Keywords: database security ecommerce, database security layers
To manage a huge amount of data effectively and quickly, a well-organized system needs to be built. It must also store and retrieve data easily. Generally, a database system is designed to be used by many users simultaneously for specific collections of data. Databases are classified by the type of collection they hold, such as images, numeric, bibliographic or full-text. Digitized databases are created by using a management system to make, store, maintain or search the data. Oracle, MS SQL and Sybase servers are the ones mostly used in companies, agencies and institutions for their different purposes.
On the one hand, internetworking technology distributes assets efficiently and effectively among cooperating parties; on the other, it gives hackers and lawbreakers opportunities to make profits. Database security has therefore become the most important issue, and all related agencies have to make sure that their data is available to authorized users only. The main purpose of the database security process is to protect data from unauthorized disclosure, alteration or destruction.
Database security is the set of systems, processes, and procedures that protect a database from unintended activity, which can be categorized as authenticated misuse and malicious attacks made by authorized individuals or processes. Databases have been protected from external connections by firewalls or routers on the network perimeter of the database environment. Database security can begin with the creation and publication of appropriate security standards for the database environment.
Database systems in e-commerce in particular are accessed from web applications to exchange and retrieve information. Because web application access passes through many layers, the security of each layer has to be ensured.
In this paper, we attempt to present in detail how to secure the database at each layer of an e-commerce database system.
Importance of Database Security
In this information technology age, institutions and companies of every type are compelled to make their information assets available online at all times through databases. However, they must have a policy that divides users into levels and defines the extent to which each level can access the information. It is vital not to give opportunities to mischievous intruders. Databases are used to provide personnel information, customer information, credit card numbers, financial data, business transactions, etc. This information is very sensitive and highly confidential, and must be protected from disclosure to competitors and unauthorized persons.
The security of data is crucial not only in business but also on home computers, since personal files and details of bank accounts are difficult to replace and potentially unsafe if they fall into the wrong hands. Data destroyed by hazards like floods or fire is just lost, but data that ends up in the hands of an unethical person will have severe consequences. Other threats include human error and espionage. Data security therefore starts with strategies for identifying the areas of exposure that will be affected. It is important to define who can access what data, who is allowed and who is restricted, whether passwords are used and how to maintain them, what sort of firewalls and anti-malware solutions to use, how to train the staff and how to enforce data security. Furthermore, a backup continuity plan should be laid out so that even if the systems fail, the business can carry on without delay.
Database security should be carefully considered when constructing a company's security infrastructure. The database is crucial to most enterprises nowadays, and damage to it will have a tragic impact on them. Unsecured systems will hurt both the company itself and its clients.
According to research done by the American National Infrastructure Protection Center (NIPC) in 2000, continuous attacks on U.S. e-commerce systems are increasing. The most affected systems are Microsoft Windows NT systems, but UNIX-based operating systems have also been abused. The hackers are exploiting at least three identified system weaknesses to gain illegal access and download information. These vulnerabilities are not newly discovered, and the hackers' malicious activities had been in progress for quite a long time before the victims noticed the intrusion.
The insecurity of a database can affect not only the database itself but also other running systems that have a relationship with it. An intruder may first get access to the poorly secured database, then use powerful built-in database features to gain access to the local operating system. In this way, other trusted systems connected to that database can easily be attacked by the intruder.
Database Security in E-commerce database
A database system cannot stand alone; it depends on many other systems. Hence, database security also includes the security of many associated and correlated systems. The following figure is a typical schema of an e-commerce company. In figure 1, four basic layers exist in order to defend a database system. These are: the operating system, on which the database system runs; the firewall, a commonly applied mechanism to block intrusion from the external network; the web server and web application, which offer numerous services to the end user by accessing the database; and the network layer, the medium through which the data is transmitted.
Operating system layer
Operating system security is a very important aspect of database administration. Some powerful features of database systems can become a way into the underlying operating system. The person responsible should therefore thoroughly examine the relations between each feature of the database and its operating system.
According to Gollmann, there are five layers in an information technology system: application, services, operating system, OS kernel and hardware. Each layer is built on top of the more fundamental ones. Because the database system sits at the services and application layers, it lies above the operating system layer. If weaknesses in the operating system platform are identified, they may lead to illegal database access or manipulation. Database configuration files and scripts are server-level resources and should be strictly protected to ensure the reliability of the database environment. In many database environments, membership in an operating system group grants full control over the database. To prevent misuse and exploitation of that membership, those users' membership and access to the database should be reviewed and justified frequently.
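The two operating-system checks named above (protected configuration files and a regularly reviewed privileged group) can be automated. The following is an added example, not part of the original paper; the approved-member list and the sample account names are assumptions made for illustration.

```python
import os
import stat

# Hypothetical allowlist: accounts approved to be in the OS group that
# grants full control over the database (assumption for this example).
APPROVED_DBA_MEMBERS = {"oracle", "dba_alice"}


def audit_file(path, expected_uid):
    """Return a list of findings for one database config file or script."""
    st = os.stat(path)
    findings = []
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def audit_paths(paths, expected_uid):
    """Audit several paths; a missing file is reported, not silently skipped."""
    report = {}
    for path in paths:
        try:
            findings = audit_file(path, expected_uid)
        except FileNotFoundError:
            findings = ["missing"]
        if findings:
            report[path] = findings
    return report


def unapproved_members(group_members, approved=APPROVED_DBA_MEMBERS):
    """Return group members that are not on the approved list, sorted."""
    return sorted(set(group_members) - set(approved))


if __name__ == "__main__":
    # Constructed sample: members as they would be read from the OS group database.
    print(unapproved_members(["oracle", "dba_alice", "webapp"]))
```

Run on a schedule, the report gives the administrator a short list of files and accounts to justify or correct.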
One of the administrator's responsibilities is to configure the operating system settings, for example adjusting the buffer size and the timeout period, so as to avoid the denial-of-service attack stated previously. Most operating system vendors supply system patches freely and quickly once a vulnerability has been detected in the system. Another weakness, often overlooked by administrators, is failing to keep the operating system up to date with the latest patches that close its most recently revealed holes.
Data has to be transmitted through the network, including the local LAN and the Internet, when web applications communicate with the database or other distributed components. The two major network transmissions are from the user to the web server, and from the web application to the web database server. All these communications must be completely protected. Although the administrator can secure the network in the local domain, the global Internet is beyond the administrator's control.
Encryption is another powerful technology. It ensures not only that an intruder cannot intercept the data but also that the encrypted data is unreadable and extremely hard to guess or decrypt. Only the matching key can decrypt the ciphertext. There are two ways to apply encryption in a database system: one is to use the encryption options provided by database products, and the other is to obtain encryption products from trusted vendors. In addition, one more approach to a secure connection is to use secure protocols on top of TCP/IP, for example IPsec and VPN (Virtual Private Network) technology.
A VPN can carry private traffic across the public Internet by means of encryption technology. In general, SSL (Secure Sockets Layer) can be used as another means of cryptography on top of TCP/IP. Secure web sessions can be obtained with Netscape. SSL has more recently developed into Transport Layer Security (TLS), which makes certain that no intruder may snoop on or interfere with any communication. Using SSL can help to validate and protect web sessions, but it cannot make the computer itself safe.
Web programs differ from ordinary programs when it comes to security. The main reason is that security flaws in a web application program are not easy to perceive. The web server, which keeps out external disturbances, is located between the application server and the firewall. It can be used as an intermediary for obtaining the data that we have approved to be available.
For the time being, the software commonly used in web applications is CGI (Common Gateway Interface). Because it is uncomplicated, it lets the web server carry out different functions easily. It can be as simple as a web page counter. It can also be more complex, for example reading input from the remote user and using that input as a query to a local database. CGI returns the result to the user after retrieving it from the database. On the other hand, it is also risky, since CGI scripts permit software applications to be executed inside the web server. The best-known language for CGI scripts is Perl, since it makes it simple to build applications and parse input from the user. Nevertheless, Perl can be exploited by malicious users, as it provides some powerful system commands.
An intruder can simply destroy the system if CGI is poorly implemented on the web server. This can be a huge hazard to the system, since someone could easily delete confidential files from the web server, which is easy to reach. There are several ways to counter these threats. Users should be prohibited from writing CGI scripts, and CGI programs should be configured so that they can be executed from a single directory only. Care should also be taken when writing CGI scripts. CGI applications that are no longer used, such as sample applications, should be removed, since they are reachable through the web server and are major targets for intruders because older CGI samples have security holes.
Without comprehensive handling, the default settings of the web application server can be a huge flaw in the system if the database system is connected with CGI. It is necessary to make sure which operations are not permitted to clients when a user logs into the database. The most valuable approach is for the web server to use authentication built into CGI, which means preparing a CGI script that requires a login name and password to protect the files. In this way, the files are protected from the web server apart from read-only access. All scripts should be checked for security holes strictly and regularly, whether they are self-developed, downloaded or bought from vendors.
The most significant layer for blocking external intrusion into the system is the firewall. Packet filters and proxy servers are the two types of firewall mechanism. The data exchanged between the application and the database is divided into packets whose headers carry much information, for example the source address, the destination address and the protocol being used. Some packets are filtered out because their source addresses are not trusted to access the databases.
The firewall should be configured to allow only the one or few protocols needed for application queries, such as TCP, while all other packets are strictly blocked. In this way, the risk to the vulnerable system is kept to a minimum. Moreover, the ping of death will be systematically kept out if the firewall is configured to drop incoming ICMP requests.
Potential intruders should be traced by keeping log files at the firewall. A proxy server has two connections. The first is the connection between the corporation's database and the proxy server. The other is the connection between proxy servers, which also provide the log and audit files. On the other hand, it is very hard to build strong firewalls, and the audit trails are too large and difficult to investigate.
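A carefully written CGI-style handler of the kind described above reads the remote user's input, validates it, and only then uses it as a query to a local database. This is an added example, not code from the original paper; the `orders` table, the `order_id` parameter and the sample rows are constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Allowlist for the one expected parameter: a 1-12 digit order number.
ORDER_ID_RE = re.compile(r"[0-9]{1,12}")


def make_db():
    """Build a constructed in-memory orders table (sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders "
               "(id INTEGER PRIMARY KEY, customer TEXT, status TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1001, "alice", "shipped"), (1002, "bob", "pending")])
    return db


def handle_request(db, query_string):
    """Return (http_status, body) for a CGI QUERY_STRING value."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("order_id", [])
    # Reject missing, repeated or malformed parameters before touching the DB.
    if len(values) != 1 or not ORDER_ID_RE.fullmatch(values[0]):
        return 400, "invalid order_id"
    # Placeholder binding: the input is passed as data, never spliced into
    # the SQL text and never handed to a shell or system command.
    row = db.execute("SELECT status FROM orders WHERE id = ?",
                     (int(values[0]),)).fetchone()
    if row is None:
        return 404, "not found"
    return 200, row[0]


if __name__ == "__main__":
    db = make_db()
    for qs in ("order_id=1001", "order_id=abc", "order_id=1&order_id=2"):
        print(qs, "->", handle_request(db, qs))
```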
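The packet-filter policy and firewall log described above can be modelled as a first-match rule list with a default drop. This is an added example, not part of the original paper; the addresses are constructed, and port 1521 (the default Oracle listener port) is an assumption about which database the application queries.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport")
Rule = namedtuple("Rule", "action src dst proto dport")

# Constructed private addresses, assumptions for this example.
WEB_APP = "10.0.1.10/32"
DB_SERVER = "10.0.2.20/32"

# First match wins; a packet that matches no rule is dropped (default deny).
RULES = [
    Rule("DROP", "0.0.0.0/0", "0.0.0.0/0", "icmp", None),  # incoming ICMP requests
    Rule("ACCEPT", WEB_APP, DB_SERVER, "tcp", 1521),        # application queries only
]


def _in(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def matches(rule, pkt):
    """Compare the header fields a packet filter inspects."""
    return (rule.proto == pkt.proto
            and _in(pkt.src, rule.src)
            and _in(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def decide(pkt, rules=RULES):
    """Return (action, rule_index); rule_index is None for the default drop."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "DROP", None


def filter_log(packets, rules=RULES):
    """Return one log record per dropped packet, for later review."""
    log = []
    for pkt in packets:
        action, idx = decide(pkt, rules)
        if action == "DROP":
            log.append((pkt.src, pkt.proto, pkt.dport, idx))
    return log
```

Recording the rule index with each drop separates traffic rejected by an explicit rule from traffic that fell through to the default, which keeps the audit trail easier to investigate.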
Database servers are fundamental, essential and of the greatest value in each and every sector, including Education, Health, Military, Manpower, Economics, Modern Arts and Sciences, Information Technology, Electronic Businesses, Financial Institutions and Enterprise Resource Planning (ERP) systems, and they generally contain sensitive information for business firms, customers, marketers and all stakeholders.
The functions and purposes of database servers depend heavily on the particular intentions of their users in applying the services provided by the operating systems. Some good security practices for database servers are to:
use multiple passwords to access the multiple functions of a server, such as using one password to access the single system for administration;
apply a different password for another operation;
audit each and every transaction of the database;
use an application-specific user name and password, and never use a default user name or password;
back up the system thoroughly for later recovery in case of accidental breakdown.
There is no value in letting the end user know the name and location of a database. Moreover, exposing the physical location and name of every database can be a huge danger to the system. To cover up this information, it is better to use service names and aliases. Several copies should be made of the important files that control access to the database services. Each copy should be associated with a particular user group, and the members of each group should be allowed to access only the documents relevant to them.
Institutions, organizations and business firms mainly store their important information and valuable assets in digital form in online databases. The safety and security of databases therefore play an essential role for enterprises in the modern world. To protect the database from harm is to protect the companies' intangible information resources and digital assets. A database is a multifaceted system that is very complicated to handle and difficult to protect from intruders.
Last but not least, database protection must be taken as seriously for the confidentiality, availability and integrity of the organization as the other security measures. It has diverse aspects that need to be covered. Although auditing is critical, analysis is also very tough, and capable analytical tools would be an enormous contribution to protecting the online integrity of the database system. Corporate safety and security measures should be reinforced. Authentication and encryption will play an essential role in modern database protection and security systems.