The three main objectives of information security are integrity, confidentiality, and availability. Multilevel secure databases, i.e., databases that contain data classified at different security levels, have been studied extensively during the last 20 years. The first line of defense is proper access control. The three main access control models are mandatory, discretionary and role-based access control.
Mandatory (or label-based) Access Control (MAC) requires that data items are classified at different security levels and that users of the database have security clearances assigned to them. When a data access is requested, the security clearance of the requesting user is compared to the security classification of the requested data item. If the access control rules are satisfied, the data access is permitted; otherwise it is rejected.
Discretionary (or user-based) Access Control (DAC) defines access permissions for each user of the database. It is assumed that the owners of data should be able to protect their data and grant access rights to other users. This type of access control is typically supported by operating systems at the file level (for example, the Unix file system).
Recently a new type of access control, Role-Based Access Control (RBAC), has been attracting increased attention in both military and commercial systems. RBAC is based on modeling organization-specific access control policies. The main components of RBAC are users, roles, permissions, user-role assignments, and role-permission assignments. Access control is enforced in terms of roles. Intuitively, when initiating a session, a user may activate any roles that he or she has been assigned and use the union of the corresponding permissions. Roles have been used in computer systems for years, and several research papers have focused on incorporating roles in access control models. Furthermore, it has been shown that RBAC can be implemented using the controls available in MAC, providing high security assurance and simplifying implementation.
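As an added illustration (not code from the paper), the following Python sketch models the two mechanisms described above: a MAC read check that compares a user's clearance with a data item's classification, and a core RBAC model in which a session activates a subset of the user's assigned roles and operates with the union of their permissions. The level names, roles, users and the "parcels" object are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed linear ordering of security levels (lowest to highest) for the MAC check.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def mac_read_allowed(clearance: str, classification: str) -> bool:
    """MAC read rule: the user's clearance must dominate (be at least as high as)
    the classification of the requested data item."""
    return LEVELS[clearance] >= LEVELS[classification]

@dataclass
class RBAC:
    role_perms: dict = field(default_factory=dict)  # role -> {(object, operation)}
    user_roles: dict = field(default_factory=dict)  # user -> {role}

    def grant(self, role: str, obj: str, op: str) -> None:
        self.role_perms.setdefault(role, set()).add((obj, op))  # role-permission assignment

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)  # user-role assignment

    def open_session(self, user: str, roles: set) -> "Session":
        """A session may activate only roles the user has been assigned."""
        unassigned = set(roles) - self.user_roles.get(user, set())
        if unassigned:
            raise PermissionError(f"{user} is not assigned {sorted(unassigned)}")
        return Session(self, user, set(roles))

@dataclass
class Session:
    rbac: RBAC
    user: str
    active_roles: set

    def permissions(self) -> set:
        # Effective permissions: the union over the roles activated in this session.
        return set().union(*(self.rbac.role_perms.get(r, set()) for r in self.active_roles))

    def allowed(self, obj: str, op: str) -> bool:
        return (obj, op) in self.permissions()

def demo() -> tuple:
    # Constructed scenario: alice is assigned analyst and editor but activates only analyst.
    r = RBAC()
    r.grant("analyst", "parcels", "select")
    r.grant("editor", "parcels", "update")
    r.assign("alice", "analyst")
    r.assign("alice", "editor")
    s = r.open_session("alice", {"analyst"})
    return s.allowed("parcels", "select"), s.allowed("parcels", "update")
```

Because only the activated roles contribute permissions, alice can read but not update parcels in this session even though she holds the editor role.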
Given the limitations of current GIS in providing sophisticated access control to the data sources used by GIS, we propose the architecture in the following figure. The model is based on exploiting the ability of ArcSDE™ to support interoperability between ArcGIS™ software and relational database systems, and on the use of the security tools available for these databases.
System Components

ArcGIS™

ArcGIS™ 8.1 is an integrated GIS software package consisting of ArcMap, ArcCatalog and ArcToolbox in its desktop version and traditional ArcInfo™ in its workstation version. We have used the desktop version of this software.

ArcSDE™

ArcSDE™ is a middleware software package for communication between a relational database system and ArcGIS™.

Geodatabase

Geodatabase is a relational database where both spatial and non-spatial data can be stored together along with any relationships among them. In this work we have used Microsoft SQL Server™ as the relational database management system.

ArcGIS™ – ArcSDE™ Interface

The interface between ArcGIS™ and ArcSDE™ is internal to the ArcGIS™ system.

ArcSDE™ – Geodatabase Interface

Security Considerations
The use of ArcSDE™ as mediator between a GIS application and a relational database system not only allows improved interoperation of spatial and non-spatial databases, but also supports enhanced security administration. In this work we focus on the security features provided by Microsoft (MS) SQL Server™. In addition to the security features, such as authentication, domains, and user accounts, provided by the MS operating system, SQL Server™ provides additional security features, such as client-server encryption, SQL trace and auditing, and role-based access control. The proposed security architecture is shown in the following figure. The stars show where authentication of the user is required.

First, users are authenticated by the operating system under which the GIS software runs. Then, all data accesses to the SQL Server™ databases must be authenticated. The reason for two layers of authentication lies in the need for different levels of security granularity in these systems. Note that a future extension of the model could be to eliminate the need for multiple authentications, for example by using digital certificates. However, this problem is outside the scope of our current paper.