Skip to main content

Table 3 Attacks mitigated by the DB-SECaaS system, as a whole

From: DB-SECaaS: a cloud-based protection system for document-oriented NoSQL databases

Attack

Status

Entity

Mechanism

Alteration

Mitigated

KD service, encryption service

Our system uses encryption to protect the data from alteration and forgery. Only authorized users have the privilege to get the keys for decryption.

Denial of service

Partially mitigated

KD service, FG authorization service

This threat is partially mitigated using access control. Requests cannot directly communicate with the database, rather they need to be validated by authorization service to get data access. However, further study is needed to investigate DoS attack on authorization service.

Excessive privilege abuse

Mitigated

FG authorization service

Fine-grained policies in our system are defined based on “need-to-know” principle where privileges to resources are assigned from cell level to table level. Principle of least privileges is followed.

Unauthorized elevation of privileges

Mitigated

FG authorization service

Each request to database is evaluated by fine-grained authorization policies, which keep malicious insiders from escalating their privileges.

Injection attacks

Partially mitigated

FG authorization service

Injection attacks mostly occur at application layer. Even if malicious user breaches the application security, he still needs to pass the fine-grained authorization service. Injection attacks are also partially mitigated using least privilege access control model. Fine-grained access control model allow user to access data on a need-to-know basis.

Backup data exposure

Mitigated

Encryption service, KD service

The system protects backup data using encryption service. Data is stored in encrypted form; therefore, if malicious attempts are made, it is still useless.

Login attacks

Mitigated

SA service, IDM service, fine-grained authorization service, encryption service, KD service

We have combined authentication with authorization where user request is evaluated to access to data. In addition, keys are managed separately at KD service to decrypt the data. Encryption together with the authorization makes overall security more strong.