Database Security
7.3 Emerging Research Trends
7.3.2 High-Integrity Databases
Integrity is a fundamental requirement for security of computer systems, and for DBMS, integrity of data (or data integrity) is especially crucial. Without the assurance of data integrity, any information extracted from databases is not useful as it cannot be trusted with sufficient confidence. It is also important to observe that data integrity can be undermined not only by errors introduced by users and applications, but also by malicious subjects who may inject inaccurate data into a database with the goal of deceiving other subjects.
Despite the significance of the issue and ongoing research efforts, the theoretical and technical solutions available today for data integrity are still limited. A key difficulty comes from the fact that, unlike confidentiality and availability, the concept of integrity is difficult to capture in a precise definition. In fact, integrity often means different things to different people [30]. The most widely accepted definition of integrity is perhaps the prevention of unauthorized and improper data modification [31, 32]. This definition also seems to coincide with the primary goal of Clark and Wilson’s approach, “preventing fraud and error” in the commercial environment [33]. Another well-known interpretation of integrity concerns the quality or trustworthiness of data [34], on which Biba’s integrity model is based [35]. Inspection of the mechanisms provided by database management systems (DBMSs) suggests yet another view of integrity. Many commercial DBMSs today enable system administrators to express a variety of conditions, often referred to as integrity constraints, that data must satisfy [36]. Such constraints are used mainly for data consistency and correctness.
This multifaceted concept of integrity makes it challenging to address integrity adequately, as different definitions require different approaches. For instance, Clark and Wilson addressed the issue of improper data modification by enforcing “well-formed transaction” and “separation of duty” [33], whereas Biba’s integrity model prevents possible data corruption by limiting information flow among data objects [35]. On the other hand, many current DBMSs ensure data consistency by enforcing various constraints, such as key, referential, domain, and entity constraints [36].
98 E. Bertino, J.W. Byun, A. Kamra
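The four constraint kinds just named can be exercised directly against a DBMS. The following Python script is an added illustration, not code from the chapter: it builds a constructed two-table schema in SQLite (table and column names are assumptions for the example) and submits one row per constraint kind. SQLite rejects each violation with an IntegrityError and, because each statement runs in its own transaction, the prior state survives.

```python
import sqlite3

# Constructed schema exercising the four constraint kinds the text lists:
# key (PRIMARY KEY / UNIQUE), referential (FOREIGN KEY), domain (CHECK),
# and entity (NOT NULL on identifying columns). Names are assumptions.
SCHEMA = """
CREATE TABLE department (
    dept_id   INTEGER PRIMARY KEY,                 -- key constraint
    name      TEXT    NOT NULL UNIQUE              -- entity + candidate key
);
CREATE TABLE employee (
    emp_id    INTEGER PRIMARY KEY,                 -- key constraint
    name      TEXT    NOT NULL,                    -- entity constraint
    salary    INTEGER NOT NULL
              CHECK (salary BETWEEN 1 AND 1000000),   -- domain constraint
    dept_id   INTEGER NOT NULL
              REFERENCES department(dept_id)          -- referential constraint
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    # SQLite only enforces FOREIGN KEY clauses when asked per connection:
    # a constraint declared in the schema is not automatically an enforced one.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO department VALUES (10, 'Security')")
    conn.execute("INSERT INTO employee VALUES (1, 'Alice', 90000, 10)")
    conn.commit()
    return conn


def try_insert(conn, sql, params):
    """Return None if the DBMS accepts the row, else the constraint error text.

    `with conn:` commits on success and rolls back on exception, so a rejected
    row leaves no partial state behind.
    """
    try:
        with conn:
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


INSERT = "INSERT INTO employee VALUES (?, ?, ?, ?)"

# Each constructed case violates exactly one constraint kind.
CASES = {
    "key":         (1, "Bob", 50000, 10),    # duplicate emp_id
    "referential": (2, "Bob", 50000, 99),    # dept 99 does not exist
    "domain":      (3, "Bob", -5, 10),       # salary outside CHECK range
    "entity":      (4, None, 50000, 10),     # NULL in a NOT NULL column
}


def run_cases():
    """Submit every violating row plus one valid row; report what the DBMS did."""
    conn = open_db()
    results = {kind: try_insert(conn, INSERT, row) for kind, row in CASES.items()}
    accepted = try_insert(conn, INSERT, (5, "Carol", 60000, 10)) is None
    count = conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]
    return results, accepted, count


if __name__ == "__main__":
    results, accepted, count = run_cases()
    for kind, err in results.items():
        print(f"{kind:12s} -> rejected: {err}")
    print(f"valid row accepted: {accepted}; rows in employee: {count}")
```

The point worth keeping in mind from the `PRAGMA foreign_keys` line is that the mere presence of a constraint in a schema says nothing about whether the engine enforces it; the check belongs in the acceptance tests for the deployment, not only in the DDL.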
In order to provide a comprehensive approach to the problem of data integrity, we thus need a multi-faceted solution. Such a solution must mirror the generally accepted security approach according to which we need to provide tools and mechanisms for: preventing and controlling security breaches; monitoring and validating systems for detecting possible security incidents; and recovering from security incidents, as no security mechanism, or combination of them, can offer complete protection. We believe that we need to specialize such an approach to integrity. Also, viable solutions to integrity must take into account the fact that integrity requirements may vary depending on the organization and on a large number of factors. Therefore, we do not need integrity systems with built-in policies; we need flexible systems supporting the specification and enforcement of application-dependent integrity policies. A comprehensive solution to integrity must thus support:
• The specification and enforcement of data acceptance policies, stating which data can be entered in the database by which subjects (users or applications) under which circumstances. Acceptance policies represent an important form of prevention of integrity violations and attacks. Current access control mechanisms provide some support for enforcing such policies; however, they need to be provided with an extensive set of metadata information concerning both subjects and data objects.
• The specification and enforcement of validation policies, stating how often the data have to be checked once they have been entered in the database. Although acceptance policies may do a good job in avoiding the introduction of low-integrity data, one still has to deal with the possibility that integrity is degraded or compromised later on. Validation policies can be considered a form of auditing, according to which data are periodically checked with respect to integrity.
• The development of mechanisms for recovering from integrity violations and attacks. Such a mechanism should enable the system to react, possibly in real time, to integrity violations. For instance, it may stop the user or application program introducing the erroneous data, assess and repair the damage, and, perhaps most importantly, prevent the spread of errors.
We note that data integrity cannot be assured by access control alone, although it must play a primary role. Many other mechanisms, such as the transaction manager and the user authentication system, are also required. Moreover, a solution for integrity management must be supplemented with a data validation process, as data integrity is often dependent upon various external factors such as time or changes to external data. The management of integrity thus requires continuous control and monitoring of data over their whole life cycle, from the moment they are introduced into the system to the moment they are deleted from the system. As such, a design for integrity management systems requires one to identify and combine the necessary components so that together they can provide a comprehensive solution to integrity control and management.
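The three policy kinds listed above (acceptance, validation, recovery) can be prototyped on ordinary DBMS tables that carry the subject and data-object metadata the text calls for. The Python/SQLite script below is an added example, not code from the chapter or from any product: the tables, roles, integrity levels, age limit, tolerance and the external reference feed are all constructed assumptions. An acceptance policy gates inserts on subject role and claimed integrity level; a validation policy later re-checks active rows against an external reference and their age; a recovery step traces a suspect row back to the subject that entered it, quarantines everything that subject entered, and stops the subject from entering more.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed schema: subject metadata, a per-role acceptance policy, and data
# rows that carry who entered them, when, and which integrity level they claim.
# Every name and threshold here is an assumption made for the example.
def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
    CREATE TABLE subject (name TEXT PRIMARY KEY, role TEXT NOT NULL, max_level INTEGER NOT NULL);
    CREATE TABLE acceptance_policy (role TEXT, tbl TEXT, max_level INTEGER, PRIMARY KEY (role, tbl));
    CREATE TABLE price (
        item TEXT PRIMARY KEY, value REAL NOT NULL, level INTEGER NOT NULL,
        entered_by TEXT NOT NULL REFERENCES subject(name), entered_at TEXT NOT NULL,
        status TEXT NOT NULL DEFAULT 'active');
    INSERT INTO subject VALUES ('feed_app', 'application', 2), ('auditor', 'analyst', 3), ('guest', 'guest', 0);
    INSERT INTO acceptance_policy VALUES ('application', 'price', 2), ('analyst', 'price', 3);
    """)
    return conn


def accept(conn, subject, item, value, level, now):
    """Acceptance policy: insert only if subject, role policy and claimed level agree."""
    row = conn.execute("SELECT role, max_level FROM subject WHERE name = ?", (subject,)).fetchone()
    if row is None:
        return False                                   # unknown subject
    role, subj_max = row
    pol = conn.execute("SELECT max_level FROM acceptance_policy WHERE role = ? AND tbl = 'price'",
                       (role,)).fetchone()
    if pol is None or level > min(subj_max, pol[0]):
        return False                                   # no policy for role, or level too high
    with conn:
        conn.execute("INSERT INTO price (item, value, level, entered_by, entered_at) VALUES (?,?,?,?,?)",
                     (item, value, level, subject, now.isoformat()))
    return True


def validate(conn, reference, now, max_age, tolerance=0.05):
    """Validation policy: re-check active rows against an external reference and their age.

    Rows diverging from the reference by more than `tolerance` become 'suspect';
    rows older than `max_age` that were not contradicted become 'stale'.
    """
    suspect, stale = [], []
    for item, value, entered_at in conn.execute(
            "SELECT item, value, entered_at FROM price WHERE status = 'active'"):
        ref = reference.get(item)
        if ref is not None and abs(value - ref) > tolerance * ref:
            suspect.append(item)
        elif now - datetime.fromisoformat(entered_at) > max_age:
            stale.append(item)
    with conn:
        conn.executemany("UPDATE price SET status = 'suspect' WHERE item = ?", [(i,) for i in suspect])
        conn.executemany("UPDATE price SET status = 'stale' WHERE item = ?", [(i,) for i in stale])
    return sorted(suspect), sorted(stale)


def recover(conn, item):
    """Recovery: trace a suspect row to its source, quarantine that source's rows, stop the source."""
    who = conn.execute("SELECT entered_by FROM price WHERE item = ?", (item,)).fetchone()[0]
    with conn:
        cur = conn.execute("UPDATE price SET status = 'quarantined' "
                           "WHERE entered_by = ? AND status <> 'quarantined'", (who,))
        # max_level -1 means no claimed level can pass accept() any more
        conn.execute("UPDATE subject SET max_level = -1 WHERE name = ?", (who,))
    return who, cur.rowcount


def demo():
    t0 = datetime(2024, 1, 1, 9, 0, 0)                 # constructed clock
    conn = open_db()
    accepted = [
        accept(conn, "feed_app", "gold", 100.0, 2, t0),
        accept(conn, "feed_app", "silver", 20.0, 3, t0),            # level 3 exceeds app policy
        accept(conn, "guest", "copper", 5.0, 0, t0),                # guest role has no policy
        accept(conn, "feed_app", "copper", 5.0, 1, t0 - timedelta(days=40)),
        accept(conn, "auditor", "zinc", 2.0, 3, t0),
    ]
    reference = {"gold": 90.0, "copper": 5.0, "zinc": 2.0}        # constructed external feed
    suspect, stale = validate(conn, reference, t0, timedelta(days=30))
    who, n = recover(conn, suspect[0])
    blocked = accept(conn, who, "iron", 1.0, 0, t0)               # source is now stopped
    statuses = dict(conn.execute("SELECT item, status FROM price ORDER BY item"))
    return accepted, suspect, stale, who, n, blocked, statuses


if __name__ == "__main__":
    print(demo())
```

The quarantine in `recover` is deliberately coarse: once one row from a source is contradicted by the reference, every row from that source is taken out of 'active' use until examined, which is the "prevent the spread of errors" step the text puts first. A finer recovery would also follow dependencies between rows; the metadata needed for that (who derived what from what) is exactly the extensive metadata the acceptance-policy bullet says current access control lacks.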