T 2.40 Complexity of database access
The users access one or more databases through a database management system (DBMS). This access is obtained directly by the user or through an application. In order to guarantee the integrity of a database, all database accesses must be controlled from a central location. If database access is designed poorly, the following security problems may be encountered, among others:
User authorisations
- If the scope of the authorisations granted to the users is defined too restrictively, the users may not be able to perform certain tasks due to the restrictions.
- However, if the scope of the authorisations granted is too extensive, the users may be able to see data not intended for them or data may be manipulated without authorisation.
- If the users are allowed to access the database directly (in contrast to access from inside an application), there is a potential threat of loss of integrity of the database due to data manipulation by users who may not be able to assess the effects of such manipulation.
Note: In addition to the actual data in a database, the properties of the individual database objects such as their structure, indexes, table keys, etc. are also stored in tables that can be accessed using SQL commands.
- If database objects are not protected explicitly by a corresponding authorisation and data access concept, there is a risk that the database objects themselves could be manipulated (manipulation of the fields of a table or of the table indexes, etc.). This can lead to a number of problems, including the destruction of the database.
Note: The use of data warehouses, online analytic processing (OLAP) systems, and query tools to grant users data access rights often creates security conflicts. On the one hand, the decision-makers want to use as much data as possible from heterogeneous data sources for evaluation purposes, but on the other hand, sensitive data needs to be protected against unauthorised access. The challenge is to design the access rights in such a way that they meet both the requirements in the field of data privacy and the requirements regarding the confidentiality of sensitive data, as well as the analysis requirements.
Remote access
- If access to the database is provided over a network, inadequate security precautions for remote access to the database may lead to manipulated data or the unauthorised reading of data (see also T 5.64 Manipulation of data or software in database systems).
Database queries
- If the access rights of the various user groups are not restricted to the level necessary to perform the corresponding tasks, the result may be the loss of the confidentiality of data requiring protection due to unauthorised access.
- The queries and calls sent to the database by users or applications must use a jointly agreed syntax or the default scope of the query language functionality provided by the DBMS to be accessed (e.g. ANSI SQL 99 for a relational database). If the entity placing the query does not abide by this syntax, the DBMS may not be able to process the database queries and may reject any further queries. This threat is particularly high when DBMSs from different providers are used and data is accessed from a single main application.
- The use of imprecisely formulated database queries may lead to the return of incorrect or unexpected results for the database query after changes have been made to the database objects. It is also possible that the entire database system becomes so busy processing unreasonable queries that it can no longer fulfil its actual purpose.
Examples:
- The "SELECT * FROM table" query returns all attributes and/or fields of a tuple or a record. The order of the fields returned in this case is determined by the technical structure of the table. Adding or deleting a field from the table, i.e. changing the technical structure of the table, can have potentially fatal effects on an application in which such a database query is used.
- Queries returning vast amounts of data are deliberately sent to the database to prevent access to the database (see T 5.65 Denial of services in a database system).
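The first example above, worked through as an added illustration that is not part of the catalogue text: a constructed users table (an assumption for this demonstration) is read once by column position via SELECT * and once by an explicit field list, then the table is rebuilt with a new field inserted mid-row, which is the kind of change to the technical structure the threat describes.

```python
import sqlite3

# Constructed sample data for the demonstration; the table and the later
# schema change are assumptions made here, not something from the catalogue.
INITIAL_ROWS = [(1, "alice@example.org", "active"), (2, "bob@example.org", "locked")]


def build_database():
    """Create an in-memory database with the original layout (id, email, status)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, status TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", INITIAL_ROWS)
    conn.commit()
    return conn


def migrate_insert_column(conn):
    """Schema change: a full_name field is added between id and email.
    Most DBMSs cannot insert a column in the middle of a table, so the table is
    rebuilt; the physical field order, and hence the SELECT * order, shifts."""
    conn.executescript("""
        ALTER TABLE users RENAME TO users_old;
        CREATE TABLE users (id INTEGER PRIMARY KEY, full_name TEXT, email TEXT, status TEXT);
        INSERT INTO users (id, full_name, email, status)
            SELECT id, 'unknown', email, status FROM users_old;
        DROP TABLE users_old;
    """)


def emails_positional(conn):
    """Fragile application code: SELECT * and pick the e-mail by column position."""
    return [row[1] for row in conn.execute("SELECT * FROM users ORDER BY id")]


def emails_explicit(conn):
    """Robust form: name the field needed; the DBMS resolves it regardless of order."""
    return [row[0] for row in conn.execute("SELECT email FROM users ORDER BY id")]


def demo():
    """Return (positional, explicit) results before and after the schema change."""
    conn = build_database()
    before = (emails_positional(conn), emails_explicit(conn))
    migrate_insert_column(conn)
    after = (emails_positional(conn), emails_explicit(conn))
    return before, after
```

After the migration the positional read silently returns the new full_name values in place of e-mail addresses, while the explicit query is unaffected.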