Chapter 8 A secure virtual web database environment

Chapter 8. Information security with special reference to database interconnectivity. Page 146

8.1 Introduction

The previous three chapters investigated current state-of-the-art database security services and mechanisms applied to the web server, application server and database server of a virtual web database environment. It was found that the virtual web database environment is confronted with various additional security problems. To enable each server to deal with these security problems, additional services and mechanisms were identified that could provide protection.

The aim of a secure virtual web database environment of a company such as ABC Bids would be to provide a highly available system that is managed in a secure way to provide a safe and trustworthy transaction environment. This will attract members to use ABC Bids repeatedly, rather than go to another site which might be perceived as more trustworthy. It is now important to establish the measure of security that can be provided by the virtual web database environment, to determine whether this aim can be met.

This chapter will present a complete model of a secure virtual web database environment. Since the same security service is applied at each server, the influence of the dissemination of a service needs to be determined. This can then be contrasted to the service provided by database security in the conventional context. In conclusion, all services and mechanisms to be provided by a virtual web database environment will be listed. A high-level model is finally presented of the respective security responsibilities to be taken by each server of the virtual web database environment.

8.2 Database security services integrated in the virtual web database environment

The integration of each current state database security service, applied to each server of the virtual web database environment, now needs to be considered. First, each current state database security service is briefly defined. Thereafter, the service as provided by the virtual web database environment is described. A concluding remark, contrasting the service as provided by database security to that provided by the virtual web database environment, is finally made for each service.

8.2.1 Identification and authentication

a) Database security

The basis of any security system is the correct identification of subjects. With database security, the DBMS or operating system can identify and authenticate subjects, mostly with a password. This is shown in figure 8.1. Subjects are given a security context, against which all subsequent requests in a session will be evaluated. A trusted path is required to ensure that subjects are not spoofed when communicating with the security system. [PFLE97]

[Figure 8.1: Database identification and authentication. DBMS authentication and OS authentication provide a security context for a secure session with the data.]

b) Virtual web database environment

A virtual web database environment increases the complexity of user identification and authentication. If identification and authentication are enforced at each server of the virtual web database environment of ABC Bids, it might turn members away. Figure 8.2 below shows the complexity of this service. The member at a client requests URLs from various web server instances. These instances invoke components on various application server instances that will access the database server. At each server, identification and authentication has to be performed before access is given to protected resources.

[Figure 8.2: Virtual web database environment identification and authentication. The numbered steps 1 to 8 described below, spread over the web server, application server and database server, with SSL between the servers and an OS/LDAP user directory.]

Identification and authentication are integrated as follows:

1: The web server, an untrusted application, is the first point of contact that a member makes with the virtual web database environment. To ensure that a member is not spoofed into communicating with an impostor, the client authenticates the web server with a digital certificate. This allows a form of trusted path to be created between the member and the web server.

2 and 3: The trusted path is extended between the web server, application server and database server to ensure that they do not communicate with impostors. Various administrators must initially configure this path.

4: The web server performs the identification and authentication of the member with operating system or LDAP user directories. The password can be protected with SSL encryption.

5: Secure session state needs to be maintained to prevent the member from re-authenticating when accessing web server or application server resources. This session is maintained between the client, from where the member connects, and one or more web and application server instances. This is achieved by storing session details such as unique session IDs in digitally signed cookies at the client, or in an external database. Developers have to create a security subsystem to maintain the secure session state, and its assurance is not always known. The replicated web and application server instances can complicate this. As the application server makes a connection to the database server with its own credentials, the secure member session is not directly maintained with the database server.

6, 7: The validated user ID is passed to the application server. If needed, the application can request the identity of a caller, with methods, when a security context exists.

8: Finally, the application server connects to the database server on behalf of members. The database server does not have the real identity of the member, but it can be sent in a parameter string.
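Step 5 keeps the secure session state in digitally signed cookies at the client, so that any replicated web or application server instance can validate the session without the member re-authenticating. The following is an added example, not code from the thesis or from ABC Bids, of issuing and checking such a cookie with an HMAC; the shared key, the session lifetime and the user names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for this example: a key shared by all web and application server
# instances (the administrators who configure the trusted path would distribute
# it) and a session lifetime after which the member must authenticate again.
SESSION_KEY = b"constructed-shared-key-for-demo-only"
SESSION_LIFETIME = 1800  # seconds


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value fits in a cookie."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(user_id: str, key: bytes = SESSION_KEY,
                         now: Optional[float] = None) -> str:
    """Mint a cookie after the web server has authenticated the member (step 4).
    It carries a fresh session ID, the validated user ID and an expiry, and is
    signed so that the client cannot alter it unnoticed."""
    now = time.time() if now is None else now
    payload = {
        "sid": secrets.token_hex(16),        # unique session ID
        "uid": user_id,                      # identity validated by the web server
        "exp": int(now + SESSION_LIFETIME),  # absolute expiry, Unix time
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_session_cookie(cookie: str, key: bytes = SESSION_KEY,
                          now: Optional[float] = None) -> Optional[dict]:
    """Return the session payload if the signature is valid and the session is
    still alive, otherwise None. Any replicated instance holding the key can do
    this locally, without a round trip to an external session database."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison; reject before parsing anything from the body.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:
        return None  # malformed cookie (bad split, base64, JSON or encoding)
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None  # expired: the member has to authenticate again
    return payload


def modified_copy(cookie: str, new_user_id: str) -> str:
    """Constructed test helper: a copy of the cookie whose user ID has been
    changed while the original signature is kept, to show that the instance
    receiving it rejects the session instead of trusting the new identity."""
    body, tag = cookie.split(".", 1)
    payload = json.loads(_unb64(body))
    payload["uid"] = new_user_id
    return f"{_b64(json.dumps(payload, separators=(',', ':')).encode())}.{tag}"
```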
As the web server takes the responsibility of performing the identification and authentication of users, it is extensively enhanced with more sophisticated authentication mechanisms, as shown in table 8.1. Any debate over access control policies will become irrelevant if the web server fails to perform this service. [WISE01] The implementation of this service in a virtual web database environment can be vastly improved with an operating system or directory service such as LDAP. This allows the creation of a security context, against which further requests can be evaluated.

c) Conclusion

It is clear that this service cannot be implemented to the same level of assurance as in current state database security. As identification is filtered through to the database server, the identity of the real user is lost and replaced by that of the application. The secure session state is therefore maintained between the client, web server and application server, but not with the database server. The service is performed by various unreliable applications that have to be integrated with each other. Any small error can defeat a secure session and can allow a malicious user to pose as another.

8.2.2 Authorization

a) Database security

Database security provides a complete set of authorization policies in the form of DAC (discretionary access control), MAC (mandatory access control) and RBAC (role-based access control), as shown in figure 8.3. Fine-tuned access control to related database objects is centrally administered by the DBMS.

[Figure 8.3: Database authorization. The DBMS evaluates authorization rules from an authorization system offering DAC, MAC and RBAC before giving access to data.]

b) Virtual web database environment

In the virtual web database environment, authorization policies need to be implemented at each server instance to control what users may see and do. This is shown in figure 8.4.

[Figure 8.4: Virtual web database environment authorization. Resources to be protected at the web server (HTML/XML pages, scripts, log files), the application server (methods, all methods/components, applications, log files) and the database server (tables, views, stored procedures, log files), with DAC, MAC and RBAC policies, groups and roles held in OS/LDAP, and the steps 1 to 5 described below.]

Authorization is integrated as follows:

1: The web server supports DAC. By grouping users into groups such as "member" and assigning permissions to these groups, the web server controls access to web resources such as static HTML/XML files and ASP or CGI scripts, with substantial administration overhead. This can be considered as a form of RBAC, as it does ease the administration burden.

2: From there, RBAC becomes central to access control in the virtual web database environment. Roles such as "member" are defined and permissions are assigned to these roles. The role-enabled application allows application components to deliver customized content to users through the web interface.

3: This is achieved by the mapping of web server groups to application roles at the application server, if the web server groups exist in the operating system or vendor-specific LDAP directories.

4: Finally, the role enabled at the application server is filtered through to the database server.

5: RBAC, with roles such as "customer", can be used to simplify assigning privileges to application servers acting on behalf of users.
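Steps 1 to 5 chain a web server group to an application role and on to a database role. The following is an added example, not code from the thesis, that follows one member request through that chain, stopping at the first server that denies it, and includes an administrative check for the dangling groups and roles that the text warns a change at one server can leave behind at the next. All groups, roles, resources, components and tables are constructed; the text names only "member" and "customer" as samples.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Step 1: web server DAC. Groups (as held in the OS or LDAP directory) are
# granted access to static files and scripts. Constructed values.
WEB_GROUP_PERMISSIONS: Dict[str, Set[str]] = {
    "member": {"/index.html", "/auctions.html", "/cgi-bin/bid"},
    "auditor": {"/index.html", "/reports/summary.html"},
}

# Step 3: web server groups are mapped to application roles.
GROUP_TO_APP_ROLE: Dict[str, str] = {"member": "member", "auditor": "auditor"}

# Step 2: application RBAC. Roles are granted the components/methods they may invoke.
APP_ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "member": {"Auction.list", "Auction.placeBid", "Account.viewOwn"},
    "auditor": {"Auction.list", "Report.summary"},
}

# Steps 4 and 5: the application role is filtered through to a database role,
# under which the application server acts on behalf of the user.
APP_ROLE_TO_DB_ROLE: Dict[str, str] = {"member": "customer", "auditor": "reader"}
DB_ROLE_PRIVILEGES: Dict[str, Set[Tuple[str, str]]] = {
    "customer": {("auctions", "SELECT"), ("bids", "INSERT"), ("accounts", "SELECT")},
    "reader": {("auctions", "SELECT"), ("bids", "SELECT")},
}


def web_can_access(groups: Iterable[str], resource: str) -> bool:
    return any(resource in WEB_GROUP_PERMISSIONS.get(g, set()) for g in groups)


def app_roles_for(groups: Iterable[str]) -> Set[str]:
    """A group that the directory mapping does not know yields no role at all."""
    return {GROUP_TO_APP_ROLE[g] for g in groups if g in GROUP_TO_APP_ROLE}


def authorize_chain(groups: Iterable[str], web_resource: str, component: str,
                    db_table: str, db_action: str) -> Dict[str, object]:
    """Follow one member request through all three servers and record the
    decision taken at each; evaluation stops at the first denial."""
    groups = set(groups)
    decision: Dict[str, object] = {"web": False, "app_role": None, "app": False,
                                   "db_role": None, "db": False}
    if not web_can_access(groups, web_resource):
        return decision                      # denied at the web server
    decision["web"] = True
    granting = sorted(r for r in app_roles_for(groups)
                      if component in APP_ROLE_PERMISSIONS.get(r, set()))
    if not granting:
        return decision                      # denied at the application server
    role = granting[0]
    decision["app_role"], decision["app"] = role, True
    db_role = APP_ROLE_TO_DB_ROLE.get(role)
    decision["db_role"] = db_role
    decision["db"] = (db_table, db_action) in DB_ROLE_PRIVILEGES.get(db_role, set())
    return decision


def find_mapping_gaps(web_groups=WEB_GROUP_PERMISSIONS, group_to_role=GROUP_TO_APP_ROLE,
                      app_roles=APP_ROLE_PERMISSIONS, role_to_db=APP_ROLE_TO_DB_ROLE,
                      db_roles=DB_ROLE_PRIVILEGES) -> List[str]:
    """Administrative check for integration errors: a group or role that is
    defined at one server but has no counterpart at the next."""
    gaps = []
    for g in web_groups:
        if g not in group_to_role:
            gaps.append(f"web group '{g}' has no application role")
    for r in group_to_role.values():
        if r not in app_roles:
            gaps.append(f"application role '{r}' has no permissions defined")
    for r in app_roles:
        if r not in role_to_db:
            gaps.append(f"application role '{r}' has no database role")
    for d in role_to_db.values():
        if d not in db_roles:
            gaps.append(f"database role '{d}' has no privileges")
    return gaps
```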

Achieving secure interoperation in the virtual web database environment is a difficult task because of the inherent dynamisms and the evolving security requirements of the individual servers. [JOSH01] DAC and MAC are not suited to this task. It is therefore clear that RBAC plays an important role in ensuring manageable access control to the virtual web database environment, with its very large user population. Both the application server and database server directly support roles. This highlights the need for RBAC at the web server. Table 8.1 shows all mechanisms to be used by a virtual web database environment.

c) Conclusion

Compared to the centrally administered access control of the DBMS, through a single reference monitor, the access control of the virtual web database environment needs careful integration and maintenance by administrators at each server to appear seamless. This process could be error-prone and lead to improper access control. Integration with enterprise directories containing users, groups, permissions and roles will greatly enhance the authorization services.

8.2.3 Confidentiality

a) Database security

Database security provides confidentiality as a service to prevent the improper disclosure of information stored in the database. Using encryption of fields, rows, tables or databases as shown in figure 8.5, inference control and employee training enforces this service.

[Figure 8.5: Database confidentiality. A row in the database is encrypted with an encryption algorithm before it is stored.]

b) Virtual web database environment

Sensitive information, such as credit card numbers, can be transmitted over open public lines. If electronic snoops were to eavesdrop on this connection, they would be able to copy every byte of information. In such situations, the message from the client to the web server, application server and database server needs to be protected against unintended disclosure or modification with SSL.

[Figure 8.6: Virtual web database environment confidentiality. SSL encryption between the client and web server, between the web server and application server, and between the application server and database server, the last marked with a question mark in the figure.]

Some sensitive fields, records or tables stored in the database can be encrypted to protect them from disclosure. The web interface, which might allow users to run database queries, must not allow sensitive information to be inferred from non-sensitive information. Finally, employees working with each server should be sensitized to not disclose sensitive information to unauthorized people. Table 8.1 shows all virtual web database environment confidentiality mechanisms.

c) Conclusion

The virtual web database environment has many more points that need to be protected from unlawful disclosure. The mechanisms provided by database security can provide a good measure of protection to the virtual web database environment. In addition, the encryption routines employed by database security can successfully be applied to the virtual web database environment to protect sensitive information that is being transmitted.

8.2.4 Integrity

a) Database security

The aim of database integrity is to protect the validity of stored data. This is done by ensuring the integrity of database software, through checksums on stored data, semantic integrity constraints and atomic transactions, as shown in figure 8.7.

[Figure 8.7: Database integrity. The DBMS, with its database scheme (views, logical scheme, internal scheme), data manager and transaction manager, protects data with MD5 checksums, configuration of the software and patching of vulnerabilities.]

b) Virtual web database environment

The database server will carry most of the responsibility for data integrity in the virtual web database environment by implementing the mechanisms stipulated by database security. If the virtual web database environment processes a high volume of transactions that may possibly span more than one database, the responsibility of ensuring atomic transactions may have to move to the application server.

[Figure 8.8: Virtual web database environment integrity. SSL (MAC) between client, web server, application server and database server; MD5 checks, configuration and patching of vulnerabilities at each server; transaction processing at the application server; DBMS constraints at the database server; and a firewall in front of each server.]

The combination of the insecure medium on which the virtual web database environment is run and the untrusted software that is used adds another dimension to the integrity of the virtual web database environment, as shown in figure 8.8. Most security breaches occur as a result of the loss of integrity at the web server. If the web server allows a hacker to gain administrative control through a security vulnerability, no measure of data integrity can protect the information in the database. It is therefore of prime importance to protect the integrity of all web pages and software by running integrity checks at regular intervals. This can also ensure that no invalid content is delivered to customers. In the same way, the integrity of application server software and components can be assured. All software must be actively configured and maintained, so as not to allow virtual web database environment exploits. In addition, the integrity of information moved across the communication lines must be protected with SSL through its message authentication code (MAC). Table 8.1 shows all virtual web database environment integrity mechanisms.

c) Conclusion

The virtual web database environment is a complex environment and consists of various types of software, providing configurable functionality. Protecting the integrity of the data and software of each and every server, all HTML pages and scripts, application components, as well as messages transmitted between servers, will not be an easy task. Compared to the centrally managed integrity constraints enforced by the DBMS in database security, the integrity of the virtual web database environment is difficult to achieve and maintain.

8.2.5 Accountability

a) Database security

Database security provides accountability as a service that is implemented with detailed audit logs, recording security-related events at record, field and element level, as shown in figure 8.9. Audit records are maintained and protected, allowing threat detection and accountability.

[Figure 8.9: Database accountability. The DBMS writes log files for authentication, authorization and the database scheme.]

b) Virtual web database environment

Each server in the virtual web database environment has the ability to create its own set of audit logs, as shown in figure 8.10. Web server logs show all successful and unsuccessful accesses, with a high level of redundancy. Custom logging is often performed at the application servers, showing how components in a user interaction are invoked. Database servers can perform detailed audits as information is accessed, but as this can be a burden to the system, it is often not used, or it is used in such a way as to not be meaningful.

[Figure 8.10: Virtual web database environment accountability. Web server logs, application server logs and database server logs, with the open question of how to integrate them.]

Ideally, audit should record all actions of a user as a transaction is processed at each server. Security breaches occurring at any server should be reported immediately. A complication is replicated web and application server instances. Each will be creating its own log, which will have to be synchronised to allow integration. As millions of entries could possibly be made in these logs, and as they all have different formats, they are very difficult to integrate and analyse. As a result, audit log integration and log analysis tools will become important mechanisms to also implement in the virtual web database environment, as shown in table 8.1.
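Log integration, as described above, has to bring logs of different formats from the web server, application server and database server into one synchronised timeline and report breaches immediately. The following is an added example, not code from the thesis, that normalizes constructed sample lines in three assumed formats into one timeline keyed by session ID and raises two alerts: a database write whose session never passed through the web server, and repeated failed authentications at the web server. The log formats, field names, session IDs and threshold are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample lines. Web server: Common Log Format with the session ID
# appended. Application server: a custom key=value log. Database server: an
# audit line in which the application passes the real user and session as
# client info, as the text suggests for identifying the real user in database logs.
WEB_LOG = """\
10.0.0.5 - member42 [12/Mar/2002:10:15:01 +0000] "POST /cgi-bin/bid?auction=77 HTTP/1.1" 200 512 sid=s1
10.0.0.9 - - [12/Mar/2002:10:15:05 +0000] "POST /login HTTP/1.1" 401 0 sid=-
10.0.0.9 - - [12/Mar/2002:10:15:06 +0000] "POST /login HTTP/1.1" 401 0 sid=-
10.0.0.9 - - [12/Mar/2002:10:15:07 +0000] "POST /login HTTP/1.1" 401 0 sid=-
"""
APP_LOG = """\
2002-03-12 10:15:01,120 INFO sid=s1 user=member42 component=Auction.placeBid result=OK
2002-03-12 10:15:09,500 INFO sid=s2 user=member77 component=Auction.close result=OK
"""
DB_LOG = """\
2002-03-12T10:15:01.300Z AUDIT appuser INSERT bids client_info=sid:s1;uid:member42 OK
2002-03-12T10:15:09.700Z AUDIT appuser UPDATE auctions client_info=sid:s2;uid:member77 OK
"""

WEB_RE = re.compile(r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ sid=(?P<sid>\S+)$')
APP_RE = re.compile(r'^(?P<ts>\S+ \S+) \S+ sid=(?P<sid>\S+) user=(?P<user>\S+) '
                    r'component=(?P<component>\S+) result=(?P<result>\S+)$')
DB_RE = re.compile(r'^(?P<ts>\S+) AUDIT (?P<dbuser>\S+) (?P<op>\S+) (?P<obj>\S+) '
                   r'client_info=sid:(?P<sid>[^;]+);uid:(?P<uid>\S+) (?P<result>\S+)$')


@dataclass(order=True)
class AuditRecord:
    """Common form into which all three log formats are normalized; ordering
    by the first field (ts) gives the synchronized timeline."""
    ts: datetime
    server: str
    sid: str
    uid: str
    action: str
    outcome: str
    client: str = ""


def parse_web(line: str) -> Optional[AuditRecord]:
    m = WEB_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return AuditRecord(ts, "web", m["sid"], m["user"], f"{m['method']} {m['path']}",
                       m["status"], m["client"])


def parse_app(line: str) -> Optional[AuditRecord]:
    m = APP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f").replace(tzinfo=timezone.utc)
    return AuditRecord(ts, "application", m["sid"], m["user"], m["component"], m["result"])


def parse_db(line: str) -> Optional[AuditRecord]:
    m = DB_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return AuditRecord(ts, "database", m["sid"], m["uid"], f"{m['op']} {m['obj']}", m["result"])


def integrate(web_log: str, app_log: str, db_log: str) -> List[AuditRecord]:
    """Merge the three logs into one timeline; unparseable lines are dropped."""
    records = [parse_web(l) for l in web_log.splitlines()]
    records += [parse_app(l) for l in app_log.splitlines()]
    records += [parse_db(l) for l in db_log.splitlines()]
    return sorted(r for r in records if r is not None)


def session_timeline(records: List[AuditRecord], sid: str) -> List[str]:
    """The servers a session touched, in order: the audit trail of one user."""
    return [r.server for r in records if r.sid == sid]


def detect_breaches(records: List[AuditRecord], failed_auth_threshold: int = 3) -> List[str]:
    """Two checks the text motivates: writes reaching the database for a session
    the web server never saw, and repeated failed logins at the web server."""
    alerts = []
    web_sessions = {r.sid for r in records if r.server == "web" and r.sid != "-"}
    for r in records:
        if (r.server == "database" and r.action.split()[0] in {"INSERT", "UPDATE", "DELETE"}
                and r.sid not in web_sessions):
            alerts.append(f"database {r.action} for session {r.sid} (user {r.uid}) "
                          f"has no matching web server request")
    failures = Counter(r.client for r in records if r.server == "web" and r.outcome == "401")
    for client, n in failures.items():
        if n >= failed_auth_threshold:
            alerts.append(f"{n} failed authentications from {client} at the web server")
    return alerts
```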

c) Conclusion

Compared to the centrally managed audit tool provided by current state database security, it is complex to create and control the audit of the actions of virtual web database environment users. Each server creates its own set of log files, with very large volumes of log data, spread across a distributed environment, that needs to be integrated and analysed in a synchronized way.

8.2.6 Availability

a) Database security

Database security provides availability as a service to ensure that information is available to authorized users when they need it. Availability is the only service where the withholding of information pertains to both information and resources. [TRYF00]

[Figure 8.11: Database availability. The DBMS works with partitioned databases, each with a backup.]

b) Virtual web database environment

Both web server and application server availability can be improved with load balancing, where web server instances are replicated to process a high volume of requests. This impacts on the security of the virtual web database environment, as all web and application server instances will need to have the same security configuration. Authorization, accountability and manageability will be more problematic. In addition, the multiple web and application server instances must be able to maintain state for a client session. The complexity of this environment is shown in figure 8.12. The bottleneck of the virtual web database environment is the database server. Its availability cannot be as easily improved by replicating it in real terms, as in the case of the web server and application server. If various database instances are used to process more requests, the integrity of information can be compromised. Hardware solutions, or partitioning and replication of tables, can improve database availability. Backup and recovery procedures at each server must be implemented without fail. Table 8.1 shows all virtual web database environment availability mechanisms.

[Figure 8.12: Virtual web database environment availability. Replicated web server and application server instances and the database server, each with backups, configuration, patching of vulnerabilities, integrity checks, a security management tool and logs still to be integrated; groups and roles held in OS/LDAP; a secure session maintained across the instances.]

c) Conclusion

Creating a highly available virtual web database environment has its problems. The infrastructure becomes more complex, and security assurance is impacted negatively.

8.2.7 Manageability

a) Database security

Manageability is the ability to easily create and maintain the security mechanisms of the database to aid in its confidence.

[Figure 8.13: Database manageability. The DBMS centrally manages authentication, authorization, accountability and availability.]

b) Virtual web database environment

Manageability is a security service that can impact the level of assurance of security dramatically. The enforcement of authentication, access control, audit and availability at each server will be the responsibility of the administrator. The number of administrators and security policies can quickly become unmanageable in the virtual web database environment. For instance, any change made to access control lists at the web server may impact the permissions assigned to roles at the application server and database server. These changes need to be propagated to the servers by manually implementing them. This can result in an error-prone process.

[Figure 8.14: Virtual web database environment manageability. An administrator at each server manages authentication, authorization, accountability and availability for that server; there is no central management of these services.]

Ensuring the security at each server of the virtual web database environment is a time-consuming task. Very often, tools are available that assist in managing authorization, performance and availability, but real security issues such as the integration of access control or audit logs are not addressed. Table 8.1 shows the virtual web database environment manageability mechanism.

c) Conclusion

Compared to the central security management tool provided by database security, the security management of the virtual web database environment is found lacking. As poor administration and security management often lead to security breaches and end-user frustration, security management tools become important to ensure a secure virtual web database environment.

8.2.8 Assurance

a) Database security

Assurance is the database security service that will determine the degree of confidence to which the security needs of the database are satisfied.

[Figure 8.15: Database assurance. The DBMS is evaluated against ITSEC/TCSEC criteria.]

b) Virtual web database environment

The large number of security breaches occurring at web servers is proof that their security is not assured. Creating a secure virtual web database environment implies that security is taken into account from the initial design phase. Thorough testing must be performed at all servers, at all times. Independent third parties, as well as vulnerability assessment tools, can aid in this process. Finally, integration testing is introduced, which must be performed to ensure that all mechanisms work as expected for the complete virtual web database environment.

[Figure 8.16: Virtual web database environment assurance. At the web server and the application server, test all scripts/code and configurations with unit tests, penetration tests and assessment tools (both servers marked with question marks). At the database server, an ITSEC/TCSEC evaluated DBMS, and test all configurations with assessment tools. Integration testing spans all three servers.]

The database server has an additional advantage in that its security can be assured, if used in the right configuration. Ideally, the DBMS software of the virtual web database environment should have been successfully evaluated with ITSEC or TCSEC criteria. Table 8.1 shows all virtual web database environment assurance mechanisms.

c) Conclusion

When companies decide to use a specific database, they can make an informed choice in terms of assurance by reading the evaluation reports of certifying bodies. This is not true for the application server and web server. Administrators therefore have to spend a lot of time and effort to ensure a secure virtual web database environment. This service is therefore found lacking in the virtual web database environment.

8.2.9 Physical security

a) Database security

Physical security ensures that the database is protected from unauthorized access, damage and interference.

[Figure 8.17: Database physical security.]

b) Virtual web database environment

This is often overlooked, but should be the first step in securing all equipment and resources in the virtual web database environment.

[Figure 8.18: Virtual web database environment physical security, covering the web server, application server and database server.]

c) Conclusion

As there are many more servers, employees and buildings to control, it may be possible for this service to be under threat. Table 8.1 shows all virtual web database environment physical security mechanisms.

8.2.10 Non-repudiation

Non-repudiation is a security requirement that is not included in current state database security. Its requirement stems from the fact that virtual web database environments have to deal with unknown customers, who may be difficult to identify. Customers should not be able to claim at a later stage that they did not process transactions, if they in fact did. The use of digital certificates will ensure non-repudiation. When a request to process a transaction is sent from the client to the web server, the digital certificate of the customer will accompany the request. The web server will verify the digital certificate and will send it to the application server as proof of the customer's identity. This requires the virtual web database environment to manage keys. This can be very complex and represents a significant barrier to the adoption of a non-repudiation solution. [WESS00] Keys must be generated, stored and retrieved, as well as periodically changed. Hardware and software solutions can be employed to facilitate the management of keys, and to protect the secrecy of private keys.

[Figure 8.19: Virtual web database environment non-repudiation. The client, web server, application server and database server each hold a certificate and a private key; the client certificate provides non-repudiation.]

This concludes the discussion of all security services to be provided by the virtual web database environment. In the next paragraph, a summary of all virtual web database environment services and associated mechanisms will be shown.

8.3 Summary of all the security services and mechanisms to be provided by the virtual web database environment

Current state-of-the-art database security, which was used as an initial framework for this study, listed 30 mechanisms to be used to protect databases. This is shown on page 62 in table 3.1. Table 8.1 shows a summary of all services and mechanisms that have been identified in the course of this study that will protect the virtual web database environment. 58 mechanisms are listed that should ideally be included in the security policy of any corporation using a virtual web database environment. A closer inspection of the mechanisms provided per service by the three servers reveals that some servers may carry more responsibility than others for performing a specific security service for the virtual web database environment. These services have been marked with circles in table 8.1. For instance, the web server has been extensively enhanced with authentication mechanisms, so as to allow it to take responsibility for this service.

Table 8.1: All services and mechanisms to be provided by the virtual web database environment
(The original table also has columns headed DB, WS, AS and DS carrying circle marks per mechanism; those marks are not reproduced here.)

Identification and authentication: Database authentication; Operating system authentication; Others (DCE, Kerberos, trusted client, etc.); LDAP directories; Digital certificates; Smart cards; Secure cookies; Secure session state

Authorization: DAC policy (ACLs, RBAC); MAC policy (Bell-LaPadula, RBAC); RBAC policy (RBAC); Authorization implementations

Confidentiality: Encryption; Inference control; Employee training; SSL (encryption)

Integrity: Database integrity; Checksums; Virus and Trojan horse protection; Remove vulnerabilities; Configuration; SSL (integrity); Firewalls; Intrusion detection tools; Operational integrity; Transaction processor; Semantic integrity; Entity integrity; Referential integrity; Domain integrity; User-defined integrity; Normalization

Accountability: Audit; Custom logging; Integrate the log files; Log analysis tools; Alert when security breach occurs; Identify real user in database logs

Availability: Hardware redundancy; Backup; Recovery; Replication; Contingency plan; Load balancing; Extended configuration; Resource management; Application design; Fault tolerance; Database connection pooling; Database result caching

Manageability: Security management tools; SNMP link to management tools

Assurance: Certification; Test security configuration; Vulnerability assessment tools; Penetration test; Unit testing; Integration test; Good design practices

Physical security: Secure buildings and equipment

Non-repudiation: Digital certificates and PKI solution

The next paragraph will summarize the responsibilities to be carried by the servers for the security services in a high-level model.

8.4 A high-level model of respective virtual web database environment server responsibilities

The following table shows how each of the servers of the virtual web database environment implements its respective security responsibilities. Blocks shaded darker show the server(s) taking most of the responsibility for an information security service. Where all blocks have been shaded, the responsibility for the service is spread across all servers.

Table 8.2: Security responsibilities taken by the servers of the virtual web database environment

Identification and authentication
  Web server: Identify users such as members.
  Application server: Authenticate web server and administrative users.
  Database server: Identify application server and administrative database user.

Authorization
  Web server: To static HTML files and scripts.
  Application server: RBAC limits users to access only those components and applications for which they have a valid role.
  Database server: To database objects such as tables, views, stored procedures, packages and SQL functions.

Confidentiality
  Web server: SSL enables encryption of messages in transit between client and web server.
  Application server: SSL enables encryption of messages in transit between web server and application server.
  Database server: SSL enables encryption of messages in transit between application server and database server. Protect stored data with encryption.

Integrity
  Web server: SSL protects messages in transit with MAC. Configuration. Apply vendor security patches. Keep web server virus-free.
  Application server: SSL protects messages in transit with MAC. Configuration. Apply vendor security patches. Keep application server virus-free.
  Database server: Ensure integrity of database by applying database integrity, operational integrity of data and semantic integrity of data. Protect data stored with MAC.

Non-repudiation
  Web server: N/A
  Application server: Ensure non-repudiation of transactions by using digital certificates.
  Database server: N/A

Accountability
  Web server: Audit requests and administrative changes on web server.
  Application server: Audit requests made to and transactions processed on the application server.
  Database server: Audit database actions of administrative users and application servers.

Availability
  Web server: Load balancing and extended configuration.
  Application server: Load balancing, extended configurations, resource management, application design, fault tolerance, database connection pooling and database result caching.
  Database server: Replicate/partition database tables.

Manageability
  Web server: Security management tool to manage authentication, authorization, integrity, availability of web server.
  Application server: Security management tool to manage authentication, authorization, integrity, availability of application server.
  Database server: Security management tool to manage authentication, authorization, integrity, availability of database server.

Assurance
  Web server: Web server unit test of scripts, penetration tests and vulnerability assessment tools used to detect web server vulnerabilities.
  Application server: Application server unit test of components and applications, penetration tests and vulnerability assessment tools used to detect application server vulnerabilities.
  Database server: TCSEC/ITSEC, Common Criteria certified DBMS. Database tests of stored procedures and configurations, penetration tests and vulnerability assessment tools used to detect database vulnerabilities.

Physical security
  Web server: Secure the buildings and equipment housing the web server and its backups.
  Application server: Secure the buildings and equipment housing the application server and its backups.
  Database server: Secure the buildings and equipment housing the database server and its backups.

8.5 Conclusion

At the beginning of this chapter it was stated that the aim of a secure virtual web database environment of a company such as ABC Bids would be to provide a highly available system that is managed in a secure way to provide a safe and trustworthy transaction environment. This chapter has shown that this aim is not easily achieved. Each current state database security service has its shortcomings as it is applied to this new environment.

Information in a virtual web database environment can be secured, but it takes a concerted effort as each service is applied at each server. Consideration should be given to how the integration of services such as authentication and authorization should be made. The next chapter will provide concluding remarks on the security that can be achieved by the virtual web database environment.
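As an added example (not code from the thesis), the following Python illustrates the database server's integrity duty from Table 8.2, "protect data stored with MAC": each row of a constructed ABC Bids table is stored with an HMAC tag bound to the table name and row id, so that values altered directly in the database and rows copied under another id are both detected on audit. The table name, key handling and sample rows are assumptions made for the example.

```python
"""Added example: per-row MAC protection of stored data (constructed, not from the thesis)."""
import hashlib
import hmac
import json
import secrets

# Constructed key for the example. In a deployment the key would live in a
# key store outside the database so that a database-only compromise cannot
# re-tag rows after altering them.
KEY_ID = "k1"
_KEYS = {KEY_ID: secrets.token_bytes(32)}


def _canonical(table: str, row_id: int, values: dict) -> bytes:
    """Canonical bytes for a logical row.

    The table name and row id are part of the MAC input, so a valid tag
    cannot simply be moved to another row (or another table).
    """
    payload = {"table": table, "id": row_id, "values": values}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def tag_row(table: str, row_id: int, values: dict, key_id: str = KEY_ID) -> dict:
    """Return the stored form of a row: its columns plus key id and MAC tag."""
    mac = hmac.new(_KEYS[key_id], _canonical(table, row_id, values), hashlib.sha256)
    return {**values, "_key_id": key_id, "_mac": mac.hexdigest()}


def verify_row(table: str, row_id: int, stored: dict) -> bool:
    """Recompute the tag for a stored row and compare in constant time."""
    columns = dict(stored)
    key_id = columns.pop("_key_id", None)
    tag = columns.pop("_mac", None)
    if key_id not in _KEYS or tag is None:
        return False  # unknown key or missing tag: treat as untrusted
    expected = hmac.new(_KEYS[key_id], _canonical(table, row_id, columns), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), tag)


def audit_table(table: str, rows: dict) -> list:
    """Return the sorted ids of rows whose MAC no longer verifies.

    Note: a per-row MAC does not detect deleted rows or a rollback to an
    older, correctly tagged version; that needs row counts/versions or the
    audit records listed under Accountability in Table 8.2.
    """
    return sorted(rid for rid, stored in rows.items() if not verify_row(table, rid, stored))


def demo():
    """Constructed bids table: intact audit, then two kinds of tampering."""
    rows = {
        1: tag_row("bids", 1, {"member": "alice", "amount": 150}),
        2: tag_row("bids", 2, {"member": "bob", "amount": 200}),
    }
    intact = audit_table("bids", rows)          # nothing flagged
    rows[1]["amount"] = 15                      # value edited outside the application
    rows[3] = dict(rows[2])                     # valid row copied under a new id
    return intact, audit_table("bids", rows)    # ([], [1, 3])


if __name__ == "__main__":
    print(demo())
```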


Database and Data Mining Security Database and Data Mining Security 1 Threats/Protections to the System 1. External procedures security clearance of personnel password protection controlling application programs Audit 2. Physical environment

More information

Print4 Solutions fully comply with all HIPAA regulations

Print4 Solutions fully comply with all HIPAA regulations HIPAA Compliance Print4 Solutions fully comply with all HIPAA regulations Print4 solutions do not access, store, process, monitor, or manage any patient information. Print4 manages and optimize printer

More information

Risk Assessment Guide

Risk Assessment Guide KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment

More information

white SECURITY TESTING WHITE PAPER

white SECURITY TESTING WHITE PAPER white SECURITY TESTING WHITE PAPER Contents: Introduction...3 The Need for Security Testing...4 Security Scorecards...5 Test Approach... 11 Framework... 16 Project Initiation Process... 17 Conclusion...

More information

Cloud Security:Threats & Mitgations

Cloud Security:Threats & Mitgations Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer

More information

SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E)

SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E) SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E) 2 LECTURE OUTLINE Threats and countermeasures Access control mechanisms SQL s grant and revoke Role of views 3 THREATS What are the threats? Loss of integrity

More information

4. Identify the security measures provided by Microsoft Office Access. 5. Identify the methods for securing a DBMS on the Web.

4. Identify the security measures provided by Microsoft Office Access. 5. Identify the methods for securing a DBMS on the Web. Topic 8 Database Security LEARNING OUTCOMES When you have completed this Topic you should be able to: 1. Discuss the important of database security to an organisation. 2. Identify the types of threat that

More information