Comments on: Why is Database Security So Hard? http://www.pythian.com/blogs/835/why-is-database-security-so-hard News and views from Pythian DBAs Fri, 9 Jan 2009 22:22:14 +0000 http://wordpress.org/?v=2.6.5 By: AM http://www.pythian.com/blogs/835/why-is-database-security-so-hard#comment-172144 AM Wed, 19 Mar 2008 11:54:09 +0000 http://www.pythian.com/blogs/835/why-is-database-security-so-hard#comment-172144 Bill, you are right, of course: it would be unwise to design a system in which the (same?) database was being both a smart file system and an application framework at the same time. But I didn't say that originally, I said that DBMS are able to play either role. To continue your metaphor - a DBMS is neither a wrench nor a screwdriver nor a hammer, but one of <a href="http://www.swiss-army-knife-wenger.co.uk/wenger_giant_swiss_army_knife.html" rel="nofollow">these</a>. Of course _requirements_ are complicated and hard to get right: in general. So we learn and apply requirements patterns and software architectural plans to get a handle on that complexity, to control it. Your example of user access is an excellent one: and how to deal with it depends on domain design decisions (what is a user? what attributes do they have at various layers of the system?). My point, though, is that a framework architecture (i.e. the DBMS) that potentially cross-cuts so many layers has the potential to get wired-up in all those decisions you try to make, and can therefore easily blur the layers of abstraction. (Imagine a machine whose instruction set depended on the spelling of your name.) And my suggestion is: perhaps there are typical patterns of use (I called them "profiles") which, once recognized, could be hardened in different ways. This discussion was about security, after all. Bill, you are right, of course: it would be unwise to design a system in which the (same?) database was being both a smart file system and an application framework at the same time. But I didn’t say that originally, I said that DBMS are able to play either role. To continue your metaphor - a DBMS is neither a wrench nor a screwdriver nor a hammer, but one of these.

Of course _requirements_ are complicated and hard to get right: in general. So we learn and apply requirements patterns and software architectural plans to get a handle on that complexity, to control it. Your example of user access is an excellent one: and how to deal with it depends on domain design decisions (what is a user? what attributes do they have at various layers of the system?). My point, though, is that a framework architecture (i.e. the DBMS) that potentially cross-cuts so many layers has the potential to get wired-up in all those decisions you try to make, and can therefore easily blur the layers of abstraction. (Imagine a machine whose instruction set depended on the spelling of your name.) And my suggestion is: perhaps there are typical patterns of use (I called them “profiles”) which, once recognized, could be hardened in different ways. This discussion was about security, after all.

]]> By: Bill Karwin http://www.pythian.com/blogs/835/why-is-database-security-so-hard#comment-169181 Bill Karwin Sat, 08 Mar 2008 21:53:19 +0000 http://www.pythian.com/blogs/835/why-is-database-security-so-hard#comment-169181 Hmm. Saying a database is both a smart filesystem and an application framework is like saying that a hammer is both a wrench and a screwdriver. I.e., NOT. :-) The thing about securing databases is that we must prevent illegitimate access, while permitting legitimate access. The complexity is not in the database, it's in the definition of illegitimate vs. legitimate. In real-world scenarios, this distinction is complex and full of fine-grained special cases. For instance, I want to allow users access to their own account details. But I don't want users to access each other's account details. Unless the user is an administrator. Or a merchant, in which case they should be able to access certain information about the user, such as her shipping address. But only if that user has authorized the merchant by ordering something from him. But that authorization is time-limited. Unless that user is a repeat customer of that merchant. Except when either the user or the merchant have blacklisted the other, because they had some bad transaction in the past. The possible exception cases go on and on! Trying to block every case that needs to be blocked, while preserving access in cases that need access is hard. It's not because the technology itself is complex. It's because the real-world processes that we're trying to model are complex. Hmm. Saying a database is both a smart filesystem and an application framework is like saying that a hammer is both a wrench and a screwdriver. I.e., NOT. :-)

The thing about securing databases is that we must prevent illegitimate access, while permitting legitimate access. The complexity is not in the database, it’s in the definition of illegitimate vs. legitimate. In real-world scenarios, this distinction is complex and full of fine-grained special cases.

For instance, I want to allow users access to their own account details. But I don’t want users to access each other’s account details. Unless the user is an administrator. Or a merchant, in which case they should be able to access certain information about the user, such as her shipping address. But only if that user has authorized the merchant by ordering something from him. But that authorization is time-limited. Unless that user is a repeat customer of that merchant. Except when either the user or the merchant have blacklisted the other, because they had some bad transaction in the past.

The possible exception cases go on and on! Trying to block every case that needs to be blocked, while preserving access in cases that need access is hard. It’s not because the technology itself is complex. It’s because the real-world processes that we’re trying to model are complex.

]]>