$r_{db}) \rightarrow R)$ is annotated with access information specific to the database user $u_{db}$ and role $r_{db}$, respectively. The process is repeated for the other relations in $DB_{obj}$ until all sub-paths from database accounts/roles to the relations in $DB_{obj}$ have been annotated with respective access information.
After completing the instantiation of access correlations at the database layer, i.e., sub-paths of the form $(u_{db} \rightarrow R)$ and $((u_{db} \rightarrow r_{db}) \rightarrow R)$, the next step is to obtain more fine-grained information about access correlations between application users and database accounts, and to annotate the respective paths with this information. Although some database systems record remote database calls in their audit trails, audit trails typically do not provide sufficient information to associate a particular application account, let alone a person, with an operation against a relation. While a simple access correlation between an application account and a database account can be determined by inspecting the database calls in the application programs, more fine-grained information can only be obtained by audit log correlation (see, e.g., [4]). A particular case of interest is when accounts are shared, as illustrated in Figure 3 for applications $A_2$ and $A_3$. For example, in the case of accesses to the database from application $A_2$, if it is known that the database account $u_{db}$ has been used to perform some operations on a relation $R$, one would like to know which application account (and thus possibly which person) was responsible for these operations. If the application keeps a log of logons, authentication events and calls of, e.g., remote procedures, then such a correlation can be established by an appropriate comparison of the timestamps in the application logs with those in the database audit trail. In the ideal case, such a technique would associate an application account (and application session) with exactly one user session in a user profile. This fine-grained information is then used to annotate the sub-paths connecting application accounts with database accounts.
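The timestamp-based correlation described above, worked through as an added example (this is not code from the chapter or from reference [4]). It assumes a constructed application log with LOGON/LOGOFF events that name the application account, the application session and the database account the session uses, and a constructed database audit trail with one operation per line. An audit record is attributed to an application account only when exactly one session using that database account was open at the record's timestamp; overlapping sessions on a shared database account are reported as ambiguous rather than guessed, and records with no open session are reported as unattributed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample application log (hypothetical format): one LOGON and
# one LOGOFF per application session, each session bound to a database
# account. Sessions S1 and S2 overlap on the shared account u_db.
APP_LOG = """\
2024-03-01T09:00:00 LOGON  app_user=alice app_session=S1 db_account=u_db
2024-03-01T09:30:00 LOGOFF app_user=alice app_session=S1 db_account=u_db
2024-03-01T09:20:00 LOGON  app_user=bob   app_session=S2 db_account=u_db
2024-03-01T10:00:00 LOGOFF app_user=bob   app_session=S2 db_account=u_db
2024-03-01T10:30:00 LOGON  app_user=carol app_session=S3 db_account=u_db
2024-03-01T11:00:00 LOGOFF app_user=carol app_session=S3 db_account=u_db
"""

# Constructed sample database audit trail: timestamp, database account,
# operation, relation.
DB_AUDIT = """\
2024-03-01T09:05:00 u_db SELECT R
2024-03-01T09:25:00 u_db UPDATE R
2024-03-01T10:45:00 u_db SELECT R
2024-03-01T12:00:00 u_db SELECT R
"""


@dataclass
class Session:
    app_user: str
    session_id: str
    db_account: str
    start: datetime
    end: Optional[datetime] = None  # None: no LOGOFF seen, treated as still open


@dataclass
class AuditEvent:
    ts: datetime
    db_account: str
    operation: str
    relation: str


def parse_sessions(app_log: str) -> List[Session]:
    """Pair LOGON/LOGOFF lines into sessions keyed by app_session."""
    sessions: Dict[str, Session] = {}
    for line in app_log.splitlines():
        if not line.strip():
            continue
        ts, event, *rest = line.split()
        attrs = dict(field.split("=", 1) for field in rest)
        sid = attrs["app_session"]
        when = datetime.fromisoformat(ts)
        if event == "LOGON":
            sessions[sid] = Session(attrs["app_user"], sid, attrs["db_account"], when)
        elif event == "LOGOFF" and sid in sessions:
            sessions[sid].end = when
    return list(sessions.values())


def parse_audit(db_audit: str) -> List[AuditEvent]:
    events = []
    for line in db_audit.splitlines():
        if line.strip():
            ts, acct, op, rel = line.split()
            events.append(AuditEvent(datetime.fromisoformat(ts), acct, op, rel))
    return events


def candidate_sessions(event: AuditEvent, sessions: List[Session]) -> List[Session]:
    """Application sessions on the event's database account that were open
    at the event's timestamp."""
    return [
        s for s in sessions
        if s.db_account == event.db_account
        and s.start <= event.ts
        and (s.end is None or event.ts <= s.end)
    ]


def correlate(app_log: str, db_audit: str):
    """Annotate (application account -> database account) sub-paths with the
    operations attributable to them. Returns (annotations, ambiguous,
    unattributed); only unambiguous attributions become annotations."""
    sessions = parse_sessions(app_log)
    annotations: Dict[Tuple[str, str], Set[Tuple[str, str]]] = {}
    ambiguous: List[AuditEvent] = []
    unattributed: List[AuditEvent] = []
    for ev in parse_audit(db_audit):
        cands = candidate_sessions(ev, sessions)
        if len(cands) == 1:
            key = (cands[0].app_user, ev.db_account)
            annotations.setdefault(key, set()).add((ev.operation, ev.relation))
        elif cands:
            ambiguous.append(ev)   # shared account, overlapping sessions
        else:
            unattributed.append(ev)  # no application session open at that time
    return annotations, ambiguous, unattributed


if __name__ == "__main__":
    ann, amb, unattr = correlate(APP_LOG, DB_AUDIT)
    for (app_user, db_acct), ops in sorted(ann.items()):
        print(f"{app_user} -> {db_acct}: {sorted(ops)}")
    print("ambiguous:", [(e.ts.isoformat(), e.operation) for e in amb])
    print("unattributed:", [(e.ts.isoformat(), e.operation) for e in unattr])
```

On the constructed input the 09:25 UPDATE falls inside both alice's and bob's sessions on the shared account and stays ambiguous; the chapter's "ideal case" of exactly one user session per application account is precisely the condition under which every record lands in a single candidate session. Clock skew between the application host and the database server is the main practical reason for widening the match with a tolerance, which this example does not do.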
The above annotation techniques for different components of access paths demonstrate that a focused, data-centric discovery of access correlations in a complex information system infrastructure is feasible using existing techniques for data and user profiling as well as for log correlation. In particular, the techniques show the utility of a reverse engineering approach to extract access information at different components and to present this information to security personnel for further exploration. Such explorations and subsequent security re-engineering tasks can take various forms, the most important one dealing with unused privileges violating the principle of least privilege.
Using access profile information associated with database accounts and relations, it is now possible to evaluate how a database account $u_{db}$ operates on a relation $R$ over time. For example, during the instantiation of access path components using information from the data dictionary, an access correlation $(u_{db} \rightarrow r_{db}) \rightarrow R$ is established. Assume this edge represents the update and select permissions $u_{db}$ has on $R$. If the access profile for this path component only contains information about select statements against $R$ and the time window has been chosen appropriately, then the account $u_{db}$ likely does not need
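The unused-privilege evaluation just described, as an added example that is not the chapter's own code. It assumes a constructed data-dictionary extract mapping each (database account, relation) edge to its granted privileges, a constructed access profile of observed operations with timestamps, and a hypothetical minimum observation window (30 days here) standing in for the chapter's "appropriately chosen" time window: a privilege is reported as unused only when the window is long enough, and an edge with no observed operations at all is reported with all of its privileges unused.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str]  # (database account, relation)

# Constructed data-dictionary extract: privileges granted on each edge.
GRANTED: Dict[Edge, Set[str]] = {
    ("u_db", "R"): {"SELECT", "UPDATE"},
    ("u_db", "S"): {"SELECT", "INSERT"},
    ("v_db", "R"): {"SELECT"},
    ("w_db", "R"): {"DELETE"},   # never exercised in the profile below
}

# Constructed access profile: timestamp, database account, operation, relation.
PROFILE = """\
2024-01-05T10:00:00 u_db SELECT R
2024-02-10T11:00:00 u_db SELECT R
2024-03-15T12:00:00 u_db INSERT S
2024-03-16T12:00:00 u_db SELECT S
2024-03-16T13:00:00 v_db SELECT R
"""


def parse_profile(text: str) -> List[Tuple[datetime, str, str, str]]:
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, acct, op, rel = line.split()
            rows.append((datetime.fromisoformat(ts), acct, op, rel))
    return rows


def observation_window_ok(start: datetime, end: datetime,
                          min_window: timedelta = timedelta(days=30)) -> bool:
    """A window shorter than min_window cannot show that a privilege is
    unused; infrequent but legitimate operations (e.g. month-end batch
    updates) would be missed."""
    return end - start >= min_window


def observed_operations(profile_text: str, start: datetime,
                        end: datetime) -> Dict[Edge, Set[str]]:
    """Operations actually seen on each edge within [start, end]."""
    seen: Dict[Edge, Set[str]] = {}
    for ts, acct, op, rel in parse_profile(profile_text):
        if start <= ts <= end:
            seen.setdefault((acct, rel), set()).add(op)
    return seen


def unused_privileges(granted: Dict[Edge, Set[str]], profile_text: str,
                      start: datetime, end: datetime,
                      min_window: timedelta = timedelta(days=30)) -> Dict[Edge, Set[str]]:
    """Granted privileges not exercised within the window, per edge."""
    if not observation_window_ok(start, end, min_window):
        raise ValueError(f"observation window shorter than {min_window}")
    seen = observed_operations(profile_text, start, end)
    result: Dict[Edge, Set[str]] = {}
    for edge, ops in granted.items():
        unused = ops - seen.get(edge, set())
        if unused:
            result[edge] = unused
    return result


def revoke_statements(unused: Dict[Edge, Set[str]]) -> List[str]:
    """Candidate REVOKE statements for review by security personnel."""
    return [
        f"REVOKE {op} ON {rel} FROM {acct};"
        for (acct, rel), ops in sorted(unused.items())
        for op in sorted(ops)
    ]


if __name__ == "__main__":
    window = (datetime(2024, 1, 1), datetime(2024, 4, 1))
    findings = unused_privileges(GRANTED, PROFILE, *window)
    for edge, ops in sorted(findings.items()):
        print(f"{edge[0]} -> {edge[1]}: granted but unused {sorted(ops)}")
    for stmt in revoke_statements(findings):
        print(stmt)
```

The output is a list of candidates, not an automatic revocation: the account may hold UPDATE on R for a code path that did not run in the window, so the statements are meant to be confirmed against the application's database calls before being applied.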