Database Server Authentication and Access Control

Abstract

Database systems require strong authentication and access control policies in order to protect the organization who own them, the individuals that use their resources, and the data that they contain. There are multiple ways in which to accomplish this security feat, such as the use of directory services, authentication services, and an implementation of the various types of access control such as biometrics and multi-factor authentication. Technology has rapidly developed in recent years, for both the good and bad users of it. This means that the attack types and strategies have significantly improved and have often been successfully leveraged against database systems. This has been seen on a massive scale with companies and organizations such as Target, Home Depot, and Equifax. The damage caused by these successful attacks have been undetermined even today, and they are often the result of poor management and administration. In addition to the wide attack surface, database systems present a special target with the vast amount of potentially useful information they may contain. Because of these facts, database administrators must take special precautions in ensuring that their systems are properly protected and consistently improved. Authentication and access control can perform the critical function of identifying the individual and exactly what they can or cannot do on these incredibly important systems. With this in mind, it is important to understand the steps, procedures, and contextual information surrounding the protection of database security through these particular strategies.

Keywords: authentication, access control, biometrics, RADIUS, multi-factor authentication, directory services

Introduction

Technology has rapidly evolved in recent years and our intense dependency on its function and integration has evolved and grown with it. This has meant great rewards in both economics and entertainment, both for a nation’s social interaction and for an entire defense industry. Business and education has completely evolved in nearly twenty years, both appearing and functioning entirely opposite of what it once did. This incredible efficiency and widespread use of technology has led to incredible advancements in short amounts of time, but unfortunately, there are those who have leveraged these capabilities for the worse. This is all too true with massive data centers and information processing systems in major companies and organizations all around the world, most recently with corporations we interact with every single day – Target, Uber, Home Depot, and Equifax. Database systems that are used to store and process this massive amount of information has been poorly protected on all fronts, leading to data breaches damaging far more than pocketbooks of corporations. Millions of lives have been put at risk with this irresponsibility, to include their livelihoods, identities, and reputations. The institutions that dropped the security ball have lost face with the public, suffering not only losses of stock value, but also market value in the eyes of consumers. Trust is hard to come by in this technological age and it is much more difficult to regain.

 Due to this harsh reality, security administrators are needed on the smallest level to protect and defend networks, systems, and information. This means that at the heart of the datacenter, the database, must be protected as one of the most important assets that the organizations may own. These systems may contain user information, Personally Identifiable Information (PII), financial information, and much more. In worst cases, this loss of data is punishable by law, some local, national, and even international. The work that these administrators put forth in protecting this data can be the difference between massive loss and business as usual. Integral to this protection is authentication and access control. Protecting systems from unauthorized users and then restricting the rights of legitimate users is an absolute requirement in ensuring that data is secure and retains full integrity. It is with these two security principles the cornerstone of solid security policy is built. In addition, the security triad – confidentiality, integrity, availability (CIA) – is held in full regard with these two massive security principles. With their successful implementation, a database system can be used by millions with the confidence their data is protected.

Authentication

What exactly is authentication? This critical security principle is rather simple to understand, but sometimes difficult to implement correctly. Authentication is simply what associated a user’s identity with the identity stored inside of a system. A great example of this would be say, Keith, the system administrator. There is a corresponding account on the system that serves as his “digital identity”, and that is what Keith will use to authenticate with the system. Only he should know the password to use the account, and what he is authorized to do on that system is associated with this digital identity. The user, in this case Keith, will present his username and password, and depending on the system, this should be sufficient for authentication, and he can now use the desired system. A great example is presenting a key to a door lock, as the username and password serves as this all-important key.

There are several types of authentication methods that can be used on a system. They are something that you may know, something that you may have, and something that you are. Something that you know is a password or Personally Identifiable Number (PIN). This is something that is intended to be known only by the legitimate user and should be highly protected. Something that you have is a token or key, this is an item that is absolutely required in order to access the system. Finally, something that you are is really all about biometrics, a new technology that may use body features such as eyes, hands, fingers, and behavior, to determine the authenticity of the individual presenting his or her credentials. As technology has evolved, there have been newer uses focused on contextual logins, namely with IP address, location, or even time of day. The primary focus for this particular paper however will be with the primary three first mentioned (Smith, pg. 222)

 All of these can be used with database systems, either individually or banded together. This is something that has really taken off for the security world, and it is called multi-factor authentication (MFA). Also known as two-factor, or three-factor authentication, MFA uses multiple modes of authentication together to prove a user’s identity, such as requiring a physical token and a PIN number that is associated to it. This is a method used by the military, fulfilling something you have (the token), with something you know (the corresponding PIN). This drastically improves the security of a database server, as an attacker can no longer authenticate with a stolen password alone. He must either present the token and know the PIN, know a password and present a biometric sample, or perform some other combination of the three. Because this is significantly more effective for security, it has proven to be a popular choice among professionals in the field (Smith, pg. 224).

Some great examples of database incidents that directly apply to this concept would be the 2011 incident involving the Lulzsec group, which targeted the likes of Sony, parts of Atlanta FBI programs, and Congress. Similar incidents occurred in the following two years, proving that poor implementation of authentication, particularly MFA, leads to severe consequences. These databases are not only stolen, but they are accessed and later sold to millions more shady individuals, an act that multiplies that initial damage by an untold amount (Smith, pg. 228).

Access Control

Access control, while it may sound similar to authentication, is an entirely different concept. It is assuming that the user has successfully authenticated with the database system and is now seeking to leverage account privileges to accomplish tasks. The tasks that can be accomplished are directly tied to the privileges assigned to the user’s digital identity and they must be stringently applied to ensure appropriate levels of access. Also known as authorization, access control is essentially the process of determining what a user can and cannot do once they have authenticated with a system and been granted access. There are several types of access control, with each accomplishing this very important task in a slightly different way (Stewart, pg. 5)

The first step to applying access control methods is to really control the access of the devices themselves. This is done through the application of Network Access Control (NAC). This is used to ensure the compliance of a device, whether that be with recent patches, virus definitions, or location on the network. It can be as strong or weak as the administrator makes it, and that indicates the individual should be well-versed in its use. Normally, when a device does not meet network requirements, it is placed on an entirely separate network for either remediation or quarantine. This method ensures that personal devices are not used on the network in addition to verifying that the authorized devices fall within company security policy. It is a positive step in ensuring access control for both users and devices (Stewart, pg. 38).

Another method of access control is discretionary access control (DAC). This method is more focused on file security, something that can be critical when implemented on a database. To ensure the availability and integrity of information on database systems, this type of access control should be enforced. This means that the owner of the information has the ability to delegate control with who can modify or use the file. There can be very strict and specific controls placed on the read, write, and execution of files with this particular access control method (Jang, pg. 29).

Finally, and perhaps most often used, would be role-based access control (RBAC). This is often accomplished using groups instead of applying permissions, or rights, to individual users. This does several things, first, it reduces the administrative overhead required. Permissions can be applied to groups and individuals can be assigned or removed from there, reducing the amount of times permissions must be applied. Second, it reduces the likelihood of either mistakes or unnoticed errors. Groups can be audited for members and permissions, as opposed to potentially thousands of users being audited one by one. Hopefully, there will be fewer groups than users and this fact will remain true. This is perhaps one of the most simplistic forms of access control and it is often seen implemented with major directory services like Microsoft Active Directory. With databases, particularly Microsoft SQL databases, this integration with users and groups in Active Directory can prove invaluable for user access control and overall security (Smith, pg. 138).

Application to Database Systems

 It is clear that authentication and access control have innumerable benefits for the administrator and organization’s security goals. Integration with these concepts have been briefly touched upon as they relate to database security, something that must be made clear. It is both simple and necessary to do this, as failing to do so will ensure that the organization becomes a statistic and not a success.

Authentication is deeply rooted in the access of database systems. The question is not of whether to implement this system, but how. Biometrics is a category of authentication that has been used with databases for some time, both for authentication and storage. An example of this can be seen with Database Management Systems. These servers both process the biometric samples presented to them and store the copies for later use. While they can be extremely expensive to implement, their benefits far outweigh the initial cost. They boast data integrity, security, independence and an interactive system for querying the data they store. These features are invaluable for a system that stores and processes deeply personal information like that of an eye scan or hand print. Because of this, there have been doubters of trusting a system that holds so much information. While understandable, the technology has advanced to a surprising level in recent years. Repository security and management has reached an all-time high, as has the strategies used to secure the data. When implemented with MFA, such as a token or password, this method of authentication is nearly foolproof. Because of this, biometric authentication is quickly becoming one of the most trusted and sought-after methods for critical systems, regardless of cost or learning curve (Newman, pg. 117).

Access control is the second part of this security puzzle. Without this particular implementation, authenticated users would be free to modify or even delete the information located on the database. This can be controlled in several ways, but it can be most effectively done by leveraging roles, as we often see when using Microsoft SQL servers. The individual user accounts, whether native to the server itself or to Active Directory, can be directly modified to control their permissions and rights. This means that the roles they are given can directly impact their abilities. An example would be with the user account “Bob”. Bob is a member of the “administrator” group, which may have full read, write, and execute rights for the machine. They can read data, modify data in any way they choose, or even delete or update the data. Another group could be called “junior administrator”, these individuals may be given only read rights, access to particular updates, and given the ability to restart the machine if needed. Roles can be created and modified as necessary by using the “CREATE SEVER ROLE ‘NAME’” within the command line interface. Adding members to the roles is similarly easy to accomplish with the command “ALTER SERVER ROLE ‘NAME’ ADD MEMBER [‘SERVER NAME’USER NAME]”. This adds a member to the role or conversely, may remove them with the “REMOVE” addition. Creating roles for the database and modifying their memberships is very similar in syntax to server administration as well. By selecting from three permissions options “GRANT, DENY, REVOKE”, and administrator may stringently apply the needed privileges for a given user. This includes individual rights, membership to a role, or the ability to interact with certain objects. While this merely touches the surface of what database access control may look like, it is a great start for a junior systems administrator to begin testing his knowledge and improving his database security skills (Sheldon, 2016).

Conclusion

The inclusion of authentication and access control to a database server environment is an undoubted necessity for today’s computing environments. Without even somewhat advanced implementations of these principles entire datacenters are placed at a massive, unnecessary risk. Because of this, there has been an incredible demand for knowledgeable, skilled professionals in the field to protect and audit these highly valued systems. The ability to restrict access and further delegate privileges on these systems is to protect the information and data of millions of users. The ability for a database administrator to leverage these concepts effectively can mean far more than the money saved and reputation kept – it can mean the difference between a success story and an abject disaster – something that history has not treated all too kindly.

References

• Jang, M. (2017). Security Strategies in Linux Platforms and Applications, 2nd Edition. [VitalSource]. Retrieved from https://bookshelf.vitalsource.com/#/books/9781284110289/
• Newman, R. (2010). Security and Access Control Using Biometric Technologies, 1st Edition. [VitalSource]. Retrieved from https://bookshelf.vitalsource.com/#/books/9781305178533/
• Sheldon, R. (2016, August 2). SQL Server Access Control: The Basics – Simple Talk. Retrieved from https://www.red-gate.com/simple-talk/sql/database-administration/sql-server-access-control-basics/
• Smith, R. E. (2016). Elementary Information Security, 2nd Edition. [VitalSource]. Retrieved from https://bookshelf.vitalsource.com/#/books/9781284093070/
• Stewart, J. M. (2015). Network Security, Firewalls and VPNs, 2nd Edition. [VitalSource]. Retrieved from https://bookshelf.vitalsource.com/#/books/9781284107715/