Chapter 5 Database and Cloud Security

Databases
• Structured collection of data stored for use by one or more applications
• Contains the relationships between data items and groups of data items
• Can sometimes contain sensitive data that needs to be secured

Query language
• Provides a uniform interface to the database

Database management system (DBMS)
• Suite of programs for constructing and maintaining the database
• Offers ad hoc query facilities to multiple users and applications

Figure 5.1 DBMS Architecture (components shown: database utilities, user applications, user queries, DDL processor, DML and query language processor, database description tables, authorization tables, concurrent access tables, transaction manager, file manager, physical database; DDL = data definition language, DML = data manipulation language)

Relational Databases
• Table of data consisting of rows and columns
o Each column holds a particular type of data
o Each row contains a specific value for each column
• Ideally has one column where all values are unique, forming an identifier/key for that row
• Enables the creation of multiple tables linked together by a unique identifier that is present in all tables
• Use a relational query language to access the database
o Allows the user to request data that fit a given set of criteria

Table 5.1 Basic Terminology for Relational Databases
Relation / table / file
Tuple / row / record
Attribute / column / field
Primary key
• Uniquely identifies a row
• Consists of one or more column names
Foreign key
• Links one table to attributes in another
View / virtual table
• Result of a query that returns selected rows and columns from one or more tables

Figure 5.3 Abstract Model of a Relational Database (N records by M attributes A1 ... AM; entry xij is the value of attribute Aj in record i)

Figure 5.4 Relational Database Example
(a) Two tables in a relational database

Department Table (primary key: Did)
Did  Dname             Dacctno
4    human resources   528221
8    education         202035
9    accounts          709257
13   public relations  755827
15   services          223945

Employee Table (primary key: Eid; foreign key: Did)
Ename    Did  Salarycode  Eid   Ephone
Robin    15   23          2345  6127092485
Neil     13   12          5088  6127092246
Jasmine  4    26          7712  6127099348
Cody     15   22          9664  6127093148
Holly    8    23          3054  6127092729
Robin    8    24          2976  6127091945
Smith    9    21          4490  6127099380

(b) A view derived from the database
Dname             Ename    Eid   Ephone
human resources   Jasmine  7712  6127099348
education         Holly    3054  6127092729
education         Robin    2976  6127091945
accounts          Smith    4490  6127099380
public relations  Neil     5088  6127092246
services          Robin    2345  6127092485
services          Cody     9664  6127093148

Structured Query Language (SQL)
• Standardized language to define schema, manipulate, and query data in a relational database
• Several similar versions of ANSI/ISO standard
o All follow the same basic syntax and semantics
• SQL statements can be used to:
o Create tables
o Insert and delete data in tables
o Create views
o Retrieve data with query statements

SQL Injection Attacks (SQLi)
• One of the most prevalent and dangerous network-based security threats
• Designed to exploit the nature of Web application pages
• Sends malicious SQL commands to the database server
• Most common attack goal is bulk extraction of data
• Depending on the environment, SQL injection can also be exploited to:
o Modify or delete data
o Execute arbitrary operating system commands
o Launch denial-of-service (DoS) attacks
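As an added example, not from the textbook or its slides, of the injection technique the following slides describe and of two of the countermeasures they list (parameterized query insertion and a run-time check against a model of expected queries), using the Employee table of Figure 5.4 in an in-memory SQLite database. The expected-query model (EXPECTED_SKELETONS, conforms_to_model) is a simplified, hypothetical stand-in for a real run-time prevention tool.

```python
import re
import sqlite3

# Employee table from Figure 5.4 of the chapter, loaded into an in-memory
# SQLite database so the example runs offline.
EMPLOYEES = [
    ("Robin", 15, 23, 2345, "6127092485"),
    ("Neil", 13, 12, 5088, "6127092246"),
    ("Jasmine", 4, 26, 7712, "6127099348"),
    ("Cody", 15, 22, 9664, "6127093148"),
    ("Holly", 8, 23, 3054, "6127092729"),
    ("Robin", 8, 24, 2976, "6127091945"),
    ("Smith", 9, 21, 4490, "6127099380"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employee (Ename TEXT, Did INTEGER, "
                 "Salarycode INTEGER, Eid INTEGER PRIMARY KEY, Ephone TEXT)")
    conn.executemany("INSERT INTO Employee VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    return conn

def build_vulnerable_sql(ename):
    # Defective pattern: the user-supplied text is pasted into the statement,
    # so a quote inside it terminates the string literal prematurely and what
    # follows is parsed as SQL (the injection technique the chapter describes).
    return "SELECT Ename, Ephone FROM Employee WHERE Ename = '" + ename + "'"

def phone_lookup_vulnerable(conn, ename):
    return conn.execute(build_vulnerable_sql(ename)).fetchall()

def phone_lookup_parameterized(conn, ename):
    # Parameterized query insertion: the statement structure is fixed and the
    # value is bound separately, so it is only ever compared as data.
    return conn.execute("SELECT Ename, Ephone FROM Employee WHERE Ename = ?",
                        (ename,)).fetchall()

# Run-time prevention, simplified and hypothetical: replace every string
# literal with a placeholder and require the remaining statement skeleton to
# be one the application is known to issue.
EXPECTED_SKELETONS = {"SELECT Ename, Ephone FROM Employee WHERE Ename = ?"}

def conforms_to_model(sql):
    skeleton = re.sub(r"'(?:[^']|'')*'", "?", sql)
    return skeleton in EXPECTED_SKELETONS

# Input of the tautology / end-of-line comment form the chapter describes:
# the quote closes the literal, OR '1'='1' is always true, and "--" discards
# the closing quote the application appends.
TAUTOLOGY_INPUT = "x' OR '1'='1' --"

def demo():
    conn = make_db()
    honest = phone_lookup_parameterized(conn, "Holly")           # 1 row
    leaked = phone_lookup_vulnerable(conn, TAUTOLOGY_INPUT)      # all 7 rows
    blocked = phone_lookup_parameterized(conn, TAUTOLOGY_INPUT)  # 0 rows
    flagged = not conforms_to_model(build_vulnerable_sql(TAUTOLOGY_INPUT))
    return len(honest), len(leaked), len(blocked), flagged
```

The parameterized lookup returns no rows for the crafted input because the whole string is compared as a name, while the skeleton check rejects the concatenated statement before it reaches the database.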
Figure 5.5 Typical SQL Injection Attack (two-way traffic between the hacker and the Web server crosses the Internet, router, firewall and switch; the Web application server queries the database servers and credit card data is retrieved from the database)

Injection Technique
• The SQLi attack typically works by prematurely terminating a text string and appending a new command
• Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with a comment mark "--"
o Subsequent text is ignored at execution time

SQLi Attack Avenues
• User input
o Attackers inject SQL commands by providing suitably crafted user input
• Server variables
o Attackers can forge the values that are placed in HTTP and network headers and exploit this vulnerability by placing data directly into the headers
• Second-order injection
o A malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself
• Cookies
o An attacker could alter cookies such that when the application server builds an SQL query based on the cookie's content, the structure and function of the query is modified
• Physical user input
o Applying user input that constructs an attack outside the realm of web requests

Inband Attacks
• Use the same communication channel for injecting SQL code and retrieving results
• The retrieved data are presented directly in the application Web page
• Include:
o Tautology: injects code in one or more conditional statements so that they always evaluate to true
o End-of-line comment: after injecting code into a particular field, the legitimate code that follows is nullified through usage of end-of-line comments
o Piggybacked queries: the attacker adds additional queries beyond the intended query, piggybacking the attack on top of a legitimate request

Inferential Attacks
• There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Web site/database server
• Include:
o Illegal/logically incorrect queries: lets an attacker gather important information about the type and structure of the backend database of a Web application; considered a preliminary, information-gathering step for other attacks
o Blind SQL injection: allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker

Out-of-Band Attacks
• Data are retrieved using a different channel
• This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax

SQLi Countermeasures
• Three types:
• Defensive coding
o Manual defensive coding practices
o Parameterized query insertion
o SQL DOM
• Detection
o Signature based
o Anomaly based
o Code analysis
• Run-time prevention
o Check queries at runtime to see if they conform to a model of expected queries

Database Access Control
• Database access control system determines:
o If the user has access to the entire database or just portions of it
o What access rights the user has (create, insert, delete, update, read, write)
• Can support a range of administrative policies:
o Centralized administration: a small number of privileged users may grant and revoke access rights
o Ownership-based administration: the creator of a table may grant and revoke access rights to the table
o Decentralized administration: the owner of the table may grant and revoke authorization rights to other users, allowing them to grant and revoke access rights to the table

SQL-Based Access Definition
• Two commands for managing access rights:
o Grant: used to grant one or more access rights, or can be used to assign a user to a role
o Revoke: revokes the access rights
• Typical access rights are: Select, Insert, Update, Delete, References

Figure 5.6 Bob Revokes Privilege from David (grants of one access right on a table owned by Ann, each labelled with the time t at which it was made)
Before: Ann grants Bob (t = 10); Ann grants Chris (t = 20); Bob grants David (t = 30); David grants Ellen (t = 40); Chris grants David (t = 50); David grants Frank (t = 60); Ellen grants Jim (t = 70)
After Bob revokes from David: Ann grants Bob (t = 10); Ann grants Chris (t = 20); Chris grants David (t = 50); David grants Frank (t = 60)

Role-Based Access Control
• Role-based access control eases administrative burden and improves security
• A database RBAC needs to provide the following capabilities:
o Create and delete roles
o Define permissions for a role
o Assign and cancel assignment of users to roles
• Categories of database users:
o Application owner: an end user who owns database objects as part of an application
o End user: an end user who operates on database objects via a particular application but does not own any of the database objects
o Administrator: user who has administrative responsibility for part or all of the database

Table 5.2 Fixed Roles in Microsoft SQL Server
Role                 Permissions
Fixed Server Roles
sysadmin             Can perform any activity in SQL Server and have complete control over all database functions
serveradmin          Can set server-wide configuration options, shut down the server
setupadmin           Can manage linked servers and startup procedures
securityadmin        Can manage logins and CREATE DATABASE permissions, also read error logs and change passwords
processadmin         Can manage processes running in SQL Server
dbcreator            Can create, alter, and drop databases
diskadmin            Can manage disk files
bulkadmin            Can execute BULK INSERT statements
Fixed Database Roles
db_owner             Has all permissions in the database
db_accessadmin       Can add or remove user IDs
db_datareader        Can select all data from any user table in the database
db_datawriter        Can modify any data in any user table in the database
db_ddladmin          Can issue all Data Definition Language (DDL) statements
db_securityadmin     Can manage all permissions, object ownerships, roles and role memberships
db_backupoperator    Can issue DBCC, CHECKPOINT, and BACKUP statements
db_denydatareader    Can deny permission to select data in the database
db_denydatawriter    Can deny permission to change data in the database
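As an added example, not from the textbook or its slides, of the cascading authorizations drawn in Figure 5.6: the rule applied here is that a grant survives only while its grantor still holds the right through some remaining grant made earlier than that grant, and Ann is assumed to be the table owner. PrivilegeGraph, Grant and figure_5_6 are names of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    t: int          # time at which the grant was made


class PrivilegeGraph:
    """Grants of one access right on one table, as drawn in Figure 5.6."""

    def __init__(self, owner):
        self.owner = owner      # the table owner holds the right outright
        self.grants = set()

    def held_since(self, user):
        """Earliest time at which user holds the right, or None."""
        if user == self.owner:
            return 0
        times = [g.t for g in self.grants if g.grantee == user]
        return min(times) if times else None

    def grant(self, grantor, grantee, t):
        # A user may only pass on a right it already holds at that time.
        held = self.held_since(grantor)
        if held is None or held >= t:
            raise PermissionError(f"{grantor} does not hold the right at t={t}")
        self.grants.add(Grant(grantor, grantee, t))

    def revoke(self, grantor, grantee):
        """Cascading revocation: drop the grant, then keep dropping any grant
        whose grantor no longer held the right before the time it was made."""
        self.grants = {g for g in self.grants
                       if not (g.grantor == grantor and g.grantee == grantee)}
        changed = True
        while changed:
            changed = False
            for g in sorted(self.grants, key=lambda x: x.t):
                held = self.held_since(g.grantor)
                if held is None or held >= g.t:
                    self.grants.discard(g)
                    changed = True
                    break   # holders changed; re-check from the start

    def edges(self):
        return sorted((g.grantor, g.grantee, g.t) for g in self.grants)


def figure_5_6():
    """Replays the grants of Figure 5.6, then Bob's revocation from David."""
    pg = PrivilegeGraph("Ann")
    for grantor, grantee, t in [("Ann", "Bob", 10), ("Ann", "Chris", 20),
                                ("Bob", "David", 30), ("David", "Ellen", 40),
                                ("Chris", "David", 50), ("David", "Frank", 60),
                                ("Ellen", "Jim", 70)]:
        pg.grant(grantor, grantee, t)
    before = pg.edges()
    pg.revoke("Bob", "David")
    return before, pg.edges()
```

Ellen's grant (t = 40) falls because David's only remaining source is Chris's grant at t = 50, and Jim's grant falls with Ellen's; Frank's grant (t = 60) survives because David held the right from Chris before it was made, which is exactly the right-hand panel of the figure.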
Figure 5.7 Indirect Information Access Via Inference Channel (access control grants authorized access to nonsensitive data; inference over that data and metadata yields unauthorized access to sensitive data)

Figure 5.8 Inference Example
(a) Employee table
Name    Position  Salary ($)  Department  Dept. Manager
Andy    senior    43,000      strip       Cathy
Calvin  junior    35,000      strip       Cathy
Cathy   senior    48,000      strip       Cathy
Dennis  junior    38,000      panel       Herman
Herman  senior    55,000      panel       Herman
Ziggy   senior    67,000      panel       Herman

(b) Two views
Position  Salary ($)      Name    Department
senior    43,000          Andy    strip
junior    35,000          Calvin  strip
senior    48,000          Cathy   strip

(c) Table derived from combining query answers
Name    Position  Salary ($)  Department
Andy    senior    43,000      strip
Calvin  junior    35,000      strip
Cathy   senior    48,000      strip

Inference Detection
• Two approaches:
o Inference detection during database design: removes an inference channel by altering the database structure or by changing the access control regime to prevent inference; techniques in this category often result in unnecessarily stricter access controls that reduce availability
o Inference detection at query time: seeks to eliminate an inference channel violation during a query or series of queries; if an inference channel is detected, the query is denied or altered
• Some inference detection algorithm is needed for either of these approaches
• Progress has been made in devising specific inference detection techniques for multilevel secure databases and statistical databases

Database Encryption
• The database is typically the most valuable information resource for any organization
o Protected by multiple layers of security: firewalls, authentication, general access control systems, DB access control systems, database encryption
• Encryption becomes the last line of defense in database security
• Can be applied to the entire database, at the record level, the attribute level, or the level of the individual field
• Disadvantages to encryption:
o Key management: authorized users must have access to the decryption key for the data for which they have access
o Inflexibility: when part or all of the database is encrypted it becomes more difficult to perform record searching

Figure 5.9 A Database Encryption Scheme
• Data owner: organization that produces data to be made available for controlled release; holds the database and its metadata
• User: human entity that presents queries to the system
• Client: frontend (query processor, with metadata) that transforms user queries into queries on the encrypted data stored on the server
• Server: an organization that receives the encrypted data from a data owner and makes them available for distribution to clients (query executor over the encrypted database, with metadata)
• Flow: 1. Original query (user to client); 2. Transformed query (client to server); 3. Encrypted result (server to client); 4. Plaintext result (client to user, after decryption)

Cloud Security

Cloud Computing
• NIST SP-800-145 defines cloud computing as: "A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models."

Figure 5.11 Cloud Computing Elements
• Essential Characteristics: Broad Network Access; Rapid Elasticity; Measured Service; On-Demand Self-Service; Resource Pooling
• Service Models: Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS)
• Deployment Models: Public; Private; Hybrid; Community

Figure 5.12 Cloud Service Models
(a) SaaS: Cloud Application Software (provided by cloud, visible to subscriber); Cloud Platform (visible only to provider); Cloud Infrastructure (visible only to provider)
(b) PaaS: Cloud Application Software (developed by subscriber); Cloud Platform (visible to subscriber); Cloud Infrastructure (visible only to provider)
(c) IaaS: Cloud Application Software (developed by subscriber); Cloud Platform (visible to subscriber); Cloud Infrastructure (visible to subscriber)

Cloud Deployment Models
• Public cloud
o The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services
o The cloud provider is responsible both for the cloud infrastructure and for the control of data and operations within the cloud
• Private cloud
o The cloud infrastructure is operated solely for an organization
o It may be managed by the organization or a third party and may exist on premise or off premise
o The cloud provider is responsible only for the infrastructure and not for the control
• Community cloud
o The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns
o It may be managed by the organizations or a third party and may exist on premise or off premise
• Hybrid cloud
o The cloud infrastructure is a composition of two or more clouds that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability

Figure 5.13 Cloud Computing Context (enterprise: cloud user, LAN switch, router; network or Internet; cloud service provider: router, LAN switch, servers)

Cloud Computing Reference Architecture
• NIST SP 500-292 establishes a reference architecture described as follows: "The NIST cloud computing reference architecture focuses on the requirements of 'what' cloud services provide, not a 'how to' design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference."
• NIST developed the reference architecture with the following objectives in mind:
o To illustrate and understand the various cloud services in the context of an overall cloud computing conceptual model
o To provide a technical reference for consumers to understand, discuss, categorize, and compare cloud services
o To facilitate the analysis of candidate standards for security, interoperability, and portability and reference implementations

Figure 5.14 NIST Cloud Computing Reference Architecture
• Cloud Consumer
• Cloud Provider: Service Orchestration (Service Layer: SaaS, PaaS, IaaS; Resource Abstraction and Control Layer; Physical Resource Layer: Hardware, Facility); Cloud Service Management (Business Support; Provisioning/Configuration; Portability/Interoperability); Security; Privacy
• Cloud Auditor: Security Audit; Privacy Impact Audit; Performance Audit
• Cloud Broker: Service Intermediation; Service Aggregation; Service Arbitrage
• Cloud Carrier

Cloud Security Risks
• The Cloud Security Alliance lists the following as the top cloud-specific security threats:
o Abuse and nefarious use of cloud computing
o Insecure interfaces and APIs
o Malicious insiders
o Shared technology issues
o Data loss or leakage
o Account or service hijacking
o Unknown risk profile

Table 5.4 NIST Guidelines on Cloud Security and Privacy Issues and Recommendations
Data protection
• Evaluate the suitability of the cloud provider's data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data.
• Take into consideration the risk of collating organizational data with those of other organizations whose threat profiles are high or whose data collectively represent significant concentrated value.
• Fully understand and weigh the risks involved in cryptographic key management with the facilities available in the cloud environment and the processes established by the cloud provider.
Availability
• Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, and ensure that they meet the organization's continuity and contingency planning requirements.
• Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed, and that all operations can be eventually reinstituted in a timely and organized manner.
Incident response
• Understand the contract provisions and procedures for incident response and ensure that they meet the requirements of the organization.
• Ensure that the cloud provider has a transparent response process in place and sufficient mechanisms to share information during and after an incident.
• Ensure that the organization can respond to incidents in a coordinated fashion with the cloud provider in accordance with their respective roles and responsibilities for the computing environment.
(This table can be found on page 190 in the textbook.)
Data Protection in the Cloud
• The threat of data compromise increases in the cloud
o Risks and challenges that are unique to the cloud
o Architectural or operational characteristics of the cloud environment
• Multi-instance model
o Provides a unique DBMS running on a virtual machine instance for each cloud subscriber
o Gives the subscriber complete control over administrative tasks related to security
• Multi-tenant model
o Provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier
o Gives the appearance of exclusive use of the instance but relies on the cloud provider to establish and maintain a secure database environment

Cloud Security as a Service (SecaaS)
• Is a segment of the SaaS offering of a cloud provider (CP)
• Defined by the Cloud Security Alliance as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers' on-premise systems

Figure 5.15 Elements of Cloud Security as a Service (security services placed between cloud service clients and adversaries: identity and access management; data loss prevention; web security; e-mail security; security assessments; intrusion management; security information and event management; encryption; business continuity and disaster recovery; network security)

Summary
• The need for database security
• Database management systems
• Relational databases
o Elements of a relational database system
o Structured Query Language
• SQL injection attacks
o A typical SQLi attack
o The injection technique
o SQLi attack avenues and types
o SQLi countermeasures
• Inference
• Database access control
o SQL-based access definition
o Cascading authorizations
o Role-based access control
• Database encryption
• Cloud computing
o Cloud computing elements
o Cloud computing reference architecture
• Cloud security risks and countermeasures
• Data protection in the cloud
• Cloud security as a service
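As an added worked example, not from the textbook or its slides, of the database encryption scheme of Figure 5.9 in the multi-tenant setting just summarized, with the Department table of Figure 5.4 as the data owner's plaintext: the data owner encrypts each record and attaches keyed index values for the searchable attributes, the client transforms a plaintext condition into index lookups, and the server executes them without ever holding a key. The HMAC-SHA256 keystream, the 16-hex-digit index and the function names are constructions of this example, not the textbook's.

```python
import hashlib
import hmac
import json
import os

# Department table from Figure 5.4 of the chapter (the data owner's plaintext).
DEPARTMENTS = [
    {"Did": 4, "Dname": "human resources", "Dacctno": 528221},
    {"Did": 8, "Dname": "education", "Dacctno": 202035},
    {"Did": 9, "Dname": "accounts", "Dacctno": 709257},
    {"Did": 13, "Dname": "public relations", "Dacctno": 755827},
    {"Did": 15, "Dname": "services", "Dacctno": 223945},
]
INDEXED = ("Did", "Dname")   # metadata: attributes that carry an index column

def keystream_xor(key, nonce, data):
    # Counter-mode keystream from HMAC-SHA256: a stand-in for the block cipher
    # the scheme assumes (not a production cipher, and it adds no integrity).
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def index_value(index_key, attr, value):
    # Keyed, deterministic index: equal plaintext values give equal index
    # values, so the server can match on them without learning the value.
    msg = f"{attr}={value!r}".encode()
    return hmac.new(index_key, msg, hashlib.sha256).hexdigest()[:16]

def encrypt_table(rows, enc_key, index_key):
    """Data owner: encrypt each record and attach its index columns."""
    table = []
    for row in rows:
        nonce = os.urandom(12)
        entry = {"nonce": nonce,
                 "record": keystream_xor(enc_key, nonce, json.dumps(row).encode())}
        for attr in INDEXED:
            entry["I_" + attr] = index_value(index_key, attr, row[attr])
        table.append(entry)
    return table

def server_execute(table, transformed_query):
    """Server query executor (steps 2 to 3): match index columns only and
    return the still-encrypted rows; keys and plaintext never reach here."""
    return [e for e in table
            if all(e[col] == v for col, v in transformed_query.items())]

def client_query(table, enc_key, index_key, where):
    """Client query processor: turn the user's plaintext condition (step 1)
    into index lookups, then decrypt the encrypted result (step 4)."""
    if any(attr not in INDEXED for attr in where):
        raise ValueError("condition uses an attribute without an index")
    transformed = {"I_" + a: index_value(index_key, a, v) for a, v in where.items()}
    return [json.loads(keystream_xor(enc_key, e["nonce"], e["record"]))
            for e in server_execute(table, transformed)]

def demo():
    enc_key, index_key = os.urandom(32), os.urandom(32)
    table = encrypt_table(DEPARTMENTS, enc_key, index_key)
    by_id = client_query(table, enc_key, index_key, {"Did": 8})
    by_name = client_query(table, enc_key, index_key, {"Dname": "services"})
    hidden = all(b"services" not in e["record"] for e in table)
    return by_id, by_name, hidden
```

The index is deterministic by design, so the server can see which encrypted records share a Did or Dname; that equality leakage is the price of restoring the record searching the chapter lists as a cost of encryption.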