
JA4. Database security

Statement

Database systems are in use everywhere in our society. Discuss your personal experiences with an access control method and explain in detail how it worked. Your entry must be in your own words, with references, and 3-5 paragraphs long.

Answer

In a company I worked for, we had a role-based access control model combined with a label-based access control model. The architecture was a three-tier architecture, with an application server in the middle that handled request authentication and authorization.

The application server itself was connected to the database server and had a wide range of permissions. The database server did not handle authentication or authorization requests from users, but it did handle requests from the application server; hence, the database server was placed on a private network and only accepted connection requests from that same network, which included the application server.

Any request that reached the database server was guaranteed to be legitimate, with all permissions checked beforehand; hence, the overhead of checking permissions on the database server was minimal. The entire structure is known as a safe context, where the database server is the safe context target and the application server is the safe context initiator.

When a user initiated a request from one of our multiple front-end applications, the request had to carry an authentication token (either in the cookies or in the headers). The token was then validated by the application server and the user was extracted. Once we had the user, the request was evaluated against the user's roles; if the user had the required role, the user passed the role-based access control barrier.

After the role-based access control check, the request was evaluated against a set of labels called permissions, which were set on the requested resource and on the user. If the user had the required permission, the user passed the label-based access control barrier, and the request was forwarded to the database server to be executed.

The combination of the two access control models is very powerful, and it is very easy to manage and maintain: we can easily add roles to large groups of users, then restrict access to a small set of resources by adding specific permissions to those resources.
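The request flow described above (token validation, then the role check, then the permission-label check, then forwarding to the database) can be sketched as follows. This is an added example, not code from the system the answer describes; the HMAC token format, the user and resource tables, and the rule that a user must hold every label set on the resource are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: signing key held only by the app server

# Constructed sample data: each user has roles and permission labels.
USERS = {
    "alice": {"roles": {"analyst"}, "labels": {"finance:read"}},
    "bob": {"roles": {"analyst"}, "labels": set()},
    "carol": {"roles": {"guest"}, "labels": {"finance:read"}},
}
# Constructed sample data: each resource names a required role and labels.
RESOURCES = {
    "finance_report": {"role": "analyst", "labels": {"finance:read"}},
    "team_wiki": {"role": "analyst", "labels": set()},
}

def _sign(user_id):
    return hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()

def issue_token(user_id):
    """Hypothetical token format: '<user_id>.<hex HMAC of user_id>'."""
    return f"{user_id}.{_sign(user_id)}"

def authenticate(token):
    """Validate the token and extract the user id, or return None."""
    user_id, _, sig = (token or "").rpartition(".")
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if user_id in USERS and hmac.compare_digest(sig.encode(), _sign(user_id).encode()):
        return user_id
    return None

def authorize(token, resource_name):
    """Return (allowed, reason); only allowed requests would reach the database."""
    user_id = authenticate(token)
    if user_id is None:
        return False, "invalid token"
    resource = RESOURCES.get(resource_name)
    if resource is None:
        return False, "unknown resource"  # deny by default
    user = USERS[user_id]
    if resource["role"] not in user["roles"]:  # role-based barrier
        return False, "missing role"
    if not resource["labels"] <= user["labels"]:  # label-based barrier
        return False, "missing permission label"
    return True, "forward to database"
```

Here `bob` and `alice` share the `analyst` role, but only `alice` holds the `finance:read` label, so the role grants broad access while the label narrows it to specific resources.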

References

  • Sharma, N., Perniu, L., Chong, R.F., Iyer, A., Nandan, C., Mitea, A.C., Nonvinkere, M., & Danubianu, M. (2010). Database Fundamentals (1st ed.). Markham, ON: IBM Corporation. Chapter 9.