1. Executive Summary

This paper highlights the security model used in two of the most popular databases: Oracle and MySQL. Though both offer a comprehensive list of security features, Oracle is ahead of MySQL on the basis of its offering.

2. Introduction

Running through the timeline of databases: in earlier times, elaborate database systems were developed only by government offices, libraries, hospitals and business organizations. The history of databases is a tale of experts trying to make sense of the complexity involved. The key lesson from that experience is that the way a database is structured becomes the foundation of how its data is managed. The speed at which data is produced is growing many-fold every day, and access to this data has become an essential part of our lives.

Surveying the history of databases illuminates a lot about how we come to terms with the world around us, and how organizations have come to terms with us. Edgar Codd introduced the revolutionary relational database model with the following declaration: "Future users of large data banks must be protected from having to know how the data is organized in the machine (the internal representation)." Security was a major aspect while structuring databases. Consider an instance where you are running a multibillion-dollar company and your database holds the complete information of customers who have placed their trust in you; a database with a security model becomes indispensable.

2.a Objective

The objective of this paper surrounds the security of databases. Database security concerns the use of information security controls to protect the data and the database applications against compromises of their confidentiality, integrity and availability. Data integrity becomes a key factor in a transactional database system: if the database of a bank is attacked, it may result in the leaking of confidential information and may cause losses of millions. To make the system less vulnerable and more robust, security is an essential component of the system.
2.b DBMS Covered

In this paper we discuss two leading enterprise database systems, Oracle and MySQL. MySQL is a multithreaded, multi-user SQL database management system (DBMS). MySQL is a robust database system and is the world's most used open source RDBMS. It is the most popular choice for use in web applications, used by companies including Facebook, YouTube, Twitter, Yahoo! and many more.

Oracle has become a major presence in the database world and is a favoured choice among large corporations and financial institutions. Oracle provides a database system that reliably manages huge amounts of data in a multi-user environment so that users can simultaneously see the same data. The database server also provides efficient solutions for failure recovery and prevents unauthorized access.

2.c DBMS Function

The major talking point is the security systems implemented and used by these DBMS. Security risks to database systems include, for example:
· Unauthorized or unintended activity or misuse by authorized database users, which can hamper the integrity of confidential data.
· Unauthorized access, which can result in disclosure of proprietary data or personal information, denial of service, deletion of or damage to the data or programs, attacks on other systems and the unanticipated failure of database services.
· Design flaws and programming bugs in databases that may make the data vulnerable, resulting in data loss or corruption.
· Data corruption and/or loss caused by manual intervention that may critically damage the data.

2.d Limitation of the Paper

The purpose of this paper is to classify the security implemented by both the MySQL and Oracle databases and to word my thoughts regarding the same. My knowledge of these databases and the security they provide is limited to the sources I have read; for better visibility into the sets of functions they provide, I would like to have complete hands-on experience with both databases before commenting on which one is better for security purposes. The documentation Oracle provides is much more detailed, but it is also a sales pitch for why only Oracle Database should be used; in actual fact no system is perfect, and to get a real feel for these systems one needs working experience with them. This paper hence does not conclude which database is better.

3. Overview of DBMS Systems

Below is a brief history and overview of the DBMS covered in this paper.

3.a Oracle Database

Oracle was founded by Larry Ellison, Bob Miner, Ed Oates and Bruce Scott in August 1977. The database was initially named after "Project Oracle", a project for the C.I.A. The company was named "Software Development Laboratories" (SDL) and was later renamed Relational Software Inc. (RSI). Oracle's database was the first commercially available SQL-based RDBMS. The company launched it as "version 2" when it was released in 1979, because there were concerns that customers might view a "version 1" as unready and untested. The version 2 database was so popular and successful that the company later named itself after its most successful product.
Version3, released in 1983, was the first to use the C programming language,increasing its utility and adaptability.Below table provides variousversions of Oracle released over the years and the functionality they added. 1979 Oracle 2 Launched First Commercially available RDBMS 1983 Oracle 3 Introduced Portability 1984 Oracle 4 Introduced Transactional Integrity ,Read Consistency 1984 Oracle 5 Client/Server. Clustering Technology, auditing 1988 Oracle 6 PL/SQL, hot backup capability, OLTP high-speed systems, row level locking 1992 Oracle 7 PL/SQL stored procedure and triggers 1997 Oracle 8 Supports Object Storage and multimedia application 1999 Oracle 8i aims to support internet applications with the Java Virtual Machine(VM) embedded.
2001,2002 Oracle9i Supports RAC and XML storage 2003 Oracle 10g enables the database to be grid computing ready and emphasis on easy to install, deploy and manage. 2007,2009 Oracle 11g introduced Exadata machine with Oracle Database 11g built in. Marked the start of the database engineered system. 2013 Oracle 12c supports multi-tenant database architecture to make the database ready for cloud deployments. 2016 Oracle 12cR12 support database sharing for distributed database management. In this release, Oracle chooses “Cloud First” strategy, which leads to providing in cloud release before the on-premises release. The Oracle Database is an industry leaderin its field, and it makes an important contribution to information technologyfor businesses and organizations around the world. The Oracle system continuesto grow and develop to keep pace with the times, and its innovations set thestandards that other companies follow.
As Oracle's database continues to adapt and change over time, so too do the businesses that rely on this technology to stay abreast of the changing nature of the business world.

3.b MySQL Database

MySQL Server is one of the most widely used relational database management systems. It is estimated that over 100 million copies of MySQL Server have been downloaded worldwide by individuals, corporations and small organizations. It was created by MySQL AB, a company founded in 1995 in Sweden. In 2008, MySQL AB announced that it had agreed to be acquired by Sun Microsystems for $1 billion. MySQL is an open source database server, available free of charge in its community edition, that provides numerous advanced database features. Open source means that the source code is available and anyone can tailor it to their requirements. Companies prefer MySQL because they do not have to pay anything for the community edition. It is a cross-platform database server that runs on a variety of platforms including Windows, OS/2, Linux and Solaris. The portability of MySQL Server makes it suitable for applications that target multiple platforms, particularly web applications. MySQL has APIs for all the major programming languages and integrates easily with PHP, Python, C, C++, Perl and Ruby. The table below lists the major milestones of MySQL over the years.

Year   Milestone
1995   MySQL AB founded by Michael Widenius, David Axmark and Allan Larsson
2000   MySQL goes open source; the software is released under the terms of the GPL
2004   The company decides to focus on recurring end-user revenue instead of one-time licensing fees
2005   MySQL Network launched, modelled after the Red Hat Network
2008   Sun Microsystems acquires MySQL AB for approximately $1 billion
2010   Oracle acquires Sun Microsystems

4. Security in Database Systems

Database security is any form of security used to protect databases and the information they contain from compromise. Database security is more than just important: it is an absolutely essential part of any company. It prevents the compromise or loss of data contained in the database, an event which could have serious ramifications for any company.
Some of the functions of database security include:
· Blocking attacks from unauthorized users or hackers, which prevents the loss of sensitive information.
· Stopping viruses from stealing data and preventing malware infections.
· Making sure that physical damage to the server does not result in loss of data.
· Preventing data loss through corruption of files or programming errors.
There are various techniques used in database security. Below is a short overview of them.

· Access Control
Access control makes sure that all communication between the database and other system objects follows defined policies and is controlled. This prevents tampering by any attacker, internal or external, and thus protects the database from potential errors. Restricting access also reduces the risks that may impact the functioning and security of the database. For instance, through access control, accidental deletion or update of key tables can be avoided. Access control systems include:
o File permissions: create, read, edit or delete a file on a file server.
o Program permissions: the right to execute a program on an application server.
o Data rights: the right to retrieve or update information in a database.

· Inference Policy
An inference policy protects data at a specific classification level. It applies when the derivation of particular facts from data held at a lower level must be prevented at a higher security level. It helps determine how to protect information from being released. The aim of inference control is to avoid indirect disclosure of information. Generally, there are three routes to unauthorized data disclosure:
o Correlated data: visible data is correlated with invisible data, so the hidden value can be deduced from the visible one.
o Missing data: the result of a query contains NULL values that mask sensitive data, and the pattern of NULLs itself reveals that something sensitive is there.
o Statistical inference: databases that provide statistical summaries about entities can be queried so that the aggregates reveal individual values.

· User Authentication & Authorization
Users can be authenticated in a number of ways before a database session is allowed. With database authentication, users are defined such that the database itself performs both identification and authentication. With external authentication, users are defined such that authentication is performed by the operating system or a network service; alternatively, the same can be done with certificates over SSL/TLS. For enterprise users, an enterprise directory can be used to authorize their access to the database through roles.
Finally, users can be allowed to connect through a middle-tier server. This server authenticates and assumes the identity of the user and is allowed to enable specific roles for the user; this is called proxy authentication. While authentication verifies the user's identity, authorization verifies that the user in question has the correct permissions and rights to access the database. This is the most basic requirement for security, since the identification process defines the set of people that are allowed to access data. Authenticating the identity keeps sensitive data from being read or modified by unauthorized users. An attacker can take different approaches: bypassing authentication, default passwords, privilege escalation, and password guessing by brute force.

· Accountability & Auditing
Accountability and audit checks are necessary to ensure the integrity of the data; this requires defined access to the database and is handled through auditing and record keeping. Auditing is the monitoring and recording of configured database actions, from both database users and non-database users. Accounting is the process of maintaining an audit trail of user actions on the system. If a user has authenticated successfully and tries to access a resource, both successful and unsuccessful attempts should be monitored by the system, and access attempts and their status should be logged in the audit trail.

· Encryption
Encryption is the process of transforming data so that it is unreadable by anyone who does not have the decryption key; the transformed text is called ciphertext. Data that travels across the network is unsafe, since anyone with access to the network can eavesdrop on it, so data in transit should be encrypted. The same applies to data at rest, i.e. stored in a database file or on backup tape. For data in transit, SSL/TLS is used; for data at rest, the database or storage layer encrypts files or columns with keys that are kept outside the data files themselves.
· Backup
Backup is also a very important security control, which preserves the data in case of an attack. A database backup is a copy of the operational state, architecture and stored data of the database software; it enables the creation of a duplicate instance or copy of the database. Securing your data in this way helps prevent:
o Accidental or malicious damage or modification to data
o Theft of valuable data
o Breach of confidentiality agreements and privacy laws
o Premature release of data, which can void intellectual property claims
o Release of data before it has been checked for accuracy and authenticity
Regular backups protect against the risk of damage or loss due to hardware failure, software or media faults, viruses or hacking, power failure, or even human error. A backup that is not itself encrypted and access-controlled is simply a second copy of the data for an attacker, so the controls above apply to backups as well.
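The statistical-inference route described under Inference Policy above, as an added example that is not part of the original paper: a "tracker" attack on a payroll table, and why a query-set-size limit on its own does not stop it. The payroll table and its rows are constructed for this illustration and the three-row minimum is an arbitrary choice; the SQL is written to run unchanged on both Oracle and MySQL.

```sql
-- Added example, not from the paper. Constructed sample data.
CREATE TABLE payroll (
  emp_id   INT PRIMARY KEY,
  emp_name VARCHAR(30),
  dept     VARCHAR(10),
  salary   INT
);
INSERT INTO payroll VALUES (1, 'Alice', 'Eng',   9000);
INSERT INTO payroll VALUES (2, 'Bob',   'Eng',   7000);
INSERT INTO payroll VALUES (3, 'Carol', 'Eng',   7500);
INSERT INTO payroll VALUES (4, 'Dan',   'Sales', 6000);
INSERT INTO payroll VALUES (5, 'Eve',   'Sales', 6500);

-- Query-set-size control: a statistic is only released when at least
-- three rows contribute to it; otherwise the aggregate comes back NULL.
-- A direct probe for one person is therefore refused ...
SELECT COUNT(*) AS n,
       CASE WHEN COUNT(*) >= 3 THEN SUM(salary) END AS total
FROM payroll
WHERE emp_name = 'Alice';            -- n = 1, total = NULL

-- ... but two permitted queries whose sets differ by exactly that person
-- leak the value as a difference (a "tracker").
SELECT COUNT(*) AS n,
       CASE WHEN COUNT(*) >= 3 THEN SUM(salary) END AS total
FROM payroll;                        -- n = 5, total = 36000

SELECT COUNT(*) AS n,
       CASE WHEN COUNT(*) >= 3 THEN SUM(salary) END AS total
FROM payroll
WHERE emp_name <> 'Alice';           -- n = 4, total = 27000
-- 36000 - 27000 = 9000, which is Alice's salary.

-- The same control applied per group: the small Sales group (n = 2) is
-- suppressed, but the Eng average is released because n = 3.
SELECT dept,
       COUNT(*) AS n,
       CASE WHEN COUNT(*) >= 3 THEN AVG(salary) END AS avg_salary
FROM payroll
GROUP BY dept;                       -- Eng: 7833.33..., Sales: NULL
```

The size limit only blocks the obvious single-row query. Stopping the tracker needs a second control that the size check does not give: limiting how much two query sets answered to the same requester may overlap (which requires auditing the query history), perturbing the released statistics, or publishing only fixed pre-aggregated views whose groups are all above the minimum size.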
4.a Approach to Security: Oracle Database

· Authentication
Oracle has multiple ways to authenticate users. As the most common vulnerabilities are default accounts and passwords, Oracle locks most default accounts and sets their passwords to expire upon installation. Oracle also provides profiles (limits on failed logins, password lifetime and reuse, and a password verification function) to further protect database accounts. There are also operating-system-authenticated accounts: Oracle trusts that the operating system has already authenticated the user and checks only that the OS user name (prefixed by OS_AUTHENT_PREFIX, "OPS$" by default) matches a database account; no database password is involved. Oracle can be configured to trust either a remote operating system (REMOTE_OS_AUTHENT, which is insecure and deprecated) or only the local operating system. When additional controls are required, Oracle can use strong authentication such as that provided by PKI, Kerberos or RADIUS; the capability of leveraging these multiple authentication methods is provided through Oracle Advanced Security. In addition, Oracle ships a default password complexity check with the database: the script is called utlpwdmg.sql and can be found in $ORACLE_HOME/rdbms/admin. It creates a verification function that is attached to a profile through PASSWORD_VERIFY_FUNCTION.

· Access Control
Broadly, Oracle supports five features for access control:
o Privileges: every object has an owner, and privileges control whether a user can access or modify an object owned by another user. They are further classified into:
§ System privileges: a system privilege gives a user the ability to perform system-level activities across multiple objects in the database (for example CREATE SESSION or SELECT ANY TABLE).
§ Object privileges: an object privilege enables a user to perform defined operations on a specific object. Separate object privileges are available for each object type.
o Views: a view is a presentation of data selected from one or more tables (possibly including other views). Because a view exposes only the selected rows and columns, granting access to the view rather than to the base table hides the rest of the table's structure and data from the grantee.
o Stored procedures: for PL/SQL users, access control affects the ability to create, alter, drop or execute PL/SQL procedures and functions, including packages and their member procedures and functions. A procedure that runs with definer's rights lets callers operate on tables they cannot touch directly, so EXECUTE on the procedure becomes the effective privilege.
o Roles: role-based access control (RBAC) groups privileges into named roles that are granted to users or to other roles, so that capabilities that would otherwise require a superuser can be divided among several administrators and changed in one place. Roles can be password-protected, enabled or disabled per session with SET ROLE, and marked as default roles for a user.
o Virtual Private Database (VPD): VPD enables you to create security policies that control database access at the row and column level by appending a predicate to every statement issued against the protected table.

· Encryption
Oracle Advanced Security TDE tablespace encryption was introduced with Oracle Database 11g Release 1. To protect data files, Oracle Database provides Transparent Data Encryption (TDE). TDE encrypts sensitive data stored in data files, at column or tablespace granularity. To prevent unauthorized decryption, TDE stores the master encryption key in a security module external to the database, called a keystore (a software wallet or a hardware security module).

· Auditing
Oracle Database records audit activities in audit records. Audit records provide information about the operation that was audited, the user performing the operation, and the date and time of the operation. Two types of storage are available: a data dictionary table, called the database audit trail, or operating system files, called the operating system audit trail.

4.b Approach to Security: MySQL

· Authentication
Apart from using a username and password, MySQL adds a location parameter when authenticating a user. The location parameter is usually the host name, an IP address or a wildcard. This allows database access to be restricted based on host or IP address. It also allows different passwords and access privileges based on the location from which the connection is made, since 'user'@'host1' and 'user'@'host2' are distinct accounts.

· Authorization and Access Control
Where access control is concerned, MySQL uses a hierarchical privilege system. There are basically five levels of privileges:
Global; Per host (the host part of the account name); Database level; Table specific; Column specific.
(Stored routines have their own privilege scope as well.) A user's effective privileges are the union of the privileges granted at every level: a privilege granted at a higher level applies to everything below it and cannot be taken away again by the absence of a grant at a lower level.
There are two types of privileges supported by MySQL:
Administrative privileges: global privileges that have a server-wide effect and are concerned with the functioning of MySQL.
Per-object privileges: can be granted with different scopes. These privileges are concerned with database objects like tables, columns, indexes and stored procedures.

Within MySQL 5.7 there is no concept of a role, therefore all users with the same permission level need to have their permissions assigned separately. (Roles were added in MySQL 8.0.)

· Access Control List
MySQL bases its main security technique on an access control list (ACL). ACLs work by allowing different users to have varying levels of access to databases and tables, and the ability to perform operations, as permitted in their individual user profiles. Some users are allowed full privileges, which allow all of the standard database operations such as SELECT, INSERT, UPDATE and DELETE. A user with limited privileges would only be able to use a subset of the possible operations. The level of access is determined by the DBA and the needs of the user.

· Encryption
To protect sensitive data throughout its lifecycle, MySQL Enterprise Encryption provides industry-standard functionality for asymmetric encryption. MySQL Enterprise Encryption provides encryption, key generation, digital signatures and other cryptographic features, exposed as SQL functions, to help organizations protect confidential data and comply with regulatory requirements including HIPAA, Sarbanes-Oxley and the PCI Data Security Standard. These functions encrypt individual values explicitly in SQL statements; they are not a transparent encryption of the data files.

4.c Security Comparison: Oracle vs MySQL

The table below gives a high-level comparison of security features between the two:

Characteristic                                        Oracle   MySQL
Limited data access based on privileges               Yes      Yes
Data access control at lower levels (table, column)   Yes      Yes
Role-based data access control                        Yes      No (MySQL 5.7; roles were added in 8.0)
Out-of-the-box granular auditing                      Yes      No (the audit log plugin is an Enterprise feature)
Out-of-the-box database data encryption               Yes      No (InnoDB tablespace encryption arrived in 5.7.11 with the keyring_file plugin)
Encrypted communication for data in transit           Yes      Yes

Though both Oracle and MySQL provide comprehensive security features, Oracle comes out as the winner. Its built-in auditing (with Audit Vault available as a separate product), role-based access control and database data encryption (part of the separately licensed Oracle Advanced Security option) are very useful, especially for big organizations.
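The controls described in 4.a and 4.b and summarised in the table above, as an added example that is not part of the original paper: one least-privilege setup expressed first for Oracle Database 12c and then for MySQL 5.7. The schema names app and shop, the tables and columns, the account app_ro, the network 10.0.1.0/24, the keystore path and all passwords are assumptions made for this illustration.

```sql
-- Added example, not from the paper. Names, hosts and passwords are assumed.

------------------------------------------------------------------------
-- Oracle Database 12c: run as a DBA connected to the target (pluggable) DB
------------------------------------------------------------------------
-- 1. Authentication: password policy through a profile. utlpwdmg.sql ships
--    with the database and creates ora12c_verify_function (SQL*Plus syntax).
@?/rdbms/admin/utlpwdmg.sql
CREATE PROFILE app_profile LIMIT
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24      -- one hour, expressed in days
  PASSWORD_LIFE_TIME       90;
CREATE USER app_ro IDENTIFIED BY "Str0ng-Passw0rd!"   -- must satisfy the verify function
  PROFILE app_profile PASSWORD EXPIRE;                -- forced change at first login

-- 2. Access control: privileges are bundled in a role and granted on a
--    view, so the base table (and its card_number column) stays out of reach.
CREATE ROLE acct_reader;
GRANT CREATE SESSION TO acct_reader;                  -- system privilege
CREATE VIEW app.accounts_public AS
  SELECT account_id, owner, balance FROM app.accounts;
GRANT SELECT ON app.accounts_public TO acct_reader;   -- object privilege on the view
GRANT acct_reader TO app_ro;

-- 3. Virtual Private Database: a row filter appended to every statement
--    against app.accounts, including statements that go through the view.
--    Assumes the owner column holds the database user name (upper case).
CREATE OR REPLACE FUNCTION app.owner_only(p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'owner = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema   => 'APP',
                      object_name     => 'ACCOUNTS',
                      policy_name     => 'accounts_owner',
                      function_schema => 'APP',
                      policy_function => 'OWNER_ONLY',
                      statement_types => 'SELECT,UPDATE,DELETE');
END;
/

-- 4. Auditing: traditional audit trail; rows land in DBA_AUDIT_TRAIL when
--    the AUDIT_TRAIL initialization parameter is DB (or in OS files when OS).
AUDIT SELECT, UPDATE, DELETE ON app.accounts BY ACCESS;

-- 5. TDE tablespace encryption (12c keystore syntax; keystore path assumed).
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/oracle/wallet' IDENTIFIED BY "Keyst0re-Pw";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Keyst0re-Pw";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "Keyst0re-Pw" WITH BACKUP;
CREATE TABLESPACE app_secure DATAFILE 'app_secure01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);

------------------------------------------------------------------------
-- MySQL 5.7: run as root
------------------------------------------------------------------------
-- 1. Authentication: the host is part of the account name, TLS is required
--    for this account, and validate_password enforces complexity.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = MEDIUM;
CREATE USER 'app_ro'@'10.0.1.%' IDENTIFIED BY 'Str0ng-Passw0rd!'
  REQUIRE SSL
  PASSWORD EXPIRE INTERVAL 90 DAY;

-- 2. Access control at database, table, column and routine scope. The
--    effective privileges are the union of all scopes, so nothing here
--    "overrides" anything else; the column grant deliberately omits
--    card_number, which is the MySQL counterpart of the Oracle view.
GRANT SELECT ON reports.* TO 'app_ro'@'10.0.1.%';                         -- database
GRANT SELECT, INSERT ON shop.orders TO 'app_ro'@'10.0.1.%';               -- table
GRANT SELECT (account_id, owner, balance) ON shop.accounts
  TO 'app_ro'@'10.0.1.%';                                                 -- column
GRANT EXECUTE ON PROCEDURE shop.post_order TO 'app_ro'@'10.0.1.%';       -- routine
-- Without roles (pre-8.0) the same GRANTs are repeated for every account
-- with this job; MySQL 8.0 adds CREATE ROLE and GRANT role TO user.
SHOW GRANTS FOR 'app_ro'@'10.0.1.%';
```

On Oracle, the keystore location must already be configured for the instance (ENCRYPTION_WALLET_LOCATION in sqlnet.ora for 12c) before the ADMINISTER KEY MANAGEMENT commands run, and the AUDIT statement records nothing unless AUDIT_TRAIL is set to DB or OS. On MySQL, SHOW GRANTS lists the grants scope by scope, which is the quickest way to confirm that no global or database-level SELECT has quietly widened the column-level restriction on shop.accounts.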
6. Conclusion

Oracle has ages of experience in building robust databases and implementing the best security practices. My opinion leans towards using Oracle, as it is the first preference of companies that have data of economic significance, which gives it an extra edge over MySQL. MySQL, however, is open source, and in the current world people are adopting more open platforms to reduce their costs. In the end it depends on the organization which relational database it adopts for its business operations. I would like to conclude that both databases have laid out a security model; for very large systems and systems requiring a high level of security, such as banking systems, Oracle is the go-to database, while MySQL is free and robust and is suitable for medium-sized applications. Having said that, this does not mean MySQL cannot handle large applications.

7. Learnings

From this paper we learn the security models of two very popular databases, the various features they offer and their limitations.
8. List of References

· https://www.club-oracle.com/threads/oracle-security-versus-mysql-security.16056/
· http://gleamly.com/article/mysql-vs-oracle-security
· https://www.oracle.com/webfolder/s/delivery_production/docs/FY15h1/doc6/security-compliance-wp.pdf
· https://dev.mysql.com/doc/refman/5.7/en/security.html
· https://docs.oracle.com/cd/B28359_01/network.111/b28531/intro.htm#DBSEG001