Title:
SECURITY MODEL SWITCHING FOR DATABASE MANAGEMENT SYSTEM
Document Type and Number:
WIPO Patent Application WO/2015/005765
Kind Code:
A2
Abstract:
The present invention provides a modular method and system for performing database queries that substantially eliminates or reduces disadvantages and problems associated with previous systems and methods. In particular, the method and system employs an intelligent dataset and switcher that dynamically selects and orders modular data drivers to perform database operations required for requested queries.

Inventors:
SEA CHONG SEAK (MY)
GALOH RASHIDAH HARON (MY)
Application Number:
PCT/MY2014/000152
Publication Date:
January 15, 2015
Filing Date:
May 28, 2014
Assignee:
MIMOS BERHAD (MY)
International Classes:
G06F21/62
Foreign References:
US7483889B2 (2009-01-27)
US6345271B1 (2002-02-05)
Attorney, Agent or Firm:
YAP, Kah Hong (Suite 8-02 8th Floor,Plaza First Nationwide,161, Jalan Tun H. S. Lee, Kuala Lumpur, MY)
Claims:

1. A method of controlling access to database records stored in a data repository, the method comprising:

receiving (101) from a user/client a unique identifier and password for validating the identity of the user/client;

receiving (102) from the user/client a query including functions that are available in the application;

constructing (103) a transformed query based on the functions performed, including a Unique Identifier and Data Classification value to be sent together with the query; deciding (105), by the database administrator, on the security model for the security model switcher based on the organization security policy and thereby applying the same to the said query; returning (108) the result sets based on the query from the database by the database manager application to the said security model switcher; and

outputting (109) the result set from the switcher and displaying (109) it to the user/client, wherein only a user/client with an equal or greater level of privilege can modify the record, or alternatively facilitating data confidentiality enabling all database records to be writeable to all users, wherein only users with an equal or greater level of privilege can read the record.

2. A method of claim 1, further comprising determining whether the confidentiality or integrity security model is used through the security model switcher based on the organization security policy implemented for the relational database management system.

3. A method of claim 2, wherein when the integrity security model is chosen, reconstructing (106) the query sent from the application based on the integrity model before sending it over to the database for processing.

4. A method of claim 2, wherein when the confidentiality security model is chosen, reconstructing (107) the query sent from the application based on the confidentiality model before sending it over to the database for processing.

5. A method of claim 1, wherein access to the database records is executed by a switcher that facilitates database access based on the selected security model.

6. A method of claim 1, wherein the queries are put together with the client's unique identifier and data classification level, in the format [Unique Identifier, Data Classification value] Query or [Unique Identifier] SQL Query.

7. A method of claim 1, wherein the security model switcher exists between the client application and the database, to enable switching of the security model based on organization goals and objectives.

8. A method of claim 1, wherein all query access statements from the application are configured to go through the security model switcher before they reach the database for execution.

9. A system for controlling access to data stored in a data repository, comprising:

a processor; and

a memory containing an application module, which when executed on the processor, performs an operation for controlling access to data stored in a data repository in accordance with claim 1.

10. A computer-readable storage medium containing an application module, which, when executed on a processor, performs an operation for controlling access to data stored in a data repository in accordance with claim 1.

Description:
Security Model Switching for Database Management System

Field of the Invention

[0001] The present invention relates to a database management system and method for providing a security model. More particularly, the present invention relates to a database management system that allows switching between a confidentiality and an integrity security model with regard to an organization's security policy, and the method thereof.

Background

[0002] Databases are computerized information storage and retrieval systems. A relational database management system is a computer database management system (DBMS) that uses relational techniques for storing and retrieving data. The most prevalent type of database is the relational database, a tabular database in which data is defined so that it can be reorganized and accessed in a number of different ways. Relational databases are organized into tables, which consist of rows and columns of data. The tables are typically stored on random access storage devices such as magnetic or optical disk drives for semi-permanent storage.

[0003] Regardless of the particular architecture, in a DBMS, a requesting entity demands access to a specified database by issuing a database access request. Such requests include, for instance, simple catalog lookup requests or transactions and combinations of transactions that operate to read, change and add specified records in the database. These requests are made using high-level query languages such as the Structured Query Language (SQL). The term "query" herein denominates a set of commands for retrieving data from a stored database. Queries may take the form of a command language that lets programmers and programs select, insert, update, find out the location of data, and so on.

[0004] For the purposes of security in accessing the database, many organizations use Access Control Lists (ACLs) to control an entity's access to particular objects within database systems. An ACL typically comprises a list of Access Control Entries (ACEs) that specify the privileges granted and/or denied to a given entity. ACLs may be stored in various formats, such as in eXtensible Markup Language (XML) files, or within database tables. Each format has advantages and disadvantages related to speed, resource consumption, and security. When implementing a database system with ACLs, database administrators typically determine which ACL-based security model they will use. There are multiple ways to evaluate the ACLs involved in a given security model. However, in this situation, it can be problematic to determine which evaluation method should be used for a given request.

[0005] Furthermore, when a user accesses the database directly via a CLI (command-line interface), there is no restriction on the records displayed. The user is able to view all the records in the database purely based on the user privileges granted.

[0006] Additional difficulties arise when a service provider exists in the form of a database manager for multiple, sometimes competing, accounts/users. The service provider may provide services to entities that are themselves competitors. As agents of the service provider work with one entity, they may be exposed to confidential data belonging to other accounts. Agents of the service provider may intentionally compromise information belonging to one account at the expense of another. In other words, data theft may occur. Having access to information from multiple accounts may create conflicts of interest. That is, agents of the service provider should not be allowed to consult with one client while having insider knowledge of the plans, status or standing of a competing account.

[0007] Accordingly, there is a need for improved and more flexible methods for accessing data that are not limited to the particular manner in which the underlying physical data is represented. Further, such methods should provide for the security of confidential data and prevent access to confidential data by individuals where that access would lead to conflicts of interest or other inappropriate disclosures. Therefore there is a particular need for database security that controls database access and updates.

[0008] Conventional database systems utilize a plurality of tables to store information such as users, relationships between users, and access privileges of users. Database systems often utilize a three-tier software architecture that includes a user interface, a database, and an application server located between the user interface and the database. In a network environment the application server provides resources to multiple clients. The application server may provide process management where business logic is executed, and provides functions such as queuing, application execution, and database access, for example. Business logic may include application modules that perform functions such as retrieving data from files, ensuring security and integrity, and undertaking table manipulations (e.g., updates, deletions, calculations, and the like). The business logic and management of these systems is typically implemented using compiled code. Since the business logic and database management cannot be reconfigured without revising the code and recompiling the application module, making changes to the application server is often time consuming and can only be performed by someone with in-depth knowledge of the system.

[0009] Furthermore, changes to database security may also be difficult for users of the system to implement. Security is typically provided through access control lists which specify the privileges of particular users with respect to data, to identify which users are allowed access to data or are permitted to edit the data. Another drawback of access control lists is that they do not depend upon the state of the data. There is, therefore, a need for a database management system that provides easily configurable business logic, allowing security policies to be created for different situations and applied automatically.

[0010] In the prior art, Wang, in U.S. Patent 7,483,889, describes instance-based authorization utilizing query augmentation. The specification discloses a method for persistent data authorization that includes receiving a query at a management device and identifying authorization constraints at the management device utilizing an authorization model. The authorization model includes at least one group hierarchy defining authorization based on a relationship between levels in the hierarchy. The query has to go through a middle device and be reconstructed before it is sent to the database for processing. The query is modified based on the authorization constraints and the modified query is sent to the database. The method does not allow any security model switching for the database. The benefits of switching are disclosed in the forthcoming description.

[0011] In another prior art, Richard, in U.S. Patent 6,345,271, describes a method and apparatus for transforming queries. The specification discloses a method, apparatus, article of manufacture, and a memory structure for transforming a query to reduce the need for merging the results from a number of result lists. The method comprises the steps of forming at least one subquery from the query, executing the formed subquery to generate a result list comprising a plurality of first result elements, and replacing the executed subquery with a logical combination of the first result elements to form a transformed query. Although the said method includes transformation of queries via a different application, the present disclosure includes transformation of queries by further including a unique identifier and/or data classification level, providing condition filtering, record updating and better access controls involving a confidentiality or integrity security model.

[0012] Therefore the security model for database-access rights needs to be redesigned into an application. The option to instantaneously switch from one security model to another for a database requires redesigning the application's architecture. No database-access right is enforced when accessing the database via a command-line interface, as the user is able to view all the records in the database.

Summary

[0013] In one aspect of the present invention, there is provided a modular method and system for performing database queries that substantially eliminates or reduces disadvantages and problems associated with previous systems and methods. In particular, the method and system employs an intelligent dataset and switcher that dynamically selects and orders modular data drivers to perform the database operations required for requested queries.

[0014] The embodiments of the present invention allow organizations to implement either a confidentiality or an integrity security model for access control in their application without having to put extra time and resources into the design and development phase. The user has to provide a unique identifier when accessing the database via the CLI; therefore only a limited view of records is displayed, based on the user's security clearance level.

[0015] A switcher may be introduced and implemented to enable the switching of the security model based on organization goals and objectives. Besides that, the switcher is introduced so that no special setting is needed in the database configuration and it can be used by any relational database management system available in the market.

[0016] In yet another aspect, the database security management system comprises a processor and a memory containing an application module, which when executed on the processor, performs an operation for controlling access to data stored in a database, and which is operable to interface between a user and the said database. The system is configured to process requests from the user to perform an action with respect to data stored in the database, restricted to the particular user's rights. Users can only view records based on their security clearance level. The system includes a security model switcher program as a user interface operable to receive a request from the user to obtain data within the electronic database, form a query based on the request, and pass the query to the database. The user request includes a user unique identifier. The system includes a switcher component, which is configured to facilitate database access based on the security model selected.

[0017] In another aspect, there is provided a method for processing requests from a user/client to perform an action with respect to data stored in an electronic database. A plurality of rules, including the data classification level value, are applied to the request to determine if the request passes the security constraints, and the request is modified if required to meet the security constraints. The method includes accessing the data to perform the request if the request meets the security constraints. The method further includes accessing a database record using the disclosed security model facilitating data integrity, enabling all database records to be readable by all users but wherein only users with an equal or greater level of privilege can modify the record; or alternatively facilitating data confidentiality, enabling all database records to be writeable by all users but wherein only users with an equal or greater level of privilege can read the record.

[0018] The predefined query model, which includes the Unique Identifier and the value of the Data Classification Level, forms the basis for all queries created by users. In this way, the predefined query model controls the elements to be displayed in any database to which any particular set of users will have access. In addition, the predefined query models establish mechanisms that restrict the type of queries that can be made by any group of users. In particular, the mechanisms define the maximum computer resources, or governors, that can be used to execute the queries, and the allowable joins between tables, to prevent run-away or malicious queries that could impact the integrity of the business intelligence of an organization.

[0019] In another embodiment of the present invention, the method for processing requests for accessing a database includes receiving a query for data from the database at a user interface and transferring the query to the security model switcher. The queries are put together in a particular format including the unique identifier, the data classification value and the SQL query.

[0020] The database security management system of another aspect of the present invention is operable to interface between a user and a database and is configured to process requests from the user to perform an action with respect to data stored in the database. The system includes a user interface operable to receive a request from the user to obtain data within the electronic database, form a query based on the request, and pass the query to a security model switcher system together with a user identifier. The system further includes a data manager operable to submit the request to the database and return the requested data to the said switcher.

[0021] In another embodiment of the invention, a database security management system is operable to interface between a user and an electronic database and is configured to process requests from the user to perform an action with respect to data stored in the database. The system includes a switcher component which facilitates database access based on the security model selected for access to the database records. The switcher component is configured to reconstruct the query sent from the application based on the selected security model before sending it over to the database for processing.

[0022] In yet another aspect of the present invention, there is provided a method and system that allow switching between a confidentiality and an integrity security model for a database management system. The confidentiality model ensures that authorized users with a certain clearance level are unable to read data with a higher classification level or write data to a lower classification level, and the integrity model prevents information with a lower classification level from flowing to a higher classification level.

[0023] In yet another embodiment of the present invention, a security model switcher is disclosed herein that resides between the client application and the database. The switcher enables the database administrator to decide whether to implement the confidentiality or the integrity model. All queries/database access statements from the application are passed through the security model switcher before they reach the database for execution.

[0024] One embodiment of the present invention provides a system that facilitates performing user/client identity and classification level based optimization of authorization checks in the database system. During operation, the system receives an SQL query at the database system to perform database operations via the security model switcher program. Next, the said Security Model Switcher Program determines the confidentiality or integrity security model used by the particular client application. The Relational Database Management System receives the query from the switcher program and returns the result, based on the security model chosen, to the switcher program. The switcher program estimates the security clearance level for executing the query, which involves evaluating the received data classification value, sent along with the query, for evaluating authorization checks, which involve functional evaluations of access rights for the data accessed by the query.

[0025] In an exemplary embodiment, there is provided a computer-readable storage medium containing a program, which, when executed on a processor, performs an operation for controlling access to data stored in a data repository, the operation comprising: receiving, from a user/client, a unique identifier and password for validating the identity of the user/client; receiving from the user/client a query including the functions that are available in the application; constructing a transformed query based on the functions performed, including a Unique Identifier and Data Classification value to be sent together with the query; deciding, by the database administrator, on the security model for the security model switcher based on the organization security policy and thereby applying the same to the said query; retrieving the result sets based on the query from the database by the database manager application to the said security model switcher; and outputting the result set from the switcher and displaying it to the user/client; wherein only a user/client with an equal or greater level of privilege can modify the record, or alternatively facilitating data confidentiality enabling all database records to be writeable to all users, wherein only users with an equal or greater level of privilege can read the record.

[0026] The above is a brief description of some deficiencies in the prior art and advantages of the present invention. Other features, advantages, and embodiments of the invention will be apparent to those skilled in the art from the following description, drawings, and claims.

Brief Description of the Drawings

[0027] Preferred embodiments according to the present invention will now be described with reference to the figures accompanied herein, in which like reference numerals denote like elements;

[0028] FIG. 1 illustrates a flowchart for switching between the integrity and confidentiality security model for a database management system with regard to an organization security policy in accordance with an embodiment of the present invention;

[0029] FIG. 2 exemplifies a table that consists of clients' unique identifiers and their respective security clearance levels in accordance with an embodiment of the present invention;

[0030] FIG. 3 exemplifies a table that consists of a data classification level column for every application-related table, as mentioned in the first rule, in accordance with a further embodiment of the present invention;

[0031] FIG. 4 exemplifies a table showing detailed access right between Security Clearance Level and Data Classification Level in accordance with yet another embodiment of the present invention; and

[0032] FIG. 5 exemplifies how, with a different Data Classification Level such as "Low", users are able to view back their updated or inserted data in accordance with yet a further embodiment of the present invention.

Detailed Description

[0033] Embodiments of the present invention shall now be described in detail, with reference to the attached drawings. It is to be understood that no limitation of the scope of the invention is thereby intended, such alterations and further modifications in the illustrated device, and such further applications of the principles of the invention as illustrated therein being contemplated as would normally occur to one skilled in the art to which the invention relates.

[0034] In one embodiment of the present invention, a security model for a database as disclosed herein is used to control the access rights of a system, and is chosen based on the type of organization, its goals and its objectives. Government-controlled and inter-governmental organizations may be more concerned with not disclosing their confidential information, whereas private-sector organizations are more concerned with the integrity of the data. Access Control Lists are used to control an entity's or user's access to particular objects within database systems. The access rights of an application to a database management system are normally controlled by the application itself, and the database is a repository for the data of that system.

[0035] As an example, when an organization intends to uphold either the confidentiality security model (Bell-LaPadula) or the integrity security model (Biba) for its access rights, this can only be achieved by designing it into the application. Extra time and effort is needed, as the system architect needs to come up with a satisfactory application design and the programmer needs to write the application based on that design.

[0036] In a typical multi-tiered software system, managed entities are stored as model objects. Operational requests are typically implemented as a query to the database. Database queries are statements used for directing database management systems to access data stored in a database. To enforce security policies, a security system or authorization component is integrated with a database access component. This is done by allowing switching between the confidentiality and integrity security model for the database management system with regard to an organization security policy. The security model on the database enforces the access rights of the user and is controlled by an application module.

[0037] Accordingly, the method and system are adapted to allow switching between the confidentiality and the integrity security model for a database management system. The confidentiality model ensures that authorized users with a certain clearance level are unable to read data with a higher classification level or write data to a lower classification level, so that users cannot accidentally or intentionally share confidential information by writing to a lower security level. The integrity model, in turn, prevents information with a lower classification level from flowing to a higher classification level. The integrity model disallows users from reading data at a lower classification level, so as to protect them from being corrupted by data at a lower integrity level.

[0038] In this embodiment, a security model switcher sits between the client application and the database, to enable switching of the security model based on organization goals and objectives. It is this switcher that enables the database administrator to decide whether to implement the confidentiality or the integrity model. All queries/database access statements from the application are configured to go through the security model switcher before they reach the database for execution. No special setting is needed in the database configuration, and it can be used with any relational database management system available on the market.

[0039] FIG. 1 shows a flowchart illustrating a process for receiving and processing a request to view data in accordance with one embodiment of the present invention. In this illustrative embodiment, a user may access the system via a web browser over the internet. At step 101, a request is first entered by the user by providing a unique identifier and password. The system is configured to check the validity of the unique identifier and password at step 102. Only a valid unique identifier and password can proceed to the next step. Only a valid user is authorized to perform the available functions on the system at step 103. A query is derived from the page of the browser at step 104. Access control rules are applied by an access manager of the system to produce a modified query. The application constructs the query based on the functions performed. The Unique Identifier and Data Classification value are sent together with the query, which is preferably optimized accordingly. In one example, the format of the query may be modified as [Unique Identifier, Data Classification value] Query. At step 105, the database administrator decides on the security model (confidentiality or integrity) to be used based on the organization security policy. If the integrity security model is chosen, the switcher reconstructs the query sent from the application based on the integrity model before sending it over to the database for processing at step 106. If the confidentiality security model is chosen, the switcher reconstructs the query sent from the application based on the confidentiality model before sending it over to the database for processing at step 107. Accordingly, a corresponding SQL query is generated by the data manager and sent to the database to retrieve only the data required by the request and permitted after application of the access control rules. The query results are returned from the database to the switcher and shaped into the correct format by the data manager application for the security model switcher at step 108. The application receives the result sets from the switcher, outputs a page formatted using the visible data from the database, and displays it to the client at step 109.

[0040] It is to be understood that the access and update processes may be different than described above without departing from the scope of the invention. For example, both confidentiality level and Integrity level security may be applied to the query before it is sent to the database, or both may be applied to the data after it is returned from the database.

[0041] The database administrator as discussed herein may include a data manager. The data manager includes the schema (i.e., the organization of the data structures within the database) and default values. The data manager is configured to receive a query from the administrator, submit the query to the database, and receive the data issued from the database in response to the query. The query may be changed to SQL (Structured Query Language) format by the data manager or any other suitable database language. The data manager also receives updates from the database administrator and submits the updates to the database.

[0042] The method of accessing a database record uses a security model facilitating data integrity, enabling all database records to be readable by all users while only users with an equal or greater level of privilege can modify the record; or alternatively facilitating data confidentiality, enabling all database records to be writeable by all users while only users with an equal or greater level of privilege can read the record.

[0043] The illustrated embodiment allows switching between the integrity and confidentiality security model for a database management system with regard to an organization security policy. The switching is done through the Security Model Switcher, where the database administrator makes the necessary setting in a configuration file. The switcher reads the configuration file and decides which security model to load before it establishes a connection with the database server. The purpose of using a security model is to allow the application to display or update data based on the user's security clearance level against the data classification level in the database. In other words, a user is only allowed to view, update or delete data that he/she has authorization for. For insertion of a new record into a table, the data classification level is the same as the user's security clearance level.

[0044] As discussed above, implementing the embodiments of the present invention requires a table that includes clients' unique identifiers and their respective security clearance levels, and application-related tables defining a data classification level column.

[0045] FIG. 2 exemplifies a table of clients' unique identifiers and their security clearance levels in accordance with one embodiment of the present invention. The Unique Identifier is an auto-generated value created when a user account is created, and it is a unique value. For example, the Security Clearance Level comprises a number value from 1 to 5, where 5 is the highest authorization level and 1 the lowest. The User Account column may include information concerning the users, such as the user name, department, role, etc.

[0046] FIG. 3 exemplifies an application-related table having a data classification level column in accordance with another embodiment of the present invention. This table may include the database name, the database records' info, and the associated data classification level assigned to the database records. The Data Classification Level may also be a number value from 1 to 5, with level 5 being the highest. A user with an authorization level of 5 is able to access any data that has data classification level 5 and below. For example, the database name can be an employee database, and the records may be the respective employees' names, IDs, etc.

[0047] FIG. 4 exemplifies a table showing the relationship and mapping between the security clearance level and the data classification level in accordance with a further embodiment of the present invention. As provided in the table, security clearance level 5, being the highest authorization level, is given full access rights to data of all data classification levels 1-5. In another example, security clearance level 1, being the lowest authorization level, is given only the access right to data with data classification level 1.

[0048] Operationally, all queries generated by the application may be given in the format below:

[Unique Identifier, Data Classification value] Query

[0049] The Unique Identifier is compulsory on all queries sent over to the database server for processing. Its purpose is to obtain the user's security clearance level from the database by matching it against the Unique Identifier records stored in the table shown in FIG. 2.

[0050] As for the Data Classification Level, it depends on the type of query being generated; only insert and update queries need to provide the value. The purpose of this value is to determine whether the user who initiates the insert or update function is able to view back the inserted or updated data. If the Data Classification Level is "Low", users are able to view back their updated or inserted data. FIG. 5 exemplifies a table of possible combinations of the user security clearance level, the data classification value sent, and the data classification level in the database.

[0051] All queries are reconstructed based on the chosen security model, which is either the integrity or the confidentiality model. Both the Unique Identifier and the Data Classification Level value sent together with the query are extracted and used for query reconstruction, and only the reconstructed query is sent over to the database server for processing. The restructuring is done to restrict the user from viewing or amending records that he/she does not have authorization for. The database server processes the reconstructed queries received and generates the result set, which is subsequently sent back to the Security Model Switcher. It is the switcher's job to pass the result set to the application for display or to notify users of the status of the query.

[0052] The illustrated embodiments allow organizations to implement either a confidentiality or an integrity security model for access control in their application without having to put extra time and resources into the design and development phase.
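The following is an added illustration, not code from the patent or from MIMOS, of the switcher behaviour described in [0043]-[0051]: it parses the [Unique Identifier, Data Classification value] Query format, looks up the clearance level (FIG. 2), and reconstructs SELECT/UPDATE/DELETE/INSERT statements under whichever model the administrator configured, following the access rule of [0042] (integrity: read all, modify only at or below clearance; confidentiality: write all, read only at or below clearance). Table and column names, the SQLite backend and the sample rows are assumptions made for the example.

```python
"""Toy security model switcher placed between an application and a DBMS."""
import re
import sqlite3

# Constructed sample data (assumed names): a clearance table as in FIG. 2 and one
# application table carrying a data classification column as in FIG. 3 (1..5, 5 highest).
SAMPLE_SCHEMA = """
CREATE TABLE users (unique_identifier TEXT PRIMARY KEY, clearance_level INTEGER NOT NULL);
CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
    data_classification_level INTEGER NOT NULL CHECK (data_classification_level BETWEEN 1 AND 5));
INSERT INTO users VALUES ('u-alice', 5), ('u-bob', 2);
INSERT INTO employee VALUES (1, 'public record', 1), (2, 'internal record', 3), (3, 'board record', 5);
"""

# "[Unique Identifier, Data Classification value] Query" or "[Unique Identifier] Query"
TAGGED_QUERY_RE = re.compile(
    r"^\[\s*(?P<uid>[^,\]]+?)\s*(?:,\s*(?P<dcl>[1-5])\s*)?\]\s*(?P<sql>.+)$", re.S)
# Splits a simple statement into: text before WHERE, the WHERE predicate, trailing clause.
# Good enough for single-table statements without string literals containing keywords.
WHERE_RE = re.compile(
    r"^(?P<head>.*?)(?:\s+WHERE\s+(?P<pred>.*?))?(?P<tail>\s+(?:ORDER\s+BY|GROUP\s+BY|LIMIT)\b.*)?$",
    re.I | re.S)
INSERT_RE = re.compile(
    r"^INSERT\s+INTO\s+(?P<table>\w+)\s*\((?P<cols>[^)]*)\)\s*VALUES\s*\((?P<vals>[^)]*)\)$", re.I | re.S)
UPDATE_RE = re.compile(r"^UPDATE\s+(?P<table>\w+)\s+SET\s+", re.I)


class SecurityModelSwitcher:
    """Reconstructs tagged application queries under the configured model and runs them."""

    def __init__(self, conn, model, dcl_column="data_classification_level"):
        if model not in ("confidentiality", "integrity"):
            raise ValueError("security model must be 'confidentiality' or 'integrity'")
        self.conn, self.model, self.dcl_column = conn, model, dcl_column

    def clearance_of(self, uid):
        """Step of [0049]: map the Unique Identifier to the user's clearance level."""
        row = self.conn.execute(
            "SELECT clearance_level FROM users WHERE unique_identifier = ?", (uid,)).fetchone()
        if row is None:
            raise PermissionError(f"unknown unique identifier {uid!r}")
        return row[0]

    def reconstruct(self, tagged_query):
        """Return (sql, params): the statement the database server will actually see."""
        m = TAGGED_QUERY_RE.match(tagged_query.strip())
        if not m:
            raise ValueError("expected [Unique Identifier, Data Classification value] Query")
        uid, dcl, sql = m.group("uid"), m.group("dcl"), m.group("sql").strip().rstrip(";")
        clearance = self.clearance_of(uid)
        verb = sql.split(None, 1)[0].upper()
        col = self.dcl_column
        if verb == "INSERT":
            # New record gets the supplied classification, else the writer's clearance ([0043]).
            im = INSERT_RE.match(sql)
            if not im:
                raise ValueError("only INSERT INTO t (cols) VALUES (vals) is supported here")
            level = int(dcl) if dcl else clearance
            return (f"INSERT INTO {im['table']} ({im['cols']}, {col}) VALUES ({im['vals']}, ?)",
                    (level,))
        if verb == "UPDATE" and dcl:
            # An UPDATE carrying a classification value also re-classifies the record ([0050]).
            sql = UPDATE_RE.sub(lambda u: f"{u.group(0)}{col} = {int(dcl)}, ", sql, count=1)
        restrict_reads = self.model == "confidentiality"   # no read-up (Bell-LaPadula)
        restrict_writes = self.model == "integrity"        # no write-up (Biba)
        if (verb == "SELECT" and restrict_reads) or (verb in ("UPDATE", "DELETE") and restrict_writes):
            wm = WHERE_RE.match(sql)
            pred = f"({wm['pred']}) AND " if wm["pred"] else ""
            return f"{wm['head']} WHERE {pred}{col} <= ?{wm['tail'] or ''}", (clearance,)
        return sql, ()

    def execute(self, tagged_query):
        """Run the reconstructed query; rows for SELECT, affected row count otherwise."""
        sql, params = self.reconstruct(tagged_query)
        cur = self.conn.execute(sql, params)
        self.conn.commit()
        return cur.fetchall() if sql.upper().startswith("SELECT") else cur.rowcount


def make_switcher(model):
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return SecurityModelSwitcher(conn, model)


def demo(model):
    """Same application traffic under one model; returns which record ids each user sees."""
    sw = make_switcher(model)
    sw.execute("[u-bob, 4] INSERT INTO employee (id, name) VALUES (4, 'written up by bob')")
    sw.execute("[u-bob] DELETE FROM employee WHERE id = 3")   # board record, level 5
    return {
        "bob_sees": [r[0] for r in sw.execute("[u-bob] SELECT id FROM employee ORDER BY id")],
        "alice_sees": [r[0] for r in sw.execute("[u-alice] SELECT id FROM employee ORDER BY id")],
    }


if __name__ == "__main__":
    for model in ("confidentiality", "integrity"):
        print(model, demo(model))
```

Under the confidentiality model Bob (clearance 2) cannot view back the level-4 record he inserted, which is the FIG. 5 situation of [0050]; under the integrity model his DELETE of the level-5 record is filtered out and affects no rows.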

[0053] The embodiments provide secure access to the database through the CLI (command-line interface), wherein the user has to provide a unique identifier when accessing the database via the CLI. Further, only a limited view of records is displayed, based on the user's clearance level.

[0054] While specific embodiments have been described and illustrated, it is understood that many changes, modifications, variations, and combinations thereof could be made to the present invention without departing from the scope of the invention.