the security of databases.
Basharat et al. (2012) took a different approach to the issue of database security and investigated the effectiveness of encryption in enhancing the safety of databases. Their study found that encryption is an effective tool that organizations operating in the contemporary world use to secure their databases. These organizations can encrypt their databases by converting the stored content into coded form, which minimizes the chances of access by unauthorized persons. The authors used a survey to accomplish the purpose of their research.
Databases within the banking sector in particular need a great deal of security, as pointed out by Choubey and Choubey (2013). According to their findings, Choubey and Choubey (2013) established that system administrators within the banking sector could enhance the level of security of their databases by standardizing client credentials. Banks create large databases to store customer information, which makes them attractive to cyber criminals who would like to use the data for their own benefit. The two authors relied on a qualitative design to accomplish the objective of their research. This design is preferred because it enables researchers to conduct an in-depth investigation of the underlying problem. Their study supports this paper's position that focusing on the behaviour and vulnerability of end-users can make databases more secure.
This paper has investigated the issue of database security in various dimensions. It has established that protecting a system from likely security breaches calls for protection of the resources and the stored data from unintentional or intentional unauthorized access and alteration. Further, regarding the susceptibility of the database to security breaches, the study established that the database is vulnerable from its development through to its operation, which makes securing the database a continuous exercise. It is important to protect and guarantee the authenticity and continuity of database functionality by protecting its integrity and ensuring access control, authorization, privacy and confidentiality, while recognizing that database systems have some unique and demanding issues. Security of databases is best achieved through a combination of approaches: the use of authentication, elimination of spurious data and access control; focusing on the behaviour and vulnerability of end-users to make the databases more secure; and data encryption, which converts the stored content into coded form and minimizes the chances of access by unauthorized persons.
Acharya, V., Jethava, S. & Patel, A. (2013). Case study of database security in campus ERP system. International Journal of Computer Application, 79 (15), 1-4. Retrieved from http://research.ijcaonline.org/volume79/number15/pxc3891546.pdf
Almutairi, A. & Alruwaili, A. (2012). Security in database systems. Global Journal of Computer Science and Technology Network, Web, and Security, 12 (17), 1-7. Retrieved from https://globaljournals.org/GJCST_Volume12/3-Security-in-Database-Systems.pdf
Basharat, I., Azam, F. & Muzaffar, A. (2012). Database security and encryption: A survey study. International Journal of Computer Applications, 47 (12), 28-34. Retrieved from http://research.ijcaonline.org/volume47/number12/pxc3880218.pdf
Choubey, J. & Choubey, B. (2013). Secure user authentication in the internet banking: A qualitative survey. International Journal of Innovation, Management, and Technology, 4 (2), 198-203. Retrieved from http://www.ijimt.org/papers/391-D0493.pdf
Gaikwad, R. & Raut, A. (2014). A review on database security. International Journal of Science and Research, 3 (4), 372-374. Retrieved from https://www.ijsr.net/archive/v3i4/MDIwMTMxMjc3.pdf
Gonzalez, N., Miers, C., Redigolo, F., Simplicio, M., Carvalho, T., Naslund, M. & Pourzandi, M. (2012). A quantitative analysis of current security concerns and solutions for cloud computing. Journal of Cloud Computing, 1 (11), 1-11. Retrieved from https://journalofcloudcomputing.springeropen.com/articles/10.1186/2192-113X-1-11
Malik, M. & Patel, T. (2016). Database security: Attacks and control methods. International Journal of Information Sciences and Techniques, 6 (1), 175-183. Retrieved from http://aircconline.com/ijist/V6N2/6216ijist18.pdf
Mullins, S. (2013). Database administration: The complete guide to DBA practices and procedures (2nd ed.). Upper Saddle River, NJ: Addison-Wesley.
Reserve Bank of India (2016). Cyber security framework in banks. Mumbai: Reserve Bank of India. Retrieved from https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NT41893F697BC1D57443BB76AFC7AB56272EB.PDF
Soni, D. (2015). Database security: Threats and security techniques. International Journal of Advanced Research in Computer Science and Software Engineering, 5 (5), 621-625. Retrieved from https://www.ijarcsse.com/docs/papers/Volume_5/5_May2015/V5I4-0780.pdf