CALIFORNIA STATE UNIVERSITY CHANNEL ISLANDS
COURSE: COMP 524 - SECURITY - FALL 2007
STUDENT: JOSIF KURUNCZI
E-MAIL ADDRESS : jkurunczi@yahoo.com
ASSIGNMENT #5
DUE DATE : November 5, 2007

This assignment contains reading the following journal paper: Bertino, E. and Sandhu, R., “Database security - concepts, approaches, and challenges”, IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 2, NO. 1, JANUARY-MARCH 2005.

Assume that this paper is submitted to a journal and you are the reviewer of this paper. Provide a review for this paper; your review must contain the following.

  1. Paper description:
    1. Write a 2 to 3 page summary of this paper. Your summary must include all the concepts discussed in this paper and must use your own wording (no copy paste from the paper).
    2. What were the main contributions?

    The first major concept of this paper is that security threats are of two types: external and internal. A threat can come from an external source outside the network perimeter, and it can just as easily come from the inside as an internal threat. System engineers rarely think of the threats that come from the inside. Because of all these threats, database security must conform to the following four requirements: confidentiality, integrity, availability and privacy. Database confidentiality protects against unauthorized disclosure, integrity is achieved by preventing unauthorized data modification, availability refers to preventing hardware and software failures, and privacy refers to protecting the data even after the data has been disclosed.

    The next concept is that a DBMS – a database management system – has several components to ensure data protection. These components are: access control mechanisms, authorization and semantic correctness. Each of these mechanisms protects the database in a different way.

    The major concept described in this paper is that database management systems focus on the development of two policies, the discretionary access control policy and the mandatory access control policy. The discretionary access control policy introduces the following access control principles: access control should be expressed in terms of the logical data model, and name-based access control and content-based access control have to be supported. In the early days of database management systems, the System R access control model was developed. Unfortunately the discretionary access control model is vulnerable to attacks such as Trojan horses that are embedded in certain application programs. In a database management system not only the data must be protected, but also the database schema, since the schema can itself contain very sensitive information.

    The final concepts discussed in the paper are the open research areas for database security. The first of these research topics is to consider databases as a service that can be outsourced to external companies. The second area of research is privacy-preserving techniques for databases, such as privacy-preserving data mining and privacy-preserving information retrieval.

    The authors of this paper introduced many principles, but the main concept of this paper focuses on the discretionary access control and the mandatory access control for the relational database systems.

    The main policy of discretionary access control is the authorization administration policy. Its goal is to provide centralized administration and ownership administration. The idea of centralized administration is that certain privileged users can grant and revoke authorizations. Ownership administration is centered around the creator (owner) of the object, who has the right to grant and revoke certain operations. Ownership administration also includes administration delegation, such that an owner of an object can delegate to other users the right to grant and revoke authorizations. This is known as granting users privileges. An interesting issue came about when a revocation took place: when an authorization was removed from an object, a recursive revocation took place that removed all authorizations derived from it.

    The authors talk about a system named System R that was used to develop these concepts. To improve System R a number of extensions were proposed. One of them was known as the negative authorization extension. This extension resolved conflicts between positive and negative authorizations. One of its rules was that when two conflicting authorizations could not be compared under an order relation, the negative authorization would take precedence. For example, if a user was a member of a group, and this group had privileges on an object, and the user was denied access to it, then the denial for the user would take precedence even though he was a member of a group that had privileges on that object.
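To make the rule concrete, here is an added Python model of it (not code from the paper; the users, groups and the "salaries" table are constructed): a denial takes precedence whenever a positive and a negative authorization both reach a user, directly or through group membership, and a user with no applicable authorization at all is denied.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Auth:
    subject: str     # a user or a group
    obj: str
    priv: str
    positive: bool   # True = grant, False = explicit denial


# Constructed group membership: user -> groups the user belongs to.
GROUPS = {
    "alice": {"analysts"},
    "bob": {"analysts", "admins"},
    "dave": {"analysts", "contractors"},
    "carol": set(),
}

# Constructed authorization base.
AUTHS = [
    Auth("analysts", "salaries", "select", True),
    Auth("admins", "salaries", "update", True),
    Auth("alice", "salaries", "select", False),        # alice is denied despite her group
    Auth("contractors", "salaries", "select", False),  # conflicts with "analysts" for dave
]


def applicable(user, obj, priv, auths=AUTHS, groups=GROUPS):
    """All authorizations on (obj, priv) that reach the user directly or via a group."""
    subjects = {user} | groups.get(user, set())
    return [a for a in auths if a.subject in subjects and a.obj == obj and a.priv == priv]


def is_allowed(user, obj, priv):
    """Closed policy with denials-take-precedence: one applicable denial wins over
    any number of positive authorizations; with no authorization, access is denied."""
    auths = applicable(user, obj, priv)
    if any(not a.positive for a in auths):
        return False
    return any(a.positive for a in auths)


def decisions(obj, priv):
    """Access decision for every known user on (obj, priv)."""
    return {u: is_allowed(u, obj, priv) for u in GROUPS}
```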

    Another extension to System R was concerned with the revoke operation. Instead of performing a recursive revoke operation, a non-cascading revoke was implemented. This means that the authorizations granted by the revoked user were respecified rather than recursively revoked. This way the revocation only affected the user in question and not everyone who had received privileges through him. Later on this feature was improved by implementing Role Based Access Control (RBAC), where authorizations are assigned to roles instead of users.
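The difference between the two revoke semantics, as an added Python model (not the paper's or System R's code; the grant chain owner -> alice -> bob -> carol on a constructed table "emp" is made up for the example): with a cascading revoke every grant that loses its support disappears, with the non-cascading variant the revoked user's grants are respecified as if the revoker had made them.

```python
from dataclasses import dataclass, replace

OWNER = "owner"   # constructed: the object's creator, whose grants need no support


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    obj: str
    priv: str
    ts: int            # time the grant was made
    with_grant: bool   # grantee may pass the privilege on


# Constructed chain: owner -> alice -> bob -> carol on SELECT of table "emp".
CHAIN = [
    Grant(OWNER, "alice", "emp", "select", 1, True),
    Grant("alice", "bob", "emp", "select", 2, True),
    Grant("bob", "carol", "emp", "select", 3, False),
]


def holders(grants, obj, priv):
    return {g.grantee for g in grants if g.obj == obj and g.priv == priv}


def _supported(g, grants):
    """A grant is supported when its grantor held the privilege with grant
    option, from an earlier grant, at the time it was made."""
    return g.grantor == OWNER or any(
        s.grantee == g.grantor and s.obj == g.obj and s.priv == g.priv
        and s.with_grant and s.ts < g.ts for s in grants)


def revoke(grants, revoker, revokee, obj, priv, cascade=True):
    """Drop revoker's grant to revokee. cascade=True removes every grant that
    loses its support, recursively (System R). cascade=False respecifies the
    revokee's now-unsupported grants as if the revoker had made them, so users
    further down the chain keep their privileges."""
    kept = [g for g in grants if not (g.grantor == revoker and g.grantee == revokee
                                      and g.obj == obj and g.priv == priv)]
    while True:
        orphans = [g for g in kept if not _supported(g, kept)]
        if not orphans:
            return kept
        if cascade:
            kept = [g for g in kept if g not in orphans]
        else:
            kept = [replace(g, grantor=revoker) if g in orphans else g for g in kept]
            cascade = True  # anything still unsupported after respecification is dropped
```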

    Role Based Access Control (RBAC) models are based on the notion of roles. This means that certain functions and rights have been predefined and users are assigned to these functions, instead of rights being assigned directly to each user. Users are made members of these groups with specific functions, and once they no longer need those functions they are simply removed from the groups. Role Based Access Control (RBAC) has a feature called Separation of Duty (SoD) constraints. Separation of Duty (SoD) prevents a user from holding too many authorizations. A user holding too many authorizations could compromise the entire database system if a security breach occurs.

    Another extension to System R was related to the duration of an authorization, known as periodic authorizations. This means that authorizations are permitted only for the time the data is needed; otherwise the authorizations are removed automatically. This is known as the "need-to-know" principle. When a time interval expires the privileges are automatically removed.

    One of the benefits of this temporary authorization is that it gave birth to content-based access control. This means that access control decisions are based on the content of the data. In a database management system this is applied through views. Views are usually subsets of rows and columns that are created dynamically.

    Next, the authors describe Discretionary and Mandatory Access Control systems for Object Oriented Database Management Systems (OODBMS). Some of the key concepts in the Orion OODBMS are the use of implicit and explicit authorizations. The Orion OODBMS system also supports negative authorizations as described earlier. In an OODBMS stored procedures provide an additional layer of security. Stored procedures can protect against SQL injection, a serious threat to all databases.

    Then, the authors describe access control systems for XML. A great number of security and encryption standards have been implemented for XML. XML also supports positive/negative authorizations and implicit/explicit authorizations that can be associated with a single document or a portion of a document.

    The final concept the authors describe is privacy-preserving data management. Data anonymization is one of the techniques that deals with information released to third parties; it removes private information from the database before release. Another privacy-preservation technique deals with data mining, because even though information has been removed from the database, advanced data mining techniques could recover the missing information.

    To close off this summary, data represents the most important asset of a company. The authors suggest many new research areas in the database security field to protect data confidentiality, integrity and availability.

  1. What are the most important reasons to accept the paper [when you review for a journal] or why you like this work?

    The main reason to accept this paper is that it does a very good job in describing and introducing many important concepts in database security. The authors' main focus is on data confidentiality, integrity and availability. It also focuses intensively on the discretionary and the mandatory access control policies. I liked very much that the authors focus on centralized database management. The technical bibliography is very well organized and defined.


  1. What are the most important reasons to reject the paper [when you review for a journal] or why you dislike this work? Possible reasons:
    1. has serious technical mistakes (describe them)
    2. isn't novel (provide/suggest related work/papers)
    3. doesn't demonstrate (all) its point by proofs, simulations, experiments (be specific)
    4. makes unreasonable assumptions (describe them)

    The main reason I would reject this paper is that it covers very little about the other serious malicious threats, such as viruses, Trojan horses, SQL injections, denial-of-service attacks, database encryption and encapsulation, which mostly come from an external source. It focuses too much on authorizations and user privileges, negative and positive authorizations, implicit and explicit authorizations. Protecting data and databases has many components and it is a very complex task. Some of the components omitted in this journal are: physical security, hardware and software security, network security and other database security concepts such as encryption, encapsulation, protecting tables, views, stored procedures and so forth. The authors refer the reader to the technical bibliography for further reading on each particular subject.

  1. Detailed comments on the paper
    1. What did you learn reading the paper?
    2. What are the technical things that you appreciated?

    The things that I learned and the technical things that I appreciated are as follows:
    I learned about what a "covert channel" is. A "covert channel" is any part of the system that is misused to encode information for unauthorized access. This means that malicious users could get to confidential information, breaching the security policy. These are used in sophisticated viruses and Trojan horse attacks.
    Next, I learned about the concept of negative and positive authorizations and about the "denials-take-precedence" concept. Although these are already part of some operating systems, I appreciated the way the authors explained the concepts. Also, I learned about the concept of Role Based Access Control (RBAC) for database security. Applying and revoking privileges becomes an easy part of the system using RBAC. This is also part of some operating systems' policies. Also I really appreciated the concepts on privacy-preserving data management techniques, especially when data has been released to third-party vendors.

  1. Comments on their references & related work. The authors listed 98 references for this journal. They certainly did their research extensively to refer the reader to all the concepts described in this paper for further reading.
  1. Comment its presentation style:
    1. Does the paper describe clearly its goals?
    2. Did the paper deliver what originally promised?
    3. What were the motivations (what issues/problems inspired this research), assumptions (of the setting, requirements), contributions?
    4. Is the bibliography format/list of keywords complete?
    5. List any writing style remarks/corrections (English grammar/syntax, spelling).

    Database security is a complex topic. The authors mostly focused on the discretionary and the mandatory access control policies and their applications. The journal delivers the concepts promised and also directs the reader to further reading on concepts or details that are only vaguely covered.

  1. Make concrete suggestions for how to improve the paper. List your recommendations. Be constructive and clear. My suggestion is to simplify the journal. It covers so many concepts and techniques that it is very hard to keep track of all of them. The authors refer the reader to 98 additional resources that were not covered in this journal.
  1. Do you have any unanswered questions on the paper? Yes, I do have unanswered questions, and I believe I will have to read most of the resources proposed by the authors.