Title :
Enforcing Access Control to Web Databases
Author :
Bouchahda, Ahlem ; Nhan Le Thanh ; Bouhoula, Adel ; Labbene, Faten
Author_Institution :
I3S Lab., Nice-Sophia Antipolis Univ., Nice, France
Date :
June 29 2010-July 1 2010
Abstract :
The insider threat against database management systems is a dangerous and common security problem. Authorized users may compromise database security by abusing their legitimate privileges to masquerade as another user or to gather data for malicious purposes. The problem is aggravated for databases made available over the web through web applications, since the DBMS recognizes only the database user and has no knowledge of the end users behind it. It is important for the DBMS to know who exactly has access to the data. Much research on mitigating insider threats focuses on detection. In this paper, we consider the prevention of such attacks using access control and propose RBAC+, an extension of the NIST RBAC (Role-Based Access Control) standard with the notions of application, application profile and sub-application session. The importance of our solution is that, on the one hand, it enforces access control to the web database and, on the other hand, it is able to identify malicious activities carried out by legitimate users of the system and prevent insider attacks.
Keywords :
Internet; authorisation; database management systems; DBMS; NIST RBAC; RBAC+; Web databases; authorized users; database management systems; database security; database user; legitimate privileges; role-based access control standard; Access control; Adaptation model; Business; Credit cards; Databases; Servers; Access control; application profile; intrusion prevention;
Conference_Title :
Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on
Conference_Location :
Bradford
Print_ISBN :
978-1-4244-7547-6
DOI :
10.1109/CIT.2010.125