Database access controls

This summary reviews security associated with database access controls.  Database compromises often involve compromise of access controls (Sandhu & Samarati, 1994). Examples of access control compromise include abuse of legitimate access control, privilege escalation, and privilege abuse (Rohilla & Mittal, 2013). Access control compromises occur due to inherent complexities and the lack of appropriate design and coordination of access controls within the system infrastructure where databases reside. For example, access controls should be separate and segregated from authentication. Authentication establishes or verifies the identity of a user, while access controls determine appropriate access rights and range of actions for legitimate users (Sandhu & Samarati, 1994).

Purpose of Access Controls
The purpose of access controls is to define ownership of objects such as a file and permitted actions on objects within an entity at an individual user, individual object, or group level (Goodrich & Tamassia, 2011). Access controls are implemented through policies and through hardware and software mechanisms (Sandhu & Samarati, 1994). One typical implementation of access controls is the use of Access Control Lists (ACLs) where the relationships between subjects (or users) and objects are explicitly defined. Access controls exist at multiple levels across information systems such as the operating system (OS), file system, software application, and database.

Vet Access Control Policies
Database access controls should be derived from and associated with overall organization access control policies. Ideally, access controls begin with the definition of well-defined access control policies (Sandhu & Samarati, 1994). Policies may be discretionary or mandatory, and should incorporate a role-based approach. Access controls may be specific to a particular information system component, and may need to be tailored to the component. For instance, the Linux operating system employs discretionary access controls (DAC) (Goodrich & Tamassia, 2011). Configuration of the Linux OS should include fine-tuning DAC at folder and file levels to ensure consistent application of centralized access controls. Without appropriate vetting, gaps in access controls could lead to scenarios such as abuse of local user account privilege abuse.

Access control policies should also be designed into a database at multiple levels that include appropriate configuration of database users and roles and well-defined views of data that may combine generic data with highly sensitive data (Bertino, Bruschi, Franzoni, Nai-Fovino, & Valtolina, 2005; Denning, Akl, Morgenstern, Neumann, Schell, & Heckman, 1986). One example view scenario requiring access control definition is generic diagnosis code data is combined with patient data. In more advanced systems, use of frameworks such as INTER-TRUST may be useful in deploying security policies (Horcas, Pinto, Fuentes, Mallouli, & de Oca, 2016).

Employ Layered Controls
Access controls between a database and other information system resources or components should have consistent deployment of access controls. This achieves layered security in that consistency delivers broad reinforcement of acceptable use of database resources while restricting illegitimate use. Such deployment provides for enablement of separation of duties and least privilege (Sandhu & Samarati, 1994). One approach to broad and controlled deployment is the use of role-based access controls.

When there is variation in access controls across system resources such as a restricted database residing on a host with administrative-level user accounts (admin accounts), the restricted database could become more susceptible to compromise. An attacker with an admin account may be able to copy and exfiltrate the database without the need to modify database access controls. Information system resources with different access control policies can be combined to deliver appropriate protections (Sandhu & Samarati, 1994).

In addition to consistent definition of access controls, the privileges afforded to differing levels of users or groups should also be consistently defined. Privileges define the set of actions that may be completed (Goodrich & Tamassia, 2011). Actions are often defined as read, write, and view. In a database, a user role that is defined for viewing a limited set of tables should not have increased privileges for writing data if the purpose of the role is reading data.

Importance of Centralized Controls
Centralization of access controls enables management of the relationship between information system resources and assures consistency between policies and implemented access controls. With respect to databases, access controls can be managed at a local database level or through a centralized mechanism such as Microsoft Active Directory (AD) services. The use of local database controls may be sufficient for smaller databases, but larger database entities should be centralized. As an example, Microsoft SQL server databases can be integrated with Microsoft AD so that a user’s individual Windows account can be used for database logon (Bertino, Bruschi, Franzoni, Nai-Fovino, & Valtolina, 2005). This creates several benefits such reduced number of user accounts and single account access per user. Without centralization, the increased burden of database-specific accounts and access control can contribute to scenarios such as a single database super-user account that is broadly shared for database use. This creates a vulnerability where an insider threat could wrongfully use access rights and compromise the confidentiality and database records by viewing or copying sensitive data (Rohilla & Mittal, 2013).

Changing Default Conditions
Default user accounts and access control settings may be vulnerabilities within databases and across other information systems resources (Bertino, Bruschi, Franzoni, Nai-Fovino, & Valtolina, 2005). Attackers use reconnaissance tools that are pre-programmed with default setting detection in order to pinpoint easier-to-compromise systems. For database vulnerabilities such as SQL injection where manipulated SQL code is used to extract database records, default settings may dramatically reduce the time needed to accomplish compromise and unnecessarily expose sensitive data (Rohilla & Mittal, 2013).

There are several security measures that can be used to address default account and access control configurations (Bertino, Bruschi, Franzoni, Nai-Fovino, & Valtolina, 2005). One option is the removal or disablement of default accounts. Another option is modifying access controls or limited access controls. In the event that default accounts and access controls cannot be modified, other security measures should be employed. This could include using encrypted network communications or limiting systems access such as restricting access to a database’s host system to database administrators.

Auditing Controls for Issues
Auditing access controls is important to ensuring appropriate use and corroborating consistency between physically implemented access controls and access control policies. Auditing may involve review of access control configurations or evaluation of logs. With respect to a database, access controls should be viewed for specifically defined users and roles and for associated database objects (Sandhu & Samarati, 1994). Within many databases, this involves review of users and of granted permissions which are table-specific and may be shared and inherited (Goodrich & Tamassia, 2011). With respect to a database logs, access control logs are likely to exist in the form of user authentication logs. While these logs may not detail access control, they should be reviewed for suspicious user account logon activity that could be correlated to misuse of access controls. In the event of a compromise, logs may also provide evidence to identify the scope, magnitude, timeline, and method of compromise (Ely, 2010).

Access Control Use with Other Security Measures
Access controls are intended to limit the rights of legitimate users (Sandhu & Samarati, 1994). Access controls co-exist with properly defined authentication, secure administration, auditing, and encryption to provide adequate protection in achieving the confidentiality, integrity, and availability of information resources.

With respect to databases, it is critical to use defense-in-depth in the application of security measures within a database and through external mechanism that use and support a database. Within a database, access controls work in concert with privilege establishment, authentication, and potentially encryption. Database design best practices such as not storing cleartext passwords are also important. Externally, the database’s host system, network and associated applications reinforce and contribute vital security protections.

References:

Bertino, E., Bruschi, D., Franzoni, S., Nai-Fovino, I., & Valtolina, S. (2005). Threat modelling for SQL Servers. In Communications and Multimedia Security (pp. 159-171). Springer US.

Denning, D. E., Akl, S. G., Morgenstern, M., Neumann, P. G., Schell, R. R., & Heckman, M. (1986, April). Views for multilevel database security. In Security and Privacy, 1986 IEEE Symposium on (pp. 156-156). IEEE.

Ely, A. (2010, August). What to do when your database gets breached. Retrieved from http://www.darkreading.com/attacks-breaches/what-to-do-when-your-database-gets-breached/d/d-id/1134151

Ferraiolo, D. F., Sandhu, R., Gavrila, S., Kuhn, D. R., & Chandramouli, R. (2001). Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security (TISSEC), 4(3), 224-274.

Goodrich, M. T., & Tamassia, R. (2011). Introduction to computer security. Boston: Pearson.

Horcas, J. M., Pinto, M., Fuentes, L., Mallouli, W., & de Oca, E. M. (2016). An approach for deploying and monitoring dynamic security policies. Computers & Security, 58, 20-38.

Rohilla, S., & Mittal, P. K. (2013). Database security: Threats and challenges. International Journal of Advanced Research in Computer Science and Software Engineering, 3(5).

Sandhu, R. S., & Samarati, P. (1994). Access control: principle and practice. IEEE communications magazine, 32(9), 40-48.