
Data and Applications Security: Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #5: Access Control in Data Management Systems
September 10, 2008

Outline
- Discretionary Access Control in Relational Databases
- Mandatory Access Control in Relational Databases
- Security Constraints
- Types of Access Control
  - Inference problem
  - Role-based
  - Temporal
  - Usage
- Access Control in Other Databases
  - Objects, Federated
- Current Trends in Access Control
  - Data Warehousing, Semantic Web, Privacy Control
- Next Steps in Access Control

Access Control in Relational Databases: 1975 - Present
- Access control policies were developed initially for file systems
  - E.g., read/write policies for files
- Access control in databases started with the work in the System R and Ingres projects
  - Access control rules were defined for databases, relations, tuples, attributes and elements
  - The SQL and QUEL languages were extended
    - GRANT and REVOKE statements
    - Read access on EMP to User group A Where EMP Salary 30K and EMP Dept Security
- Query Modification
  - Modify the query according to the access control rules
  - Retrieve all employee information where salary 30K and Dept is not Security

Query Modification Algorithm
- Inputs: Query, Access Control Rules
- Output: Modified Query
- Algorithm:
  - Given a query Q, examine all the access control rules relevant to the query
  - Introduce a Where clause to the query that negates access to the relevant attributes in the access control rules
  - Example: the rules are "John does not have access to Salary in EMP and Budget in DEPT"
  - The query is to join the EMP and DEPT relations on Dept
  - Modify the query to: join EMP and DEPT on Dept and project on all attributes except Salary and Budget
  - The output is the resulting query

Mandatory Access Control (MAC) in Databases: 1982 - Present
- Bell and LaPadula policy adapted for databases
  - Read at or above your level and write at your level
  - Granularity of classification: databases, relations, tuples, attributes, elements
- Security Architectures
  - Operating system providing mandatory access control, where the DBMS is untrusted with respect to MAC (e.g., SRI's SeaView)
  - Trusted Subject Architecture, where the DBMS is trusted with respect to MAC (e.g., TRW's ASD and ASD Views)
  - Integrity Lock, where a trusted front end computes checksums (e.g., MITRE's MISTRESS Prototype)
  - Distributed Architecture, where data is distributed according to security levels and access is through a trusted front end (e.g., NRL's SINTRA)
  - Extended Kernel for security policy enforcement such as constraints (e.g., Honeywell's Lock Data Views)

Security Constraints / Access Control Rules
- Simple constraint: John cannot access the attribute Salary of relation EMP
- Content-based constraint: If relation MISS contains information about missions in the Middle East, then John cannot access MISS
- Association-based constraint: Ship's location and mission taken together cannot be accessed by John; individually each attribute can be accessed by John
- Release constraint: After X is released, Y cannot be accessed by John
- Aggregate constraints: Ten or more tuples taken together cannot be accessed by John
- Dynamic constraints: After the mission, information about the mission can be accessed by John

Enforcement of Security Constraints
[Figure: architecture diagram. Components: User Interface Manager; Constraint Manager with Security Constraints; Query Processor (constraints during query and release operations); Update Processor (constraints during update operation); Database Design Tool (constraints during database design operation); Relational DBMS; Database]

Other Developments in Access Control
- Inference Problem and Access Control
  - The inference problem occurs when users pose queries and deduce unauthorized information from the legitimate responses
  - Security constraint processing for controlling inferences
  - More recently there is work on controlling release information instead of controlling access to information
- Temporal Access Control Models
  - Incorporates a time parameter into the access control models
- Role-based access control
  - Controlling access based on roles of people and the activities they carry out; implemented in commercial systems
- Positive and Negative Authorizations
  - Should negative authorizations be explicitly specified? How can conflicts be resolved?

Some Examples
- Temporal Access Control
  - After 1/1/05, only doctors have access to medical records
- Role-based Access Control
  - Manager has access to salary information
  - Project leader has access to project budgets, but he does not have access to salary information
  - What happens if the manager is also the project leader?
- Positive and Negative Authorizations
  - John has write access to EMP
  - John does not have read access to DEPT
  - John does not have write access to Salary attribute in EMP
  - How are conflicts resolved?

Usage Control
- The Usage Control (UCON) Model goes beyond traditional access control; developed by Sandhu et al.
- Consists of the following: policies of Authorizations, Obligations and Conditions
  - Authorization decisions are determined by policies of the subject, objects and right
  - Obligations are actions that are required to be performed before or during the access process
  - Conditions are environment restrictions that are required to be valid before or during the access process
- Many policies can be expressed using UCON
- Extensions are being proposed for temporal usage control

Access Control in Other Types of Databases
- Object Databases
  - Controlling access to classes, object instances, instance variables, method execution, etc.
  - E.g., MCC's ORION model, both for discretionary security and mandatory security
- Distributed Databases
  - Extend access control for relational databases to a distributed environment across the nodes
- Federated Databases
  - Integrate security policies exported by the component database systems and form a federated policy
- Deductive Databases
  - Logic for secure data and knowledge base systems, e.g., NTML: Non-monotonic Typed Multilevel Logic

Access Control in Databases: Current Trends (1996 - Present)
- Data Warehousing
  - Controlling access to aggregate information in the Warehouse
- Multimedia Database Systems
- Geospatial Information Systems
- Web Databases
- E-Commerce and Knowledge Management
- Collaboration, Workflow
- Semantic Web: XML, RDF, Information Integration
- Dependable Databases
- Real-time Embedded Database Systems
- Sensor Stream Database Systems

Data Warehouse
- Challenge: controlling access to the Warehouse and at the same time enforcing the access control policies enforced by the back-end database systems
- Figure labels: Users; Query the Warehouse; Oracle DBMS for Employees Data; Data Warehouse: Data correlating Employees With Travel patterns and Projects; Sybase DBMS for
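
The query modification algorithm from the lecture, as an added example that is not part of the original slides: it rewrites a "retrieve everything" query so that denied attributes are projected out and row-level rules are added to the WHERE clause, then runs the result on SQLite. The schema, the subject names, the sample rows and the comparison operators in the row rule are assumptions made for illustration.

```python
import sqlite3

# Constructed schema, rules and rows for illustration (assumptions).
SCHEMA = {"EMP": ["Name", "Salary", "Dept"], "DEPT": ["Dept", "Budget", "Site"]}
# Attribute-level rules: (relation, attribute) pairs a subject may not read.
DENIED = {"john": {("EMP", "Salary"), ("DEPT", "Budget")}}
# Row-level rules: predicate added whenever the subject queries the relation.
# The comparison operators are assumed; the lecture text does not show them.
ROW_RULES = {"group_a": {"EMP": "EMP.Salary < 30000 AND EMP.Dept <> 'Security'"}}


def modify_query(subject, relations, join_on=None):
    """Rewrite 'retrieve everything from relations' under the subject's rules."""
    unknown = [r for r in relations if r not in SCHEMA]
    if unknown:
        raise ValueError(f"unknown relation(s): {unknown}")
    denied = DENIED.get(subject, set())
    # Project only on attributes that no rule denies.
    cols = [f"{r}.{a}" for r in relations for a in SCHEMA[r] if (r, a) not in denied]
    if not cols:
        raise PermissionError("no readable attributes")
    preds = []
    if join_on:
        # A join on a denied attribute would leak it through matching, so refuse.
        if not set(join_on) <= set(cols):
            raise PermissionError(f"join uses a denied or unknown attribute: {join_on}")
        preds.append(f"{join_on[0]} = {join_on[1]}")
    rules = ROW_RULES.get(subject, {})
    preds += [f"({rules[r]})" for r in relations if r in rules]
    sql = f"SELECT {', '.join(cols)} FROM {', '.join(relations)}"
    return sql + (" WHERE " + " AND ".join(preds) if preds else "")


def run(subject, relations, join_on=None):
    """Execute the modified query against a constructed in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE EMP (Name TEXT, Salary INTEGER, Dept TEXT);
        CREATE TABLE DEPT (Dept TEXT, Budget INTEGER, Site TEXT);
        INSERT INTO EMP VALUES ('Ann', 25000, 'Sales'), ('Bob', 45000, 'Sales'),
                               ('Cy', 20000, 'Security');
        INSERT INTO DEPT VALUES ('Sales', 900000, 'Dallas'),
                                ('Security', 500000, 'Austin');
    """)
    return sorted(db.execute(modify_query(subject, relations, join_on)).fetchall())


if __name__ == "__main__":
    print(modify_query("john", ["EMP", "DEPT"], ("EMP.Dept", "DEPT.Dept")))
    print(run("group_a", ["EMP"]))
```

A subject with no rules gets the query back unmodified, which follows the lecture's formulation of rules as negations of access; a deployment that wants default-deny would invert that lookup.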



UTD CS 7301 - Lecture #5 Access Control in Data Management Systems
