Advanced Analysis of the Integrity of Access Control
Policies: the Specific Case of Databases
Faouzi Jaidi, Faten Ayachi, and Adel
Bouhoula
Digital
Security Research Lab, Higher School of Communication of Tunis, University of
Carthage, Tunisia
Abstract: Databases
are considered as one of the most compromised assets according to 2014-2016
Verizon Data Breach Reports. The reason is that databases are at the heart of Information
Systems (IS) and store confidential business or private records. Ensuring the
integrity of sensitive records is highly required and even vital in critical systems
(e-health, clouds, e-government, big data, e-commerce, etc.,). The access
control is a key mechanism for ensuring the integrity and preserving the
privacy in large scale and critical infrastructures. Nonetheless, excessive, unused
and abused access privileges are identified as most critical threats in the top
ten database security threats according to 2013-2015 Imperva Application
Defense Center reports. To address this issue, we focus in this paper on the
analysis of the integrity of access control policies within relational
databases. We propose a rigorous and complete solution to help security architects
verifying the correspondence between the security planning and its concrete
implementation. We define a formal framework for detecting non-compliance
anomalies in concrete Role Based Access Control (RBAC) policies. We rely on an
example to illustrate the relevance of our contribution.
Keywords: Access Control, Databases Security, Formal Validation,
Integrity Analysis, Conformity Verification.
Received November 11, 2016;
accepted July 7, 2019