In summary, although the security capabilities of relational database systems have improved in recent years, many areas still require improvement. The next section describes security features of newly emerging database products that are designed to provide more effective controls that are also more easily managed.
DEVELOPMENTS IN DATABASE SECURITY
New methods of securing databases are being introduced that should sim-
plify administrative tasks, facilitate implementation of least privilege and
separation of functions, and offer improved overall database capabilities.
These features shift more of the burden of enforcing security controls from
the application to the database, thereby providing greater consistency of
security enforcement across multiple applications that use the same data.
Privilege Management
The proper enforcement of system and object privileges is of primary importance in database management. An object privilege refers to the right to perform a particular action on a specified table, view, or other named database object (e.g., to update the DEPARTMENT table). A system privilege refers to the right to execute a particular system command or to globally perform a particular action on a class of objects (e.g., to select from any table).
A new trend is to provide a finer granularity of database privileges, in particular, system privileges. It is possible to define roles among administrative staff more narrowly by unbundling system privileges from a fixed set of three or four preset definitions. For example, rather than the database administrator holding all system privileges, only the privileges appropriate to a specific function can be granted for such functions as system backup, user account management, security, auditing, and application administration. This capability makes it easier to enforce controls on the basis of the principle of least privilege.
For example, Oracle Corp.'s relational database product, ORACLE Relational Database Management System, Version 7.0, allows database privileges to be grouped into entities called roles. The database administrator can create a role named CLERK and then grant to that role the database privileges needed for clerks to perform their duties. This role can be granted to all clerks in the organization, making it unnecessary to grant individual privileges to each clerk. The CLERK role can also be granted to the CLERK/MANAGER role, conveniently giving the manager all staff privileges. The use of roles greatly simplifies the assignment and maintenance of privileges in a relational database.
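The following SQL is an added example, not code from the original text or from Oracle, showing both ideas above in one script: unbundled administrative roles built from specific system privileges (the finer-granularity trend), and the CLERK and manager roles built from object privileges. The object, user and role names (DEPARTMENT, EMPLOYEE, CLERK_MANAGER, ACCT_ADMIN, AUDIT_ADMIN, jsmith, mjones) are assumptions; CLERK_MANAGER stands in for the text's CLERK/MANAGER, since a slash would require a quoted identifier. The statements use standard Oracle DDL (CREATE ROLE, GRANT, REVOKE) and the DBA_ROLE_PRIVS and ROLE_SYS_PRIVS dictionary views, and are written to be run by a DBA account.

```sql
-- Added example (not from the original text): least-privilege roles in Oracle.
-- All names below are assumed for illustration.

-- 1. Unbundle administrative system privileges into narrow roles
--    instead of giving one DBA account everything.
CREATE ROLE acct_admin;                 -- user account management only
GRANT CREATE USER, ALTER USER, DROP USER TO acct_admin;

CREATE ROLE audit_admin;                -- auditing configuration only
GRANT AUDIT SYSTEM, AUDIT ANY TO audit_admin;

-- Deliberately NOT granted to any of these roles: SELECT ANY TABLE,
-- the broad system privilege the text uses as its example. An account
-- administrator does not need to read application data.

-- 2. Application roles built from object privileges.
CREATE ROLE clerk;
GRANT SELECT, UPDATE ON department TO clerk;     -- "update the DEPARTMENT table"
GRANT SELECT ON employee TO clerk;

CREATE ROLE clerk_manager;
GRANT clerk TO clerk_manager;                    -- manager inherits all clerk rights
GRANT INSERT, DELETE ON employee TO clerk_manager;

-- 3. Assign roles to people rather than privileges to people.
GRANT clerk TO jsmith;
GRANT clerk_manager TO mjones;
GRANT acct_admin TO mjones;                      -- mjones also manages accounts

-- 4. Separation of functions: revoke a privilege from the role and every
--    holder loses it at once; no per-user cleanup is needed.
REVOKE DELETE ON employee FROM clerk_manager;

-- 5. Checks a practitioner should run after provisioning.
-- Who holds which role (direct grants only; nested roles appear under the role name):
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('CLERK', 'CLERK_MANAGER', 'ACCT_ADMIN', 'AUDIT_ADMIN')
 ORDER BY granted_role, grantee;

-- Confirm no "ANY" system privilege leaked into the narrow roles:
SELECT role, privilege
  FROM role_sys_privs
 WHERE role IN ('ACCT_ADMIN', 'AUDIT_ADMIN', 'CLERK', 'CLERK_MANAGER')
   AND privilege LIKE '%ANY%';
-- Expected: no rows.
```

Two points are worth noting. The grant of CLERK to CLERK_MANAGER is what gives the manager "all staff privileges"; every later change to CLERK propagates to the manager automatically, which is the maintenance benefit the text describes, but it also means a privilege added to CLERK by mistake reaches managers as well, so the final two queries belong in a periodic review. ADMIN_OPTION in DBA_ROLE_PRIVS should be 'NO' for ordinary holders; a user who can re-grant a role defeats the separation of functions the roles were created for.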
Cooperative Systems Security
Various system controls are becoming available that enhance database
security. Database systems are being designed to interface with operating