Database Security and Web Applications - Term Paper Example

Summary
This paper focuses on defending databases from unauthorized or accidental access, alteration, disclosure or destruction of data. Database security should therefore not only be concerned with the protection of complex data; it should also look into tools that permit users to access information in an organized manner…

Extract of sample "Database Security and Web Applications"

Database Security and Web Applications

Introduction

Without a doubt, technological advancements have allowed organizations and individuals to be efficient and connected in ways that were not possible in the past. This ever-increasing reliance on technology has brought a large number of benefits, but it has also made businesses increasingly vulnerable to threats from outsiders and from entities inside the business. As a result, businesses struggle to defend their intellectual property and to avoid the remediation costs and brand damage that result from unintended exposure of employee and customer data. In this scenario, database security becomes necessary to defend the business against security threats. In addition, security threats vary, ranging for instance from illegal access to computers and storage rooms to destruction through fire, flood, earthquake and hurricane. Moreover, present research focuses on defending databases from unauthorized or accidental access, alteration, disclosure or destruction of data (Loch and Carr; Guimaraes, Murray and Austin).

However, a database is not simply an entity designed to store data; it is intended to accumulate information for its users. Database security should therefore not only be concerned with the protection of complex data; it should also look into tools that permit users to access information in an organized manner. This remark highlights the two topics that distinguish database security from operating system security. You should control access to information more than access to data, notwithstanding the fact that the protection of data remains an important issue.

Nowadays, internet access has increased, which has caused a huge amount of personal data to be stored online. This data is stored in databases. There is a wide range of attacks on database servers and on the databases of web applications. Those attacks aim to corrupt the internal functioning of the database server.
These attacks are hard to detect. However, there are several methods to protect the database from those attacks and to increase database security. This research is aimed at discussing potential threats to the database when it is connected to a web application, and the implementation of database security. It will discuss various security threats that can create problems for databases.

Why Database Security?

A database is one of the most precious assets of an organization and is necessary to run its business. Therefore, security of this asset is essential. Here, “database security means the guidelines, activities, and actions that can be used to stop illegal access or modification, theft, and physical damage to database” (Turban, Leidner and McLean 51; Laudon and Laudon 502). Dawson, Vimercati, Lincoln, & Samarati (2001) stated that despite the advancements of recent years in database systems and technologies, information repositories continue to be vulnerable to inference and data association attacks that cause severe information leakage. If effective security techniques are not applied to secure the database, sensitive business information can be used by malicious people for the wrong purposes. The capability to defend against information disclosure and similar leakage would be of huge benefit to public, governmental and private institutions. These institutions require more security nowadays and need to make sure that data is accessible only to authorized people (Dawson, Vimercati and Lincoln).

Cryptography in Database Security

Cryptography is a way of keeping and transmitting data in a form that only the individuals for whom it is intended are able to read or process. This technique is usually applied to ordinary or plain text, which is transformed into scrambled text or ciphertext. It can afterwards be transformed back into its original form by deciphering the text.
A traditional database was considered secure, but at present a database is mostly considered insecure if it is not backed by proper security walls. Given this assumption, strong security is required, especially against external attackers such as hackers and against users who seek to obtain confidential information beyond their assigned privileges. In some database applications, such as health information systems, there is always a probability of conflicting interests or a data breach. The users who interact with the database cannot be considered trustworthy (Green). It must be ensured that the database is installed on a clean operating system and on secure and trusted hardware and network. Encryption File System is a type of NTFS file system designed especially for the Windows operating system which establishes secure communication. This Encryption File System is a special feature that provides encryption and decryption services. Moreover, it protects confidential information by applying specialized cryptographic techniques. Another well-suited technology-based solution is to encrypt the data both for sharing on the network and in storage. Moreover, the organization can make use of a hybrid combination of symmetric and asymmetric encryption, which will provide a secret key to the members of its peer-to-peer circle (Walsh).

Application Layer Security

Web-based applications are becoming the standard for almost every form of electronic transaction, as they are easy to operate, access and manage. Moreover, the best thing about these applications is that they are highly interoperable. Transactions performed online traverse the network in common and easily interceptable formats, which makes them inappropriate for most commercial and communal transactions.
The application layer is the highest layer of the seven-layer OSI communication model and is present at the fifth level of the five-layer TCP/IP (Transmission Control Protocol/Internet Protocol) model. A database application is considered the gateway to a company's sensitive data or information, so security is considered foremost for the protection of the company's data. Meanwhile, it is difficult to maintain a balance between security and business use. In the Open Systems Interconnection communications model, the application layer provides services that allow an application program to authenticate its connectivity with another application program in a network (Tipton and Krause). Application-based security is able to interpret the information contained in a message and respond to it in a certain format. Applications are secured through proxies, which are used in firewalls for file transfer protocols. Some proxies have the ability to restrict certain user commands, while most of the commands are controlled by datagram (Gorden).

Lower Level Security

Lower-level security protocols include IPsec, which does not possess the capability of restricting its usage but can only encrypt certain commands to provide confidentiality and authentication. A data warehouse normally includes access control lists at both the application level and the lower level to limit user access at the file, record or field level. Hence, when security is applied at the application or the lower level, it allows these layers to control any form of security threat (Oppliger).

Database Security in Web Applications

Web applications are targeted by attackers very frequently, as they contain the databases of organizations. Web applications are an easy target because they are designed for accessibility and can be accessed from anywhere in the world. They are also targeted because they provide a gateway to the valuable data stored by the organization.
The threat of attackers hacking company web applications has prompted organizations to take steps to protect data from hackers while keeping it available to official staff, customers and partners (Basta and Zgola). For this purpose, many organizations have followed strategies developed to protect web applications from unauthorized access. It is clear that attackers are not interested in the web application itself but in the data that is accessible through it. Data security should be the first and foremost step taken by any organization. Data integrity should also be considered a security issue. Databases face many threats other than theft and vandalism: data may be maliciously modified or deleted altogether, or it can become worthless if an ad hoc manipulation takes place. In this paper, we will provide a series of strategies that a company can implement to avoid attacks on its web application and to secure the database (Afyouni).

There are various sources that can create problems for database security. In many cases, the workers managing the database system are the major security threat. Different categories of people create different database security problems. For instance, a database user can gain unauthorized access by using another person's username and password. In the same way, various people can act as hackers and create viruses to harm the functioning and operation of the database system. In some cases, database designers and programmers can also create database security threats. In addition, a displeased database manager can create problems by not implementing an adequate and strong security policy (Gregory; Ponemon; Hoffer, Prescott and McFadden).
In the past few years, the use of databases in web applications has increased enormously. In fact, the majority of websites now integrate large databases at the back end to support their operation. These web applications use databases to store a wide variety of information, such as customers' details, financial information, passwords, information about interests and so on. If this information is not stored and processed in a secure manner, it becomes easier for hackers and unauthorized people to use it for illegal purposes. Hence, strict security measures need to be applied to ensure the security of databases used in web applications.

Authorization

Authorization, in information security and computer security, is the process by which access to a computer program such as a web application is specified, so that only certain individuals can access the application and its data. Authorization ensures that the authenticated user has the privileges required to access the resources. The objective of authorization is to ensure that permitted users can perform actions within their privilege level. Authorization also controls access to protected resources, so that only a limited number of people, selected according to their role and privileges, can access them (owasp.org).

Access Control

Access control relates to the security features that govern who should be given certain access in the operating system. Applications known as access control utilities grant authorization to a limited number of individuals who can access and control the specific resources provided by the application. Through access control, functions such as a time limit for a certain web application can be enforced, along with auditing of user actions (microsoft.com).

The SQL Security

SQL Server is an application that provides security to database applications on the web.
It provides overlapping layers of security. Its security architecture enables administrators and developers to build web applications that are secure and at the same time able to withstand attacks or threats to the secured information. There are many versions of SQL Server, which may provide different features for securing a company's data. The security requirements for SQL Server should be considered at the time of integration into the system and not afterwards. This may help the organization mitigate the potential damage whenever a vulnerability is found in the security of the system (Tipton).

Granting & Revocation of Privileges

Many applications provide the feature of granting or revoking an individual's access to a system. Such an application can help the administration allow access to information or terminate a staff member's access to a web application. It should be kept in mind that management problems can occur if access to a web application is provided to many staff members (Simth).

Types of Threats

Inferences

An inference channel can occur in a database when data classified at a high level can be inferred from data classified at a low level. This difficulty is of vital concern to the designers and developers of the application. Database management systems are used to store information correctly and efficiently, and they are designed to offer well-organized storage and retrieval of information (Jajodia and Medows). This means that if the systems are not correctly designed to stop unauthorized inferences, they will not only fail to prevent such inferences but will actively help users make them.
Direct attack

A direct attack occurs when an unauthorized user gains access to a computer and can perform many actions, such as installing devices that compromise the security of the web application, which may include modifications to the operating system. Software may also be modified, and key loggers and covert listening devices may be installed.

Indirect attack

An indirect attack occurs when a third party launches an attack through another computer. When an attacker uses a computer that does not belong to him, it becomes extremely difficult to find the real culprit behind the attack. There are many cases where attackers take advantage of public computers (Brankovic and Giggins).

Tracker Attacks

A tracker attack can fool the manager by asking small queries while, in the background, the attacker is busy retrieving information or making modifications to the database. Alternatively, the attacker can add supplementary records to the records accessed by two different queries. The two sets of records then cancel each other out, which isolates the statistic or data desired (Stallings).

Aggregation

Organizations collect, store, access and process large volumes of electronic or aggregated data about the company. These large data stores, known as aggregated data, hold valuable company information. Data aggregation is any process in which a company's information is stored in summary form for the purpose of statistical analysis. Aggregated data faces many threats, including being targeted by cyber criminals. The data can be easily copied, modified and distributed, which makes it hard to check and confirm whether data tampering has taken place or some part of the data has been stolen. The owners of the data stores take responsibility for securing the data from cyber-attacks (us-cert.gov).
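The tracker pattern described above, together with the restriction and noise addition controls the paper describes under Statistical Database Security, is shown here as an added example that is not part of the original paper. The class name StatisticalGate, its parameters and the sample rows are assumptions constructed for illustration.

```python
import random

# Constructed sample rows (name, department, salary); not data from the paper.
RECORDS = [
    ("alice", "eng", 91000), ("bob", "eng", 84000), ("carol", "eng", 88000),
    ("heidi", "eng", 95000), ("dave", "ops", 62000), ("erin", "ops", 65000),
    ("frank", "ops", 61000), ("grace", "hr", 58000),
]


class QueryRefused(Exception):
    """Raised when answering would risk disclosing one person's record."""


class StatisticalGate:
    """Releases salary totals only, never individual rows (hypothetical class)."""

    def __init__(self, records, min_size=3, min_difference=2, noise_sd=0.0, seed=None):
        self.records = list(records)
        self.min_size = min_size              # smallest query set that may be answered
        self.min_difference = min_difference  # fewest rows two answered sets must differ by
        self.noise_sd = noise_sd              # standard deviation of the added noise
        self.rng = random.Random(seed)
        self.answered = {}                    # query set -> value already released

    def total_salary(self, predicate):
        rows = frozenset(i for i, r in enumerate(self.records) if predicate(r))
        # Repeating a query returns the stored answer, so fresh noise cannot be
        # averaged away by asking the same question many times.
        if rows in self.answered:
            return self.answered[rows]
        # Restriction 1: query-set size. A very small set names individuals; a very
        # large one exposes its small complement once the grand total is known.
        if not self.min_size <= len(rows) <= len(self.records) - self.min_size:
            raise QueryRefused("query set size outside the permitted range")
        # Restriction 2: overlap. Two answers whose query sets differ by only a
        # few rows cancel out to those rows, which is the tracker pattern.
        for earlier in self.answered:
            if len(rows ^ earlier) < self.min_difference:
                raise QueryRefused("query set too close to an earlier query")
        value = sum(self.records[i][2] for i in rows)
        # Noise addition: the released figure is close to the true total, not exact.
        if self.noise_sd:
            value += self.rng.gauss(0, self.noise_sd)
        self.answered[rows] = value
        return value


def is_refused(gate, predicate):
    """True if the gate declines the query, False if it answers."""
    try:
        gate.total_salary(predicate)
        return False
    except QueryRefused:
        return True


if __name__ == "__main__":
    gate = StatisticalGate(RECORDS, noise_sd=500, seed=7)
    print("eng total (noisy):", round(gate.total_salary(lambda r: r[1] == "eng")))
    print("single person refused:", is_refused(gate, lambda r: r[0] == "bob"))
    print("eng minus one person refused:",
          is_refused(gate, lambda r: r[1] == "eng" and r[0] != "bob"))
    print("ops total (noisy):", round(gate.total_salary(lambda r: r[1] == "ops")))
```

The overlap check compares query sets pairwise only, so it does not catch combinations of three or more answers; that gap is the reason noise is added on top of restriction.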
Statistical Database Security

Statistical database security focuses on the protection of confidential information stored in a statistical database. Statistical databases are secured in two ways: noise addition and restriction. In noise addition, the data made available is not exact but approximately close to the original value. In restriction, the data provided for analysis is deemed less important, while the other part of the data is totally hidden from the user. The goal of statistical database security is to maximize privacy while minimizing the loss of information (Brankovic and Giggins).

Security Issues

Database security issues are managed by the organization and by the managers who deal with the security of the database, which is one of the most important assets of the company. These managers are required to multi-task in order to make sure that the data is properly secured from the many threats and cyber-attacks. The following actions help curtail the occurrence of security issues (spamlaws.com).

Database daily log: Management should make sure that the database log is checked daily so that no misuse of data occurs and, if it does, it is caught before any loss of information takes place. This also means that user access accounts are updated daily and privileges are checked consistently.

Different security methods: Most of the time, different security applications are used for different programs. This makes it difficult to follow the different security policies of these programs. It exposes the web-based application to a risk of theft and vandalism, as the manager cannot maintain the different privacy settings and access settings.

Application spoofing: Hackers are able to create applications that resemble the original application of the company.
This poses a threat to the database security program, as these fake applications are difficult to identify.

Manage user passwords: Password rules and maintenance rules in companies need to be adhered to strictly so that no issue concerning password theft occurs.

Post-upgrade evaluation: Whenever a database is upgraded, it is mandatory for the database manager to use a post-upgrade evaluation to ensure that the security of the database is up to the mark. If the manager fails to perform this duty, the whole database will be at risk of cybercrime (Stallings).

Privacy: The privacy settings of the database web application should be checked frequently to make sure that they match the roles and duties assigned to employees. If the privacy settings are not properly applied, the protection and privacy of the corporate database are at high risk (spamlaws.com).

Reliability & Integrity: Database integrity is an ongoing issue which needs new and improved technologies to be implemented. Complete trust is considered vital for the appropriateness of the database system and is also a prerequisite for using data in business, decision-making or even research-based applications. The staff selected to store and collect the valuable information of an organization should be trustworthy and show integrity in their official activities. This will ensure that employees are honest in their responsibility of protecting the data and follow ethical rules in their official dealings (Gorden).

Conclusion

Corporate organizations, research labs and many other businesses rely on databases and their proper availability to make sure that their valuable information is well stored and available for work whenever needed. The value of the data depends upon the reliability of the data and its source.
The more reliable the organization and its data are, the greater the chances of malicious attacks on the data. There are many tools that companies can employ to detect theft or to make specific arrangements to deal with threats. Companies should make sure that a suitable program is installed to protect the database and that the security of web applications is treated as the top priority, as failure to do so has negative effects on the organization and its customers.

Works Cited

Afyouni, Hassan. Database Security and Auditing: Protecting Data Integrity and Accessibility. Cengage Learning, 2005.
Basta, Alfred and Melissa Zgola. Database Security. Cengage Learning, 2011.
Brankovic, lijiljana and Helen Giggins. "Statistical Database Security." The University of Newcastle, Australia (2007).
Dawson, Steven, et al. "Maximizing Sharing of Protected Information." Journal of Computer and System Sciences 64 (2002): 496-541.
Gorden, Susan. "Database Integrity: Security, Reliability, and Performance Considerations." (2007).
Green, Matthew Daniel. Cryptography for Secure and Private Databases: Enabling Practical Data Access Without Compromising Privacy. ProQuest, 2009.
Gregory, Adrian. "Conserving customer value: Improving data security measures in business." Journal of Database Marketing & Customer Strategy Management 15.4 (2008): 233-238.
Guimaraes, Mario, Meg Murray and Richard Austin. "Incorporating database security courseware into a database security class." Proceedings of the 4th Annual Conference on Information Security Curriculum Development. Kennesaw, Georgia: ACM New York, USA, 2007.
Hoffer, Jeffrey A., Mary B. Prescott and Fred R. McFadden. Modern Database Management, Eighth Edition. Pearson Education, Inc., 2007.
Jajodia, Sushil and Catherine Medows. "Inference Problems in Multilevel Secure Database." Information Security (2001).
Laudon, Kenneth C. and Jane P. Laudon. Management Information Systems, Sixth Edition. New Jersey: Prentice Hall, 1999.
Loch, Karen D. and Houston H. Carr. "Threats to Information Systems: Today's Reality, Yesterday's Understanding." MIS Quarterly 6.2 (1992): 173-186.
microsoft.com. (2015).
Oppliger, Rolf. Security Technologies for the World Wide Web. Artech House, 2003.
owasp.org. "Guide to Authorization." (2009).
Ponemon, Larry. "Database Security 2007: Threats and Priorities within IT Database Infrastructure." White Paper. 2007.
Simth, Albert. "User Admin Privilege Granted or Revoked." Security Management (2015).
spamlaws.com. "Database Security Issues." (2015).
Stackpole, Bill. Application Layer Security Protocols for Networks. 2004. 29 January 2014.
Stallings, William. "Computer Security and Statistical Databases." informIT (2007).
Tipton. Information Security Management Handbook. CRC Press, 2014.
Tipton, Harold F. and Micki Krause. Information Security Management Handbook, Sixth Edition. CRC Press, 2007.
Turban, Efraim, et al. Information Technology for Management: Transforming Organizations in the Digital Economy. New York: Wiley, 2005.
us-cert.gov. "Protecting Aggregated Data." (2005).
Walsh, Tom. Security Risk Analysis and Management: An Overview. 2011. 29 January 2014.
Database Security and Web Applications Research Paper Example | Topics and Well Written Essays - 3000 words. https://studentshare.org/information-technology/1857077-database-security-in-web-applications