Designing Secure Databases for OLS

  • Conference paper
Database and Expert Systems Applications (DEXA 2003)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2736)

Abstract

Some Database Management Systems (DBMS) allow multilevel databases to be implemented, but there are no methodologies for designing these databases. Security must be considered a fundamental requirement in Information Systems (IS) development and has to be taken into account at all stages of development. We propose a methodology for designing secure databases that makes it possible to design and implement them while considering constraints on sensitive information from the requirements phase. The models and languages included in the methodology provide tools to specify constraints, to classify information into different security levels, and to specify which roles users need to play to access information. The methodology prescribes rules for specifying the database and the security information with the Oracle9i Label Security (OLS) DBMS. It has also been applied in an actual case by the Data Processing Center of the Ciudad Real Provincial Government.

This research is part of the DOLMEN project (TIC2000-1673-C06-06) and RETISSI project (TIC2001-5023-E) supported by the Research Projects Subdirection of the Ministry of Science and Technology.

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Fernández-Medina, E., Piattini, M. (2003). Designing Secure Databases for OLS. In: Mařík, V., Retschitzegger, W., Štěpánková, O. (eds) Database and Expert Systems Applications. DEXA 2003. Lecture Notes in Computer Science, vol 2736. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45227-0_86

  • DOI: https://doi.org/10.1007/978-3-540-45227-0_86

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40806-2

  • Online ISBN: 978-3-540-45227-0

  • eBook Packages: Springer Book Archive
