Databases Reference
In-Depth Information
Some organizations may consider implementing multilevel databases
only for selected applications that process proprietary information, while
continuing to run other applications at a single security level on existing
systems. If this configuration is selected, it should be verified that the
multilevel product can support the interoperability of multilevel and
single-level applications.
There are now several multilevel relational database products from
which to choose. These products can be run either on standard multilevel
operating systems or compartmented mode workstations, which are
multilevel secure workstations that offer window capabilities.
IDENTIFYING SECURITY REQUIREMENTS
In reviewing the security of a database system, the auditor should not
evaluate only the security features of the database product itself. It
is also important to identify the security requirements of the overall
system, of which the database is only one component. What is the minimum
level of security required by the organization as a whole? Are there any
specific applications that require enhanced data protection? Answers to such
questions help determine whether discretionary or mandatory access
controls are required.
The architecture of the relational database should also be evaluated to
determine whether it provides a portable, transparent, and secure
foundation for applications processing. A database management architecture that
is independent of the operating system platform provides improved
system portability as well as greater ease in evaluating and implementing
system controls.
The prospective database system should also be designed to interface
smoothly with other components of the overall system, including the
operating system, network, user authentication devices, and other applications that
affect security. Such a transparent user interface offers users a more
seamless view of security controls by providing the appropriate controls at each
level of the system (e.g., log-on security at the system access level, file
security at the operating system level, and database security at the object level).
IMPLEMENTING DATABASE SECURITY
There are two basic approaches to implementing improved database
security controls. As is done in most environments, existing database
applications can be migrated to a more secure database management
system; or, where possible, completely new applications can be built. In
the case of migration, assuming that there are no major compatibility
problems, implementation efforts focus on the transfer of data using
export-import (i.e., migration) utilities and on the implementation of any
new system control features.