Научная статья на тему 'Distributed database management system in a multilevel secure'

Distributed database management system in a multilevel secure Текст научной статьи по специальности «Компьютерные и информационные науки»

CC BY
247
52
i Надоели баннеры? Вы всегда можете отключить рекламу.
Ключевые слова
AS P. NET / БАЗЫ ДАННЫХ / РАСПРЕДЕЛЕННЫЕ БАЗЫ ДАННЫХ / БЕЗОПАСНОСТЬ / DATABASES / DISTRIBUTED DATABASES / SECURITY / SQL / SQLSERVER

Аннотация научной статьи по компьютерным и информационным наукам, автор научной работы — Al Kaibi Eman Gabar Abdul Hasen

The article examines problems control systems of a multilevel database. Considered the advantages and disadvantages of distributed databases.

i Надоели баннеры? Вы всегда можете отключить рекламу.
iНе можете найти то, что вам нужно? Попробуйте сервис подбора литературы.
i Надоели баннеры? Вы всегда можете отключить рекламу.

Текст научной работы на тему «Distributed database management system in a multilevel secure»

DISTRIBUTED DATABASE MANAGEMENT SYSTEM IN A MULTILEVEL SECURE

УДК 004.056(043)

Al Kaibi Eman Gabar Abdul Hasen

graduate student at Moscow State University of Economics, Statistics and Informatics Email : Eman [email protected] 8(903) -279-31-91

The article examines problems control systems of a multilevel database. Considered the advantages and disadvantages of distributed databases.

Keywords: databases, distributed databases, security, ASP.NET, SQL, SQL Server

Ал Каиби Еман Габар Абдул Хасен

аспирантка Московского государственного университета экономики, статистики и информатики

Email : Eman [email protected] 8(903) -279-31-91

СИСТЕМА УПРАВЛЕНИЯ РАСПРЕДЕЛЕННОЙ БАЗОЙ ДАННЫХ В МНОГОУРОВНЕВОЙ СИСТЕМЕ ЗАЩИТЫ

В статье рассматриваются проблемы систем управления распределенной базы данных. Рассмотрены достоинства и недостатки систем с распределенными базами данных.

Кпючевые слова: Базы данных, распределенные базы данных, безопасность, ASP.NET, SQL, SQL Server

1. Overview:

With the economic development all over the world, the wide speed use of technology, and increase of using information, there was a need to databases. Databases collect, store and retrieve data in the public, private and academic sectors. These databases can connected via internal or external networks to facilitate the exchange of information.

Every database contains a set of tables and every table has a data structure which use to store organized information for specific institution. Initial database structure can be very basic, easy to build, use and maintain. Databases can be expanded and manipulated as the case of the organization grows and your resources increase. There are a variety of different ways to deal with this database as input screens, reports, special query statements or using mailing lists, and when the institution grows and more users need to track a great deal of different information. This feature allow to multiple users to share the same file over the network by using a lock file to synchronize the write read operations of the database's applications to verify. Today's economic sector has an increasing need for distributed database and it's applications to verify the reliable, scalable and accessible information. In a multilevel secure distributed database management system, users cleared at different security levels access and share a distributed database consisting of data at different sensitivity levels. An approach to assigning sensitivity levels, also called security levels, to data is one which utilizes constraints or classification rules. Security constraints provide an effective classification policy.

2. Distributed Database:

Distributed database systems allow to the data to distribute via different network sites. It give a facility to send and receive the data on the communication channels to process and let the data access faster and make the local control of data to users, as we see the Distributed Database Environment in Figure (1).

ПнГнЬнзк?

DBMS 2

DBMS] ■*—*■ ОшдЬвк!

Cenn]nita(uKi)i£tworii

DtHäl].iSCi

7 \

« » QBMS3

DBMSJ

Figure (1) Distributed Database Environment

3. Database Sharing :

In today's world of universal dependence on information systems, all sorts of people need access to companies' databases. In addition to a company's own employees, these include the company's customers, potential customers, suppliers, and vendors of all types. It is possible for a company to have all of its databases concentrated at one mainframe computer site with worldwide access to this site provided by telecommunications networks, including the Internet. Although the management of such a centralized system and its databases can be controlled in a well-contained manner and this can be advantageous, it poses some problems as well. For example, if the single site goes down, then everyone is blocked from accessing the databases until the site comes back up again. Also the communications costs from the many far-flung PCs and terminals to the central site can be expensive. One solution to such problems, and an alternative design to the centralized database concept, is known as distributed database.

The idea is that instead of having one, centralized database, we are going to spread the data out among the cities on the distributed network, each of which has its own computer and data storage facilities. All of this distributed data is still considered to be a single logical database. When a person or process anywhere on the distributed network queries the database, it is not necessary to know where on the network the data being sought is located. The user just issues the query, and the result is returned. This feature is known as location transparency. This can become rather complex very quickly, and it must be managed by sophisticated software known as a distributed database management system DDBMS.

4. Database Integrity:

The most organizations interested with close correspondence between the facts stored in the database and the real world it models to make sure of database integrity and the database is an accurate reflection of the entity. To execute data integrity there is some duties must perform:

- Take successful logical and physical backup for all databases.

- Can recover any incorrect maintain to the database during any operation (transfer, storage or retrieval).

- Perform the auditing and analysis to the database.

The new organization introduces specialization occupation interested with data integrity and security called quality assurance. This person puts the policies and strategies to ensuring that database is completed and protected from any illegal maintain and the database administration who execute this policies.

5. Distributed Database Management Systems (DDBMS) :

DDBMS is defined as a software system that allows the management of the distributed database and let the distribution clear to the users. Database management systems have many of the same security requirements. Some of the most important security requirements for database management systems are:

1-Multi-level Access Control.

2-Confidentiality.

3-Reliability.

4-Integrity.

5-Recovery.

6. Rules for Distributed Database :

There is formulated twelve rules for Distributed databases . The rules are as follows:

1) Local autonomy: No site should

depend on another site to perform its functions.

2) No reliance on a central site: A DDBMS should not need to rely on one site more than any other site.

3) Continuous operation: Performing any function should not shut down the entire distributed database.

4) Location transparency: Users should feel as if the entire database is stored at their location.

5) Fragmentation transparency: Users should feel as if they are using a single central database.

6) Replication transparency: Users should not be aware of any data replication.

7) Distributed query processing: A DDBMS must process queries as rapidly as possible even though the data is distributed.

8) Distributed transaction management: A DDBMS must effectively manage transaction updates at multiple sites.

9) Hardware independence: A DDBMS must be able to run on different types of hardware.

10) Operating system independence: A DDBMS must be able to run on different operating systems.

11) Network independence: A DDBMS must be able to run on different types of networks.

12) DBMS independence: A DDBMS must be heterogeneous.

7. Advantages of Distributed Database Management Systems:

Local Autonomy: Since data is distributed, a group of users that commonly share such data can have it placed at the site where they work, and thus have local control. By this way, users have some degree of freedom as accesses can be made independently from the global users.

• Improved Performance: Data retrieved by a transaction may be stored at a number of sites, making it possible to execute the transaction in parallel. Besides, using several resources in parallel can significantly improve performance.

• Improved Reliability/Availability: If data is replicated so that it exists at more than one site, a crash of one of the sites, or the failure of a communication line making some of these sites inaccessible, does not necessarily make the data impossible to reach. Furthermore, system crashes or communication failures do not cause total system failure and distributed DBMS can still provide limited service.

• Economics: If the data is geographi-

cally distributed and the application is related to these data, it may be much more economical, in terms of communication costs, to partition the application and do the processing at each site. On the other hand, the cost of having smaller computing powers at each site is much more less than the cost of having an equivalent power of a single mainframe.

• Expandability: Expansion can be easily achieved by adding processing and storage power to the existing network. It may not be possible to have a linear improvement in power but significant changes are still possible.

• Share ability: If the information is not distributed, it is usually impossible to share data and resources.

A distributed database makes this sharing feasible. On the other hand, distribution of the database can cause several problems.

8. Disadvantages of Distributed Database Management Systems:

• Lack of Experience: Some special solutions or prototype systems have not been tested in actual operating environments. More theoretical work is done compared to actual implementations.

• Complexity: Distributed DBMS problems are more complex than centralized DBMS problems.

• Cost : Additional hardware for communication mechanisms are needed as well as additional and more complex software may be necessary to solve the technical problems. The trade-off between increased profitability due to more efficient and timely use of information and to new data processing sites, and increased personnel costs, has to be analyzed carefully.

• Distribution of Control: The distribution creates problems of synchronization and coordination as the degree to which individual DBMSs can operate independently.

• Security: Security can be easily controlled in a central location with the DBMS enforcing the rules.

However, in distributed database system, network is involved which it has its own security requirements and security control becomes very complicated.

• Difficulty of Change: All users have to use their legacy data implemented in previous generation systems and it is impossible to rewrite all applications at once.

A distributed DBMS should support a graceful transition into a future architecture by allowing old applications for obsolete databases to survive with new

applications written in current generation DBMSs .

9. Introduction in Security :

The important of the database security is huge and still growing in modern organizations that because the critical applications need databases and the databases contain data with different level of importance and confidentiality are accessed by a wide variety of users. Integrity violation of database may have dangerous effects on the business processes and detect any attempt to security breaching of confidential data. Database security is more than just avoiding computer viruses and choosing strong passwords. It's covers a wide range of computers and physical security issues, social engineering attacks and privacy concerns.

The important of most databases security programs can be summarize in three aspects:

1-Communications security.

2-Secure different types of data.

3-Develop new ways of data security.

10. Communications Security:

When we use old or new communication services, we are worried a bout the integrity and privacy of our business database. The information society means that governments will employ E-Govern-ment principles and give all it's services on the internet, and the other organizations put their businesses also on the internet and the people in the world using the internet in their daily activities, this type of communications to all users on the internet need deep study to protect the database of each government or companies from any external or internal threats via this communications.

Security is a main concern of governments and companies that doing business on the World Wide Web. By design Information society is a free and open system, but it should also be a society where government and businesses can maintain privacy and remain secure with their information and properties. If one looks at a simple purchase activity of a web customer and traces the data flow, one can see that there are two security issues to be addressed.

1-Secure data transmission: when a customer submits her/his confidential information (e.g. credit card numbers) through her/his web browser, the information should remain confidential on its way to the web server, the application server, and the backend DB server.

2- Secure data storage and access: when the confidential customer data ar-

rives at the DB server, the data should be stored in such a way that only authorized users can access them.

11. Information classification:

Anyone think to design an information classification to the system, he\she must ask the key question "which kind of institution he/she wants to design and what levels of classification he\her need and what grade of security required for each level to protect his\her information??" Estimating the value or importance of information is necessary part in information security. The security policies include also another future enhancement or modifications to organizations there must be a guide to classify the new information in order to be able to deploy proper protective methods. We can say that there is a different information classification systems around, we remember 'Traffic Light Proposal' which have four levels [1] :

1-Highly Sensitive (Personal for named recipients only).

2-Sensitive (Named Groups).

3- Normal Business (Business community wide).

4-Public (Public distribution, unlimited control).

And another classification scheme for example BS17799 which have five levels :

1-Public Documents.

2-Internal Use Only.

3-Proprietary.

4-High confidential.

5-Top Secret.

But in this work we will use simple classification with three levels only that we recommended it for the project depending on the implementation and design and the levels will be:

iНе можете найти то, что вам нужно? Попробуйте сервис подбора литературы.

1-Very Sensitive Data.

2-Sensitive Data.

3-Public data.

12. Using new Technologies in Security improving:

The increasing interest on identification systems on the different sectors presents a model for managing online transactions by using biometrics to reduce the cost and risk of transactions. Biometric technologies may replicate the richness of human trust to a greater degree than other, the term biometrics refers to automatic recognition of an individual based on anatomical like:

1-Fingerprint recognition.

2-Face recognition.

3-Iris recognition.

4-Hand geometry.

5-Ear recognition.

6-Palm print recognition.

7-Signature recognition.

8-Voice recognition.

This biometric systems have several advantages over traditional security methods based on something that you know (password, PIN) or something you have (card, key). In biometric systems, users do not need to remember passwords or PINs (which can be forgotten) or to carry cards or keys (which can be stolen). The systems implementation is to improve a number of areas including simplifying and easing regular employee tasks. Better securing entryways in employee areas, securing computer networks and applications will improve security for customer data and addressing security concerns regarding risk assessment procedures.

13. Statement of the Problem:

The distributed database in the bank system contains a large amount of data which is divided into three types:

1-Public data: The headquarters of the bank announce this type of data in all of communication media to inspire the customers to deal with it. This data like the branches (locations, addresses, telephone numbers and their productions and services).

2-Sensitive data: this type is particular data and each department in the bank have part of this data to perform its jobs, and reserves the right to be consulted inside the department and not to allow other to see except where the nature of the work needs that like internal audit department or financial control department which have the rights to know a bout any movement or a question. Examples of this data: customers, employees' data, account numbers, balances and movements.

It is not entitled to a bank or its employees to give any declaration of this data to others. Because it is a sensitive data and there is a risk to give any private personal or financial customer details to a person not authorized whether this person from the staff of the bank (internal threats) or from outside (external threats). This can be done by using the data to steal the customer information or signature forgery or falsification of credit cards. Therefore the bank try to withhold such data for all staff except the staff responsible on each service for need this data to perform their works.

Each table in distributed database contains a set of fields and tuples. The data may be intended to conceal are some fields on the table or certain tuples from the table which have special data that user should not see it. For this we face a prob-

lem in controlling access to the unauthorized data in the database.

We are interested to give an acceptable solution to this problem and every employee can only see what he/she needs in the work.

3-Very sensitive data: this type is used to introduce necessary reports and statistics by the headquarters of the bank to help them in determine the financial situation and the decision-making and for this they have a full access to the database. This type of data we will not discuss it in our study.

The headquarters of the bank always try to protect their database from any threat may occurred by the staff of the bank. This threat is internal security breaches by employees. We must simplify the job of controlling the access rights of staff by reducing the number of employees who need privileged super user access to make it easier to manage the system. Also the headquarters must keep and audit user activity which will prove the usefulness for compliance purpose and internal investigations. In this work we try to solve some problems of internal unauthorized access to the distributed database of the investment bank.

14. Contribution:

Often the banks do not realize the potential amount of risk associated with the sensitive information within database until they execute an internal audit which shows the employees who can access the sensitive data.

We help the headquarters of the bank to put the policies and complete enterprise security information standard, and to make sure that the privacy protection process does not prevent authorized persons from obtaining the right data at the appropriate times.

We also consider ways to protect sensitive database information by deploying cryptographically enforce access control to information in the database at the investment bank to make sure that only authorized senior-level bankers can obtain what they need , however the access to an encrypted information are not available to the other levels in the bank.

This will increase security and integrity and gives the customers more confidence about the ability of the bank to protect their accounts and personal information.

15. Research hypothesis:

1-We assume that we use an identical system to the bank system.

2-We assume that we use the same

database of the bank.

3-We assume that filtering of some fields and tuples doesn't affect on the speed of the system because of the high speed servers (CPU + RAMs) in the bank.

4-We assume that the policy of the bank allowed using this type of encryption.

5-We assume the classification levels are three only.

6-We assume that we have only three departments in the bank(deposits, facilities and remittance).

7-We assume that the bank delivered in four branches.

16. Research Tools:

The proposed application will create multi-tiers: data, business object, and user interface. The data tier is a database in SQL Server 2005. The business-object tier will build in C# classes which accessing the data and distributing it to the clients. The user-interface tier will consist both a web-based application (ASP.NET) and traditional windows application.

17. SQL Server 2005 Express Edition:

SQL Server is a relational database management system (RDBMS) from Microsoft that's designed for the enterprise environment.

SQL Server is gaining ground in the database space. As more companies turn to the DBMS as the low-cost big player, more DBAs will have to learn its intricacies. With that in mind, we created this learning guide, highlighting basic SQL Server information that can help Oracle and DB2 pros get up to speed on the system.

SQL Server2005 Express Edition (SSE) is a free database management system based on Microsoft SQL Server 2005 that allows you to define, store, and manipulate data in an integrated fashion. It enables you to share data with others, while preserving user security and permission features. You can store data in an application-independent manner while making sure that redundancy and inconsistency are reduced and that data integrity is maintained.

18. Features and Benefits of SSE:

The following list points out some of SSE's best features:

1-Data types: As mentioned, SSE ships with the same database engine that is behind the SQL Server 2005 Enterprise Edition and supports data types such as User-Defined data types (UDT), the XML data type, and VarChar (MAX).

2-Language independent: Supporting

.NET inside SSE allows you to use your favorite .NET language such as C#, VB .NET, or J# for database development.

3-Ease of deployment: Xcopy deployment allows you to copy, move, and delete database files just like normal Windows files. There is support for SSE with all Visual Studio editions so that it is possible to develop simple desktop and web database applications without writing a line of code. Building, debugging, and deploying your application is possible with a few mouse clicks from within Visual Basic Express or Visual Web Developer Express.

4-User instance functionality: SSE

supports the Run as Normal User scenarios, where a non administrator on the local machine can use the functionality of SSE without having to involve the system administrator. This is enabled using the user instance functionality that provides for a private instance of SSE running in each user's context. These user instances are automatically started up by the application using the database owned by the user.

5-Security: Much thought was given to making SSE install and run securely on your machine. Only local machine access is enabled by default because a majority of the SSE use cases are for local data. SSE runs under a low privilege service account. The user instance feature described earlier ensures that SSE runs under the context of each user for singleuser scenarios. For multi-user scenarios, the SQL Server security model ensures appropriate access to authenticated users. Advanced security features including encryption are also included in the product.

6-Replication and messaging capabilities: SSE supports offline capabilities by supporting replication subscription. Retail branches can subscribe to central offices with synchronization between the servers occurring at regular intervals. The SQL Service Broker feature supported by SSE provides asynchronous messaging capabilities so that SSE can send a message to SQL Server. This is particularly relevant for B2B web services.

7-Management tools: The SQL Server Management Studio Express Edition tool, which is available via web download, offers capabilities to develop and test against SSE. It has a query editor that allows you to execute arbitrary T-SQL statements. SQL Server Configuration Manager allows you to change networking protocol settings and the SQL Service options. Rich

command line facilities are available with the SQLCMD command line tool, while the SQL Bulk Copy (BCP) tool provides bulk transfer features.

8-Easy setup options: SSE provides a reliable and robust setup user interface that guides you through the various setup and configuration options. A silent setup option is available where little or no user interface is shown. In a silent install you have to pass in the relevant configuration values as command line parameters or in setup initialization files. The silent option is typically preferred by ISVs who want to completely control the user experience, for instance, they want their application logo to show on the screen during installation.

19. Visual C# 2005 Express:

Of all the Microsoft Express products, Visual C# 2005 Express is the most complete. That's not to say that others are in some way missing something, it's just that C# Express has the most extensive set of tools and options of the entire Express family. In addition, C# Express feels the most focused of all the express tools. Also C# Express has everything the exports need as well. No one stays a beginner forever, so it's important in a development tool such as C# Express that there is enough room to grow. C# as a programming language has everything the experts could ever want, including full object-orientation support, a fantastically lean coding style, and incredible performance. When you couple that with the power of the .NET platform to deliver anything from a simple number counter to an incredibly complex Customer Relationship Management system serving thousands of people all at once.

20. ASP.NET 2.0:

ASP.NET is a set of Web development tools offered by Microsoft. Programs like Visual Studio .NET and Visual Web Developer allow Web developers to create dynamic websites using a visual interface. Of course, programmers can write their own code and scripts and incorporate it into ASP.NET websites as well.

- ASP.NET 2.0 supports the file Web site type. This is a good option when IIS is not installed on the developer's computer and the developer wants to create a Web site without the use of a remote Web server.

- ASP.NET 2.0 supports the FTP Web site type. This option can be used when building a Web site that is being hosted on a remote computer that does not have Front Page Server Extensions installed.

- ASP.NET 2.0 supports the local HTTP Web site type. This option is a good choice when IIS is installed on the developer's computer and the developer has explicit IIS configuration settings

- ASP.NET 2.0 supports the remote HTTP-based Web site type. This option is typically used when the Web site is being hosted on a remote computer that has Front Page Server Extensions installed.

- When using FTP in ASP.NET 2.0, active mode is the default. Passive mode can solve communication problems when the client has a firewall.

- ASP.NET 2.0 supports two programming models for Web pages: in-line and code-behind. With the in-line programming model, all of the Web page markup and code is in a single file. With the code-behind programming model, the serverside code for a Web page is separated into its own page, which is called the code-behind page.

- In ASP.NET 2.0, dynamic compilation refers to the delayed compilation of Web pages that takes place until the user requests the Web page.

21. SQL (Structured Query Language):

SQL is a standardized query language for requesting information from a database. The original version called SEQUEL (Structured English Query Language) was designed by an IBM research center in 1974 and 1975. SQL was first introduced as a commercial database system in 1979 by Oracle Corporation. SQL is a language designed to work with relational databases. It's currently used (and has been for quite some time) as the data manipulation language for most relational database management products on the market today. This includes IBM's DB2, Oracle, XBase (dBase, FoxPro, etc.), MS SQL Server, and Access. Although there are various SQL "standards" (SQL-89, SQL-92, etc.), there are variations in the "dialects" of SQL "spoken" by the different vendors. For example, there are some things you can do in Oracle SQL that you can't do with Access, and vice-versa.

On its own, SQL is a "non-procedural" language, meaning a program is not typically written in "straight SQL". When used on its own, a SQL command is given at a command-line interface provided by the DBMS software. You can then view the results of the single SQL command. Some DBMS's support SQL scripts (also called "stored procedures"), which is a file containing multiple SQL statements

that are executed one after the other. SQL statements can also be embedded in a "host" language (like VB, C, COBOL, etc.), where a SQL statement can be executed and have its results processed by the host language. SQL accomplishes many powerful tasks with a seven statements: SELECT, UPDATE, INSERT, DELETE, CREATE, ALTER, and DROP. Each of these seven statements fall into one of two categories: DML (Data Manipulation Language) statements like select, update, insert and delete or DDL (Data Definition Language) statements like create, alter and drop.

22. SQL Features and Benefits:

There are some major features of SQL and the market forces that have made it successful:

1-Vendor Independent: SQL is provided by all vendors of DBMS, and all new products of database depend of SQL language and SQL-based database and the programs can be moved from one DBMS to other vendors DBMS with minimal conversion effect and little retraining of personnel.

2-Portability Across Computer Systems: The different types of computers (mainframes, workstation, personal computers, wide range of specialized server computers and laptops) can use the SQL-based database production.

3-SQL is a standard: Multi standard organizations give the official standard for SQL, some of these organizations the American National Standards Institute (ANSI) and the International standard organization (ISO) and also US Federal Information Processing Standard (FIPS). The evolving standard serve as an official stamp of approval for SQL and have speeded it's market acceptance.

4-IBM favor and preference : The IBM company which invent the SQL language and this company have a wide range of spread over the world give to the SQL a strategic product for IBM databases like (DB2, SQL server, ODBC and ADO).

5-SQL is Relational Database: The SQL language is a simple and easy to understand and good model for relational database.

6-SQL is an Interactive and ad hoc query language: It's an Interactive query language gives the users ad hoc access to stored data and can answers complex questions in few seconds.

7-SQL is a programmatic Database Access: The programmers use SQL language to write their applications to access the database.

8-Multi views of data: In the SQL language we can create a database and view different structure and contents from this database.

9-SQL is a Complete Database Language: This language built as a complete language to deal with database as creating, managing its security, updating its contents, retrieving and sharing data by a large group of users.

10-SQL is an internet database ac-

cess: With the wide expansion of using the internet ,SQL developed as an internet data access standard, it can use to retrieve and present database information on web pages and used SQL as a common language for database gateways.

References

1. Lori DeLooze, Instructor, United States Naval Academy, Department of

Computer Science, Annapolis, MD 21402.

2. Paul McKean, Education and Training, US Strategic Command, Colorado Springs, CO 80914.

3. John R. Mostow, JR, Project Manager, Atlantic Consulting Services, Shrewsbury, NJ 07702.

4. Christopher Graig, Computer Programmer, Atlantic Consulting Services, Shrewsbury, NJ 07702, [email protected]

Экoнoмикa, ^a^c™^ и Инфopмaтикa

225

№1, 2011

i Надоели баннеры? Вы всегда можете отключить рекламу.