From: DB-SECaaS: a cloud-based protection system for document-oriented NoSQL databases
Attack | Status | Entity | Mechanism |
---|---|---|---|
Alteration | Mitigated | KD service, encryption service | Our system uses encryption to protect the data from alteration and forgery. Only authorized users have the privilege to get the keys for decryption. |
Denial of service | Partially mitigated | KD service, FG authorization service | This threat is partially mitigated using access control. Requests cannot directly communicate with the database, rather they need to be validated by authorization service to get data access. However, further study is needed to investigate DoS attack on authorization service. |
Excessive privilege abuse | Mitigated | FG authorization service | Fine-grained policies in our system are defined based on “need-to-know” principle where privileges to resources are assigned from cell level to table level. Principle of least privileges is followed. |
Unauthorized elevation of privileges | Mitigated | FG authorization service | Each request to database is evaluated by fine-grained authorization policies, which keep malicious insiders from escalating their privileges. |
Injection attacks | Partially mitigated | FG authorization service | Injection attacks mostly occur at application layer. Even if malicious user breaches the application security, he still needs to pass the fine-grained authorization service. Injection attacks are also partially mitigated using least privilege access control model. Fine-grained access control model allow user to access data on a need-to-know basis. |
Backup data exposure | Mitigated | Encryption service, KD service | The system protects backup data using encryption service. Data is stored in encrypted form; therefore, if malicious attempts are made, it is still useless. |
Login attacks | Mitigated | SA service, IDM service, fine-grained authorization service, encryption service, KD service | We have combined authentication with authorization where user request is evaluated to access to data. In addition, keys are managed separately at KD service to decrypt the data. Encryption together with the authorization makes overall security more strong. |