This paper highlights the security
model used in two of the most popular databases: Oracle and MySQL. Though both offer
a comprehensive list of security features, Oracle is ahead of MySQL based on its
Running through the timelines of
databases, in earlier times elaborate database systems were developed only by
government offices, libraries, hospitals, and business organizations.
The history of databases is a tale
of experts trying to make sense of the complexity involved. The key lesson
drawn from past experience is how to structure a database so that it becomes
the foundation for managing data. The speed at which data is produced grows
many fold every day, and access to this data has become an essential part of
our lives. Surveying the history of databases illuminates a lot about how we
come to terms with the world around us, and how organizations have come to
terms with us.
Edgar Codd provided the revolutionary relational database model with the
following declaration:
“Future users of large data banks
must be protected from having to know how the data is organized in the machine
(the internal representation).”
Security was a major aspect while
structuring databases. Think about an instance where you are running a
multibillion-dollar company and your database holds the complete information of
customers who have placed their trust in you; a database having a security model
The objective of this paper surrounds
the security of databases. Database security concerns the use
of information security controls to protect the data and the database
applications against compromises of their confidentiality, integrity and
availability. Data integrity becomes a key factor in a transactional database
system: for instance, if the database of a bank is attacked it may result in
leaking of confidential information and may cause losses of millions. To make the
system less vulnerable and more robust, security is an important component to a
2.b DBMS Covered
In this paper we discuss the
leading enterprise database systems, Oracle and MySQL.
MySQL is a multithreaded, multi-user SQL
database management system (DBMS). MySQL is a robust
database system and is the world's most used open source RDBMS. MySQL is the
most popular choice for use in web applications, used by companies including
Facebook, YouTube, Twitter, Yahoo! and many more.
Oracle has become a major
presence in the database world and is a popular choice among large corporations and
financial institutions. Oracle provides a database system that reliably manages
huge amounts of data in a multi-user environment so that users can simultaneously
see the same data. A database server also provides efficient solutions for
failure recovery and prevents unauthorized access.
2.c DBMS Function
The major talking point is the
security systems implemented and used by these DBMS.
Security risks to database systems include, for example:
· Unauthorized or unintended activity or misuse by authorized database users,
which can hamper the integrity of confidential data.
· Unauthorized access, which can result in disclosure of proprietary data or
personal information, denial of service, deletion of or damage to the data or
programs, attacks on other systems and the unanticipated failure of database
services.
· Design flaws and programming bugs in databases that make the data
vulnerable, resulting in data loss or corruption.
· Data corruption and/or loss caused by manual intervention that may
critically damage the data.
2.d Limitation of
The purpose of this paper is to classify the
security implemented by both the MySQL and Oracle databases and to word my thoughts
regarding the same. I limit my knowledge of these databases and the security
they imply merely to the sources I have read, although for better visibility of
the sets of functions they imply I would like to have complete hands-on
experience of both databases to comment on which one is better for security
The documentation Oracle provides is much more
detailed, but it gives a great sales pitch of why only Oracle Database; in
actuality no system is perfect, and to get a real feel for the systems one might
need to have working experience with them. This paper hence does not conclude
which database is better.
Overview of DBMS Systems
Below is a brief history and
overview of the DBMS that are covered in this paper.
3.a Oracle Database
Oracle was founded by
Larry Ellison, Bob Miner, Ed Oates and Bruce Scott in August 1977. It was
initially named after "Project Oracle", which was a project for the
C.I.A. The company was named "Systems Development Labs", or SDL, and was
later renamed Relational Software Inc (RSI).
Oracle's database was the first
commercial RDBMS. The company launched it as "version 2" when it was released
in 1979, because there were concerns that consumers might view a "version 1" as
unready and untested. The version 2 database was so popular and successful that
the company eventually named itself after its most successful product. Version
3, released in 1983, was the first to be written in the C programming language,
increasing its utility and adaptability.
Below is a list of the functionality added by the various versions of Oracle
released over the years:
· Launched first commercially
· Integrity, read consistency
· PL/SQL, hot backup capability, OLTP high-speed systems, row-level locking
· PL/SQL stored procedure and
· Supports object storage and aims to support internet applications with the
Java Virtual Machine (JVM) embedded
· Supports RAC and XML storage
· Enables the database to be grid computing ready, with emphasis on being easy
to install, deploy and manage
· Introduced the Exadata machine with Oracle Database 11g built in. Marked the
start of the database engineered
· Supports multi-tenant database architecture to make the database ready for
cloud deployments
· Supports database sharding for distributed database management. In this
release, Oracle chose a "Cloud First" strategy, which leads to providing the
cloud release before the
The Oracle Database is an industry leader
in its field, and it makes an important contribution to information technology
for businesses and organizations around the world. The Oracle system continues
to grow and develop to keep pace with the times, and its innovations set the
standards that other companies follow. As Oracle’s database continues to adapt
and change over time, so too do the businesses that rely on this technology to
stay abreast of the changing nature of the business world.
3.b MySQL Database
MySQL server is one of the most widely used
relational database management systems. It is estimated that over 100 million
copies of MySQL server have been downloaded worldwide by individuals, corporate
companies and small-scale organizations. It was created by MySQL AB, a company
founded in 1995 in Sweden. In 2008, MySQL AB announced that it had agreed to be
acquired by Sun Microsystems for $1 billion.
MySQL is an open source and free
database server that provides numerous advanced database functionalities. Open
source software means that the code of the software is available and
anyone can tailor it to their requirements. Companies prefer MySQL
because they don't have to pay anything for this excellent product. It is a
cross-platform database server and can be run on a variety of platforms including
Windows, OS/2, Linux and Solaris. The portability of MySQL server makes it suitable
for applications that target multiple platforms, particularly web applications.
MySQL has APIs for all the major programming languages and can be integrated
easily with languages like PHP, Python, C, C++, Perl and Ruby.
Below is a list of the milestones in MySQL's history over the years:
· Founded by Michael Widenius, David Axmark and Allan Larsson
· MySQL goes open source and releases the software under the terms of the GPL
· The company decided to focus more on recurring end-user revenue instead of
one-time licensing fees
· Launched the MySQL Network, which was modeled after the Red Hat Network
· For approximately $1 billion, Sun Microsystems acquired MySQL AB
· Oracle acquires Sun Microsystems
4. Security in Database Systems
Database security is any form of
security used to protect databases and the information they contain from
compromise. Database security is more than just important: it is an absolutely
essential part of any company. It prevents the compromise or loss of data
contained in the database, an event which could have serious ramifications for
any company. Some of the functions of database security include:
· Blocking attacks from unauthorized users or hackers, which prevents the loss
of sensitive information.
· Stopping viruses stealing data and preventing
· Making sure that physical damage to the server doesn't result in loss of data.
· Preventing data loss through corruption of files or programming errors.
There are various techniques used
in database security. Below is a short overview of each.
· Access Control
Access control makes sure that all communications between
databases and other system objects follow the defined policies and are
controlled. This prevents tampering by any attacker, internal or external, and
thus protects the database from potential errors. Restricting access also
reduces the risks that may impact the functioning and security of the database. For
instance, through access control, accidental deletion or update of key tables
can be avoided.
Access control systems include:
· File permissions: create, read, edit or delete on a file server
· Program permissions: the right to execute a program on an application server
· Data rights: the right to retrieve or update information in a database
· Inference Policy
An inference policy protects data at a specific level. It
can be applied when analysis of particular data in the form of facts is
required to be prevented at a certain higher security level. It helps to
determine how to protect information from being released. The aim of
inference control is to avoid indirect disclosure of information.
Generally, there are three ways to infer unauthorized data:
· Correlated data: when visible data is correlated with invisible data
· Missing data: the result of a query contains NULL values that mask sensitive
data
· Statistical inference: for databases that provide statistical information
about entities
· User Authentication & Authorization
Users can be authenticated in a number of ways before a
database session is allowed. In database authentication, you can define users
such that the database performs both authentication and identification of
users. In external authentication, we
can define users such that authentication is performed by the operating system
or a network service. Alternatively, the same can be done by the Secure Sockets Layer
(SSL). For enterprise users, an enterprise directory can be used to authorize
their access to the database through roles. Finally, users can be allowed to
connect through a middle-tier server. This server authenticates and assumes the
identity of the user and is allowed to enable specific roles for the user. This
is called proxy authentication. While authentication verifies the user's
identity, authorization verifies that the user in question has the correct
permissions and rights to access the database.
This is the very basic requirement to ensure security,
since the identification process defines the set of people that are allowed to
access data. To ensure security, the identity is authenticated, which keeps
sensitive data secure from being modified by unauthorized users. Attackers
can take different approaches such as bypassing authentication, default passwords,
privilege escalation and password guessing by brute force.
· Accountability & Auditing
Accountability and audit checks are necessary to ensure the
physical integrity of the data, which requires defined access to the databases;
this is handled through auditing and record keeping. Auditing is
the monitoring and recording of configured database actions, from both database
users and non-database users. Accounting is the process of maintaining an audit
trail of user actions on the system. If a user has managed to authenticate
successfully and tries to access a resource, both successful and unsuccessful
attempts should be monitored by the system, and access attempts and their
status should be logged in the audit trail files.
· Encryption
Encryption is the process of transforming data so
that it is unreadable by anyone who does not have the decryption key. The encoded
text is called encrypted data. Data that travels across the network is
unsafe, and anyone who has access to the network can spy on it, so this travelling
data should be encrypted. The same applies to data at rest, i.e. stored in a
database or on backup tape. For data in transit, techniques such as SSL/TLS are
· Backup
Backup is also a very important security feature which
can save the data in case of attacks. Database backup is the process of backing
up the operational state, architecture and stored data of database software. It
enables the creation of a duplicate instance or copy of a database.
Securing your data will help to prevent:
· Accidental or malicious damage/modification to
· Theft of valuable data
· Breach of confidentiality agreements and privacy
· Premature release of data, which can void intellectual property claims
· Release before data have been checked for accuracy and authenticity
Regular backups protect against the
risk of damage or loss due to hardware failure, software or media faults,
viruses or hacking, power failure, or even human error.
4.a Approach to Security: Oracle Database
Oracle has multiple ways to authenticate users. As the
most common vulnerabilities are default accounts and passwords, Oracle has been
locking accounts and setting the passwords associated with most default
accounts to expire upon installation. Oracle also provides profiles to
further protect database accounts. There are operating-system-authenticated
accounts: essentially, Oracle trusts that the operating system has
authenticated the user and does not check the password itself. It can be configured to
trust either remote operating systems or only the local operating system. When
additional controls are required, it can
use strong authentication, such as the controls provided by PKI, Kerberos or
RADIUS. Oracle gives you the capability of leveraging multiple authentication
methods through Oracle Advanced Security. In addition, Oracle provides a
default password complexity check with the database. The script is called
utlpwdmg.sql and can be found in $ORACLE_HOME/rdbms/admin.
Broadly, Oracle supports five features for access control:
· Privileges: every object
has an owner. Privileges control whether a user can modify an object owned by
another user. They are further classified into:
System privileges: a system privilege gives a
user the ability to perform system-level activities across multiple objects in
Object privileges: an object privilege enables a
user to perform defined operations on a specific object. Separate object
privileges are available for each object type.
· Views: a view is a
presentation of data selected from one or more tables (possibly including other
views). In addition to showing the selected data, a view also shows the
structure of the underlying tables.
· Procedures: for PL/SQL users, access control affects the ability to
create, alter, drop or execute PL/SQL procedures and functions, including
packages and their member procedures and functions.
· Roles: role-based
access control (RBAC) is a security feature for controlling user access to tasks
that would normally be restricted to the superuser. By applying security attributes
to processes and to users, RBAC can divide up superuser capabilities among
several administrators. Process rights management is implemented through
privileges. User rights management is implemented through RBAC.
· Virtual Private Database (VPD): Oracle Virtual Private Database enables you to create
security policies to control database access at the row and column level.
Oracle Advanced Security TDE tablespace encryption was
introduced with Oracle Database 11gR1. To protect data files, Oracle Database
provides Transparent Data Encryption (TDE). TDE encrypts sensitive data stored
in data files. To prevent unauthorized decryption, TDE stores the encryption
keys in a security module external to the database, called a keystore.
Oracle Database records audit activities in audit records.
Audit records provide information about the operation that was audited, the
user performing the operation, and the date and time of the operation. Two
types of storage are available: a data dictionary table, called the database
audit trail, or operating system files, called an operating system audit
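The following Oracle SQL and PL/SQL is an added example, not code from the paper, putting the five access-control features and the audit trail described in this section to use. The HR schema, its tables, the account names and the mapping table HR.USER_DEPARTMENT are assumed for illustration.

```sql
-- Added example (not from the paper). Schema HR, tables HR.EMPLOYEES,
-- HR.SALARIES, HR.USER_DEPARTMENT and the user CLERK are assumed.

-- Profile: enforce the complexity function installed by utlpwdmg.sql (named
-- ORA12C_VERIFY_FUNCTION in 12c; the name depends on the release) and lock
-- the account after repeated failed logins.
CREATE PROFILE app_profile LIMIT
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LIFE_TIME       90;

-- Database-authenticated account attached to the profile.
CREATE USER clerk IDENTIFIED BY "Str0ng#Passw0rd!" PROFILE app_profile;

-- System privilege (log in) versus object privileges on one table;
-- UPDATE is narrowed to a single column.
GRANT CREATE SESSION TO clerk;
GRANT SELECT ON hr.employees TO clerk;
GRANT UPDATE (phone_number) ON hr.employees TO clerk;

-- Role: group object privileges once and grant the role to many users.
CREATE ROLE payroll_reader;
GRANT SELECT ON hr.salaries TO payroll_reader;
GRANT payroll_reader TO clerk;

-- View: expose only non-sensitive columns instead of the base table.
CREATE VIEW hr.employee_directory AS
  SELECT employee_id, first_name, last_name, department_id
    FROM hr.employees;
GRANT SELECT ON hr.employee_directory TO clerk;

-- VPD: the policy function returns a predicate that Oracle appends to every
-- SELECT on HR.EMPLOYEES, so each session sees only its own department.
-- The lookup uses a separate mapping table so the policy is not invoked
-- recursively on HR.EMPLOYEES itself.
CREATE OR REPLACE FUNCTION hr.dept_predicate (
    schema_name IN VARCHAR2, table_name IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  RETURN 'department_id IN (SELECT department_id FROM hr.user_department '
      || 'WHERE db_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_DEPT_POLICY',
    function_schema => 'HR',
    policy_function => 'DEPT_PREDICATE',
    statement_types => 'SELECT');
END;
/

-- Audit: record every UPDATE on the table in the database audit trail
-- (traditional auditing; one audit record per statement).
AUDIT UPDATE ON hr.employees BY ACCESS;
```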
4.b Approach to Security: MySQL
· Authentication
Apart from using a username and password,
MySQL adds a location parameter when authenticating a user. The location
parameter is usually the host name, IP address or a wildcard. This allows
database access restriction based on host or IP address. It also allows
different passwords and access privileges based on the location from which the
connection is made.
· Authorization and Access Control
As far as access control is concerned, MySQL uses a hierarchical privilege system that works with
inheritance. There are basically five levels of privileges:
· Per host basis
These are based
on inheritance. The privileges for a higher level are passed down to the lower level,
and they take precedence over privileges granted at higher levels.
There are two
types of privileges supported by MySQL:
· Global privileges: these have server-wide effect and are
concerned with the functioning of MySQL.
· Database object privileges: these can be granted with different scopes and are
concerned with database objects like tables, columns, indexes and stored procedures.
In MySQL there is no concept of a role, therefore all users with the same permission level
need to have their permissions assigned separately.
Access Control List
MySQL bases its
main security technique on an Access Control List (ACL). ACLs work by allowing
different users to have varying levels of access to databases and tables, and
the ability to perform operations, as permitted in their individual user
profiles. Some users are allowed full privileges, which allow all of the
standard database operations such as select,
insert, update and delete. A user with limited privileges would only be
able to use a subset of the possible operations. The level of access is determined
by the DBA and the needs of the user.
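The MySQL statements below are an added example, not from the paper, showing the location parameter and the privilege scopes described above. The database "shop", its tables and procedure, and the account names are assumed for illustration.

```sql
-- Added example (not from the paper). Database shop, tables shop.orders,
-- shop.customers, procedure shop.monthly_totals and the accounts are assumed.

-- Same user name, different locations: each pair is a distinct account with
-- its own password and privileges. The host part may be a name, an address
-- or a wildcard pattern.
CREATE USER 'app'@'localhost' IDENTIFIED BY 'LocalOnly#2024';
CREATE USER 'app'@'10.0.5.%'  IDENTIFIED BY 'AppSubnet#2024';
CREATE USER 'report'@'%'      IDENTIFIED BY 'ReadAnywhere#2024';

-- Global level: server-wide privilege, stored in mysql.user.
GRANT PROCESS ON *.* TO 'app'@'localhost';

-- Database level: every table in shop (mysql.db).
GRANT SELECT, INSERT, UPDATE ON shop.* TO 'app'@'10.0.5.%';

-- Table level: one table only (mysql.tables_priv).
GRANT SELECT ON shop.orders TO 'report'@'%';

-- Column level, the narrowest scope (mysql.columns_priv): report can read
-- two customer columns without the rest of the row.
GRANT SELECT (customer_id, customer_name) ON shop.customers TO 'report'@'%';

-- Routine level: execute a single stored procedure (mysql.procs_priv).
GRANT EXECUTE ON PROCEDURE shop.monthly_totals TO 'report'@'%';

-- Inspect the effective grants of each account. The server checks the
-- global, database, table and column levels in turn and a request is
-- allowed if any level grants it.
SHOW GRANTS FOR 'app'@'10.0.5.%';
SHOW GRANTS FOR 'report'@'%';

-- Without roles (as the paper notes; roles were added in MySQL 8.0), a second
-- reporting account needs the same grants repeated, and REVOKE is likewise
-- done per account.
REVOKE UPDATE ON shop.* FROM 'app'@'10.0.5.%';
```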
· Encryption
To protect sensitive data
throughout its lifecycle, MySQL Enterprise Encryption provides industry-
standard functionality for asymmetric encryption. MySQL Enterprise Encryption
provides encryption, key generation, digital signatures and other cryptographic
features to help organizations protect confidential data and comply with
regulatory requirements including HIPAA, Sarbanes-Oxley, and the PCI Data Security
4.c Security Comparison: Oracle vs MySQL
Below is a list of the high-level security features compared between the two:
· Limited data access based on privileges
· Data access control at lower level like
· Role-based data access control
· Out of the box granular auditing
· Out of the box database data encryption
· Encrypted communication for travelling
Though both Oracle and MySQL provide
comprehensive security features, Oracle comes out to be the winner. Its out-of-
the-box Audit Vault, role-based access control and database data encryption are
very useful, especially for big organizations.
Oracle has ages of experience in building robust
databases and implementing the best security practices. My opinion bends towards
using Oracle as it is the first preference of the companies that have data of
economic significance, which gives it an extra edge over MySQL, although MySQL
is open source and in the current world people are adopting more open
platforms to reduce their costs. At the end it depends from one organization to
another which relational database to adopt per their business operations.
I would like to conclude that both databases
have levied the security model, and for very large systems and systems requiring a
high level of security such as banking systems Oracle is the go-to database;
MySQL is free and robust and is suitable for medium-sized applications, having said
that this does not mean MySQL cannot handle large applications.
From this paper we can learn the security
model of the two very popular databases, the various features that they offer and