KTH-SEECS Applied Information Security Lab

National University of Sciences and Technology (NUST)

Holistic access control framework for database management systems

Domain: Database Security

Status: Completed
Contact Person(s): Rahat Masood, Awais Shibli

Date of Completion: July 2013

Databases are at the core of successful businesses. In today's era of technological advancement, companies need to implement and use database systems that are not only fast, scalable and efficient but also secure from internal and external threats. The pervasive use of computing technology and the increased reliance on information systems also invite security attacks that may affect an organization's sensitive data as well as its daily operations. Moreover, different types of information have different protection and privacy requirements; organizations must therefore take a holistic approach to protecting and securing their information. Many organizations are now concerned about the changing nature, complexity and larger scale of outside and inside attacks, which have a far more damaging business impact.

One of the most important and effective means of ensuring data integrity and authorized access is access control. Access control mechanisms have existed since the commercial deployment of databases, but they are not consistent across database technologies and do not provide holistic security to database applications in terms of authorization and confidentiality. There is a need to provide comprehensive security features, in terms of confidentiality and access control, to database applications. A holistic strategy is required that remains flexible as new threats arise. Organizations now need security policies and solutions that evolve with new business initiatives such as outsourcing, virtualization, cloud, mobility, Web 2.0 and social networking. These policies should be generic and flexible enough to meet the changing security requirements of organizations.

Our research and development will aim at providing a holistic access control framework for three types of database technologies in particular: Relational (RDBMS), Object-Oriented (OODB) and NoSQL databases. Under this project, extensive research will be carried out alongside the development of a framework that helps database applications perform their operations securely. The proposed framework will enable row- and column-level (fine-grained) security on databases. It will provide authorization, authentication and confidentiality features that can be used by any database technology (RDBMS, OODB, NoSQL and Cloud DB) to protect data from disruption and disclosure. The proposed framework will focus on providing a restricted level of authorization for databases using well-known security standards.

More specifically, under the proposed framework, a common access control layer will be provided that acts independently of front-end applications and their underlying databases. Thus any enterprise planning to host or build its applications on NoSQL and cloud databases will be able to integrate with this framework for the secure authorization of its resources. Such enterprises will be able to enforce authorization at the row, column and table level, depending on their application requirements.

Project Documents:

  1. Abstract (PDF)
  2. Presentation (PDF)
  3. Publications

      ►"Fine-Grained Access Control in Object-Oriented Databases" (Link)