Foundations and Trends® in Databases, Vol. 3, Issue 1–2

Access Control for Databases: Concepts and Systems

By Elisa Bertino, CS Department, Purdue University, USA, bertino@cs.purdue.edu | Gabriel Ghinita, CS Department, Purdue University, USA, gghinita@cs.purdue.edu | Ashish Kamra, ECE Department, Purdue University, USA, akamra@purdue.edu

 
Suggested Citation
Elisa Bertino, Gabriel Ghinita and Ashish Kamra (2011), "Access Control for Databases: Concepts and Systems", Foundations and Trends® in Databases: Vol. 3: No. 1–2, pp 1-148. http://dx.doi.org/10.1561/1900000014

Publication Date: 01 Feb 2011
© 2011 E. Bertino, G. Ghinita and A. Kamra
 
Subjects
Private and Secure Data Management
 


Abstract

As organizations depend on possibly distributed information systems for operational, decisional and strategic activities, they gain productivity and efficiency advantages but also become vulnerable to security breaches leading to data theft and unauthorized disclosures. Although several techniques, such as encryption and digital signatures, are available to protect data in transit between sites, a truly comprehensive approach to data protection must include mechanisms for enforcing access control policies based on data contents, subject qualifications and characteristics, and other relevant contextual information, such as time. It is well understood today that the semantics of data must be taken into account in order to specify effective access control policies. To address such requirements, over the years the database security research community has developed a number of access control techniques and mechanisms that are specific to database systems. In this monograph, we present a comprehensive state-of-the-art survey of models, systems and approaches proposed for specifying and enforcing access control policies in database management systems. In addition to surveying the foundational work in the area of access control for database systems, we present extensive case studies covering advanced features of current database management systems, such as the support for fine-grained and context-based access control, the support for mandatory access control, and approaches for protecting data from insider threats. The monograph also covers novel approaches, based on cryptographic techniques, to enforce access control, and surveys access control models for object databases and XML data. For the reader not familiar with basic notions concerning access control and cryptography, we include a tutorial presentation on these notions.
Finally, the monograph concludes with a discussion of current challenges for database access control and security, and of preliminary approaches addressing some of these challenges.
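The abstract's requirement that a policy combine data contents, subject characteristics and context such as time is what current database engines expose as row-level security. The following is an added example, not text or code from the monograph, showing one such policy in PostgreSQL; every table, column and role name (patient_record, on_duty, clinician, dr_smith, dr_jones) is hypothetical and the data is constructed.

```sql
-- Added example (not from the monograph). PostgreSQL row-level security
-- expressing a content- and context-based policy. All table, column and
-- role names are hypothetical.

CREATE TABLE patient_record (
    id          serial PRIMARY KEY,
    patient     text NOT NULL,
    ward        text NOT NULL,
    attending   text NOT NULL,   -- database role of the attending clinician
    sensitivity text NOT NULL CHECK (sensitivity IN ('normal', 'restricted')),
    notes       text
);

-- Duty roster used as the contextual (time-of-day) input to the policy.
CREATE TABLE on_duty (
    clinician   text NOT NULL,
    ward        text NOT NULL,
    shift_start time NOT NULL,
    shift_end   time NOT NULL
);

CREATE ROLE clinician NOLOGIN;
CREATE ROLE dr_smith LOGIN IN ROLE clinician;
CREATE ROLE dr_jones LOGIN IN ROLE clinician;

-- Table-level privileges alone would expose every row to every clinician.
GRANT SELECT, UPDATE ON patient_record TO clinician;
GRANT SELECT ON on_duty TO clinician;  -- the policy subquery runs with the caller's privileges

ALTER TABLE patient_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_record FORCE ROW LEVEL SECURITY;  -- apply to the table owner as well

-- Read policy: subject qualification (the attending clinician), OR
-- data content ('normal' sensitivity) combined with context (on duty for
-- that ward at the current time of day).
CREATE POLICY clinician_read ON patient_record
    FOR SELECT TO clinician
    USING (
        attending = current_user
        OR (
            sensitivity = 'normal'
            AND EXISTS (
                SELECT 1
                FROM on_duty d
                WHERE d.clinician = current_user
                  AND d.ward = patient_record.ward
                  AND localtime BETWEEN d.shift_start AND d.shift_end
            )
        )
    );

-- Write policy: only the attending clinician may update a record, and
-- WITH CHECK rejects an update that would hand the record to someone else.
CREATE POLICY clinician_write ON patient_record
    FOR UPDATE TO clinician
    USING (attending = current_user)
    WITH CHECK (attending = current_user);

-- Constructed sample data.
INSERT INTO patient_record (patient, ward, attending, sensitivity, notes) VALUES
    ('Patient A', 'cardiology', 'dr_jones', 'normal',     'routine'),
    ('Patient B', 'cardiology', 'dr_jones', 'restricted', 'consult'),
    ('Patient C', 'oncology',   'dr_smith', 'normal',     'routine');
INSERT INTO on_duty VALUES ('dr_smith', 'cardiology', '08:00', '16:00');

-- What dr_smith sees depends on the clock: between 08:00 and 16:00 the
-- query returns Patient A (on-duty ward, normal) and Patient C (attending);
-- outside that window only Patient C. Patient B is restricted and is never
-- visible to dr_smith.
SET ROLE dr_smith;
SELECT patient, ward, sensitivity FROM patient_record ORDER BY patient;
RESET ROLE;
```

Two practitioner caveats. First, the policy keys on current_user, so it only works if the database actually knows who the end user is: a shared application account defeats it unless the application issues SET ROLE (or an equivalent session setting the policy reads) after authenticating the user, and superusers and roles created with BYPASSRLS ignore policies entirely. Second, the policy is only as trustworthy as its inputs: on_duty must itself be protected from tampering, and the BETWEEN comparison above does not handle shifts that cross midnight.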

DOI: 10.1561/1900000014
ISBN: 978-1-60198-416-6 (paperback), 152 pp., $99.00
ISBN: 978-1-60198-417-3 (e-book, PDF), 152 pp., $150.00
Table of contents:
1. Introduction
2. Background
3. Foundations of Access Control for Relational Database Systems
4. Case Studies
5. Fine-Grained Access Control Models and Mechanisms
6. PSAC: A Privilege State based Access Control System
7. Protection from Insider Threats and Separation of Duties
8. Access Control for Object Databases, XML Data and Novel Applications
9. Encryption-based Access Control
10. Concluding Remarks and Research Directions
References

Access Control for Databases

Today's organizations rely on database systems as the key data management technology for a large variety of tasks, ranging from day-to-day operations to critical decision making. Such widespread use of database systems makes them a prime target of many security attacks aimed at corrupting data or exfiltrating it outside the organization. On the other hand, data cannot be strictly segregated and must remain readily available to users who hold legitimate authorizations to use it.

Access Control for Databases: Concepts and Systems provides a comprehensive survey of the foundational models and recent research trends in access control models and mechanisms for database management systems. In addition to surveying the foundational work in the area, it presents extensive case studies covering advanced features of current database management systems, such as the support for fine-grained and context-based access control, the support for mandatory access control, and approaches for protecting the data from insider threats. It also covers novel approaches, based on cryptographic techniques, to enforce access control and surveys access control models for object-databases and XML data.

For the reader not familiar with basic notions concerning access control and cryptography, it includes a tutorial presentation on these notions. The discussion is complemented by an analysis of access control functions provided by selected commercial products. It concludes with a discussion on current challenges for database access control and security, and preliminary approaches addressing some of these challenges.

 
DBS-014