BULE HORA UNIVERSITY

COLLEGE OF INFORMATICS

INFORMATION TECHNOLOGY DEPARTMENT

A Seminar Report On:

“Database Security and Access Control”

By:

Student Name ID. Number

1. Bedane Aga Ware………..WU0396/12

2. Elias Nenko Guye………..WU0412/12
3. Bareto Mechene Dugo…..WU0394/12
4. Shagitu Gobena Dube.….WU0206/12
5. Dure Bido Ware……..….WU0411/12

Bule Hora, Ethiopia

July, 2024
Table of Contents Pages
Lists of figures ..........................................................................................................................ii

Lists of Tables......................................................................................................................... iii

Abstract ................................................................................................................................ - 1 -

1. Introduction ................................................................................................................. - 2 -

2. History of the Database Security and Access Control.............................................. - 3 -

3. How the Database Security and Access Control works ........................................... - 7 -

3.1. Access Control Mechanism ..................................................................................... - 7 -

4. Research works in the area ....................................................................................... - 11 -

5. The role of the Database Security and Access Control for developing countries like
Ethiopia .............................................................................................................................. - 13 -

6. Application areas of Database Security and Access Control ................................. - 13 -

6.1. In Enterprise Information ................................................................................. - 14 -

6.2. Banking and Finance ......................................................................................... - 14 -

7. Advantages and disadvantages Database Security and Access Control ............... - 15 -

7.1. Advantages Database Security and Access Control ........................................... - 15 -

7.2. Disadvantages Database Security and Access Control ....................................... - 15 -

8. Conclusion .................................................................................................................. - 16 -

9. References................................................................................................................... - 17 -

i
 Lists of figures
Figure 1: Main control measures for database security [6]. ........................................... - 6 -
Figure 2: Control measures. ......................................................................................... - 7 -
Figure 3: Access control for complex data models [3]. .................................................. - 8 -
Figure 4: Access Control and Security Services[1] ........................................................ - 9 -
Figure 5: The area of access control for the relational data model. ............................ - 13 -

ii
 Lists of Tables
Table 1: Comparison between DAC, MAC, RBAC, and ABAC [4] ................................... - 8 -
Table 2: Summary of Database Security Measures .......................................................... - 11 -

iii
 Abstract
Database security is a growing concern evidenced by increase in number of reported
incidents of loss of or unauthorized exposure of sensitive data. Security models are the basic
theoretical tool to start with when developing a security system. These models enforce
security policies which are governing rules adopted by any organization.

Access control models are security models whose purpose is to limit the activities of
legitimate users. The main types of access control include discretionary, mandatory and role
based. All the three techniques have their drawbacks and benefits. The selection of a proper
access control model depends on the requirement and the type of attacks to which the system
is vulnerable [1]. The features of a security policy for databases as stated in paper [1] are
Access Control Policy, Inference Policy, User identification/authentication policy,
Accountability and audit policy, Consistency policy. This policy defines the state in which
the database is considered valid or correct and includes operational, semantic and physical
integrity of database. This database security encompasses three constructs confidentiality,
integrity, and availability.

Database security is the mechanisms that ensure the protection of the Database from
unauthorized users, deliberate threats, data loss, and hackers. It addresses many issues such as
legal, ethical, policy, and system-related [4]. Database security is a difficult process that any
organization should improve to run its activities easily and efficiently. Each organization that
is running successfully demand the confidentiality and the integrity of their data are protected
against unauthorized access and any malicious or accidental modification.

These authorizations are administered by following a Discretionary Access Control (DAC)

policy, Mandatory Access Control (MAC) policy, Role-Based Access Control (RBAC)
policy, or Attribute-based access control (ABAC). The inference control prevents users, when
they have access to only the statistical or summary information, from being able to infer
confidential information, which they are not authorized to read. The flow control ensures that
the information cannot be flown to reach unauthorized users[8].

-1-
 1. Introduction
Information is a critical resource in today’s enterprise, whether it is industrial, commercial,
education etc. Database systems are designed to manage large bodies of information.
Management of data involves both defining structures for storage of information and
providing mechanisms for the manipulation of information. In addition, the database system
must ensure the safety of the information stored, despite system crashes or attempts at
unauthorized access [2]. If data are to be shared among several users, the system must avoid
possible anomalous results. Today all organizations rely on database systems as the key data
management technology for a large variety of tasks, ranging from day-to-day operations to
critical decision making. Such widespread use of database systems implies that security
breaches to these systems affect not only a single user or application, but also may have
disastrous consequences on the entire organization. The recent rapid proliferation of Web-
based applications and information systems, and recent trends such as cloud computing and
outsourced data management, has further increased the exposure of database systems and,
thus, data protection is more crucial than ever [3]. Conventional perimeter-oriented defences,
like firewalls, are inadequate in today’s interconnected world and are unable to offer the fine-
grained protection required for selective and secure data sharing among multiple users and
applications. Security techniques offered by operating systems may offer some protection at
the file system level; however the protected objects are typically files and directories and
these protection units are too coarse with respect to the logical protection units, such as
records, that are required in database systems. It is also important to appreciate that data need
to be protected not only from external threats, but also from insider threats [3].

The Defence Information System Agency of US Department of defence states that database
security should provide controlled, protected access to the contents of database as well as
preserve the integrity, consistency and overall quality of the data [1]. As the researcher
discusses in the paper database security encompasses three constructs confidentiality,
integrity, and availability.

Confidentiality: Protection of data from unauthorized disclosure.

Integrity: Prevention from unauthorized data access.

Availability: Identification and recovery from hardware and software errors or malicious
activity resulting in the denial of data availability.

-2-
 2. History of the Database Security and Access Control
2.1. Threats of Database Security

A threat can be identified with a hostile agent who either accidently or intentionally gains an
unauthorized access to the protected database resource. In organizations there are so many
type of threats are recognized with can’t only increase the risk of database exposure but also
cause disastrous consequences on the entire organization. Some of these threats are described
below [4],[1]:

Excessive Privilege Abuse: When users (or applications) are granted database access
privileges that exceed the requirements of their job function, these privileges may be abused
for malicious purpose.

Legitimate Privilege Abuse: Users may also abuse legitimate database privileges for
unauthorized purposes.

Platform Vulnerabilities: Vulnerabilities in operating systems and any installed additional

services on a DB server can result in damage to the DB such as unauthorized access, denial of
service, or data corruption.

SQL Injection: In a SQL injection attack, attacker typically inserts unauthorized database
statements into a vulnerable SQL data channel.

Denial of Service: Denial of Service (DOS) is a general attack category in which access data
is denied to intended users.

Weak Authentication: Weak authentication schemes allow attackers to assume the identity
of legitimate database users by stealing or otherwise obtaining login credentials.

Weak Audit Trail: Audit trails are used to record each user activities in the DB. So, the
weakness of an audit trail poses a danger to the organization's Databases.

Backup Data Exposure: Many cases of security breaches have included the theft of hard
disks and backup tapes, because the backup DB storage media have seldom been protected
from any attack.

-3-
 2.2. Database Security Policies

Database security is the mechanisms that ensure the protection of the Database from
unauthorized users, deliberate threats, data loss, and hackers [4] To eliminate threats, it is
necessary to define proper security policy. Security policies are governing principles adopted
by organizations. They capture the security requirements of an organization, specify what
security properties the system must provide and describe steps an organization must take to
achieve security.

The following list gives features of a security policy for databases [1]:

 Access Control Policy: These policies ensure that direct access to the system objects
should proceed according to the privileges and the access rules.
 Inference Policy: These policies specify how to protect classified information from
disclosure when the information is released indirectly in the form of statistical data.
 User identification/authentication policy: This policy indicates the requirements for
correct identification of users. The user identification is the basis of every security
mechanism. A user is allowed to access data after identification as an authorized user
only.
 Accountability and audit policy: This policy provides the requirements for the
record keeping of all accesses to the database.
 Consistency policy: This policy defines the state in which the database is considered
valid or correct and includes operational, semantic and physical integrity of database.
2.3. Security and Access Control in Database

The objective of database access controls is to ensure the secrecy and integrity of data stored
in the database. As stated in paper [5] security controls to ensure the security of databases
include control elements that are not based on the computer. Here we include policies,
agreements and other administrative control elements different than the ones who sustain
control elements based on the computer. Secrecy requires that the data be protected from
unauthorized disclosure through direct retrievals, browsing, inference and leakage.

Integrity or authenticity requires that the data be protected from unauthorized modification
through updates, insertions, and deletions.

-4-
To manage a database system, database administrators have to take actions including account
creation, privilege granting, privilege revocation, and security level assignment to control a
group of users who need to access DBMS with certain privileges [6] . If some privileges
previously have been given to specific accounts, the database administrators could be able to
revoke or cancel certain privileges. For every user account, it needs to be assigned to the
appropriate security clearance level in accordance with the policy of the organization. The
main purpose of granting certain privileges, revoking privileges, and assigning security level,
is to control discretionary database authorization and to control mandatory authorization [7].

There are some of external threats from hackers and internal threats from employees or end
users who get unauthorized access to sensitive data with malicious intent or compromised
credentials. Secondly, severe financial and reputational consequences for organizations may
result from data breaches which make unauthorized disclosure of sensitive information
including personal data, financial records, and intellectual property and DBAs may not ensure
protected databases. The third reason of insider threats risks is from partners, employees, and
contractors who may get affected by intentional or unintentional actions that compromise
data security, such as negligence, data theft, or sabotage when they have legitimately
accessed to database. Weaken authentication and authorization mechanisms have affected on
control access to the database which some users have inappropriate permission to perform
their tasks. Both of inadequate authentication and authorization could contribute to data
breaches and unauthorized access [6].

To protect sensitive data, DBAs should run strong encryption process in case of unauthorized
access, but they have come across challenges in weak encryption algorithms and improper
key management in transit and at the rest periods [5]. For database administrators, they are
mainly responsible for enforcing security policies of a firm, which means whether end users
or categories of users should be permitted to access to certain database attribute. Therefore,
we should carefully think of some vital factors for making the correct decision of whether it
is safe to reveal the data [6]. To update a field, data may temporarily not be available to users,
as users should not review inaccurate data.

-5-
 Figure 1: Main control measures for database security [6].

Access controls are modelled in terms of subjects (users), data objects, and access rights,
where a subject is permitted access to an object in accordance with the authorized access
rights. The access rights can be simple database operations such as retrieve, insert, etc., or
they can be more complex and include predicates over the database or execution of access
functions. The authorization information can be implemented using authorization lists, which
are lists of users permitted access to a given object, capability lists, which are lists of objects
permitted to a given user, or general rules, which apply to all users and objects [2].

2.4. Database Security Measures

Database security is the mechanisms that ensure the protection of the Database from
unauthorized users, deliberate threats, data loss, and hackers. It addresses many issues such as
legal, ethical, policy, and system-related [4]. Database security is a difficult process that any
organization should improve to run its activities easily and efficiently. Each organization that
is running successfully demand the confidentiality and the integrity of their data are protected
against unauthorized access and any malicious or accidental modification.

The protection of data is accomplished with different aspects of a database management

system (DBMS). DBMS is the group of applications which manages the data presented in the
Database and helps to organize data for better performance. In all DBMSs to reduce the
threats, they provide some kinds of security techniques designed for these purposes. There
are many security measures that have been created for protecting the Databases. The four
main control measures that are implemented to protect Databases from threats are the
following; the first one is he access control, the second is inference control, the third is flow
control and finally, data encryption.

-6-
These authorizations are administered by following a Discretionary Access Control (DAC)
policy, Mandatory Access Control (MAC) policy, Role-Based Access Control (RBAC)
policy, or Attribute-based access control (ABAC). The inference control prevents users, when
they have access to only the statistical or summary information, from being able to infer
confidential information, which they are not authorized to read. The flow control ensures that
the information cannot be flown to reach unauthorized users[8].

Figure 2: Control measures.

3. How the Database Security and Access Control works

3.1. Access Control Mechanism

As we discuss in introductory part of the paper database security involves a range of

principles, measures, and techniques aimed at protecting the integrity, confidentiality, and
availability of data stored in databases. As stated in paper [9] to establish effective security
measures, it is crucial to comprehend the fundamental concepts and terminology associated
with database security. Authentication verifies the identity of users, ensuring that only
authorized individuals can access the database. Common authentication methods include
passwords, biometrics, tokens, and multi-factor authentication. Access control is another
critical aspect, governing user permissions and privileges within the system. Access control
mechanisms like discretionary access control (DAC), mandatory access control (MAC), and

-7-
role-based access control (RBAC) restrict users to appropriate levels of data access based on
their assigned roles [2].

Figure 3: Access control for complex data models [3].

Mechanisms for controlling and enforcing allowed access to system resources are important
to any robust security architecture. These safeguards make sure that only verified users can
access private data and carry out allowed operations.

Table 1: Comparison between DAC, MAC, RBAC, and ABAC [4]

-8-
Role-based access control (RBAC) is a method of controlling user permissions that is widely
used. Permissions in RBAC are doled out in accordance with predetermined roles that
correspond to particular tasks or duties. Each user has a certain set of privileges based on the
role they have been given. By allowing administrators to grant permissions to roles rather
than individual users, RBAC streamlines the permissions assignment process and ensures that
all users have the same level of access. The goal of attribute-based access control (ABAC) is
to define access based on a set of attributes connected to persons, objects, and the
surrounding environment. ABAC is a method for making access control decisions based on a
number of factors, including human attributes (such as job title, department), object attributes
(such as sensitivity level, classification), and environmental attributes (such as time,
location). ABAC allows for granular control of access, enabling companies to set nuanced
policies depending on a variety of circumstances.

Figure 4: Access Control and Security Services[1]

Encryption plays a vital role in safeguarding sensitive data within databases. It involves
transforming data into an unintelligible form using techniques like the Advanced Encryption
Standard (AES) or RSA. Only those with the appropriate decryption key can convert the
encrypted data back into its original form. Encryption secures data both when stored in the
database (at rest) and during transmission over a network (in transit).

Auditing and logging are integral to database security. Auditing involves capturing and
recording various activities within the database system, such as user actions, system events,
and security incidents. Audit logs provide a trail of evidence for monitoring, investigating,
and identifying security breaches or suspicious activities. Intrusion Detection and Prevention
Systems (IDS/IPS) monitor and analyze network traffic or database activities to detect and

-9-
prevent unauthorized access, intrusions, or malicious behaviour. These systems employ
predefined rules, behavioural analysis, or machine learning algorithms to identify potential
threats and generate alerts [4]. Data masking is a method for concealing sensitive data within
a database by substituting it with plausible but fictitious data. This ensures that the data can
continue to be utilized in non-production environments while maintaining its confidentiality.

There are two techniques that are used to achieve confidentiality. These are access control
policies and encryption techniques [4]. Because the confidentiality can be high assurance by
using both, access control and encryption techniques, and they are widely discussed in many
articles on Database security, and also widely used in many DBMSs such as Oracle.

Security evaluation entails evaluating the efficacy of existing security measures and
identifying vulnerabilities or defects within the database system. Typically, penetration
testing, vulnerability scanning, and security investigations are used to evaluate the database's
security posture. Preventing privilege escalation, classifying data based on its sensitivity or
criticality, implementing data loss prevention (DLP) mechanisms to prevent unauthorized
disclosure or leakage of sensitive data, and complying with various regulatory frameworks
governing database security are additional important concepts in database security.
Understanding these concepts and terms thoroughly is essential for implementing robust
database security measures and protecting sensitive data from illegal access, manipulation, or
disclosure. Database security mechanisms, including authentication, access control,
encryption, auditing, monitoring, intrusion detection, and privacy-enhancing approaches, are
summarized in the following table.

- 10 -
 Table 2: Summary of Database Security Measures

4. Research works in the area

Many researchers do so many researches on database security and access control
mechanisms. From the stated paper the researcher [10][8] discusses on how to prevent the
execution of database access by using GRANT and REVOKE privileges of the database
system user. The researcher uses the mechanisms like:

Mandatory Database Access Control: Research on mandatory database access control has
historically focused on Multi-Level Security (MLS), where both the data and the users are
associated with security levels, which are compared to control data access. The researcher
extends the SQL discretionary access control model with additional mandatory checks to
provide database integrity and data confidentiality. The researcher tries to compare the work
with the access control policies and semantics used by MLS systems. With respect to
policies, the researcher judges that he uses the SQL access control model, where policies are
sets of GRANT statements. In this model, users can dynamically modify policies by
delegating permissions where as in MLS policies are usually expressed by labelling each
subject and object in the system with labels from a security lattice as stated in paper.

- 11 -
With respect to semantics, existing MLS solutions are based on the so called Truman model
where they transparently modify the commands issued by the users to restrict the access to
only the authorized data while the researcher use the same semantics as SQL, that is execute
only the secure commands in his paper which is called the Non-Truman model.

Operationally, MLS mechanisms use poly-instantiation, which is neither supported by the

relational model nor by the SQL standard, and requires adhoc extensions. Furthermore, the
operational semantics of MLS systems differs from the standard relational semantics. But in
the paper discussed by the researcher operational semantics supports the relational model and
is directly inspired by SQL that differences influence how security properties are expressed.
Data confidentiality, which relies on a precise characterization of security based on a possible
worlds semantics, is a key component of the Non-Truman model (and SQL) access control
semantics. Similarly, database integrity requires that any “write” operation is authorized
according to the policy and is directly inspired by the SQL access control semantics. The
security properties in MLS systems while the researcher combine the multilevel relational
semantics with MLS and BIBA properties.

The researcher [3] focuses on the Oracle Virtual Private Database mechanism which is an
interesting approach to context-based access control and the access control mechanism of
SQL Server which has many interesting capabilities, such as the support for roles and
negative authorizations. The researcher cover approaches to fine-grained access control.
These approaches allow one to associate access permissions with fine-grained elements
within a relation, such as a single tuple or even a single cell as shown below.

- 12 -
 Figure 5: The area of access control for the relational data model.

5. The role of the Database Security and Access Control for

developing countries like Ethiopia
Database security and access control have so many roles in developing countries like
Ethiopia in such a way that:

 Securing human resource data from external an authorized access.

 Manage their resources in proper way and making available resources free from hacker.
 To make information security policy strengthens the security and well-being of
information resources.

6. Application areas of Database Security and Access Control

Database security and access control are needed to be applied in so many different sectors
such as:

 Banking
 Airlines
 Universities
 Manufacturing and selling
 Human resources

- 13 -
 6.1. In Enterprise Information
 Sales: For customer, product, and purchase information control and to make it only
accessible by authorized person database security and access control are applicable..
 Accounting: In the process of payments, receipts, account balances, assets and other
accounting information applying database security is an important.
 Human resources: To make information about employees, salaries, payroll taxes,
and benefits and for generation of paychecks secure database security and access
control play significant role.
 Manufacturing: In controlling management of the supply chain and for tracking
production of items in factories, inventories of items in warehouses and stores, and
orders for items database security and access control has vital significance.
 Online retailers: For sales data noted above plus online order tracking, generation of
recommendation lists, and maintenance of online product evaluations database
security and access control has an important role.
6.2. Banking and Finance
 Banking: To secure customer information, accounts, loans, and banking transactions
database security and access control plays significant role.
 Credit card transactions: For purchases on credit cards and generation of monthly
statements database security and access control in an important.
 Finance: For storing information about holdings, sales, and purchases of financial
instruments such as stocks and bonds; also for storing real-time market data to enable
online trading by customers and automated trading by the firm safe from an
authorized access database security and access control is applicable.
 Universities: In University database security and access control system makes student
information, course registrations, and grades (in addition to standard enterprise
information such as human resources and accounting) secured.
 Airlines: Also database security and access control play important role in reservations
and schedule information in airlines reservations
 Telecommunication: In keeping records of calls made, generating monthly bills,
maintaining balances on prepaid calling cards, and storing information about the
communication networks securely database security and access control have
significant role.

- 14 -
 7. Advantages and disadvantages Database Security and
Access Control
7.1. Advantages Database Security and Access Control

Database security and access control have so many advantages hence:

 It used to protect many of confidential or sensitive information such as credit card

numbers, medical records, and student records of organizations from unauthorized
users.
 It used to maintain data confidentiality by inspecting the users' rights against a set of
authorizations.
 The inference control prevents users, when they have access to only the statistical or
summary information, from being able to infer confidential information, which they
are not authorized to read.
 It also used to keep the data integrity, availability and confidentiality of an
organization.
 It also encrypting sensitive data using a cipher will transform it into unreadable form
to other users except the one who has the key to decrypt the data.
 The flow control ensures that the information cannot be flown to reach unauthorized
users.
 It offers dynamic capabilities higher efficiency, flexibility, scalability and security.
 It allows the owners of data or administrators to accept or reject user requests without
further specific information about the user and for a numerous number of users that
might request access to the data.
 It leads to a more dynamic access control management capability and limits long-term
maintenance requirements of data protections.
7.2. Disadvantages Database Security and Access Control

Even if the database security and access control have many advantages it may have the
following disadvantages:

 Apply the database security and access control is very complex due to the specification
and maintenance of the policies.
 Appling different database security and access control is also complex and time-
consuming hence it uses different algorithm.

- 15 -
  The problem of key distribution in symmetric encryption between two parties must
agree to use the same secret key before they start encrypting and decrypting data.
 Because of its complexity and functionality, applying database security and access
control uses large amount of memory. It also needs large memory to run efficiently.
 Database security and access control is written work on the entire systems rather
specific one. Hence some of the application will run slow.

8. Conclusion
Database security and access control is the mechanisms that ensure the protection of the
Database from unauthorized users, deliberate threats, data loss, and hackers. It addresses
many issues such as legal, ethical, policy, and system-related. These techniques can be
applied in order to make data and information owned by an organization free from hacked by
an authorized access. In order to achieve this goals different algorithm and mechanisms can
be discussed in different paper and they registered obvious results. Those securing
information by an organization has vital role to for an organization manage its human
resource, data, and resources and so on.

- 16 -
 9. References
[1] I. Kashyap, “Database Security & Access Control Models: A Brief Overview,” vol. 2,
no. 5, pp. 743–751, 2013.

[2] B. T. Ii, Y. Ii, and R. Sem, “DATABASE MANAGEMENT SYSTEMS LECTURE

NOTES COMPUTER SCIENCE AND ENGINEERING MALLA REDDY
COLLEGE OF ENGINEERING &,” vol. 2, 2018.

[3] E. Bertino, “for Databases : Concepts and Systems Access Control for Databases :
Concepts and Systems.”

[4] E. F. Khalaf and M. M. Kadi, “A Survey of Access Control and Data Encryption for
Database Security,” vol. 28, no. 1, pp. 19–30, 2017, doi: 10.4197/Eng.

[5] S. Analysis, “Software Analysis DATABASE SECURITY - ATTACKS AND

CONTROL METHODS,” pp. 449–454.

[6] X. Pan, A. Obahiaghon, B. Makar, S. Wilson, and C. Beard, “Analysis of Database

Security,” vol. 11, pp. 1–19, 2024, doi: 10.4236/oalib.1111366.

[7] E. T. Mihret, “Advanced Database Systems Estifanos T . ( MSc in Computer

Networking ),” no. July, 2021, doi: 10.13140/RG.2.2.34607.46240.

[8] D. E. Denning, “Database Security 1 Access Controls,” pp. 1–3.

[9] A. Authentication and A. Control, “A Comprehensive Review of Security Measures in

Database Systems : A Comprehensive Review of Security Measures in Database
Systems : Assessing Authentication , Access Control , and Beyond,” no. August, 2023,
doi: 10.58496/MJCSC/2023/016.

[10] M. Guarnieri, “Strong and Provably Secure Database Access Control.”

- 17 -