DDBMS - Security in Distributed Databases
Additional security measures are required for a distributed system than for a centralized system, as many users, diversified data, multiple sites and distributed control occur. We will look into the different facets of distributed database protection in this chapter.
There are two types of intruders in distributed communication systems-
- Passive eavesdroppers - They monitor the messages and access private information.
- Active attackers - by inserting new data or changing existing data, they not only monitor the messages but also corrupt data.
Security measures include communication security, data security and auditing of data.
In a distributed database, due to the diversified location of data, users and transactions, a lot of data communication takes place. Therefore, it involves secure interaction between the user and databases and between the various database environments.
Communication security includes the following –
- During transfer, data should not be corrupt.
- The medium of communication should be protected against passive eavesdroppers as well as active attackers.
- Well-defined security algorithms and protocols should be adopted in order to achieve the specifications mentioned above.
Two popular, consistent technologies for achieving end-to-end secure communications are −
- Secure Socket Layer Protocol or Transport Layer Security Protocol.
- Virtual Private Networks (VPN).
In distributed systems, apart from communications, it is imperative to follow measures to secure data. The measures for data security are −
- Authentication and authorization - These are the access control measures that have been implemented to ensure that the database can be accessed by only authentic users. Digital certificates are used to provide authentication. In fact, the username/password combination restricts login.
- Data encryption − The two approaches to data encryption in distributed systems are data encryption—
- Internal approach to distributed databases: User applications encrypt the information and store the encrypted details in the database after. The applications fetch the encrypted data from the database for the use of the stored data and then decrypt it.
- External to the distributed database: It has its own encryption features for the distributed database system. User applications store and retrieve data without understanding that the information in the database is stored in an encrypted form.
- Validated input − The user application reviews each input for this security measure before it can be used to update the database. A wide range of exploits, such as buffer overflow, command injection, cross-site scripting and data manipulation, can be caused by an un-validated input.
In order to assess the security measures it can follow, a database security system needs to identify and monitor security problems. It is also very difficult to detect security breaches at the time of incidents. Analysing audit logs is one way to identify compliance violations. Audit logs include data such as −
- Date, time and site of failed attempts at access.
- Details of successful attempts at access.
- Vital changes to the database system.
- Access to tremendous number of information, especially from multiple-site databases.
An insight into the activities in the database offers all of the above information. A periodic review of the log helps to recognize any unnatural behaviour along with its site and moment of occurrence. Ideally, this log is kept in a separate server to make it inaccessible to attackers.