Data security has received attention as recently as the 80s, when it was legally acknowledged that misuse of data constitute great losses for victims. There are substantial measures put into place with regard to data security. One of the more important aspects relate to relational database security.
A Brief Introduction to Relational Databases
Mostly everyone knows what a relational database is, without even realizing it. It is known under many names, and implemented in several different ways, but the bare structure remains essentially the same.
Initially, data was stored in delimited text files, also known as flat files. For example, records in a school could store information about each student in a row, with commas separating the various bits of data. This was an inefficient method of storage, very simply because retrieval becomes tedious and prone to error.
In a relational database, the columns are attributes and the rows are considered to be tuples – each representing an object and the attribute values of that object. An important facet of a relational database is that the order of the tuples and those of the attributes have no bearing on each other.
Restricting Database Access
One of the more obvious methods of keeping database records secure is by restricting access to the database altogether. Surprisingly, this aspect is overlooked most of the time. A database needs to be accessed to retrieve records for legitimate reasons, however it is possible to ensure that only the authorized programs have access to it. This can be achieved in a number of ways.
Firstly, a database with sensitive information does not need to be on a public server. It can be put on a private network with requisite security controls. Secondly, the database can be programmed to respond to requests only from the authorized entity, thereby reducing chances of even being able to view the database considerably. Multiple levels of access control can be configured by ensuring that even the server itself is protected.
Row-level security requires stringent programming, and great collaboration between all elements of the IT infrastructure.
As implied by the name, row-level security restricts the access to the data by row. That means, if a user wants to access a specific tuple, their credentials must match the ones stored in the row itself. For example, a customer using an online bank application cannot be allowed to access anyone else’s data except their own. Therefore the customer has to provide the proper username and password to access their account details, as it is stored in the database.
Row-level security is often implemented through the use of virtual private databases. These are actually masks that hide the full contents of the database from the users. Each set of authorized users is then only able to view a certain portion of the database.
One of the more common methods to hack a database is to confuse the application that accesses it into accepting SQL queries. This is known as an SQL injection.
SQL (Structured Query Language) is the language used to interact with a database, and it is common across all types of databases. Submitting a query to the database will result in a certain output – a row or a number of rows, depending on the query in question.
Most users interact with a database indirectly, therefore submitting SQL queries to the database is not a legitimate interaction. These actions can be prevented by the system administrators to avoid unauthorized access – a process known as Database Activity Monitoring (DAM).
Database security is extremely important, and needs to include regular testing and monitoring. Like any other user-based system, permissions for each account should be re-evaluated periodically and checked for inconsistent use.