An efficient database management system depends on appropriate database security tools that protect information from illegal access. In this respect, database security covers the techniques and devices that keep computers functioning normally, protect the flow of information within the system, and support sound models of risk management. All of these areas must be addressed properly to avoid security risks and vulnerabilities. Because information plays a crucial role in organizational activities, protecting data from unauthorized access and modification, while keeping it available to the organization's members and legitimate users, acquires paramount importance. Among the many information security tools, access control is the most widely used because it blocks direct access by unauthorized parties (Gertz & Jajodia, 2007). Despite the variety of control tools protecting database networks, the threat of illegal intrusion remains on the current agenda because malware and the techniques hackers use to crack information systems and reach confidential data are constantly evolving.
Database systems emerged from the need to store and retrieve large amounts of information accurately and efficiently. For instance, databases are of great significance for university libraries, which need to store electronic versions of books and index them so that students can check availability online. Business organizations can also take advantage of information systems when accepting, processing, and organizing clients' orders (Ward & Dafoulas, 2006); keeping information about customers, suppliers, and other stakeholders in a database saves a considerable amount of time. In the 1960s, database systems relied on hierarchical tree and network models. According to Ward and Dafoulas (2006), "The database approach was an improvement on the shared file solution as the software which was used…to control the data… was quite powerful" (p. 2). The purpose of a database management system is therefore to isolate specific information from the entire flow of incoming data and to limit access to it. In the 1970s, database research shifted to the relational model, which is grounded in the mathematical principles of logic and set theory. The model is built on the familiar concepts of tables, rows, and columns, manipulated through a small set of simple, well-defined operations; the query language for relational databases developed from these operations. At the threshold of the twenty-first century, the emergence of the World Wide Web created new risks and threats to the security of database systems, which should be analyzed and discussed in more detail.
This brief historical overview sheds light on the main strengths and weaknesses of database management systems and on how they could be managed accurately. More importantly, the estimation of major security risks should be consistent with the current standards for assessing the reliability of security systems. Therefore, a thorough assessment of potential security risks, including database-specific risks, should be provided in order to develop a list of sound solutions and recommendations.
Estimating Threats and Vulnerabilities to Database Security
The range of threats and vulnerabilities to computer systems and information networks is much larger than a short-term analysis would suggest. The emergence of new digital tools and innovations is followed by the development of advanced hacking techniques, leading to software failure, information leakage, malware infection, and unauthorized access (Pfleeger & Pfleeger, 2011). All of these can cause the total dysfunction of information systems and serious problems for social, economic, and business activities all over the world. On the one hand, electronic databases have brought numerous advantages to storing, processing, and classifying information because they are less time-consuming and more accurate (Pfleeger & Pfleeger, 2011). On the other hand, the possibility of accessing this information from any location over the network aggravates the situation and creates problems of a global character. Moreover, numerous cases of illegal intrusion into private online space demonstrate the growing vulnerability of databases, whether through software dysfunction, uncontrolled traffic, failure to validate incoming data, or inadequate information exchange among legitimate users. The last of these can also result from ignorance of the existing principles of safe database use.
In order to understand the major vulnerabilities of database security, it is important to define the major areas of information protection: computer security, risk management, and information protection. The concept of computer security is associated with a set of assets valued by an individual or organization. These assets might include hardware, software, people, data, or a combination of these items. Identifying their value is therefore vital for defining what should be protected from external access. Computer devices and software are considered essential assets (Pfleeger & Pfleeger, 2011). Computer programs, including the operating system, applications, and in-house programs, require specific attention when it comes to an organization's intellectual property. Data stored on a computer, such as documents, music, video, photos, and various projects, is also an important asset that should be protected from unauthorized access.
With regard to the above, the main purpose of information security is to protect these assets from all possible harm. Organizations should therefore know how to recognize these threats and how to respond to them. According to Pfleeger and Pfleeger (2011), "vulnerability is a weakness in the system…that might be exploited to cause loss or harm" (p. 10). A threat to a database system is a set of circumstances that can cause damage to the digital information stored within the system. Awareness of these weaknesses can minimize the likelihood of unauthorized intrusion and open new perspectives for research in the field. Potential threats to an information system include both automated and human-driven illegal access. However, such an attempt will not result in unauthorized retrieval of information if the database system is free of program failures and design flaws. Designers sometimes fail to see these flaws before attackers discover them. Therefore, the level of database protection depends largely on how well such accesses can be anticipated.
Attacks may be initiated by humans or launched by other computer systems. For instance, an information security system can be vulnerable when a high volume of messages is exchanged online between the client and the organization; in this situation the vulnerability is hard to detect because attention is focused on the quality of the exchange itself. Thus, in order to better understand how vulnerability can be discovered, several criteria should be highlighted. Specifically, integrity, confidentiality, and availability are used to evaluate the extent to which a computer system is protected from hacking. Integrity refers to the ability of an information network to ensure that assets maintained in a database are altered only by authorized users, and only in intended ways (Bidgoli, 2006). Confidentiality defines the extent to which the system limits viewing of assets to the set of authorized users. Finally, availability is the ability of the system to make assets accessible to authorized users whenever they need them. These three properties, often called the security triad, are what an organization should consider while checking the vulnerability level of its database management system. Beyond these, accountability and authentication are also commonly included in the list.
The nature of vulnerability also depends on the type of digital devices used by an organization and on its sphere of business operations. For instance, if a company deals predominantly in online products and services, it must consider e-commerce hazards. As online trade grows in popularity, the three security components should be properly handled to reduce digital harm such as revenue loss, erosion of the customer base, and leakage of private information. In this respect, Bidgoli (2006) refers to e-shoplifting as fraud committed online. For instance, an attacker can use a fictitious account to buy a specific product online. Use of a false identity is also among the most common cybercrimes. The main causes of electronic fraud are poor validation of the client and of the data the client submits, including credit card numbers. Apart from e-commerce vulnerabilities, there are many other sources of unauthorized intrusion, which can be discovered by inspecting the traffic arriving from the Internet. Indeed, the World Wide Web abounds in tracking cookies that expose browsing habits and in malware and viruses that can reach personal computers, corrupt data, and infect every asset stored on them.
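Poor validation of client-submitted data is the root of the most common database attack, SQL injection, in which the client's input rewrites the query the application meant to run. The following added example (written for this page, not taken from Bidgoli or any other cited source) uses Python's built-in sqlite3 module with a constructed one-row account table as a stand-in for a production DBMS. The first login function pastes input into the SQL text; the second passes it as a bound parameter, so the input can only ever be compared as data. The password is stored in plaintext here purely to isolate the injection issue; a real system stores salted hashes.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: one account, plaintext password for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Untrusted input is spliced into the SQL text, so the client controls the query."""
    sql = (
        f"SELECT 1 FROM accounts WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders keep the input as data; the query structure cannot change."""
    sql = "SELECT 1 FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    # A username of  ' OR 1=1 --  turns the vulnerable query into
    # ... WHERE username = '' OR 1=1 --' AND password = '...'
    # so the password check is commented out and the login succeeds.
    payload = "' OR 1=1 --"
    print("vulnerable, injected:", login_vulnerable(db, payload, "anything"))
    print("safe, injected:      ", login_safe(db, payload, "anything"))
    print("safe, real password: ", login_safe(db, "alice", "correct horse"))
```

The fix is not to "sanitize" the username string but to stop composing SQL from strings at all: with bound parameters the database driver never interprets the input as SQL, regardless of what characters it contains.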
Estimating Strengths of Database Security
Before considering the strengths of database systems, the emphasis should be placed on the main types of information system protection: access control, authentication, encryption, integrity control, auditing, and application security. Each of these control tools has benefits that are relevant for a specific set of information to be secured. Context matters when implementing a security system because organizations perform different functions. For instance, a company providing services online should strengthen its access control system to ensure validation and authentication of its clients. Access control is of lesser, though still real, importance for systems holding internal data that is never exposed to outside users, such as a list of evidence-based research articles on a specific topic.
Auditing is another control tool: it records the activities of users within a database system. The main advantage of a database audit is that it checks the information system completely by dividing it into small parts and examining specific functional areas, including access control, passwords, account administration, server maintenance, and encryption (Basta & Zgola, n.d.). The findings are delivered in a final report to the auditors. The audit thus provides a thorough examination of the company's internal security activities, including risks and vulnerabilities, and strengths can also be identified through it.
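An audit is only as good as the trail it examines, and the trail must record who changed what and must itself resist tampering. The added example below (written for this page; it is not code from Basta and Zgola or any other cited work) shows one way to build such a trail inside the database with SQLite triggers. A constructed `customers` table is the sensitive data, a one-row `session` table carries the acting user (an assumption standing in for the DBMS's own session context), and two further triggers make the `audit_log` append-only so that a privileged user cannot quietly erase evidence.

```python
import sqlite3

SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, credit_limit INTEGER);
CREATE TABLE audit_log (
    id        INTEGER PRIMARY KEY,
    at        TEXT DEFAULT (datetime('now')),
    actor     TEXT,
    action    TEXT,
    row_id    INTEGER,
    old_value TEXT,
    new_value TEXT
);
-- Assumed stand-in for the DBMS session context: the application sets the actor once.
CREATE TABLE session (actor TEXT);
INSERT INTO session VALUES ('unknown');

CREATE TRIGGER customers_update AFTER UPDATE ON customers
BEGIN
    INSERT INTO audit_log (actor, action, row_id, old_value, new_value)
    VALUES ((SELECT actor FROM session), 'UPDATE', OLD.id,
            OLD.name || '/' || OLD.credit_limit,
            NEW.name || '/' || NEW.credit_limit);
END;

CREATE TRIGGER customers_delete AFTER DELETE ON customers
BEGIN
    INSERT INTO audit_log (actor, action, row_id, old_value)
    VALUES ((SELECT actor FROM session), 'DELETE', OLD.id,
            OLD.name || '/' || OLD.credit_limit);
END;

-- The trail is append-only: any attempt to rewrite history aborts the statement.
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_actor(conn: sqlite3.Connection, actor: str) -> None:
    conn.execute("UPDATE session SET actor = ?", (actor,))


def audit_entries(conn: sqlite3.Connection) -> list:
    """Return (actor, action, row_id, old_value, new_value) in the order recorded."""
    return conn.execute(
        "SELECT actor, action, row_id, old_value, new_value FROM audit_log ORDER BY id"
    ).fetchall()


def tamper_blocked(conn: sqlite3.Connection) -> bool:
    """True if an attempt to wipe the audit log is refused by the database."""
    try:
        conn.execute("DELETE FROM audit_log")
    except sqlite3.DatabaseError:
        return True
    return False


def run_demo() -> tuple:
    """Constructed scenario: a DBA raises a credit limit and then deletes the customer."""
    conn = setup()
    conn.execute("INSERT INTO customers VALUES (1, 'Acme', 1000)")
    set_actor(conn, "dba_bob")
    conn.execute("UPDATE customers SET credit_limit = 50000 WHERE id = 1")
    conn.execute("DELETE FROM customers WHERE id = 1")
    return audit_entries(conn), tamper_blocked(conn)


if __name__ == "__main__":
    entries, blocked = run_demo()
    for e in entries:
        print(e)
    print("wipe of audit_log blocked:", blocked)
```

In a production DBMS the same pattern is usually expressed with the server's own session variables and with the audit table owned by a separate schema that the application account can insert into but not modify; the trigger logic is the part that transfers directly.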
Database security is also premised on a combination of control tools used by system administrators. An appropriate set of security mechanisms can give an information system all the means necessary to protect computer assets (Lakshmi, Parish Venkata Kumar, Shahnaz Banu, & Anji Reddy, 2013). To achieve the highest level of protection, an organization must strike a balance between the introduction of security tools and its performance goals. In this respect, Mattsson (n.d.) argues for the benefits of encryption in protecting database systems. According to the author, performance and security are the two major aspects that should be considered before introducing an efficient database management system. As he puts it, "database-level encryption protects the data within the DBMS and also protects against a wide range of threats, including storage media theft, well knowledge storage attacks, database-level attacks and malicious DBAs" (Mattsson, n.d., pp. 2-3). Because encryption is handled at the database level, the application does not need to be modified, and the approach accommodates rapidly changing business requirements. Since the encryption process belongs to database management, the solution does not require the organization's managers to understand the detailed characteristics of the database assets. In addition to database-level encryption, Mattsson describes Network Attached Encryption, in which a separate device performs all cryptographic operations and houses the encryption keys. When a user requests information, the protection system controls the retrieval by decrypting the data only for that request, which also makes it possible to check whether the user's access is authorized. A practitioner should note, however, that encryption of stored data does not by itself protect against anyone who can query the database through a legitimate account; it complements access control rather than replacing it.
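The virtual private database approach that Lakshmi et al. (2013) discuss is an instance of the access control that must accompany encryption: the database itself attaches a predicate to every query so that a user sees only the rows a policy permits. The following added example (written for this page, not the authors' code) reproduces the idea in SQLite. An `orders` table is the protected asset, a one-row `session` table is an assumed stand-in for the DBMS session context, and the policy lives in a view that joins the two. The application is assumed to be granted access to the view only, never to the base table; SQLite has no GRANT statement, so that part of the design is stated rather than enforced here.

```python
import sqlite3

SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, amount INTEGER);
-- Assumed stand-in for the DBMS session context (one row, set by the application).
CREATE TABLE session (customer TEXT, is_admin INTEGER);
INSERT INTO session VALUES (NULL, 0);
-- The policy: every row read through the view must belong to the session's customer,
-- unless the session is an administrator. A NULL customer matches nothing.
CREATE VIEW orders_v AS
    SELECT o.id, o.customer, o.amount
    FROM orders o, session s
    WHERE s.is_admin = 1 OR o.customer = s.customer;
"""

# Constructed sample rows; two customers share the table.
SAMPLE_ORDERS = [(1, "alice", 120), (2, "bob", 80), (3, "alice", 45)]


def build() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def set_session(conn: sqlite3.Connection, customer, is_admin: bool = False) -> None:
    """Bind the connection to a customer (or to an administrator) for subsequent queries."""
    conn.execute("UPDATE session SET customer = ?, is_admin = ?", (customer, int(is_admin)))


def visible_orders(conn: sqlite3.Connection) -> list:
    """The application issues an unrestricted query; the view applies the policy."""
    return conn.execute("SELECT id, customer, amount FROM orders_v ORDER BY id").fetchall()


def total_for_session(conn: sqlite3.Connection) -> int:
    """Aggregates go through the same policy, so totals cannot leak other customers' data."""
    return conn.execute("SELECT COALESCE(SUM(amount), 0) FROM orders_v").fetchone()[0]


if __name__ == "__main__":
    db = build()
    for who, admin in [("alice", False), ("bob", False), ("mallory", False), (None, True)]:
        set_session(db, who, admin)
        print(who or "admin", visible_orders(db), total_for_session(db))
```

The important property is that the filtering happens inside the database, independent of which query the application writes, so a bug or an injection in the application cannot widen the result set beyond what the policy allows for that session.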
Passwords are an integral part of access control in a database security system and strengthen its protection against cyber theft. The stronger the password, the better the chances of protecting the information. The main benefit of a password is the assurance that an account is available to its authorized user only. Failed login attempts can also be logged together with the source address from which they were made, which helps to detect and limit unauthorized access. The database must store passwords only as salted, slow hashes rather than in plaintext, so that a stolen account table does not directly yield the credentials. Users who are issued passwords should therefore adhere to the security standards in order to avoid penalties and other serious consequences of personal information leakage.
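The paragraph above describes what password protection should achieve; the added example below (written for this page, not from any cited source) shows how a practitioner would implement the two halves of it with Python's standard library. Passwords are stored as PBKDF2-HMAC-SHA256 hashes with a random per-user salt and a high iteration count, verification uses a constant-time comparison, and a small `LoginGuard` records failed attempts per username and source address and locks the pair after a threshold. The user table and addresses are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 600_000  # high work factor so offline guessing against a stolen table is slow


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 parts)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False  # malformed record never verifies
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


class LoginGuard:
    """Checks credentials and locks a (username, source address) pair after repeated failure."""

    def __init__(self, users: Dict[str, str], max_failures: int = 5) -> None:
        self.users = users                      # username -> stored hash record
        self.max_failures = max_failures
        self.failures: Dict[Tuple[str, str], int] = {}
        self.log: List[Tuple[str, str]] = []    # failed attempts: (username, source address)
        # Hash of a random value, verified against for unknown users so that the
        # response time does not reveal which usernames exist.
        self.dummy = hash_password(os.urandom(16).hex())

    def attempt(self, username: str, password: str, source_ip: str) -> str:
        key = (username, source_ip)
        if self.failures.get(key, 0) >= self.max_failures:
            return "locked"
        stored = self.users.get(username, self.dummy)
        ok = verify_password(stored, password) and username in self.users
        if ok:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        self.log.append(key)
        return "denied"


if __name__ == "__main__":
    table = {"alice": hash_password("correct horse battery staple")}  # constructed
    guard = LoginGuard(table, max_failures=3)
    for pw in ["guess1", "guess2", "guess3", "correct horse battery staple"]:
        print(guard.attempt("alice", pw, "203.0.113.7"))
    print("failures logged:", guard.log)
```

Locking by username and address together, rather than by username alone, stops one remote attacker from locking a legitimate user out of their own account while still slowing down guessing from any single source.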
Overall, the advantage of using sophisticated database security systems, together with efficient database management networks, is evident. Control tools for information processing, storage, and retrieval help to secure an organization's good reputation and competitiveness in a global setting. Employing a relevant combination of control tools, such as access control, auditing, or encryption, will significantly reduce the threat of information leakage or unauthorized access to confidential data. Security mechanisms also increase an organization's awareness of its assets, including documents, video, images, and other digital records of great value for the company's development and growth, and they protect it from the loss of reputation and regular customers that illegal access would bring.
Significance of the Problem
Despite the existence of reliable access control and filtering mechanisms, there is a growing threat of these systems being bypassed and defeated because of the vulnerabilities that remain in database security systems. Moreover, insufficient protection of private information is often explained by the failure to adopt integrity and auditability controls properly. The seriousness and significance of the problem can be judged from the consequences that losing these components has for the security system.
The concept of integrity is directly associated with correct and accurate anticipation of all possible threats and vulnerabilities. In this regard, authorized users bear responsibility for uploading relevant data to database networks. However, neither programs nor users are insured against mistakes while gathering data, analyzing results, and processing assets. Database systems should take corresponding measures to help avoid and reduce errors, but these attempts are not always sufficient for managing information properly. As a result, many database security issues remain unresolved (Pfleeger & Pfleeger, 2003). In addition, access control is a viable tool for protecting information, but authorized users are not always aware of the reliability of the sources they use while processing confidential data, and some of them are reluctant to bear responsibility for an unauthorized user's intervention when it happens beyond their control.
Apart from the internal security of database systems, the problem of insufficient protection also concerns database-to-database communication. Indeed, a database is seldom an isolated system functioning as a confidential source of information; rather, most information networks are connected to other online systems. Hence, database-to-database communication is of immense importance in the light of the current popularity of Internet education and international relations between companies. When establishing a link between two information networks, commonly accepted security standards should be adopted. However, current practice shows that the protection of such links is not ensured diligently because the two systems' security measures differ. In particular, Natan (2005) emphasizes that "Enforcing security on links is first and foremost about making sure that access to links…is provided only to legitimate accounts within database" (p. 242). In this respect, passwords and encryption alone do not always ensure the safety of information exchange between computers.
The problems of database systems described above help to explain the rising rate of cybercrime. Because of the potential threats and vulnerabilities to database systems, cyber investigations are not effective enough to address the existing challenges and to develop a powerful framework for reducing computer crime. The problem also concerns the ability to keep pace with advances in information security and with the development of powerful mechanisms for protection against illegal access and cyber attacks (Casey, 2011). As a result, inappropriate and inconsistent protection mechanisms lead to a failure to respond adequately to computer crimes. To tackle this problem, an alternative methodology is necessary.
Security enhancement should be carried out through proper management of three elements: the consumer, the administrator, and the security software. These three pillars must be handled so that all participants are assured of accurate delivery and processing of confidential information. In this respect, introducing training programs and new ethical codes of conduct in business organizations is the best approach. A plan of action should rest on both theoretical and practical perspectives. From a theoretical point of view, all members of an organization should be tested for their competence in addressing database security issues. Most of these tests should cover basic information about the various ways of protecting confidential information, such as access control, auditing, encryption, and passwords.
In addition to competence testing, a review of statistical information on crime rates and cyber investigations should be provided to gain a better understanding of the situation. Recent research on database system management must also be introduced to provide a transparent and adequate assessment. An overview of current debates on security information management can allow administrators to proceed with strengthening current systems and promoting new ethical strategies of system protection. Much attention should be given to the analysis of the global environment and to how external factors, such as competition, technological innovation, and the overall political situation, influence the level of private data protection and management.
Finally, the sensitivity of the data being secured should also be reconsidered in order to develop new frameworks for managing the company's assets and values. The role of managers and IT administrators will consist in monitoring the processes of uploading, processing, and encrypting information (Mena, 2003). The level of protection for each set of information should also be reconsidered so as to develop different layers of protection. All the mechanisms described above should be used in combination to develop a highly competitive framework for isolating data from unauthorized users. In such a way, potential harm caused by illegal intervention can be detected immediately.
Recommendations and Solutions
The challenge of constant control and inspection of data within an organization can be addressed in three stages: analysis of new facts and innovations, addressing current regulatory requirements, and reference to newly emerging research on database security. The first stage, analysis of new facts, involves several strategies and actions to reduce threats and vulnerabilities. To begin with, organizations should protect the database infrastructure efficiently and introduce new measures for security management. This also involves increasing administrators' productivity and reducing IT management costs through greater automation. Further, meeting customer requirements for database security management will allow organizations to establish centralized control of database access and auditing. Third, organizations should continuously discover regulated and sensitive information within their databases, and analyze new application capabilities that foster the deployment of protection measures, including data masking. New masking capabilities can contribute to better security of production data in various environments and to efficient integration of control tools. Finally, complete protection of information storage through automated patching and change management will significantly improve administrator productivity.
In the second stage, an action plan will be directed at raising security standards, responding to regulatory requirements, and reducing the time spent managing new software. To begin with, introducing innovative software gives the database security system a comprehensive overview of the security measures adopted within an organization. Such a system offers a centralized interface connecting authorized users inside and outside the information network. Because many organizations face the challenge of recognizing regulated and sensitive data, administrators should provide assistance in protecting digital databases and in managing new items of data; the same tooling can be used for discovering highly sensitive information. A number of strategies and features can significantly improve information exchange and protection, such as integrated testing procedures that capture production database workloads for safe use in non-production environments. Masking data in the database, including format-preserving masking, is among the beneficial approaches to database security. In total, the proposed measures will demonstrate the organization's commitment to raising the quality of database security and to assisting consumers in managing confidential information. Moreover, constant upgrading of information systems can reduce the cost of security software and increase the organization's competitiveness over other companies operating globally.
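The two stages above both name data masking as the way to let production data be used safely in non-production environments. The added example below (written for this page, not taken from any cited source) shows what format-preserving masking means in practice, using only the Python standard library. Card numbers keep their length, separators, and last four digits while the remaining digits are replaced by digits derived from an HMAC of the real number under a masking key; e-mail addresses keep their domain. Because the derivation is keyed and deterministic, the same real value always masks to the same value, so joins between masked tables still work, but the mapping cannot be reversed or reproduced without the key. The key and rows are constructed sample values.

```python
import hashlib
import hmac
from typing import Any, Callable, Dict

KEEP_LAST = 4  # digits left untouched at the end of a card number


def mask_card(pan: str, key: bytes) -> str:
    """Format-preserving mask of a card number.

    Separators stay where they were, the last KEEP_LAST digits are kept, and every
    other digit is replaced by one derived from HMAC-SHA256(key, real digits).
    Taking each tag byte modulo 10 is slightly biased, which is acceptable for
    masking (the goal is unlinkability to the real number, not a uniform PAN).
    """
    digits = [c for c in pan if c.isdigit()]
    tag = hmac.new(key, "".join(digits).encode("ascii"), hashlib.sha256).digest()
    cutoff = len(digits) - KEEP_LAST
    out = []
    seen = 0  # index of the current digit within the digit sequence
    for c in pan:
        if c.isdigit():
            if seen < cutoff:
                c = str(tag[seen % len(tag)] % 10)
            seen += 1
        out.append(c)
    return "".join(out)


def mask_email(address: str, key: bytes) -> str:
    """Replace the local part with a keyed pseudonym; keep the domain for realism."""
    local, domain = address.rsplit("@", 1)
    tag = hmac.new(key, local.encode("utf-8"), hashlib.sha256).hexdigest()[:10]
    return "user_%s@%s" % (tag, domain)


# Column name -> masking function. Columns not listed are copied unchanged.
MASKERS: Dict[str, Callable[[Any, bytes], Any]] = {
    "card": mask_card,
    "email": mask_email,
}


def mask_row(row: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Mask the sensitive columns of one record before it leaves production."""
    return {
        name: (MASKERS[name](value, key) if name in MASKERS and value is not None else value)
        for name, value in row.items()
    }


if __name__ == "__main__":
    key = b"constructed-masking-key-keep-out-of-test-env"
    production = [  # constructed sample records, not real people
        {"id": 7, "email": "alice@example.com", "card": "4111 1111 1111 1111", "amount": 12},
        {"id": 8, "email": "bob@example.org", "card": "5500-0000-0000-0004", "amount": 30},
    ]
    for rec in production:
        print(mask_row(rec, key))
```

Two caveats a practitioner would add: the masking key must live only in the production environment, since anyone holding it can recompute the pseudonym for a guessed real value; and because the real check digit is kept, the masked card will generally not pass a Luhn check, so test code that validates card numbers needs the last masked digit adjusted rather than the real one retained.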
Finally, constant review of the literature and of research studies can help organizations enrich their research and development departments with new strategies and trends for protecting their media assets. Specifically, recent research on database security shows that consumers should also be concerned with the vulnerabilities and threats posed to confidential information (Middleton, 2010). The problem should be considered in the light of significant crime rates. In this respect, excellence in the software and hardware products that protect data communication systems can minimize the harm from the daily threat of computer crime. Analysis of legal frameworks is essential for any organization that seeks to strengthen its position in protecting its media assets (Basta & Zgola, n.d.). In addition, an investigative framework is necessary to highlight risk management and to develop new cyberspace paradigms within which database security will be ensured. Checks on both the quality of incoming data and the software itself are recommended in order to restructure the current standards for regulating the processing and storage of confidential information. Most of the recommendations and techniques presented here are essential for reducing the number of illegal attacks on electronic information management systems. They not only prevent attempts to hack the information, but also raise new ethical and regulatory questions for access control.
- Basta, A., & Zgola, M. (n.d.). Database security. New York, NY: Cengage Learning.
- Bidgoli, H. (2006). Handbook of information security, threats vulnerabilities, prevention, detection, and management. Hoboken, NJ: John Wiley & Sons.
- Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers and the Internet. Academic Press.
- Gertz, M., & Jajodia, S. (2007). Handbook of database security: Applications and trends. New York, NY: Springer.
- Goel, S. (2010). Digital forensics and cyber crime: First International ICST Conference, ICDF2C 2009, Albany, NY, USA, September 30 – October 2, 2009, revised selected papers. New York, NY: Springer.
- Lakshmi, B. B., Parish Venkata Kumar, K. K., Shahnaz Banu, A. A., & Anji Reddy, K. K. (2013). Data confidentiality and loss prevention using virtual private database. International Journal On Computer Science & Engineering, 5(3), 143-149.
- Mattsson, U. T. (n.d.). Database encryption – how to balance security with performance. 1-16. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.127.8228&rep=rep1&type=pdf
- Mena, J. (2003). Investigative data mining for security and criminal detection. Waltham, MA: Butterworth-Heinemann.
- Middleton, B. (2010). Cyber crime investigator’s field guide. UK: Taylor & Francis.
- Pfleeger, C. P. & Pfleeger, S. L. (2011). Analyzing computer security: A threat/vulnerability/countermeasure approach. Upper Saddle River, NJ: Prentice Hall Professional.
- Pfleeger, C. P., & Pfleeger, S. L. (2003). Security in computing. Upper Saddle River, NJ: Prentice Hall Professional.
- Ward, P., & Dafoulas, G. (2006). Database management systems. New York, NY: Cengage Learning FMFA.