
1 Data and Applications Security: Developments and Directions
Dr. Bhavani Thuraisingham, The University of Texas at Dallas
Lecture #3: Access Control in Data Management Systems
January 21, 2011

2 Outline
- Discretionary Access Control in Relational Databases
- Mandatory Access Control in Relational Databases
  - Security Constraints
- Types of Access Control
  - Inference problem, Role-based, Temporal, Usage
- Access Control in Other Databases
  - Objects, Federated
- Current Trends in Access Control
  - Data Warehousing, Semantic Web, Privacy Control
- Next Steps in Access Control

3 Access Control in Relational Databases: 1975 - Present
- Access control policies were developed initially for file systems
  - E.g., read/write policies for files
- Access control in databases started with the work in the System R and Ingres projects
  - Access control rules were defined for databases, relations, tuples, attributes and elements
  - SQL and QUEL languages were extended
- GRANT and REVOKE statements
- Read access on EMP to user group A where EMP.Salary < 30K and EMP.Dept is not Security
  - Query modification:
    - Modify the query according to the access control rules
    - Retrieve all employee information where salary < 30K and Dept is not Security

4 Query Modification Algorithm
- Inputs: Query, Access Control Rules
- Output: Modified Query
- Algorithm:
  - Given a query Q, examine all the access control rules relevant to the query
  - Introduce a WHERE clause to the query that negates access to the relevant attributes in the access control rules
- Example: the rules are that John does not have access to Salary in EMP and Budget in DEPT
  - The query is to join the EMP and DEPT relations on Dept #
  - Modify the query to join EMP and DEPT on Dept # and project on all attributes except Salary and Budget
  - Output is the resulting query
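As an added example (not from the lecture), here is the query-modification step of slides 3 and 4 in Python: rules that deny an attribute are subtracted from the projection, and a content-based rule such as the group A rule on slide 3 is negated into the WHERE clause. The Rule and Query structures, the EMP/DEPT schema and the emitted SQL text are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    """`user` may NOT see `attribute` of `relation` (attribute None = whole relation).
    If `condition` is given, the rule is content-based: only the rows that satisfy
    `condition` (an SQL predicate) are forbidden."""
    user: str
    relation: str
    attribute: Optional[str]
    condition: Optional[str] = None

@dataclass
class Query:
    relations: List[str]
    columns: List[str]                       # "REL.attr" entries, or ["*"]
    where: List[str] = field(default_factory=list)

# Hypothetical schema for the slide's EMP/DEPT join example.
SCHEMA: Dict[str, List[str]] = {"EMP": ["Ename", "Salary", "Dept"],
                                "DEPT": ["Dept", "Dname", "Budget"]}
RULES = [
    Rule("John", "EMP", "Salary"),           # slide 4: John may not see Salary ...
    Rule("John", "DEPT", "Budget"),          # ... nor Budget
    Rule("GroupA", "EMP", None,              # slide 3: group A sees EMP only where
         "EMP.Salary >= 30000 OR EMP.Dept = 'Security'"),  # these forbidden rows do NOT hold
]

def modify_query(q: Query, user: str, rules: List[Rule], schema=SCHEMA) -> str:
    """Fold the user's rules into the query and return the modified SQL."""
    relevant = [r for r in rules if r.user == user and r.relation in q.relations]
    # Expand "*" so forbidden attributes can be subtracted explicitly.
    cols = ([f"{rel}.{a}" for rel in q.relations for a in schema[rel]]
            if q.columns == ["*"] else list(q.columns))
    where = list(q.where)
    for r in relevant:
        if r.condition is None:            # simple rule: drop the attribute(s)
            cols = [c for c in cols
                    if not (c.split(".")[0] == r.relation
                            and r.attribute in (None, c.split(".")[1]))]
        else:                              # content-based rule: negate the forbidden rows
            where.append(f"NOT ({r.condition})")
    if not cols:
        raise PermissionError(f"{user} may not see any attribute of {q.relations}")
    sql = f"SELECT {', '.join(cols)} FROM {', '.join(q.relations)}"
    return sql + (" WHERE " + " AND ".join(where) if where else "")
```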

5 Mandatory Access Control (MAC) in Databases: 1982 - Present
- Bell and LaPadula policy adapted for databases
  - Read at or above your level and write at your level; granularity of classification: databases, relations, tuples, attributes, elements
- Security Architectures
  - Operating system providing mandatory access control, with the DBMS untrusted with respect to MAC (e.g., SRI's SeaView)
  - Trusted Subject Architecture, where the DBMS is trusted with respect to MAC (e.g., TRW's ASD and ASD Views)
  - Integrity Lock, where a trusted front-end computes checksums (e.g., MITRE's MISTRESS prototype)
  - Distributed Architecture, where data is distributed according to security levels and accessed through a trusted front-end (e.g., NRL's SINTRA)
  - Extended Kernel for security policy enforcement such as constraints (e.g., Honeywell's Lock Data Views)
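An added example (not from the slides) of the element-level granularity listed above: a multilevel relation with a label on every element, and the view a subject with a given clearance may read (elements whose label the clearance dominates are shown, the rest are withheld). The MISS relation, its labels and the four-level ordering are constructed for this example.

```python
from typing import Dict, List, Tuple

# Linear ordering of sensitivity levels (constructed for this example).
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

def dominates(higher: str, lower: str) -> bool:
    return LEVELS[higher] >= LEVELS[lower]

# A multilevel relation: every element is (value, label). The first attribute
# (Ship) is the key; its label decides whether the tuple exists at all for a reader.
Row = Dict[str, Tuple[str, str]]
MISS: List[Row] = [
    {"Ship": ("Enterprise", "U"), "Location": ("Naples", "C"), "Mission": ("Spying", "TS")},
    {"Ship": ("Voyager", "S"),    "Location": ("Gulf", "S"),   "Mission": ("Supply", "S")},
]

def read_view(relation: List[Row], clearance: str, key: str = "Ship") -> List[Dict[str, str]]:
    """Filter `relation` for a subject cleared at `clearance`.
    Tuples whose key label is not dominated are invisible; other elements above the
    clearance come back as None, so the reader learns neither the value nor its label."""
    view = []
    for row in relation:
        if not dominates(clearance, row[key][1]):
            continue
        view.append({attr: (val if dominates(clearance, label) else None)
                     for attr, (val, label) in row.items()})
    return view

def can_write(subject_level: str, element_label: str) -> bool:
    """Write at your own level only, as on the slide: a Secret subject may neither
    overwrite Unclassified data nor write into Top Secret elements."""
    return subject_level == element_label
```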

6 Security Constraints / Access Control Rules
- Simple constraint: John cannot access the attribute Salary of relation EMP
- Content-based constraint: If relation MISS contains information about missions in the Middle East, then John cannot access MISS
- Association-based constraint: Ship's location and mission taken together cannot be accessed by John; individually each attribute can be accessed by John
- Release constraint: After X is released, Y cannot be accessed by John
- Aggregate constraint: Ten or more tuples taken together cannot be accessed by John
- Dynamic constraint: After the mission, information about the mission can be accessed by John

7 Enforcement of Security Constraints (architecture diagram)
- User Interface Manager
- Constraint Manager, holding the Security Constraints
- Query Processor: constraints during query and release operations
- Update Processor: constraints during update operation
- Database Design Tool: constraints during database design operation
- Database, managed by a relational DBMS

8 Other Developments in Access Control
- Inference Problem and Access Control
  - The inference problem occurs when users pose queries and deduce unauthorized information from the legitimate responses
  - Security constraint processing for controlling inferences
  - More recently there is work on controlling the release of information instead of controlling access to information
- Temporal Access Control Models
  - Incorporate a time parameter into the access control models
- Role-based Access Control
  - Controlling access based on the roles of people and the activities they carry out; implemented in commercial systems
- Positive and Negative Authorizations
  - Should negative authorizations be explicitly specified? How can conflicts be resolved?

9 Some Examples
- Temporal Access Control
  - After 1/1/05, only doctors have access to medical records
- Role-based Access Control
  - Manager has access to salary information
  - Project leader has access to project budgets, but does not have access to salary information
  - What happens if the manager is also the project leader?
- Positive and Negative Authorizations
  - John has write access to EMP
  - John does not have read access to DEPT
  - John does not have write access to the Salary attribute in EMP
  - How are conflicts resolved?

10 Usage Control
- The Usage Control (UCON) model goes beyond traditional access control
  - Developed by Sandhu et al.
- Consists of the following
  - Policies of authorizations, obligations and conditions
  - Authorization decisions are determined by policies on the subject, object and right
  - Obligations are actions that are required to be performed before or during the access process
  - Conditions are environment restrictions that are required to be valid before or during the access process
- Many policies can be expressed using UCON
- Extensions are being proposed for temporal usage control

11 Access Control in Other Types of Databases
- Object Databases
  - Controlling access to classes, object instances, instance variables, method execution, etc.
  - E.g., MCC's ORION model, both for discretionary security and mandatory security
- Distributed Databases
  - Extend access control for relational databases to a distributed environment across the nodes
- Federated Databases
  - Integrate security policies exported by the component database systems and form a federated policy
- Deductive Databases
  - Logic for secure data and knowledge base systems, e.g., NTML (Non-monotonic Typed Multilevel Logic)

12 Access Control in Databases: Current Trends (1996 - Present)
- Data Warehousing
  - Controlling access to aggregate information in the Warehouse
- Multimedia Database Systems
  - Geospatial Information Systems
- Web Databases
  - E-Commerce and Knowledge Management, Collaboration/Workflow
- Semantic Web
  - XML, RDF, Information Integration
- Dependable Databases
  - Real-time/Embedded Database Systems
  - Sensor/Stream Database Systems

13 Data Warehouse (architecture diagram)
- Back-end data sources: Oracle DBMS for Employees, Sybase DBMS for Projects, Informix DBMS for Travel
- Data Warehouse: data correlating Employees with Travel patterns and Projects; could be any DBMS, e.g., relational
- Users query the Warehouse
- Challenge: controlling access to the Warehouse and at the same time enforcing the access control policies enforced by the back-end database systems

14 Enforcing Access Control for Data Mining Algorithms
- Query the data and extract information previously unknown
- Whenever data is accessed, check the access control rules
- Examine the access control rules to determine whether the mined information can be released to the user
- Extensions to the inference problem

15 Access Control for Multimedia Databases
- Access control for text, images, audio and video
- Granularity of protection
  - Text
    - John has access to Chapters 1 and 2 but not to 3 and 4
  - Images
    - John has access to portions of the image
    - Access control for pixels?
  - Video and Audio
    - John has access to Frames 1000 to 2000
    - Jane has access only to scenes in the US
  - Security constraints
    - Association-based constraints, e.g., collections of images are classified

16 Access Control for Web Databases
- Secure web data management issues include:
  - Extending traditional security mechanisms for web databases
    - Access control models
    - Integrating security policies
    - Secure query, indexing and transaction management strategies
    - Security impact of integrating heterogeneous databases
  - Security specific to the web
    - Security for unstructured databases such as multimedia, XML and RDF documents
    - Security impact on ontology management
    - Privacy violations due to data mining
    - Protecting intellectual property, e-payment systems

17 Secure Semantic Web
- According to Tim Berners-Lee, the Semantic Web supports
  - Machine readable and understandable web pages
- Layers for the Semantic Web: security cuts across all layers
- Challenge: not only integrating the layers for the Semantic Web, but also ensuring secure interoperability
- Layer diagram (bottom to top): URI, UNICODE; XML, XML Schemas; RDF, Ontologies; Rules/Query; Logic, Proof and Trust; Other Services. SECURITY and PRIVACY run alongside all layers.

18 XML Security
- Some ideas have evolved from research in secure multimedia/object data management
- Access control and authorization models
  - Protecting entire documents, parts of documents, propagation of access control privileges; protecting DTDs vs document instances; secure XML Schemas
- Update policies and dissemination policies
- Secure publishing of XML documents
  - How do you minimize trust for third-party publication?
- Use of encryption
- Inference problem for XML documents
  - Portions of documents taken together could be sensitive, individually not sensitive

19 Security and Ontologies
- Access control for ontologies
  - Who can access which parts of the ontologies
  - E.g., a Professor can access all patents of the department, while the Secretary can access only the descriptions of the patents in the patent ontology
  - Can we apply the research on secure metadata management to secure ontology management?
- Ontologies for security applications
  - Use ontologies for specifying security/privacy policies
  - Integrating heterogeneous policies may involve integrating ontologies and resolving inconsistencies

20 Privacy Constraints / Access Control Rules
- Privacy constraints processing
  - Simple constraint: an attribute of a document is private
  - Content-based constraint: if a document contains information about X, then it is private
  - Association-based constraint: two or more documents taken together are private; individually each document is public
  - Release constraint: after X is released, Y becomes private
- Augment a database system with a privacy controller for constraint processing

21 Integrated Architecture for Privacy Constraint Processing (architecture diagram)
- User Interface Manager
- Constraint Manager, holding the Privacy Constraints
- Query Processor: constraints during query and release operations
- Update Processor: constraints during update operation
- Database Design Tool: constraints during database design operation
- Database (XML / relational DBMS)
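An added example (not from the slides) of the Constraint Manager and Query Processor of slides 7 and 21, applying the constraint kinds listed on slide 6 at release time: simple, content-based, association-based, release, aggregate and dynamic. The privacy constraints of slide 20 are the same kinds with "private" as the verdict, so one class serves both. The Constraint structure, the MISS rows and the users John and Jane are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

@dataclass(frozen=True)
class Constraint:
    kind: str                      # simple | content | association | release | aggregate | dynamic
    user: str
    relation: str
    attrs: FrozenSet[str] = frozenset()                 # attributes the constraint governs
    predicate: Optional[Callable[[dict], bool]] = None  # content: True => the row is sensitive
    trigger: Optional[str] = None  # release: attr whose release blocks attrs; dynamic: event that unblocks them
    limit: int = 0                 # aggregate: this many rows or more may not go out together

class ConstraintManager:
    def __init__(self, constraints):
        # constraints; per-user attributes already released; events that have occurred
        self.cs, self.released, self.events = constraints, defaultdict(set), set()

    def release(self, user, relation, attrs, rows):
        """Constraint processing during a query/release operation: trims the requested
        attributes and rows, records what went out, and returns the releasable result."""
        attrs, seen = set(attrs), self.released[user]
        for c in (c for c in self.cs if c.user == user and c.relation == relation):
            if c.kind == "simple":
                attrs -= c.attrs
            elif c.kind == "content":
                rows = [r for r in rows if not c.predicate(r)]
            elif c.kind == "association" and c.attrs <= attrs | seen:
                blocked = c.attrs - seen                  # the combination would become known:
                if blocked == c.attrs:                    # withhold what is not yet out, but if
                    blocked = blocked - {min(blocked)}    # nothing is out yet, one attribute may go
                attrs -= blocked
            elif (c.kind == "release" and c.trigger in seen) or \
                 (c.kind == "dynamic" and c.trigger not in self.events):
                attrs -= c.attrs
            elif c.kind == "aggregate" and len(rows) >= c.limit:
                rows = rows[: c.limit - 1]
        seen |= attrs
        return [{a: r[a] for a in sorted(attrs)} for r in rows] if attrs else []

# Constructed sample data: the MISS relation of slide 6, with constraints on John and Jane.
MISS = [
    {"Ship": "Enterprise", "Location": "Naples", "Mission": "Supply", "Region": "Europe"},
    {"Ship": "Voyager", "Location": "Gulf", "Mission": "Patrol", "Region": "Middle East"},
    {"Ship": "Intrepid", "Location": "Tokyo", "Mission": "Visit", "Region": "Asia"},
]
RULES = [
    Constraint("content", "John", "MISS", predicate=lambda r: r["Region"] == "Middle East"),
    Constraint("association", "John", "MISS", frozenset({"Location", "Mission"})),
    Constraint("dynamic", "Jane", "MISS", frozenset({"Mission"}), trigger="mission_over"),
    Constraint("aggregate", "Jane", "MISS", limit=3),
]
```

Because the manager remembers past releases, a later request for Mission alone is refused once John has already received Location, which is the release-history view of the association constraint.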

22 Federated Data Management Systems for National Security and Privacy (architecture diagram)
- Component Data/Policy for Agency A, Agency B and Agency C
- Each component exports Data/Policy to the federation
- Federated Data Mining / Federated Security Policy formed from the exported data and policies

23 Other Policies
- Trust Policies
  - To what extent do you trust the source of the data?
  - How can trust be propagated?
  - Adding a trust value to each piece of data
  - A trusts B and B trusts C; does this mean A trusts C?
  - A department head sends messages to all the faculty; however, he/she may not trust a particular person
  - Developing a language to specify trust
- Integrity Policies
  - Maintaining the quality of the data
  - Adding an attribute to each piece of data to specify the quality
  - Quality also depends on how much you trust the source
  - Algebra for data quality

24 Access Control in Databases: Next Steps
- Access control in databases will continue to be very important
  - We also need to examine alternatives
- We need new kinds of access control models
  - 1975 models may not be suitable for emerging applications such as the semantic web, e-commerce and stream data management
  - Role-based access control has become very popular and is now implemented in commercial systems. What variations of this model are appropriate for emerging applications?
- End-to-end security is critical
  - We cannot have secure databases and have insecure networks and middleware; composability
- Flexible security policies
  - Confidentiality, Authenticity, Completeness, Integrity, Trust, Privacy, Data Quality, etc.

