Database Security-Concepts, Approaches, and Challenges: Elisa Bertino, Fellow, IEEE, and Ravi Sandhu, Fellow, IEEE

Database Security—Concepts,

Approaches, and Challenges


Elisa Bertino, Fellow, IEEE, and Ravi Sandhu, Fellow, IEEE

Abstract—As organizations increase their reliance on, possibly distributed, information systems for daily business, they become more
vulnerable to security breaches even as they gain productivity and efficiency advantages. Though a number of techniques, such as
encryption and electronic signatures, are currently available to protect data when transmitted across sites, a truly comprehensive
approach for data protection must also include mechanisms for enforcing access control policies based on data contents, subject
qualifications and characteristics, and other relevant contextual information, such as time. It is well understood today that the
semantics of data must be taken into account in order to specify effective access control policies. Also, techniques for data integrity
and availability specifically tailored to database systems must be adopted. In this respect, over the years the database security
community has developed a number of different techniques and approaches to assure data confidentiality, integrity, and availability.
However, despite such advances, the database security area faces several new challenges. Factors such as the evolution of security
concerns, the “disintermediation” of access to data, new computing paradigms and applications, such as grid-based computing and on-
demand business, have introduced both new security requirements and new contexts in which to apply and possibly extend current
approaches. In this paper, we first survey the most relevant concepts underlying the notion of database security and summarize the
most well-known techniques. We focus on access control systems, on which a large body of research has been devoted, and describe
the key access control models, namely, the discretionary and mandatory access control models, and the role-based access control
(RBAC) model. We also discuss security for advanced data management systems, and cover topics such as access control for XML.
We then discuss current challenges for database security and some preliminary approaches that address some of these challenges.

Index Terms—Data confidentiality, data privacy, relational and object databases, XML.

1 INTRODUCTION

As organizations increase their adoption of database systems as the key data management technology
for day-to-day operations and decision making, the security of data managed by these systems becomes
crucial. Damage and misuse of data affect not only a single user or application, but may have
disastrous consequences on the entire organization. The recent rapid proliferation of Web-based
applications and information systems has further increased the risk exposure of databases and, thus,
data protection is today more crucial than ever. It is also important to appreciate that data needs
to be protected not only from external threats, but also from insider threats.

Security breaches are typically categorized as unauthorized data observation, incorrect data
modification, and data unavailability. Unauthorized data observation results in the disclosure of
information to users not entitled to gain access to such information. All organizations, ranging from
commercial organizations to social organizations, in a variety of domains such as healthcare and
homeland protection, may suffer heavy losses from both financial and human points of view as a
consequence of unauthorized data observation. Incorrect modifications of data, either intentional or
unintentional, result in an incorrect database state. Any use of incorrect data may result in heavy
losses for the organization. When data is unavailable, information crucial for the proper functioning
of the organization is not readily available when needed.

Thus, a complete solution to data security must meet the following three requirements: 1) secrecy or
confidentiality refers to the protection of data against unauthorized disclosure, 2) integrity refers
to the prevention of unauthorized and improper data modification, and 3) availability refers to the
prevention of and recovery from hardware and software errors and from malicious data access denials
making the database system unavailable. These three requirements arise in practically all application
environments. Consider a database that stores payroll information. It is important that salaries of
individual employees not be released to unauthorized users, that salaries be modified only by the
users that are properly authorized, and that
paychecks be printed on time at the end of the pay period.
Similarly, consider the Web site of an airline company.
Here, it is important that customer reservations only be
available to the customers they refer to, that reservations of
a customer not be arbitrarily modified, and that information
on flights and reservations always be available. In addition
to these requirements, privacy requirements are of high
relevance today. Though the term privacy is often used as
a synonym for confidentiality, the two requirements are
quite different. Techniques for information confidentiality
may be used to implement privacy; however, assuring privacy requires additional techniques, such as
mechanisms for obtaining and recording the consents of users. Also, confidentiality can be achieved
by means of withholding data from access, whereas privacy is required even after the data has been
disclosed. In other words, the data should be used only for the purposes sanctioned by the user and
not misused for other purposes.

Data protection is ensured by different components of a database management system (DBMS). In
particular, an access control mechanism ensures data confidentiality. Whenever a subject tries to
access a data object, the access control mechanism checks the rights of the user against a set of
authorizations, stated usually by some security administrator. An authorization states whether a
subject can perform a particular action on an object. Authorizations are stated according to the
access control policies of the organization. Data confidentiality is further enhanced by the use of
encryption techniques, applied to data when being stored on secondary storage or transmitted on a
network. Recently, the use of encryption techniques has gained a lot of interest in the context of
outsourced data management; in such contexts, the main issue is how to perform operations, such as
queries, on encrypted data [54]. Data integrity is jointly ensured by the access control mechanism
and by semantic integrity constraints. Whenever a subject tries to modify some data, the access
control mechanism verifies that the user has the right to modify the data, and the semantic integrity
subsystem verifies that the updated data are semantically correct. Semantic correctness is verified
by a set of conditions, or predicates, that must be verified against the database state. To detect
tampering, data can be digitally signed. Finally, the recovery subsystem and the concurrency control
mechanism ensure that data is available and correct despite hardware and software failures and
accesses from concurrent application programs. Data availability, especially for data that are
available on the Web, can be further strengthened by the use of techniques protecting against
denial-of-service (DoS) attacks, such as the ones based on machine learning techniques [25].

In this paper, we focus mainly on the confidentiality requirement and we discuss access control
models and techniques to provide high-assurance confidentiality. Because, however, access control
deals with controlling accesses to the data, the discussion in this paper is also relevant to the
access control aspect of integrity, that is, enforcing that no unauthorized modifications to data
occur. We also discuss recent work focusing specifically on privacy-preserving database systems. We
do not cover transaction management or semantic integrity. We refer the reader to [50] for an
extensive discussion on transaction models, recovery and concurrency control, and to any database
textbook for details on semantic integrity. It is also important to note that an access control
mechanism must rely for its proper functioning on some authentication mechanism. Such a mechanism
identifies users and confirms their identities. Moreover, data may be encrypted when transmitted over
a network in the case of distributed systems. Both authentication and encryption techniques are
widely discussed in the current literature on computer network security and we refer the reader to
[62] for details on such topics. We will, however, discuss the use of encryption techniques in the
context of secure outsourcing of data, as this is an application of cryptography which is specific to
database management. We do not attempt to be exhaustive, but try to articulate the rationale for the
approaches we believe to be promising.

1.1 A Short History

Early research efforts in the area of access control models and confidentiality for DBMSs focused on
the development of two different classes of models, based on the discretionary access control policy
and on the mandatory access control policy. This early research was cast in the framework of
relational database systems. The relational data model, being a declarative high-level model
specifying the logical structure of data, made the development of simple declarative languages for
the specification of access control policies possible. These earlier models, and the discretionary
models in particular, introduced some important principles [45] that set apart access control models
for database systems from access control models adopted by operating systems and file systems. The
first principle was that access control models for databases should be expressed in terms of the
logical data model; thus authorizations for a relational database should be expressed in terms of
relations, relation attributes, and tuples. The second principle was that for databases, in addition
to name-based access control, where the protected objects are specified by giving their names,
content-based access control has to be supported. Content-based access control allows the system to
determine whether to give or deny access to a data item based on the contents of the data item. The
development of content-based access control models, which are, in general, based on the specification
of conditions against data contents, was made easy in relational databases by the availability of
declarative query languages, such as SQL.

In the area of discretionary access control models for relational database systems, an important
early contribution was the development of the System R access control model [51], [42], which
strongly influenced access control models of current commercial relational DBMSs. Some key features
of this model included the notion of decentralized authorization administration, dynamic grant and
revoke of authorizations, and the use of views for supporting content-based authorizations. Also, the
initial format of the well-known commands for grant and revoke of authorizations, which are today
part of the SQL standard, was developed as part of this model. Later research proposals have extended
this basic model with a variety of features, such as negative authorization [27], role-based and
task-based authorization [80], [87], [47], temporal authorization [10], and context-aware
authorization [74].

Discretionary access control models have, however, a weakness in that they do not impose any control
on how
information is propagated and used once it has been accessed by subjects authorized to do so. This
weakness makes discretionary access controls vulnerable to malicious attacks, such as Trojan Horses
embedded in application programs. A Trojan Horse is a program with an apparent or actually useful
function, which contains some hidden functions exploiting the legitimate authorizations of the
invoking process. Sophisticated Trojan Horses may leak information by means of covert channels,
enabling illegal access to data. A covert channel is any component or feature of a system that is
misused to encode or represent information for unauthorized transmission, without violating the
stated access control policy. A large variety of components or features can be exploited to establish
covert channels, including the system clock, operating system interprocess communication primitives,
error messages, the existence of particular file names, the concurrency control mechanism, and so
forth. The area of mandatory access control and multilevel database systems tried to address such
problems through the development of access control models based on information classification, some
of which were also incorporated in commercial products. Early mandatory access control models were
mainly developed for military applications and were very rigid and suited, at best, for closed and
controlled environments. There was considerable debate among security researchers concerning how to
eliminate covert channels while maintaining the essential properties of the relational model. In
particular, the concept of polyinstantiation, that is, the presence of multiple copies with different
security levels of the same tuple in a relation, was developed and articulated in this period [81],
[55]. Because of the lack of applications and commercial success, companies developing multilevel
DBMSs discontinued their production several years ago. Covert channels were also widely investigated
with considerable focus on the concurrency control mechanisms that, by synchronizing transactions
running at different security levels, would introduce an obvious covert channel. However, solutions
developed in the research arena to the covert channel problem were not incorporated into commercial
products. Interestingly, however, today we are witnessing a “multilevel security reprise” [82],
driven by the strong security requirements arising in a number of civilian applications. Companies
have thus recently reintroduced such systems. This is the case, for example, of the Labeled Oracle, a
multilevel relational DBMS marketed by Oracle, which has much more flexibility in comparison to
earlier multilevel secure DBMSs.

Early approaches to access control have since been extended in the context of advanced DBMSs, such as
object-oriented DBMSs and object-relational DBMSs, and other advanced data management systems and
applications, such as data made available through the Web and represented through XML, digital
libraries and multimedia data, data warehousing systems, and workflow systems. Most of these systems
are characterized by data models that are much richer than the relational model; typically, such
extended models include semantic modeling notions such as inheritance hierarchies, aggregation,
methods, and stored procedures. An important requirement arising from those applications is that not
only the data needs to be protected; the database schema may also contain sensitive information and,
thus, accesses to the schema need to be filtered according to some access control policies. Even
though early relational DBMSs did not support authorizations with respect to schema information,
today several products support such features. In such a context, access control policies may also
need to be protected because they may reveal sensitive information. As such, one may need to define
access control policies the objects of which are not user data but other access control policies.
Another relevant characteristic of advanced applications is that they often deal with multimedia
data, for which the automatic interpretation of contents is much more difficult, and they are in most
cases accessed by a variety of users external to the system boundaries, such as through Web
interfaces. As a consequence, both discretionary and mandatory access control models developed for
relational DBMSs had to be properly extended to deal with additional modeling concepts. Also, these
models often need to rely on metadata information in order to support content-based access control
for multimedia data and to support credential-based access control policies to deal with external
users. Recent efforts in this direction include the development of comprehensive access control
models for XML [14], [72].

1.2 Emerging Research in Database Security

Besides the historical research that has been conducted in database security, several new areas are
emerging as active research topics. A first relevant recent research direction is motivated by the
trend of considering databases as a service that can be outsourced to external companies [54]. An
important issue is the development of query processing techniques for encrypted data. Several
specialized encryption techniques have been proposed, such as the order-preserving encryption
technique by Agrawal et al. [3]. A second research direction deals with privacy-preserving techniques
for databases, an area recently investigated to a considerable extent. Research in this direction has
been motivated, on one side, by increasing concerns with respect to user privacy and, on the other,
by the need to support Web-based applications across organization boundaries. In particular, privacy
legislation, such as the early Federal Act of 1974 [43] and the more recent Health Insurance
Portability and Accountability Act of 1996 (HIPAA) [53] and the Children’s Online Privacy Protection
Act (COPPA) [33], require organizations to put in place adequate privacy-preserving techniques for
the management of data concerning individuals. The new Web-based applications are characterized by
the requirement of supporting cooperative processes while ensuring the confidentiality of data. This
research direction is characterized by a number of different approaches and techniques, including
privacy-preserving data mining [92], privacy-preserving information retrieval, and database systems
specifically tailored toward enforcing privacy [2].
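
As a rough illustration of why order-preserving encryption, mentioned in Section 1.2 as one
specialized technique for outsourced data, makes query processing on encrypted data feasible, the
following Python sketch builds a toy order-preserving mapping and evaluates a range predicate directly
on ciphertexts. It is not the scheme of Agrawal et al. [3] and offers no real security; the function
names (make_ope_table, ope_encrypt, server_range_query), the integer key, and the small integer
domain are assumptions introduced only for this example.

```python
import random


def make_ope_table(key: int, domain_size: int, max_gap: int = 1000) -> list[int]:
    """Build a strictly increasing table mapping plaintext i to table[i].

    Toy construction (an assumption of this sketch): a running sum of
    positive pseudo-random gaps seeded by the secret key.
    """
    rng = random.Random(key)  # deterministic for a given key
    table = []
    current = 0
    for _ in range(domain_size):
        current += rng.randint(1, max_gap)  # gap >= 1 keeps the order strict
        table.append(current)
    return table


def ope_encrypt(table: list[int], value: int) -> int:
    """Encrypt a plaintext in range(len(table)) by table lookup."""
    return table[value]


def server_range_query(ciphertexts: list[int], low_ct: int, high_ct: int) -> list[int]:
    """Run by the untrusted server: it only ever compares ciphertexts."""
    return [c for c in ciphertexts if low_ct <= c <= high_ct]


# Client side: encrypt a salary column (in thousands) before outsourcing it.
table = make_ope_table(key=42, domain_size=200)
salaries = [35, 120, 64, 88, 150]
outsourced = [ope_encrypt(table, s) for s in salaries]

# Query "salary BETWEEN 60 AND 100": the client encrypts only the two bounds.
matches = server_range_query(
    outsourced, ope_encrypt(table, 60), ope_encrypt(table, 100)
)

# Client side: decrypt the answer by inverting the table.
decrypt = {ciphertext: plaintext for plaintext, ciphertext in enumerate(table)}
result = sorted(decrypt[c] for c in matches)
print(result)  # [64, 88]
```

Because the mapping is strictly increasing, the server's comparison on ciphertexts selects the same
rows as the plaintext predicate would. The same property also reveals the relative order of the
stored values to the server, which is the trade-off that order-preserving schemes accept.
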

1.3 Organization of the Paper

The remainder of the paper is organized as follows: Section 2 discusses past and current developments
for relational database systems. It discusses both discretionary and mandatory access control models
and also briefly surveys other topics such as RBAC models. Section 3 presents an overview of relevant
requirements for access control models for advanced data management systems and outlines the main
approaches, including access control systems for XML. Section 4 summarizes privacy-preserving data
management techniques, which are the focus of several research efforts today, and Section 5 discusses
current factors and trends which make database security more challenging. Finally, Section 6 presents
some concluding remarks.

2 RELATIONAL DATABASE SYSTEMS

2.1 Discretionary Access Control for Relational Databases

Access control mechanisms of current DBMSs are based on discretionary policies governing the accesses
of a subject to data based on the subject’s identity and authorization rules. These mechanisms are
discretionary in that they allow subjects to grant authorizations on the data to other subjects.
Because of such flexibility, discretionary policies are adopted in many application environments and
this is the reason that commercial DBMSs adopt such policies. An important aspect of discretionary
access control is thus related to the authorization administration policy. Authorization
administration refers to the function of granting and revoking authorizations. It is the function by
which authorizations are entered into or removed from the access control mechanism. Common
administration policies include centralized administration, by which only some privileged subjects
may grant and revoke authorizations, and ownership administration, by which grant and revoke
operations on data objects are entered by the creator (or owner) of the object. Ownership-based
administration is often provided with features for administration delegation, allowing the owner of a
data object to assign other subjects the right to grant and revoke authorizations. Delegation thus
supports decentralized authorization administration. Most commercial DBMSs adopt ownership-based
administration with administration delegation. More sophisticated administration mechanisms can be
devised, such as joint administration, by which several subjects are jointly responsible for
authorization administration [17].

In this section, we review some discretionary models proposed for relational DBMSs. We start by
describing the System R authorization model and then we survey some recently proposed extensions to
it. We then discuss role-based access control (RBAC), a relevant extension to current authorization
models, which finds application not only to database systems, but also to the more general context of
enterprise security [60] and of multidomain systems [28].

2.1.1 The System R Authorization Model and Its Extensions

One of the first authorization models developed for relational DBMSs was defined by Griffiths and
Wade [51], [42] in the framework of the System R DBMS [6]. Under this model, protection objects are
tables and views, also referred to as virtual tables (see footnote 1). The possible access modes that
subjects can exercise on tables correspond to SQL operations that can be executed on tables. Thus,
relevant access modes include: select (to retrieve tuples from a table), insert (to add tuples to a
table), delete (to remove tuples from a table), and update (to modify tuples in a table). The same
access modes are defined for views with the difference that some access modes may not be applicable
to a view depending on the view definition. For example, very often, delete, insert, and update
operations are not allowed on views defined as joins or containing aggregate functions. In the
remainder, we use the term table to refer to both base tables and views. It is important to point out
that this basic model is still prevalent today in commercially available DBMSs. Of course, current
DBMSs have extended the basic model by introducing new types of objects to be protected as a
consequence of extensions to the data model, and the set of protection modes that one finds in such
DBMSs is much larger than the set defined as part of the basic model. For example, the introduction
of trigger mechanisms in relational DBMSs [93] has required the introduction of a specific access
mode allowing a subject to create a trigger on a table. Similarly, the introduction of mechanisms for
referential integrity through the use of foreign keys has required the introduction of a related
access mode allowing a subject to reference a table from another table.

1. There are usually other objects to be protected in a database, such as application programs and
stored procedures. We limit the discussion to tables and views to simplify the presentation.

Authorization administration in the System R model is based on the ownership approach coupled with
administration delegation. Any database user authorized to do so can create a new table. When a user
creates a table, he becomes the owner of the table and is solely and fully authorized to exercise all
access modes on the table. The owner, however, can delegate privileges on the table to other subjects
by granting these subjects authorizations with the so-called grant option. The possibility of
delegating authorization administration introduces some interesting issues concerning the semantics
of the revoke operations. A subject, to whom the administration right on a given table has been
granted and then revoked, may have granted to another subject an authorization to access the table.
The question is what happens to this authorization when the revocation takes place. The semantics of
the revocation of an authorization from a subject (revokee) by another subject (revoker) is to
consider as valid only the authorizations that would have been present had the revoker never granted
the revokee the privilege. As a consequence, every time an authorization is revoked from a subject, a
recursive revocation takes place to remove all authorizations for this
table from the revokee. The revoke operation takes into account the temporal sequence according to
which the grant operations were made. The temporal sequence is determined according to the timestamps
that are associated with the granted authorizations.

A number of extensions to the basic model have been proposed with the goal of enriching the
expressive power of the authorization languages in order to address a large variety of application
requirements. A first extension deals with negative authorizations [27]. The System R authorization
model, like the models of most DBMSs, uses the closed world policy. Under this policy, whenever a
subject tries to access a table and no authorization is found in the system catalogs, the subject is
denied access. Therefore, the lack of authorization is interpreted as no authorization. This approach
has the major drawback that the lack of an authorization for a subject on a table does not prevent
this subject from receiving this authorization some time in the future. Any subject holding the right
to administer that table can grant any other subject the authorization to access the table. The
introduction of negative authorization can overcome this drawback. An explicit negative authorization
expresses a denial for a subject to access a table under a specified mode. Conflicts between positive
and negative authorizations are resolved by applying the denials-take-precedence policy under which
negative authorizations override positive authorizations. That is, whenever a subject has both a
positive and a negative authorization for a given privilege on a table, the subject is prevented from
exercising the privilege on the table. The subject is denied access even if a positive authorization
is granted after a negative one has been granted. Negative authorizations can also be used to
temporarily block possible positive authorizations of a subject and to specify exceptions. For
example, it is possible to grant an authorization to all members of a group except for one specific
member, by granting the group a positive authorization for the privilege on the table and the given
member the corresponding negative authorization. Such a model has been further extended with a more
flexible conflict resolution policy, based on the concept of more specific authorization. Such a
concept introduces a partial order relation among authorizations which is taken into account when
dealing with conflicting authorizations. For example, the authorizations granted directly to a user
are more specific than the authorizations granted to the groups of which the user is a member.
Therefore, a negative authorization can be overridden by a positive authorization, if the latter is
more specific than the former. If, however, two conflicting authorizations cannot be compared under
the order relation, the negative authorization prevails. This line of work has been further extended
by several other researchers and today we find a variety of approaches dealing with conflict
resolution policies and with logical formalizations of access control policies. Such logical
formalizations provide sound underlying semantics which is essential when dealing with complex access
control models [16].

The notion of explicit denial has also been proposed in the context of the Sea View system [59]. In
Sea View, authorizations can specify which users or groups are authorized to access particular tables
and which users and groups are specifically denied for particular tables. Unlike positive
authorizations, negative authorizations cannot specify an access mode. A special access mode, called
“null,” is used to denote a negative authorization. If a subject receives a null access mode on a
table, the subject cannot exercise any access mode on the table. Conflicts between positive and
negative authorizations are solved on the basis of the following policy: 1) authorizations directly
granted to a user take precedence over authorizations specified for groups to which the user belongs
and 2) a null mode authorization given to a subject overrides any other authorization granted to the
same subject. Thus, negative authorizations always override positive authorizations. It is of
interest to remark here that explicit denials have also been introduced in operating systems, e.g.,
Windows, as a mechanism for expressing exceptions. In such a context, specifying that a subject can
access all the files in a directory except one specific file can be concisely expressed by two
authorizations, one giving the subject a positive authorization to the directory and all the files
contained in it, and another one specifying an explicit denial on the specific file to which access
from this subject has to be precluded.

A second major extension deals with a more articulated semantics for the revoke operation [95]. In
the System R model, as in all DBMSs, whenever an authorization is revoked from a subject, a recursive
revocation takes place. This approach can be very disruptive. In many organizations, the
authorizations a user possesses are related to his particular task or function within the
organization. If a user changes his task or function, it is desirable to remove only the
authorizations of this user without triggering a recursive revocation of all the authorizations
granted by this user. To support this requirement, a different kind of revoke operation called
noncascading revoke has been proposed. Whenever a noncascading revoke operation is executed, the
authorizations granted by the user from whom the authorization is being revoked are not revoked;
instead, they are respecified as if they had been granted by the user requiring the revocation. Thus,
all authorizations granted by the revokee to other users remain in place. By providing two different
types of revoke operations, cascading and noncascading, the resulting access control system is able
to better support a large variety of application requirements. A different approach to overcome the
drawbacks of conventional revoke operations is the use of RBAC, which, by introducing the notion of
role and assigning authorizations to roles instead of directly to users, greatly simplifies
administration management and reduces the need for recursive revoke operations (see Section 2.1.3).

A third extension is related to the duration of authorizations. In all systems, an authorization is
valid from the time it is entered into the system, by a grant operation, until it is explicitly
removed by a revoke operation. In many
applications, however, permissions may hold only for specific time intervals. A further requirement concerns periodic authorizations. In many organizations, authorizations given to users must be tailored to the pattern of their activities within the organization. Therefore, users must be given access authorizations to data only for the time periods in which they are expected to need the data. We can consider this requirement as an instantiation of the well known “need-to-know” security principle. An example of a policy with temporal requirements is that “all programmers can modify the project files every working day except Friday afternoons.” In most current DBMSs, such a policy would have to be implemented as code in application programs. Such an approach makes it very difficult to verify and modify the access control policies and to provide assurance that these policies are actually enforced. An authorization model addressing such requirements has been recently proposed [10]. Under such a model, each authorization has a temporal interval of validity; an authorization is valid only in this interval. When the interval expires, the authorization is automatically revoked without requiring any explicit revoke operations from the security administrator. The interval associated with an authorization may also be periodic, thus consisting of several intervals which are repeated in time. In addition, the model provides deductive temporal rules supporting the automatic derivation of new authorizations based on the presence or absence of other authorizations in specific time periods. The resulting model provides a high degree of flexibility and is able to meet a large number of protection requirements that cannot be met by traditional access control models.

The previous temporal authorization model represents one of the earliest proposals recognizing the need for context-based access control; time can indeed be seen as a special contextual condition. A context-based access control model is able to incorporate into access control decision functions a large variety of context-dependent information, such as time and location. In addition to being investigated as part of research projects [8], context-based access control has been recently incorporated in the Oracle commercial DBMS [74], through the notion of a virtual private database. A virtual private database allows fine-grained access control down to the tuple level based on the use of predicates. The predicates, specified as part of an access control policy, identify the tuples, in a given table, to which the access control policy applies. Whenever a user, to whom the access control policy is granted, issues a query against the table, the DBMS transparently modifies the query by appending to it the predicates specified in the access control policies. Because such predicates can be expressed also against some special system variables, such as SYSDATE, such an approach allows one to take context-dependent information into account when specifying policies. Such a mechanism is complemented by the notion of application context. Each application context has a unique identifier and consists of a number of attributes, identifying security-relevant properties. The attributes that are part of a given context are specified by the application developer and can refer to any relevant information, such as the organizational position or the geographical location of the user. Predicates against such attributes can be specified as part of access control policies and, thus, they concur to define a virtual private database. Notice that several contexts can be defined for the same table, each related to different application sectors from which the table is accessed.

2.1.2 Content-Based and Fine-Grained Access Control

Content-based access control is an important requirement that any access control mechanism for use in a data management system should satisfy. Essentially, content-based access control requires that access control decisions be based on data contents. Consider an example of a table recording information about employees of a company; a content-based access control policy would be one stating that “a manager can only access the employees that work in the project that he manages.” Whenever a manager issues a query, the system has to filter the query result by returning only the tuples related to the employees that verify the condition of working in the project managed by this manager. Support for this type of access control has been made possible by the fact that SQL is a language for which most operations for data management, such as queries, are based on declarative conditions against data contents. In particular, the most common mechanism adopted by relational DBMSs to support content-based access control is based on the use of views; this important use of views was recognized by the differentiation of views into two categories [24]: protection views, specifically tailored to support content-based access control, and shorthand views, specifically tailored to simplify query writing. A view can be considered as a dynamic window able to select subsets of columns and rows; these subsets are specified by defining a query, referred to as a view definition query, which is associated with the name of the view. Whenever a query is issued against a view, the query is modified through an operation called view composition by replacing the view referenced in the query with its definition. An effect of this operation is that the “where clause”2 in the original query is combined, through the AND Boolean connective, with the “where clause” of the view definition query. Thus, the query which is executed against the base table, that is, the table on which the view is defined, filters out the tuples that do not satisfy the predicates in the view. There are several advantages to such an approach. Content-based access control policies are expressed at a high level in a language consistent with the query language. Modifications to the data do not need modification to the access control policies; if new data are entered that satisfy a given policy, these data will be automatically included as part of the data returned by the corresponding view.

2. The “where clause” is the clause containing predicates against tables and is a component of several SQL commands, such as Select, Update, and Delete.

Recently, pushed by requirements for fine-grained mechanisms that are able to support access control at the
tuple level, new approaches have been investigated. The reason is that conventional view mechanisms, like the ones sketched above, have a number of shortcomings. A naive solution to enforce fine-grained authorization would require the specification of a view for each tuple or part of a tuple that is to be protected. Moreover, because access control policies are often different for different users, the number of views would further increase. Furthermore, as pointed out in [78], application programs would have to code different interfaces for each user, or group of users, as queries and other data management commands would need to use for each user, or group of users, the correct view. Modifications to access control policies would also require the creation of new views with consequent modifications to application programs. Alternative approaches that address some of these issues have been proposed, and these approaches are based on the idea that queries are written against the base tables and, then, automatically rewritten by the system against the view available to the user. The Oracle Virtual Private Database mechanism [74] and the Truman model [78] are examples of such approaches. These approaches do not require that we code different interfaces for different users and, thus, address one of the main problems in the use of conventional view mechanisms. However, they introduce other problems, such as inconsistencies between what the user expects to see and what the system returns; in some cases, they return incorrect results to queries rather than rejecting them as unauthorized. Approaches that address this problem, such as the solutions proposed as part of the Truman model [78], have some decidability problems and, thus, do not appear to be applicable in practice. Thus, different solutions need to be investigated.

2.1.3 RBAC Models

RBAC models represent arguably the most important recent innovation in access control models. RBAC has been motivated by the need to simplify authorization administration and to directly represent access control policies of organizations. RBAC models are based on the notion of role. A role represents a specific function within an organization and can be seen as a set of actions or responsibilities associated with this function. Under an RBAC model, all authorizations needed to perform a given activity are granted to the role associated with that activity, rather than being granted directly to users. Users are then made members of roles, thereby acquiring the roles’ authorizations. User access to objects is mediated by roles; each user is authorized to play certain roles and, on the basis of the roles, he can perform accesses to the objects. Because a role groups a number of related authorizations, authorization management is greatly simplified. Whenever a user needs to perform a certain activity, the user only needs to be granted the authorization of playing the proper role, rather than being directly assigned the required authorizations. Also, when a user changes his function within the organization, one only needs to revoke from the user the permission to play the role associated with the function. Complicated authorization revoke operations, such as the ones discussed in the previous sections, are no longer needed.

In addition, most RBAC models include role hierarchies, allowing one to represent role-subrole relationships, thus enabling authorization inheritance and separation of duty (SoD) constraints [5], [67]. SoD constraints typically prevent a subject from receiving too many authorizations. If a user that has a large number of authorizations is compromised (for example, by a malicious subject impersonating that user), the entire database would be compromised. It is thus preferable to spread authorizations among different subjects; in this case, the compromise of a subject would result in limited compromise of the database. Also, separation of conflicting permissions such as ability to cut checks and to issue purchase orders is crucial for reducing the potential for fraud in organizations. RBAC SoD constraints, represented in terms of constraints on the roles that users may take, are often classified into static and dynamic SoD. Static SoD typically imposes restrictions on role intersections (two roles cannot have common users) and on the number of users that can be assigned to a role (a given role can only be assigned to two users). Dynamic SoD constraints are based on the history of role usage by users. Their enforcement is related to the notion of a session, which is another important notion underlying the RBAC model. A session represents a set of accesses performed by a user under one or more roles that can be considered as an atomic unit of work. A session could be a transaction execution in a conventional relational database system, or a task in a workflow. Dynamic SoD essentially restricts access to roles by a user based on the history of role usage by the user during the same session, or even, in some proposals, during previous sessions. As such roles can be considered as another type of “context sensitive” relation; an important research issue when dealing with SoD constraints is the verification of their consistency, especially when dealing with large constraint sets.

RBAC models have been widely investigated [48]. A standard has been developed [47] as well as an XML-based encoding of RBAC [28]. Relevant extensions include: the development of administration models [34], [63], [65]; the introduction of temporal constraints, resulting in the TRBAC model [11], [68]; and the development of security analysis techniques [56]. RBAC models are also supported by commercial DBMSs [76]. However, commercial implementations provided as part of DBMSs are very limited and only support a simple version of RBAC, referred to as flat RBAC, that does not include role hierarchies or constraints. Finally, it is worth mentioning that RBAC systems are also being developed for use in Web-service architectures, such as the Permis system [31], and as part of products for enterprise security management [61].

2.2 Mandatory Access Control and Multilevel Secure DBMSs

Mandatory access control (MAC) policies regulate accesses to data by subjects on the basis of predefined classifications
of subjects and objects in the system. Objects are the passive entities storing information, such as relations, tuples in a relation, or elements of a tuple. Subjects are active entities performing data accesses. The classification is based on a partially ordered set of access classes, often referred to as labels, that are associated with every subject and object in the system. A subject is granted access to a given object if and only if some order relationship, depending on the access mode, is satisfied by the access classes of the object and the subject. In a very well-known instantiation of this model [9], an access class consists of two components: a security level and a set of categories. The security level is an element of a totally ordered set. A well-known example of such a set is the one that contains the levels Top Secret (TS), Secret (S), Confidential (C), and Unclassified (U), where TS > S > C > U. The set of categories is an unordered set (e.g., NATO, Nuclear, Army). Access classes are partially ordered as follows: An access class ci dominates (≥) an access class cj if and only if the security level of ci is greater than or equal to that of cj and the categories of ci include those of cj. Two classes are said to be incomparable if neither ci ≥ cj nor cj ≥ ci holds. The security level of the access class associated with a data object reflects the sensitivity of the information contained in the object, that is, the potential damage that could result from unauthorized disclosure of the contents of the object. The security level of the access class associated with a subject reflects the user’s trustworthiness not to disclose sensitive information to subjects not cleared to see it. Categories provide finer grained security classifications of subjects and objects than the classification provided by security levels alone, and are the basis for enforcing need-to-know restrictions. Denning [36] developed the mathematical theory that underlies such lattices and a comprehensive survey and discussion is given in [79].

Access control in MAC models is based on the following two principles, formulated by Bell and LaPadula in 1975 [9]:

No read-up. A subject can read only those objects whose access classes are dominated by the access class of the subject.

No write-down. A subject can write only those objects whose access classes dominate the access class of the subject.

The enforcement of these principles prevents information in a sensitive object from flowing, through either read or write operations, into objects at lower or incomparable access classes.

The application of MAC policies to relational databases has been extensively investigated in the past. The introduction of such access control models requires addressing several difficult issues. Solutions to some of these issues have required extensions to the definition of the relational model itself, resulting in the so-called multilevel relational model, and to fundamental notions such as the notion of relational key. A multilevel relation is characterized by the fact that different tuples may have different access classes. The relation is thus partitioned into different security partitions, one for each access class. A partition associated with an access class c contains all tuples whose access class is c. A subject having access class c can read all tuples in partitions of access classes that are equal to or lower than c; such a set of tuples is referred to as a view of the multilevel relation at access class c. By contrast, a subject having access class c can write tuples at access classes that are equal to or higher than c. In some implementations of the multilevel relational model, write operations at higher access classes are not allowed for integrity reasons. Such a restriction is usually known as a no write-up restriction. The multilevel relational model is further complicated if tuples are allowed to have attributes classified at different access classes. Each attribute of each tuple thus has an attribute label, denoting the access class of the attribute in the tuple, and a tuple label, which is the lowest element in the set of access classes associated with the attributes of the tuple. A consequence is that the same tuple may belong to several partitions of a multilevel relation, resulting in tuple polyinstantiation and, thus, in update anomalies. Handling polyinstantiation requires revisiting several classical notions of the relational model, such as the notion of a key. Because of such problems, commercial implementations of the multilevel relational model only support tuple-based labeling.

The development of multilevel secure (MLS) DBMSs entailed, however, extending not only the data model, but also the system architecture to make sure that covert channels would be closed [39]. A covert channel allows a transfer of information that violates the security policy. Covert channels are usually classified into two broad categories: timing channels, under which information is conveyed by the timing of events or processes; and storage channels that do not require any temporal synchronization in that information is conveyed by accessing system information. A well-known type of covert channel in a DBMS is represented by the 2-phase locking (2PL) protocol used for transaction synchronization [15]. Much academic research has been thus devoted to the development of concurrency control mechanisms that are secure against covert channels. Most of these approaches were based on the principle that transactions cannot be delayed or aborted due to a lock conflict with a higher-level transaction. Hence, low-level transactions have higher priority on low-level data than higher-level transactions. The consequence is that even though a transaction may have acquired a read lock on a lower-level data item, it may be forced to release this lock if a lower-level transaction requires a write lock on it. Due to such prioritization, transaction execution histories may not always be serializable. Several approaches have been proposed to address the issue of how to synchronize transactions so that timing channels do not occur and, at the same time, serializability is achieved. However, they suffer from several shortcomings, such as starvation of high-level transactions that can be repeatedly aborted, or require multiple versions of data, or force high-level transactions to read stale data. A different approach [14] was later defined based on application-level recovery and notification-based locking protocols combined with a nested transaction model [70].
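
As an illustration of the dominance relation and of the no read-up and no write-down principles described in this section, the following is a minimal Python sketch. It is not taken from any MLS DBMS: the names AccessClass, dominates, incomparable, can_read, and can_write are hypothetical, and the levels and categories are those of the TS > S > C > U example.

```python
from dataclasses import dataclass

# Totally ordered security levels from the text: TS > S > C > U.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class AccessClass:
    """Hypothetical access class: a security level plus a set of categories."""
    level: str
    categories: frozenset = frozenset()


def dominates(ci: AccessClass, cj: AccessClass) -> bool:
    """ci dominates cj iff its level is >= that of cj and its categories include those of cj."""
    return LEVELS[ci.level] >= LEVELS[cj.level] and ci.categories >= cj.categories


def incomparable(ci: AccessClass, cj: AccessClass) -> bool:
    """Two classes are incomparable if neither dominates the other."""
    return not dominates(ci, cj) and not dominates(cj, ci)


def can_read(subject: AccessClass, obj: AccessClass) -> bool:
    """No read-up: the subject's class must dominate the object's class."""
    return dominates(subject, obj)


def can_write(subject: AccessClass, obj: AccessClass) -> bool:
    """No write-down: the object's class must dominate the subject's class."""
    return dominates(obj, subject)


# Illustrative subjects and objects (assumed labels, not from the paper).
secret_nato = AccessClass("S", frozenset({"NATO"}))
conf_nato = AccessClass("C", frozenset({"NATO"}))
secret_army = AccessClass("S", frozenset({"Army"}))

print(can_read(secret_nato, conf_nato))         # True: reading down is allowed
print(can_write(secret_nato, conf_nato))        # False: writing down is denied
print(incomparable(secret_nato, secret_army))   # True: neither category set includes the other
```

Because the category check is a set-inclusion test, two classes at the same level with different categories are incomparable, so neither reads nor writes are permitted between them under these two rules.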
We conclude this section by mentioning that multilevel access control models have also been applied to commercial relational DBMSs both in the past in products such as Trusted Oracle and Secure Informix and more recently. The most recent extension of a commercial product supporting MAC is the label security mechanism introduced in Oracle9i [74]. Such a mechanism allows the application developers to associate classification labels with both data and users, and to apply MAC access control policies. The labeling granularity supported by this mechanism is a row; thus, labels can only be associated with tuples and not with single attributes within tuples. Labels in Oracle have quite an articulated structure, as each label consists of three elements. In addition to the classical security level and category (referred to in Oracle as compartment) set components, a label includes a third component, referred to as group. The group specifies one or more subjects that own or access the data. Furthermore, groups can be organized according to hierarchies. Labels and all their components can be defined by the applications and, thus, one can introduce levels, categories, and groups that are application-specific. Each user is associated with a label range, denoting a set of access classes, within which the user can read and write data. Finally, it is worth mentioning that, though secure concurrency control algorithms were widely investigated, most of the proposed concurrency control algorithms did not find their way into commercial DBMSs. The only concurrency control algorithm of a commercial DBMS which is documented by the scientific literature was based on a combination of 2PL protocol and multiversioning and was adopted in the Trusted Oracle product. Such an algorithm, however, was proven incorrect in that it would generate nonserializable transaction schedules.

3 SECURITY FOR ADVANCED DATA MANAGEMENT SYSTEMS

Though the relational database technology has today a central role to play in the data management arena, in the past 20 years, we have seen numerous extensions to this technology. These extensions have been driven on one hand by requirements from advanced applications, needing to manage complex, multimedia objects, and from decision-support systems, requiring data mining techniques and data warehousing systems, and on the other hand by the widespread use of Internet and Web-based applications, that have fueled the development of interoperability approaches, like XML and Web services. A key requirement underlying all those extended data management systems and tools is a demand for adequate security and, in particular, tailored access control systems. Relevant features of such systems include:

• Fine-grained flexible authorization models for complex, multimedia objects. Most innovative applications are characterized by objects whose structure is far more complex than the simple flat structure typical of relational data. This is the case, for example, of XML data [14] and object database systems, such as object-oriented (OO) and object-relational (OR) database systems [75], [41].3 Because applications may directly access data at various granularity levels from sets of data objects to specific portions of a single data object, mechanisms are needed to control access at varying granularity levels and to be able, at the same time, to support concise formulation of authorizations. Typical extensions that have been proposed to address such requirements include the notions of positive/negative authorizations, and implicit/explicit authorizations [44] that we discuss in the context of access control models for object-based systems. The presence of multimedia data makes content-based access control very difficult and, to date, the few proposed models are based on the use of metadata information [20], [66] rather than directly on the object contents.

3. Object-oriented DBMSs, often referred to as pure object DBMSs, refer to systems developed by starting directly from object-oriented programming languages, such as GemStone and ObjectStore, as opposed to object-relational DBMSs which are essentially relational DBMSs extended with object modeling features. The term object-based DBMSs is used when it is not necessary to distinguish between the two types of systems.

• Flexible user specification mechanisms based on user credentials and profiles. Most Web-based applications are characterized by a user population which is far more heterogeneous and dynamic than the user population typical of conventional information systems. In such a scenario, traditional identity mechanisms, based on login or user names, for qualifying the subjects to which a policy applies are no longer appropriate in that they would require the specification and management of a large number of policies. There is thus the need for using other properties of subjects (e.g., age, nationality, job position) besides their login names, in the specification and enforcement of access control policies. Such properties, which can be considered as a form of partial identity, are often encoded into user profiles and certified by means of credentials and attribute certificates.

• Access control mechanisms tailored to information dissemination strategies and third party publishing architectures. An important requirement of today’s Web-based information systems is to support a variety of information dissemination strategies [40]. A dissemination strategy regulates how a data source delivers data to subjects. In conventional database systems, data are delivered according to a strategy known as pull strategy. According to such a strategy, data are delivered to subjects upon an explicit request. However, in a Web environment, an alternative strategy can be adopted, which is more suitable when information has to be delivered to a large community of subjects. According to such strategy, referred to as push strategy or as publish/subscribe, the data source periodically (or when some
predefined events happen) sends data to authorized subjects, without the need of an explicit access request by the subjects. In some cases, the data that are sent to subjects also depend on the specific subject interests, that are recorded in some special subject profiles managed by the data source [98]. Supporting different dissemination strategies may require the adoption of different access control techniques depending on the data dissemination strategy adopted. A comprehensive access control system should thus provide a large variety of access control techniques able to enforce a given policy under a variety of dissemination strategies.

Because of the relevance of efficient information dissemination in a large variety of environments, not only several dissemination strategies have been developed, but also approaches supporting third-party information publishing architectures have been proposed [13]. The main idea is that an organization producing and owning some data may outsource the publishing function to a third-party, which would typically be in charge of executing user queries; a well-known example is that of UDDI registries managing information concerning services provided by organizations on the Web. The main issue here is how to ensure the integrity and confidentiality of data when their publication is outsourced to other parties.

• Support for distributed cooperative data modifications and complex workflow-based activities. The Web has enabled a new class of applications, including B2B and B2C, virtual organizations, e-contracting, and e-procurement, that are characterized by the need of collaborative processes across organizational boundaries. Such applications require not only data being securely exchanged, but also that data flow policies be specified, stating which party has to receive and/or modify data according to which order. Also, protocols are required allowing a party to verify that a given piece of data has been modified by subjects, that have accessed the data as part of a cooperative process, according to the stated access control policies.

In the remainder of this section, we elaborate on the above features and requirements by discussing solutions proposed by various systems and research proposals. We start by first discussing object-based DBMSs, in the context of which several innovative solutions for access control have been developed. Though object-oriented DBMSs have not been very successful from a commercial point of view, the development of access control models suitable for these systems required addressing a large number of novel issues arising from the extended complexity of the data models characterizing such DBMSs. Several of these solutions can be directly applied to more recent ORDBMSs and to XML data, as we discuss in Section 3.2, and in general to complex data. It is important to notice that to date the potential application of these solutions to XML data has not been fully explored.

3.1 Access Control Systems for Object-Based Database Systems

As we mentioned in the introduction, today, access control systems are a basic component of every commercial DBMS. Existing access control models, defined for relational DBMSs, are not suitable for an object-based database system because of the wide differences in data models. These models, in particular the discretionary ones, consider the relation or the attribute as the access control unit, in the sense that authorizations are granted on relations or, in some cases, on relation attributes. Moreover, an access control system for object-based database systems should take into account all semantic modeling constructs commonly found in object-oriented data models, such as composite objects, versions, and inheritance hierarchies. We can summarize these two observations by saying that the increased complexity in the data model corresponds to an increased articulation in the types and granularity of protection objects. In particular, as we will discuss in the remainder of this section, a key feature of both discretionary and mandatory access control models for object-based systems is to take into account all modeling aspects related to objects.

3.1.1 Discretionary Access Control Systems for Object-Based Database Systems

The first and most comprehensive discretionary access control model has been defined in the context of the Orion object-oriented DBMS [75]. Other systems implement less sophisticated models or have no access control at all. A key aspect of the Orion authorization model is the use of authorization implication rules supporting the derivation of additional authorizations, called implicit authorizations, from the ones explicitly specified by the application, called explicit authorizations. Implication rules are defined for all the three domains of authorizations, that is, objects, subjects, and modes. In particular, implication rules on objects support the derivation of authorizations from an object to all objects semantically related to it. For example, a read authorization on the root of a version hierarchy4 implies read authorizations on all the versions in the hierarchy. However, it is also possible for an authorization to be granted on a single version of an object. The use of implication rules is instrumental in providing varying granularity levels of protection without performance penalties. The Orion model also supports negative authorizations; the main purpose of this type of authorization is the support for exceptions in derived authorizations. In particular, the combined use of derived and negative authorization allows one to concisely express a large number of access control policies.

4. A version hierarchy consists of an object and all the version objects that have been derived directly or indirectly from it.

For example, consider a class with 1,000 instances; suppose that a subject has to be authorized to access all those instances except one. Under a
conventional authorization model one would have to enter 999 authorizations. Under the Orion
model, one would need to enter only two authorizations, that is, a positive authorization on
the class, which would automatically propagate to all instances, and a negative authorization
on the instance to be excluded. It is important to notice that, in Orion, authorization
implication is only possible among objects that are related by structural semantic
relationships specified according to the data model. Recently, the notion of derived
authorizations has been extended in the context of logic-based access control models to support
arbitrary authorization derivation rules, not necessarily based only on the structural
relationships among objects. The Orion authorization model also provides the notion of
authorization object schema (AOS), modeled as a graph, to represent all database granule types,
modeled as nodes, and structural relationships among these granule types, modeled as edges.
The notion of AOS, which can be considered as part of a metaschema for the authorization model,
has been recently applied to the representation of an access control model for XML data [94].

The above authorization model could be termed “structural authorization model” in that it does
not exploit the encapsulation property typical of object systems. Encapsulation is, however,
one of the most important features of the object-oriented paradigm. Encapsulation entails a
separation between an object’s status and interface. Such separation enables the clients of an
object to use the services provided by the object without having to be aware of how the
services are implemented (information hiding). Therefore, an object’s implementation may change
without impacting other objects or applications that use the services provided by the object.
The information hiding capability has, in addition, a great potential for data protection. By
“surrounding” an object with methods, it is possible to interpose an additional layer between
the object and its users. Therefore, arbitrarily complex content-based access policies can be
supported. In particular, a relational DBMS typically allows a user to develop an application
program and then grant the run authorization on this program to other users. The users
receiving authorizations on a program do not usually need to have the authorizations on the
data accessed by the program, as these authorizations are checked against the program owner. In
this way, it is possible to support authorizations on an application basis. Methods in
object-oriented databases could be used in the same way, thus providing an extensible
authorization mechanism. However, the use of methods for authorization differs from the use of
application programs in the following aspect. When application programs are used,
application-dependent access rules tend to be dispersed among the various application
programs. Therefore, it is more difficult to verify that the correct authorization policies are
applied and, moreover, modifications to these policies may require extensive changes in the
application code. By contrast, methods are tightly coupled with data objects.
Application-dependent access rules, of arbitrary complexity, are thus centralized and all
redundancies eliminated. Therefore, since an object-oriented approach enforces the principle
that changes to method implementation and object structures should not impact the clients of an
object, it is possible to modify access rules without requiring changes to the clients. Of
course, clients must be able to deal with exceptions arising from the lack of authorization.
Note that the possibility of dynamically modifying access rules is a direct consequence of the
fact that, in an object-oriented database, some of the high-level operations on data are moved
into the data. Moving these operations into the database, by implementing them as methods,
implies that access rules implemented as part of these operations are also moved into the
database. Thus, access rules are centralized and applied to all accesses made to objects. A
number of authorization models have been developed based on the use of methods; among these
the most notable are the models by Ahad et al. [4], exploiting the notions of guard functions
and proxy functions to enforce content-based access control, and by Richardson et al. [77],
providing the concepts of method implementor (the user who has written the method’s code) and
method principal (the user on whose behalf the method is executed).

A similar trend can also be observed in object-relational DBMSs, which today provide functions
for managing stored procedures that, very much like object methods, are stored and centralized
in the database. Even though stored procedures are not usually associated with strong
encapsulation principles, they can very well be used to provide an additional layer of access
control and to implement arbitrarily complex access control. In particular, the use of stored
procedures for improving database security is often recommended among best practices for
protecting databases against various types of threats, such as SQL injection [12]. However, the
use of stored procedures requires making sure that only those stored procedures are used whose
origin and behavior are well-known.

3.1.2 Mandatory Access Control Systems for Object-Based Database Systems
The application of a typical MAC model to object-based systems is not straightforward, due to
the semantic richness of object data models. Moreover, the differences both in theory and
implementation among the various OODBMSs and ORDBMSs make it very difficult to define sound
and general principles upon which a suitable MAC model can be based. To date the problem of MAC
models for object-based database systems has been investigated only in the context of
object-oriented databases; no work has been reported dealing specifically with
object-relational databases. However, despite such difficulties, the use of an object-oriented
approach offers an important advantage with respect to mandatory policies. In particular, the
fact that messages are the only means by which objects exchange information makes information
flow [36] in object systems have a natural and direct representation in terms of message
exchange among objects. By properly filtering messages among objects, according to the
specified access
control policies, it is possible to develop effective approaches to access control enforcement.

MAC models can be classified in two main categories: single-level models and multilevel models.
Models in the first category require that an object and all its features, e.g., attributes and
methods, be classified at the same access class. Models in the second category do not impose
such a restriction; however, they are rather difficult to implement in practice. Most proposed
models are thus single-level. The main reason is the simplicity of such an approach and its
compatibility with a security kernel. By using an underlying security kernel for the
enforcement of MAC properties, the layer implementing the object data management system need
not be trusted. The main drawback of single-level models, despite their simplicity of
implementation, is that applications often need objects that are multilevel. In order to
accommodate such applications, the most common approach is to use a single-level object system
and map the multilevel application objects onto several single-level objects. This approach,
first proposed by Thuraisingham in a seminal paper [89] and referred to as the multilevel
object view approach, has two variants depending on whether inheritance or aggregation is used
to support the multilevel view. Real multilevel object models are more difficult to handle and
no satisfactory approach has been proposed.

3.2 Access Control Systems for XML
XML [96] is today widely used in a large variety of applications and industry products as it
has become the standard for describing data and documents circulated across the Web. The most
important feature of XML that distinguishes it from other markup languages such as HTML is the
notion of semantic tags, allowing one to mark different portions, called elements, of a given
data item and to assign to them names that are semantically meaningful. XML can thus be seen as
the “equivalent” for Web data of the notion of data models underlying modern DBMSs. Elements
may in turn contain other elements, called subelements; thus, an XML data item or document is
often characterized by a nested organization. An element may also have associated attributes,
whose purpose is to provide additional information on the element. XML data can also be
interlinked through some special attributes, e.g., IDREFs/URI attributes. Finally, some key
features of XML are the notions of Document Type Definition (DTD) and XMLSchema, which are used
for specifying document structures, very much like a relation schema is used for intensionally
describing the structure of tuples in a relation. Note that, unlike relational data, an XML
data item or document does not necessarily have a DTD or XMLSchema of which it is an instance.
A valid⁵ XML data item or document that is an instance of some DTD (XMLSchema) is said to
conform to the DTD (XMLSchema).

5. A valid XML data (document) is a data (document) whose syntax is correct.

Because XML security is a key requirement, a large number of efforts have been reported dealing
with various security standards for XML, such as encryption and signature standards. Access
control models and mechanisms have also been widely investigated and several access control
systems, specifically tailored to XML, have been developed [18], [49], [52], [71]. A standard
access control model, known as XACML, has also been developed [72] which, however, has a
limited set of features with respect to those of more advanced data models.

The main requirements toward an access control system for XML derive from the nested structure
of XML data and from the main context of use for XML, that is, Web-based environments. The
nested structure of XML data calls for a flexible protection object granularity. The system
must be able to support a wide spectrum of protection granularity levels, identified on the
basis of both the data structure and contents. Examples of protection granularity levels are a
single document, a set of documents, an element of a document, and an attribute of a document.
Moreover, it must be possible to exploit the intended description provided by a DTD or
XMLSchema in the specification of protection objects. For example, it must be possible to
specify access control policies at the DTD/XMLSchema level, which apply to all valid documents
conforming to that DTD/XMLSchema. To address this requirement, the same techniques proposed for
access control in object-based database systems that we discussed in the previous subsection
have been adopted. Most of the proposed XML access control models thus provide
positive/negative authorizations and explicit/implicit authorizations that can be associated
with a DTD, a single document, or specific portions (elements, subelements, attributes) of a
document. Authorization propagation, typical of implicit authorization mechanisms, can apply to
various types of semantic relationships among protection objects (for instance,
element-to-subelement and element-to-attribute/link relationships). With respect to protection
objects, however, an important difference between object databases and XML data is that in the
former each object is necessarily an instance of some class and, thus, if access control
policies are specified at class level, each database object is “covered” by some access control
policy. By contrast, in an XML data source, not every data item is necessarily an instance of
some DTD (or XMLSchema); it may happen, for example, that a source imports XML data for which
no DTD (or XMLSchema) is specified. Thus, not every data item in an XML source is necessarily
covered by some access control policy. If the system uses a closed world access control
policy,⁶ users may unnecessarily be denied access to some data items. To date, this problem has
not been investigated much and the only solutions that have been proposed are those that are
part of the Author-X system [14].

6. Under a closed world access control policy, a subject is denied access to a data item if
there is no authorization for the subject.

The main context of use for XML data, that is, Web-based environments, introduces a number of
requirements for both models and architectures of access control systems. Relevant requirements
include flexible subject specifications in terms of credentials and profiles, support for
dissemination strategies, and distributed and cooperative
updates. However, whereas most of the proposed systems address in some form the first of these
requirements, solutions to the other two requirements are largely unexplored. To date, the only
solutions that have been reported are those that are part of the Author-X system [14], which
among other features provides flexible credential-based access control policies and different
access control techniques for use under two different data dissemination strategies. In
particular, it implements an encryption strategy, based on a hierarchical key management scheme
[88]; this encryption strategy, which requires the generation of a number of encryption keys
linear in the number of access control policies, is used by Author-X in combination with the
push dissemination strategy. The Author-X approach to push-based information dissemination is
based on encrypting a given document with different keys [18]; the keys are determined
according to the access control policies in such a way as to minimize the number of keys that
have to be generated. Such an approach has been recently extended and combined with proxy
reencryption schemes for use in content-based publish/subscribe systems [64]. Other notable
features of Author-X include support for: distributed cooperative updates through a combination
of hash functions, digital signature techniques and digital certificates [21], specification
and enforcement of data flow policies, and third-party data publishing, through the use of the
well-known Merkle hash trees [13]. An interesting research issue is to investigate how the
above techniques could be extended in order to support applications related to content-data
networks in peer-to-peer environments.

4 PRIVACY-PRESERVING DATA MANAGEMENT TECHNIQUES
Data represent an important asset. We see an increasing number of organizations that collect
data, often concerning individuals, and use them for various purposes, ranging from scientific
research, as in the case of medical data, to demographic trend analysis and marketing purposes.
Organizations may also give access to the data they own or even release such data to third
parties. The increased number of data sets that are thus available poses serious threats
against the privacy of individuals and organizations. Because privacy is an important concern,
several research efforts have been devoted to addressing issues related to the development of
privacy-preserving data management techniques.

A first important class of techniques deals with privacy preservation when data are to be
released to third parties. In this case, data, once released, are no longer under the control
of the organizations owning them. Therefore, the organizations that are owners of the data are
not able to control the way data are used. The most common approach to address the privacy of
released data is to modify the data by removing all information that can directly link data
items with individuals; such a process is referred to as data anonymization [86]. It is
important to note that simply removing identity information, such as names or social security
numbers, from the released data may not be enough to anonymize the data. There are many
examples that show that even when such information is removed from the released data, the
remaining data combined with other information sources may link the information to the
individuals it refers to. To overcome this problem, approaches based on generalization
techniques have been proposed, the most well-known of which is based on the notion of
k-anonymity [86].

A second class of techniques deals specifically with privacy preservation in the context of
data mining. Data mining techniques are very effective today. Thus, even though a database is
sanitized by removing private information, the use of data mining techniques may allow one to
recover the removed information. Several approaches have been proposed, some of which are
specialized for specific data mining techniques, such as tools for association rule mining or
classification systems, whereas others are independent from the specific data mining technique.
In general, all approaches are based on modifying or perturbing the data in some way; for
example, techniques specialized for privacy-preserving mining of association rules modify the
data so as to reduce the confidence of sensitive association rules. A problem common to most of
these techniques is the quality of the resulting database; if data undergo too many
modifications, they may not be useful any longer. To address these problems, techniques have
been developed to estimate the errors introduced by the modifications [73]; such estimates can
be used to drive the data modification process. A different technique in this context is based
on data sampling [32]. The idea is to release a subset of the data, chosen in such a way that
any inference that is made from the data has a low degree of confidence. Finally, in the area
of data mining, techniques have been developed, mainly based on commutative encryption
techniques, whose goal is to support distributed data mining processes on encrypted data [92].
In particular, the addressed problem deals with situations when the data to be mined is
contained at multiple sites, but the sites are unable to release the data. The solutions
involve algorithms that share some information to calculate correct results, where the shared
information can be shown not to disclose private data.

Finally, some preliminary efforts have been reported dealing with database systems specifically
tailored to support privacy policies, such as the policies that can be expressed by using the
well-known P3P standard [97]. In particular, Agrawal et al. [2] have recently introduced the
concept of Hippocratic databases, incorporating privacy protection in relational database
systems. In their paper, Agrawal et al. introduce the fundamental principles underlying
Hippocratic databases and then propose a reference architecture. An important feature of such
an architecture is that it uses some privacy metadata consisting of privacy policies and
privacy authorizations stored in privacy-policy tables and privacy-authorization tables,
respectively. The privacy policy defines the intended use,
the external-recipients, and retention period for each attribute of a table, while the privacy
authorization defines the authorized users. The proposed architecture also adds a special
attribute, “purpose,” to each table, which encodes the set of purposes that the users to whom
the data refer agreed to during the data collection process. The Hippocratic database performs
privacy checking during query processing. Every query is submitted to the database with its
intended purpose. The system first checks if the user who issued the query is present in the
set of authorized users for that purpose in the privacy-authorizations table. Next, the system
ensures that the query accesses only the fields that are explicitly listed for the query
purpose in the privacy-authorizations table. If the query is allowed to run, the system ensures
that only records whose purpose attribute includes the query purpose are visible to the query
during the execution. It is important to note that purposes are a very different notion with
respect to the notion of role, in that purposes characterize data whereas roles characterize
users. Moreover, though purposes may be considered a form of data labels and, thus, similar to
labels used in MLS DBMSs, recent approaches [30] to purpose management have some important
differences with respect to label-based approaches developed as part of MLS. These approaches
support the association of multiple purposes with the same data item and, thus, are not
restricted to a single label, and the specification of negative purposes, specifying that
certain data items should not be used for a given set of purposes. In their paper, Agrawal et
al. also discuss various technical challenges and problems in designing Hippocratic databases,
such as efficiency, disclosure, retention, and safety. To date, many of those problems have yet
to be addressed.

5 CHALLENGES—WHY PROTECTING DATABASES IS EVEN MORE DIFFICULT TODAY
Despite the increased focus by research and industry toward improving security of our cyber
infrastructures, today the protection of data, entrusted to enterprise information systems, is
more challenging than ever. There are several factors underlying this trend.

Data security concerns are evolving. In addition to the traditional requirements of data
confidentiality, integrity and availability, new requirements are emerging such as data quality
[69], completeness, timeliness, and provenance [35]. In particular, it is important that data
be complete, correct, and up-to-date with respect to the external world. The increasing quality
of data will make data more valuable. Highly valuable data increase both the potential gain
from unauthorized access and the potential damage that can be done if the data are corrupted.
The amount of data is increasingly large: “It is estimated that the amount of information in
the world is doubling every 20 months, and the size and number of databases are increasing even
faster” [1]. Therefore, protection mechanisms must be able to scale well.

We see increasing “disintermediation”⁷ in data accesses. The intermediate information
processing steps typically carried out by corporate employees, such as typing an order received
over the phone, are removed. Users who are outside the traditional corporate boundary can have
direct and immediate online access to business information which pertains to them. In a
traditional environment, any access to sensitive information is through employees. Although
employees are not always reliable, at least they are known, their access to sensitive data is
limited by their function, and employees violating access policies may be subject to
disciplinary action. When activities are moved to the Internet, the environment drastically
changes. Today, due also to the offshoring of data management functions and the globalization
of business enabled by the Internet, companies may know little or nothing about the users
(including, in many cases, employees) accessing their systems and it is more difficult for
companies to deter users from accessing information contrary to company policies. Finally, as a
result of trends toward ubiquitous computing, data must be available to users anywhere anytime.

7. The term “disintermediation” means removing the middleman. It is today a popular buzzword
used to describe many Internet-based businesses that use the WWW to sell products directly to
customers rather than going through traditional retail channels.

Because of these increased risks, the adequate protection of information systems, managing and
making available large data volumes, is not an option any longer. Not only will damage to the
data affect a company’s businesses and operations, it could also have legal consequences on
companies especially if, as discussed by Schneier [83], laws were to be promoted enforcing
liability of software products and applications. As Schneier argues in his paper, in the very
near future insurance companies will move into cyber-insurance and we can certainly expect that
“they will start charging different premiums for different security levels.” All the above
motivations are thus strong drivers for the systematic adoption of solutions that are more
articulated and comprehensive than the ones available today. Not only must adequate solutions
be developed and deployed, but organizations also need to show that they comply with security
and privacy requirements. In particular, research efforts need to be devoted to a large number
of topics including:
• Data Quality and Completeness. Users increasingly rely on information they find on the Web.
  This is the case, for example, of medical information. However, users do not, in general,
  have guarantees that the data is complete and of acceptable quality. We need techniques and
  organizational solutions to assess and attest the quality of data. Techniques in this respect
  may include simple mechanisms such as quality stamps that are posted on Web sites. Other
  techniques include providing more effective integrity semantics verification and the use of
  tools for the assessment of data quality, based on techniques such as record linkage.
  Application-level recovery techniques are also needed for automatically repairing incorrect
  data.
• Intellectual Property Rights (IPR). Data in many cases are the results of intellectual
  activities of individuals and organizations. Questions concerning IPR are thus becoming
  increasingly relevant. To address some of these concerns, watermarking techniques for
  relational data have been recently proposed [84], [85] which can be used to detect IPR
  violations. Research is however needed to assess the robustness of such techniques and to
  investigate different approaches aimed at preventing IPR violations.
• Access control and privacy for mobile users. Users will be increasingly mobile and will have
  a large variety of devices available to them. Moreover, the deployment of computing power and
  sensors in every-day environments will make it possible for users to be always connected,
  sometimes without even being aware of it. In such contexts, several issues are relevant.
  Users will execute many more activities online; information about user identities, profiles,
  credentials, and permissions will be more frequently required. Such information will need to
  be secure and reliable; reliable user identification will be increasingly crucial. It is thus
  important on the one hand to develop techniques for efficient storage of security-relevant
  information on small devices; a relevant example in this respect is represented by the notion
  of portable access rights recently proposed by Bykova and Atallah [29]. On the other hand, it
  is important that access control mechanisms be integrated with standards being developed for
  identity management [57] as well as with trust negotiation techniques [23]. Because
  large-sized streams of data are generated in such environments, efficient techniques for
  access control must be devised and integrated with processing techniques for continuous
  queries. Finally, the privacy of user location data, acquired from sensors and communication
  networks, must be assured.
• Database survivability. This is an important topic which has been largely unexplored, despite
  its relevance. Survivability refers to the ability of the database system to continue its
  functions, possibly with reduced capabilities, despite disruptive events, such as information
  warfare attacks. To date, issues related to database survivability have not been investigated
  much. Liu [58] has proposed four database architectures for intrusion-tolerant database
  systems that focus on the containment of malicious transactions. Even though this is an
  important initial step, much more research needs to be devoted to techniques and
  methodologies assuring database system survivability.

6 CONCLUDING REMARKS
Data security and in particular protection of data from unauthorized accesses remain important
goals of any data management system. In this paper, we have outlined research results and
practical developments and we have discussed open research issues. The area of database
security includes several other relevant topics, such as inference control and statistical
database security, for which we refer the readers to [91] and [37], [38], respectively. Though
these topics were investigated several years ago, they are still relevant today, especially in
the context of privacy-preserving techniques. Other relevant issues that we have not covered
here include security for GIS data, an increasingly important area for homeland security, for
information-grid architectures and for sensor data as well as privacy and security for Web
services and the semantic Web [46]. These applications all have interesting and novel security
requirements that are still largely unexplored.

ACKNOWLEDGMENTS
The authors would like to thank the anonymous referees and Mahesh Tripunitara of Purdue
University for the many invaluable suggestions that led to a much improved version of this
paper. The work of Elisa Bertino is supported in part by the US National Science Foundation
under the Project “Collaborative Research: A Comprehensive Policy-Driven Framework For Online
Privacy Protection: Integrating IT, Human, Legal, and Economic Perspectives,” by an IBM
Fellowship, and by the sponsors of CERIAS.

REFERENCES
[1] R. Agrawal, R. Srikant, and Y. Xu, “Database Technologies for Electronic Commerce,” Proc. Very Large Databases Conf. (VLDB), 2002.
[2] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu, “Hippocratic Databases,” Proc. 28th Int’l Conf. Very Large Databases (VLDB), 2002.
[3] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu, “Order-Preserving Encryption for Numeric Data,” Proc. 2004 ACM Sigmod Conf., 2004.
[4] R. Ahad, J. Davis, S. Gower, P. Lyngbaek, A. Marynowski, and E. Onuegbe, “Supporting Access Control in an Object-Oriented Database Language,” Proc. Int’l Conf. Extending Database Technology (EDBT), 1992.
[5] G.J. Ahn and R. Sandhu, “Role-Based Authorization Constraints Specification,” ACM Trans. Information and System Security, vol. 3, no. 4, pp. 207-226, 2000.
[6] M.M. Astrahan, M.W. Blasgen, D.D. Chamberlin, K.P. Eswaran, J. Gray, P.P. Griffiths, W.F. King III, R.A. Lorie, P.R. McJones, J.W. Mehl, G.R. Putzolu, I.L. Traiger, B.W. Wade, and V. Watson, “System R: A Relational Approach to Database Management,” ACM Trans. Database Systems, vol. 1, no. 2, pp. 97-137, 1976.
[7] S. Axelsson, “Intrusion Detection Systems: A Survey and Taxonomy,” Technical Report No. 99-15, Dept. of Computer Eng., Chalmers Univ. of Technology, Sweden, 2000.
[8] J. Bacon, K. Moody, and W. Yao, “A Model of OASIS Role-Based Access Control and its Support for Active Security,” ACM Trans. Information and System Security, vol. 5, no. 4, pp. 492-540, 2002.
[9] D.E. Bell and L.J. LaPadula, “Secure Computer Systems: Unified Exposition and Multics Interpretation,” Technical Report MTR-2997, The Mitre Corp., Bedford, Mass., 1976.
[10] E. Bertino, C. Bettini, E. Ferrari, and P. Samarati, “An Access Control Model Supporting Periodicity Constraints and Temporal Reasoning,” ACM Trans. Database Systems, vol. 23, no. 3, pp. 231-285, 1998.
[11] E. Bertino, P. Bonatti, and E. Ferrari, “TRBAC: A Temporal Role-Based Access Control,” ACM Trans. Information and System Security, vol. 4, no. 3, pp. 191-233, 2001.
[12] E. Bertino, D. Bruschi, S. Franzoni, I. Nai-Fovino, and S. Valtolina, “Threat Modeling for SQL Server,” Proc. Eighth IFIP TC-6 and TC-11 Conf. Comm. and Multimedia Security (CMS 2004), Sept. 2004.
[13] E. Bertino, B. Carminati, E. Ferrari, B. Thuraisingham, and A. Gupta, “Selective and Authentic Third-Party Distribution of XML Documents,” IEEE Trans. Knowledge and Data Eng., vol. 17, no. 1, pp. 4-23, 2004.
[14] E. Bertino, S. Castano, and E. Ferrari, “Securing XML Documents with Author-X,” IEEE Internet Computing, vol. 5, no. 3, pp. 21-30, 2001.
[15] E. Bertino, B. Catania, and E. Ferrari, “A Nested Transaction Model for Multilevel Secure Database Management Systems,” ACM Trans. Information and System Security, vol. 4, no. 4, pp. 321-370, 2001.
[16] E. Bertino, B. Catania, E. Ferrari, and P. Perlasca, “A Logical Framework for Reasoning About Access Control Models,” ACM Trans. Information and System Security, vol. 6, no. 1, pp. 71-127, 2003.
[17] E. Bertino and E. Ferrari, “Administration Policies in a Multipolicy Authorization System,” Proc. 10th Ann. IFIP Working Conf. Database Security, Aug. 1997.
[18] E. Bertino and E. Ferrari, “Secure and Selective Dissemination of XML Documents,” ACM Trans. Information and System Security, vol. 5, no. 3, pp. 290-331, 2002.
[19] E. Bertino, E. Ferrari, and V. Atluri, “An Approach for the Specification and Enforcement of Authorization Constraints in Workflow Management Systems,” ACM Trans. Information and System Security, vol. 2, no. 1, pp. 65-104, 1999.
[20] E. Bertino, J. Fan, E. Ferrari, M.S. Hacid, A. Elmagarmid, and X. Zhou, “A Hierarchical Access Control Model for Video Database Systems,” ACM Trans. Information Systems, vol. 21, no. 2, pp. 155-191, 2003.
[21] E. Bertino, E. Ferrari, and G. Mella, “An Approach to Cooperative Updates of XML Documents in Distributed Systems,” J. Computer Security, to appear.
[36] D.E. Denning, “A Lattice Model of Secure Information Flow,” Comm. ACM, vol. 19, no. 5, pp. 236-243, 1976.
[37] D.E. Denning, “Secure Statistical Databases with Random Sample Queries,” ACM Trans. Database Systems, vol. 5, no. 3, pp. 291-315, 1980.
[38] D.E. Denning and J. Schlörer, “A Fast Procedure for Finding a Tracker in a Statistical Database,” ACM Trans. Database Systems, vol. 5, no. 1, pp. 88-102, 1980.
[39] US Dept. of Defense, Trusted Computer System Evaluation Criteria, DOD 5200.28-STD, Dept. of Defense, Washington, D.C., 1975.
[40] Y. Diao, S. Rivzi, and M. Franklin, “Toward an Internet-Scale XML Dissemination Service,” Proc. Very Large Databases Conf., 2004.
[41] A. Eisenberg and J. Melton, “SQL:1999, Formerly Known as SQL 3,” SIGMOD Record, 1999.
[42] R. Fagin, “On an Authorization Mechanism,” ACM Trans. Database Systems, vol. 3, no. 3, pp. 310-319, 1978.
[43] Federal Trade Commission, “FTC Announces Settlement with Bankrupt Website, Toysmart.com, Regarding Alleged Privacy Policy Violations,” July 2000, available at www.ftc.gov/opa/2000/07/toysmart2.htm.
[44] E.B. Fernandez, R.C. Summers, and T. Lang, “Definition and Evaluation of Access Rules in Data Management Systems,” Proc. Very Large Databases Conf., 1975.
[45] E.B. Fernandez, R.C. Summers, and C. Wood, Database Security and Integrity. Addison-Wesley, Feb. 1981.
[46] E. Ferrari and B.M. Thuraisingham, “Security and Privacy for Web Databases and Services,” Advances in Database Technology—EDBT 2004, Proc. Ninth Int’l Conf. Extending Database Technology, Mar. 2004.
[47] D. Ferraiolo, R. Sandhu, S. Gavrila, R. Kuhn, and R. Chandramouli, “Proposed NIST Standard for Role-based Access Control,” ACM Trans. Information and System Security, vol. 4, no. 3, pp. 224-274, 2001.
[48] D. Ferraiolo, R. Chandramouli, and R. Kuhn, Role-Based Access Control. Artech House, Apr. 2003.
[49] A. Gabillon and E. Bruno, “Regulating Access to XML Documents,” Proc. 15th Ann. IFIP WG 11.3 Working Conf. Database Security, July 2001.
[22] E. Bertino, E. Ferrari, and L. ParasilitiProvenza, “Signature and Access Control Policies,” Proc. 2003 European Symp. Research in
Computer Security (ESORICS-03), Oct. 2003. [50] J. Gray and A. Reuter, Transaction Processing: Concepts and
[23] E. Bertino, E. Ferrari, and A. Squicciarini, “A Peer-to-Peer Techniques. Morgan Kaufmann, 1993.
Framework for Trust Establishment,” IEEE Trans. Knowledge and [51] P.G. Griffiths and B. Wade, “An Authorization Mechanism for a
Data Eng., vol. 16, no. 7, pp. 827-842, 2004. Relational Database,” ACM Trans. Database Systems, vol. 1, no. 3,
[24] E. Bertino and L.M. Haas, “Views and Security in Distributed pp. 242-255, 1976.
Database Management Systems,” Proc. Int’l Conf. Extending [52] H. He and R.K. Wong, “A Role-Based Access Control for XML
Database Technology, Mar. 1988. Repositories,” Proc. First Int’l Conf. Web Information Systems Eng.
[25] E. Bertino, D. Leggieri, and E. Terzi, “Securing DBMS: Character- (WISE ’00), 2000.
izing and Detecting Query Flood,” Proc. Ninth Information Security [53] HIPAA, Health Insurance Portability and Accountability Act of
Conf. (ISC ’04), Sept. 2004. 1996, available at http://www.hep-c-alert.org/links/hipaa.html,
[26] E. Bertino, S. Jajodia, and P. Samarati, “Database Security: 1996.
Research and Practice,” Information Systems, vol. 20, no. 7, [54] B. Iyer, S. Mehrotra, E. Mykletun, G. Tsudik, and Y. Wu, “A
pp. 537-556, 1995. Framework for Efficient Storage Security in RDBMS,” Proc.
[27] E. Bertino, S. Jajodia, and P. Samarati, “An Extended Authoriza- Seventh Int’l Conf. Extending Database Technology (EDBT 2004),
tion Model,” IEEE Trans. Knowledge and Data Eng., vol. 9, no. 1, Mar. 2004.
pp. 85-101, 1997. [55] S. Jajodia, R. Sandhu, and B. Blaustein, “Solutions to the
[28] R. Bhatti, E. Bertino, A. Ghafoor, and J. Joshi, “XML-Based Polyinstantiation Problem,” Information Security: An Integrated
Specification for Web Services Document Security,” Computer, Collection of Essays, vol. 1, M.A. Abrams et al. eds., IEEE CS Press,
vol. 37, no. 4, pp. 41-49, 2004. pp. 493-529, 1994.
[29] M. Bykova and M. Atallah, “Succint Specification of Portable [56] N. Li and M. Tripunitara, “Security Analysis in Role-Based Access
Document Access Policies,” Proc. Ninth ACM Symp. Access Control Control,” Proc. Ninth ACM Symp. Access Control Models and
Models and Technologies (SACMAT 2004), June 2004. Technologies (SACMAT 2004), June 2004.
[30] J.W. Byun, E. Bertino, and N. Lui, “Purpose-Based Access Control [57] Liberty Alliance Project (www.projectliberty.org), 2001.
for Privacy Protection in Relational Database Systems,” CERIAS [58] P. Liu, “Architectures for Intrusion Tolerant Database Systems,”
Technical Report 2004-52, Purdue Univ., 2004. Proc. 18th Ann. Computer Security Applications Conf. (ACSAC 2002),
[31] D.W. Chadwick, A. Otenko, and E. Ball, “Role-Based Access Dec. 2002.
Control With X.509 Attribute Certificates,” IEEE Internet Comput- [59] D.E. Denning, T.F. Lunt, R.R. Schell, W.R. Shockley, and M.
ing, vol. 7, no. 2, pp. 62-69, 2003. Heckman, “The Sea View Security Model,” IEEE Trans. Software
[32] C. Clifton, “Using Sample Size to Limit Exposure to Data Mining,” Eng., vol. 16, no. 6, pp. 593-607, 1990.
J. Computer Security, vol. 8, no. 4, Nov. 2000. [60] G. Karjoth, “Access Control with IBM Tivoli Access Manager,”
[33] COPPA, Children’s Online Privacy Protection Act of 1998, Oct. 1998, ACM Trans. Information and System Security, vol. 6, no. 2, pp. 232-
available at www.cdt.org/legislation/105th/privacy/coppa.html. 257, 2003.
[34] J. Crampton and G. Loizou, “Administrative Scope: A Foundation [61] G. Karjoth, M. Schunter, E. VanHerreweghen, “Translating
for Role-Based Administration,” ACM Trans. Information and Privacy Practices into Privacy Promises—How to Promise What
System Security, vol. 6, no. 2, pp. 201-231, 2003. You Can Keep,” Proc. IEEE POLICY Workshop, 2003.
[35] Y. Cui and J. Widom, “Lineage Tracing for General Data [62] C. Kaufman, R. Perlman, and M. Speciner, Network Security:
Warehouse Transformations,” VLDB J., vol. 12, no. 1, pp. 41-58, Private Communication in a Public World, second ed. Prentice-Hall,
2003. 2002.
[63] A. Kern, M. Kuhlmann, R. Kuropka, and A. Ruthert, “A Meta Model for Authorisations in Application Security Systems and their Integration into RBAC Administration,” Proc. Ninth ACM Symp. Access Control Models and Technologies (SACMAT 2004), June 2004.
[64] H. Khurana, “Scalable Security and Accounting Services for Content-Based Publish/Subscribe Systems,” Proc. Symp. Applied Computing (SAC05), Mar. 2005.
[65] M. Koch, L. Mancini, and F. Parisi-Presicce, “Administrative Scope in the Graph-based Framework,” Proc. Ninth ACM Symp. Access Control Models and Technologies (SACMAT 2004), June 2004.
[66] N. Kodali, C. Farkas, and D. Wijesekera, “An Authorization Model for Digital Libraries,” Int’l J. Digital Libraries, vol. 4, no. 3, pp. 156-170, 2004.
[67] R. Kuhn, “Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role-Based Access Control Systems,” Proc. Second ACM Workshop Role-Based Access Control, June 1997.
[68] J.B. Joshi, E. Bertino, U. Latif, and A. Ghafoor, “A Generalized Temporal Role Based Access Control Model,” IEEE Trans. Knowledge and Data Eng., vol. 17, no. 1, pp. 4-23, 2005.
[69] P. Missier, G. Lalk, V.S. Verykios, F. Grillo, T. Lorusso, and P. Angeletti, “Improving Data Quality in Practice: A Case Study in the Italian Public Administration,” Distributed and Parallel Databases, vol. 13, no. 2, pp. 135-160, 2003.
[70] J.E. Moss, Nested Transactions: An Approach to Reliable Distributed Computing. MIT Press, 1985.
[71] M. Murata, A. Tozawa, M. Kudo, and S. Hada, “XML Access Control Using Static Analysis,” Proc. 10th ACM Conf. Computer and Comm. Security, Nov. 2003.
[72] OASIS Consortium, eXtensible Access Control Markup Language (XACML) Committee Specification, Version 1.1, available at: http://www.oasis-open.org/committees/xacml/, 2000.
[73] S.R.M. Oliveira and O.R. Zaiane, “Privacy Preserving Frequent Itemset Mining,” Proc. IEEE ICDM Workshop Privacy, Security and Data Mining, 2002.
[74] Oracle, The Virtual Private Database in Oracle9iR2, available at http://otn.oracle.com/deploy/security/oracle9iR2/pdf/VPD9ir2twp.pdf, 2000.
[75] F. Rabitti, E. Bertino, W. Kim, and D. Woelk, “A Model of Authorization for Next-Generation Database Systems,” ACM Trans. Database Systems, vol. 16, no. 1, pp. 88-131, 1991.
[76] C. Ramaswamy and R. Sandhu, “Role-Based Access Control Features in Commercial Database Management Systems,” Proc. 21st Nat’l Information Systems Security Conf., pp. 503-511, Oct. 1998.
[77] J. Richardson, P. Schwarz, and L.F. Cabrera, “CACL: Efficient Fine-Grained Protection for Objects,” Proc. Int’l Conf. Object-Oriented Programming Systems, Languages, and Applications (OOPSLA), 1992.
[78] S. Rizvi, A. Mendelzon, S. Sudarshan, and P. Roy, “Extending Query Rewriting Techniques for Fine-Grained Access Control,” Proc. ACM Sigmod Conf., June 2004.
[79] R. Sandhu, “Lattice-Based Access Control Models,” Computer, vol. 26, no. 11, pp. 9-19, 1993.
[80] R. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman, “Role-Based Access Control Models,” Computer, vol. 29, no. 2, pp. 38-47, 1996.
[81] R. Sandhu and F. Chen, “The Multilevel Relational Data Model,” ACM Trans. Information and System Security, vol. 1, no. 1, pp. 93-132, 1998.
[82] O. SamySayadjari, “Multilevel Security: Reprise,” IEEE Security and Privacy, vol. 3, no. 5, 2004.
[83] B. Schneier, “Hacking the Business Climate for Network Security,” Computer, vol. 37, no. 4, pp. 87-89, 2004.
[84] R. Sion, M. Atallah, and S. Prabhakar, “Resilient Rights Proofs for Sensor Streams,” Proc. Conf. Very Large Databases, Sept. 2004.
[85] R. Sion, M. Atallah, and S. Prabhakar, “Protecting Rights Proofs for Relational Data using Watermarking,” IEEE Trans. Knowledge and Data Eng., vol. 16, no. 12, pp. 1509-1525, 2004.
[86] L. Sweeney, “Achieving k-Anonymity Privacy Protection Using Generalization and Suppression,” Int’l J. Uncertainty, Fuzziness and Knowledge-Based Systems, vol. 10, no. 5, 2002.
[87] R. Thomas and R. Sandhu, “Task-Based Authorization Controls (TBAC) Models for Active and Enterprise-Oriented Authorization Management,” Database Security XI: Status and Prospects, T.Y. Lin and S. Qian, eds., pp. 262-275, 1998.
[88] W.G. Tzeng, “A Time-Bound Cryptographic Key Assignment Scheme for Access Control in a Hierarchy,” IEEE Trans. Knowledge and Data Eng., vol. 14, no. 1, pp. 182-188, 2002.
[89] B. Thuraisingham, “Mandatory Security in Object-Oriented Database Systems,” Proc. Int’l Conf. Object-Oriented Programming Systems, Languages, and Applications (OOPSLA), 1989.
[90] B. Thuraisingham, Database and Applications Security: Integrating Databases and Applications Security. CRC Press, Dec. 2004.
[91] B.M. Thuraisingham, W. Ford, M. Collins, and J. O’Keeffe, “Design and Implementation of a Database Inference Controller,” Data Knowledge Eng., vol. 11, no. 3, pp. 271-285, 1993.
[92] J. Vaidya and C. Clifton, “Privacy Preserving Association Rule Mining in Vertically Partitioned Data,” Proc. Eighth ACM SIGKDD Int’l Conf. Knowledge Discovery and Data Mining, July 2002.
[93] J. Widom and S. Ceri, Active Database Systems: Triggers and Rules For Advanced Database Processing. Morgan Kaufmann, 1996.
[94] J. Wang and S. Osborn, “A Role-Based Approach to Access Control for XML Databases,” Proc. Ninth ACM Symp. Access Control Models and Technologies (SACMAT 2004), June 2004.
[95] C. Wood and E.B. Fernandez, “Decentralized Authorization in a Database System,” Proc. Conf. Very Large Databases, 1979.
[96] World Wide Web Consortium, Extensible Markup Language (XML), 1.0, 1998, available at: http://www.w3.org/TR/REC-xml.
[97] World Wide Web Consortium, Platform for Privacy Preferences (P3P), available at www.w3.org/P3P, 1994.
[98] T.W. Yan and H. Garcia-Molina, “The SIFT Information Dissemination System,” ACM Trans. Database Systems, vol. 24, no. 4, pp. 529-565, 1999.

Elisa Bertino is a professor of computer science and of electrical and computer engineering at Purdue University and serves as the research director of CERIAS. She is also a faculty member in the Department of Computer Science and Communication of the University of Milan, where she is the director of the DB&SEC laboratory. She has been a visiting researcher at the IBM Research Laboratory (now Almaden) in San Jose, at the Microelectronics and Computer Technology Corporation, and at Telcordia Technologies. Her main research interests include security, privacy, database systems, object-oriented technology, and multimedia systems. In those areas, she has published more than 250 papers in all major refereed journals and in international conferences and symposia proceedings. Her research has been funded by several entities and organizations both in the USA and Europe, including the US National Science Foundation, the European Union under the Fifth and Sixth Research Program Framework, IBM, Telcordia, Microsoft, and the Italian Telecom. She is a coauthor of the books Object-Oriented Database Systems: Concepts and Architectures (Addison-Wesley, 1993), Indexing Techniques for Advanced Database Systems (Kluwer Academic, 1997), and Intelligent Database Systems (Addison-Wesley, 2001). She is a coeditor-in-chief of the Very Large Database Systems (VLDB) Journal and a member of the advisory board of the IEEE Transactions on Knowledge and Data Engineering. She also serves on the editorial boards of several scientific journals, including IEEE Internet Computing, ACM Transactions on Information and System Security, IEEE Transactions on Dependable and Secure Computing, the Journal of Computer Security, Data & Knowledge Engineering, the International Journal of Cooperative Information Systems, and Science of Computer Programming. She has served as a program committee member of several international conferences, such as ACM SIGMOD, VLDB, and ACM OOPSLA, as program cochair of the 1998 IEEE International Conference on Data Engineering (ICDE), as program chair of the 2000 European Conference on Object-Oriented Programming (ECOOP 2000), as program chair of the Seventh ACM Symposium on Access Control Models and Technologies (SACMAT 2002), and as program chair of the 2004 Extending Database Technology (EDBT 2004) Conference. She is a fellow of the IEEE and a fellow of the ACM. She received the 2002 IEEE Computer Society Technical Achievement Award for “outstanding contributions to database systems and database security and advanced data management systems.”

Ravi Sandhu received the BTech and MTech degrees in electrical engineering from the Indian Institutes of Technology at Bombay and Delhi, respectively, and the MS and PhD degrees in computer science from Rutgers University. He is a professor of information security and assurance and the director of the Laboratory for Information Security Technology (www.list.gmu.edu) at George Mason University, and chief scientist and cofounder of TriCipher, Inc. He is a leading authority on access control, authorization, and authentication models and protocols, and is especially known for his seminal and highly influential work in role-based access control. He is a fellow of the ACM and a fellow of the IEEE. He has published more than 150 technical papers on computer security in refereed journals, conference proceedings, and books. He founded the ACM Transactions on Information and System Security (TISSEC) in 1997 and served as editor-in-chief until 2004. He served as the chairman of ACM’s Special Interest Group on Security Audit and Control (SIGSAC) from 1995 to 2003, and founded and led the ACM Conference on Computer and Communications Security (CCS) and the ACM Symposium on Access Control Models and Technologies (SACMAT) to high reputation and prestige. Most recently, he founded the IEEE Workshop on Pervasive Computing Security (PERSEC) in 2004. His research has been sponsored by numerous public and private organizations, currently including Intel, the US National Science Foundation, and ARDA. He has provided high-level security consulting services to several private and government organizations. Dr. Sandhu has also served as the principal designer and security architect of TriCipher’s identity management appliance, which earned the coveted FIPS 140 level 2 rating from NIST.