Database Security Assignment: Recommendations to Protect Private & Confidential Information
Task: You have been subcontracted as an IT consultant to prepare a study report about the organization's potential database security issues and concerns. The database in this organization stores extremely private and confidential information that needs to be protected and secured. You need to provide recommendations on how to best protect and safeguard this database from any possible malicious threat or attack.
Introduction to the theme of database security assignment
In this technologically advanced era, integrating protected and secured platforms for safeguarding private and confidential information is essential for every organisation. The IT consultant has to propose appropriate database security measures for the potential security issues and concerns. In this report, the potential database security issues and concerns that arise from storing extremely private and confidential information have been outlined for the organisation. As the security of the database relies on three significant layers, the database level, the access level, and the perimeter level, the organisation needs to integrate appropriate schemes or solutions at each of them to prevent external or internal threats. Appropriate recommendations to best protect and safeguard the database from possible malicious threats or attacks have been put forward as well.
As put forward by Tabassum et al. (2019), with regard to database security, malicious and internet-based attacks are persistent challenges. Specifically, attackers devise new strategies to intrude into databases and steal critical information. Likewise, the organisation has the potential to face such malicious attacks, including infiltration of the databases, loss of valuable data, or other harmful threats that could disrupt the entire organisational infrastructure. Hence, it is essential to ensure that the database security measures are strong enough to protect the database. On the other hand, ransomware and malware have also become common cybersecurity threats. Besides, it is essential for the organisation to ensure that contractors, employees, and partners do not abuse their credentials. Therefore, the organisation must ensure that it grants access to the database systems and applications only on the basis of the information each person requires for their work; otherwise, the database security of the organisation can be compromised. As suggested by Assiri & Almagwashi (2018), database security incorporates three significant levels, which are the database level, the access level, and the perimeter level. For the organisation, it is essential to incorporate database security solutions at each level for safeguarding confidential information. At the database level, the integration of database encryption is recommended, as it offers security within the database itself. At the access level, access control list solutions need to be incorporated, as they control the users allowed to access certain data within the database system. Additionally, at the perimeter level, the integration of firewalls is recommended for determining who can and cannot enter the database system.
At the database level, encryption becomes the last line of defence in database security for safeguarding sensitive and confidential data. Encryption can assist the organisation by allowing it to withhold the encryption and decryption keys from the service provider. The encryption solution involves four entities: data owner, user, client, and server (refer to Fig: 1).
Fig: 1 (Database encryption security solution at the database level)
Source: (Stallings & Brown, 2018)
Based on the encryption scheme highlighted in the above figure, the encrypted database is stored at the server, and this eliminates the possibility of hacking into the server system, as an encryption key is required for access. Only the user at the client or the organisation can retrieve data, by using the primary key and issuing an SQL query to the server. The primary key is encrypted by the query processor at the client, and the query is transmitted to the server. The server then matches the encrypted value of the primary key and returns the exact records. The client, in turn, decrypts the data and returns the results, which provides an enhanced level of security.
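The following is an added example, not code from the report or from Stallings & Brown, of the retrieval scheme just described: the client keeps the key, turns the primary key into a deterministic token, the server matches tokens over ciphertext it cannot read, and the client decrypts the returned record. It uses only the Python standard library, so a keyed-hash counter mode stands in for a real AEAD cipher such as AES-GCM; the key, server class and sample rows are constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed for this example: the data owner's key, held at the client only.
OWNER_KEY = hashlib.sha256(b"constructed example owner secret").digest()

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # Keyed hash with a label so token, keystream and MAC uses never collide.
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()

def pk_token(key: bytes, primary_key: str) -> str:
    # Deterministic: equal primary keys give equal tokens, so the server can match rows.
    return prf(key, b"token", primary_key.encode()).hex()

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream XORed over data (encrypts and decrypts); stdlib stand-in for AES-GCM.
    ks = b"".join(prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_record(key: bytes, record: dict) -> bytes:
    pt = json.dumps(record, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = xor_stream(key, nonce, pt)
    return nonce + ct + prf(key, b"mac", nonce + ct)   # encrypt-then-MAC

def decrypt_record(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(key, b"mac", nonce + ct)):
        raise ValueError("record failed integrity check")
    return json.loads(xor_stream(key, nonce, ct))

class EncryptedServer:  # holds only tokens and ciphertext, never the key
    def __init__(self):
        self.rows = {}
    def insert(self, token: str, blob: bytes) -> None:
        self.rows[token] = blob
    def select(self, token: str):
        return self.rows.get(token)   # the server-side "WHERE pk_token = ?"

def client_query(server: EncryptedServer, key: bytes, primary_key: str):
    blob = server.select(pk_token(key, primary_key))
    return None if blob is None else decrypt_record(key, blob)

def build_demo_server() -> EncryptedServer:
    server = EncryptedServer()  # populated with constructed sample rows
    for rec in ({"id": "P-1001", "name": "Alice"}, {"id": "P-1002", "name": "Bob"}):
        server.insert(pk_token(OWNER_KEY, rec["id"]), encrypt_record(OWNER_KEY, rec))
    return server
```

Because the token is deterministic, the server can still see which queries refer to the same row even though it never learns the primary key itself; that equality leak is inherent to matching on an encrypted key.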
On the other hand, the support from the extended access control lists can be incorporated at the access level for the database security solution of the organisation. The extended access control lists will enable the administrator to assign a list of user IDs as well as groups to a file, each with three protection bits (read, write and execute). This in turn offers a flexible mechanism for assigning access rights.
Fig: 2 (Access control lists security solution at access level)
Source: (Stallings & Brown, 2018)
Fig: 2 above outlines the mechanism of extended access control lists. The owner class and other class entries have a 9-bit permission field covering read, write, and execute. The group class entry reflects the permissions of the owner group for the file, and it also defines the maximum permissions that can be assigned to named groups and named users. Additional named groups and named users can also be linked with the file, each with a 3-bit permission field. Two steps are performed when a process requests access to a file system object. In step 1, the extended access control list entry that matches the requesting process is selected in the following order: owner, named groups or users, and others. In step 2, the selected entry is checked for sufficient permissions. Where several group entries match, one that contains the requested permissions is selected; if none does, access is denied.
Other than that, at the perimeter level, the integration of firewalls is recommended for the organisation to safeguard the database. A distributed firewall configuration would offer significant security to the database by integrating both host-based firewalls and stand-alone firewall devices under central administrative control. Administrators of the organisation can configure host-resident firewalls on a large number of workstations and servers, while configuring personal firewalls on remote and local user systems. The network administrator can monitor the entire network and set policies using management tools. These firewalls safeguard against internal and external attacks and offer protection tailored to specific applications and machines. A stand-alone firewall within the distributed configuration additionally offers global protection, comprising external and internal firewalls (refer to Fig: 3 below).
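The two-step extended ACL check described above, as an added example that is not part of the report or of Stallings & Brown. The entry is selected in the order Stallings gives (owner, then named user, then owner group or named groups, then other), the group class entry caps named users and named groups, and a process in several groups is granted access if any matching group entry suffices. The `ExtendedAcl` class and the sample ACL are constructed for the example.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1   # permission bits of a 3-bit rwx field

@dataclass
class ExtendedAcl:
    owner: str
    owner_perm: int
    group: str
    group_perm: int                 # owner group entry; also the maximum for named entries
    other_perm: int
    named_users: dict = field(default_factory=dict)    # uid -> 3-bit permission
    named_groups: dict = field(default_factory=dict)   # gid -> 3-bit permission

def check_access(acl: ExtendedAcl, uid: str, gids: set, requested: int) -> bool:
    # Step 1: select the entry that matches the requesting process, in the order
    # owner, named user, owner group or named groups, other. Only one class decides.
    if uid == acl.owner:
        candidates = [acl.owner_perm]
    elif uid in acl.named_users:
        candidates = [acl.named_users[uid] & acl.group_perm]   # capped by group class entry
    else:
        candidates = []
        if acl.group in gids:
            candidates.append(acl.group_perm)
        candidates += [p & acl.group_perm for g, p in acl.named_groups.items() if g in gids]
        if not candidates:
            candidates = [acl.other_perm]
    # Step 2: the entry must contain every requested bit. A process in several groups
    # may match several group entries; access is granted if any one of them suffices.
    return any(requested & perm == requested for perm in candidates)

def describe(perm: int) -> str:
    # Render a 3-bit permission as rwx notation, e.g. 5 -> "r-x".
    return "".join(ch if perm & bit else "-" for ch, bit in (("r", R), ("w", W), ("x", X)))

# Constructed sample ACL for a confidential report file.
REPORT_ACL = ExtendedAcl(
    owner="alice", owner_perm=R | W | X,
    group="staff", group_perm=R | X,
    other_perm=R,
    named_users={"bob": R | W},             # effective r-- after the group class cap
    named_groups={"auditors": R | W | X},   # effective r-x after the group class cap
)
```

Note that bob, although a member of staff, is judged by his named-user entry alone, so he cannot execute the file even though the staff entry allows it.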
Fig: 3 (Distributed firewall security solution at perimeter level)
Source: (Stallings & Brown, 2018)
With the distributed firewall security solution and the need to safeguard the sensitive and private databases of the organisation, it is essential to establish both an external and an internal demilitarized zone (DMZ). Additionally, security monitoring can easily be done through the distributed firewall configuration, including fine-grained remote monitoring of individual hosts, log aggregation and analysis, and firewall statistics. The external firewall offers a measure of access protection and control for the DMZ systems and is connected to the internet or local area network. The internal firewall offers two-way protection with respect to the DMZ: it blocks external attacks that get past the DMZ, and attacks launched from DMZ systems against the internal protected network. Additionally, it offers a filtering capability to protect servers and workstations from malicious attacks. Hence, integrating the three security solutions at the three levels can help prevent the intrusion of hackers or malicious attackers into the database system, offering an enhanced level of security for the confidential and sensitive information.
In conclusion, it can be stated that an enhanced level of security is essential for the organisation to safeguard and protect its confidential and private information. As an IT consultant, it is highly recommended to address three significant levels of the database system, the database level, the access level, and the perimeter level, when providing security solutions. The incorporation of encryption, extended access control lists, and a distributed firewall configuration is recommended at the respective levels to eliminate possible malicious attacks or threats towards the database of the organisation.
Assiri, A., & Almagwashi, H. (2018, April). IoT security and privacy issues. In 2018 1st International Conference on Computer Applications & Information Security (ICCAIS) (pp. 1-5). IEEE.
Stallings, W., & Brown, L. (2018). Computer Security: Principles and Practice. Harlow: Pearson.
Tabassum, K., Ibrahim, A., & El Rahman, S. A. (2019, April). Security issues and challenges in IoT. In 2019 International Conference on Computer and Information Sciences (ICCIS) (pp. 1-5). IEEE.