Data Security

Elisa Bertino and Elena Ferrari
Dipartimento di Scienze dell'Informazione
Università degli Studi di Milano
Via Comelico 39/41, 20135 Milano, Italy
{bertino,ferrarie}@dsi.unimi.it

Abstract

Maintaining data quality is an important requirement in any organization. It requires measures for access control, semantic integrity, fault tolerance, and recovery. Access control regulates access to the system by users, ensuring that every access is authorized according to some specified policy. In this paper we briefly survey the state of the art in access control for database systems, discuss the main research issues, and outline possible directions for future research.

1. Introduction

Protecting data from unauthorized access is becoming more and more crucial as an increasing number of organizations entrust their data to database systems [18, 37]. An important functionality that every DBMS must support is the ability to protect data and system resources from intrusion, modification, theft, and unauthorized disclosure. Since the data in a database are related by semantic relationships, damage in a database environment does not affect only a single user or application, but the entire information system.

Security breaches typically fall into three categories: unauthorized data observation, incorrect data modification, and data unavailability. Unauthorized data observation results in the disclosure of information to users not entitled to access it. Organizations of every kind, from commercial to social or military ones, may suffer heavy financial and human losses from unauthorized data observation. Incorrect modifications of data, whether intentional or unintentional, leave the database in an inconsistent state; the database is then no longer correct.
Any use of incorrect data may again cause heavy losses for the organization. When data are unavailable, information that is crucial to the proper functioning of the organization may not be readily accessible when needed. Therefore, a complete solution to the data security problem entails addressing three main issues: secrecy (or confidentiality), integrity, and availability. Ensuring secrecy means preventing improper disclosure of information. Ensuring integrity means protecting data from unauthorized or improper modification or deletion. Finally, ensuring availability means preventing, and recovering from, hardware and software errors and malicious denials of service that make the database system unavailable.

The importance assigned to each of these aspects depends greatly on the environment considered. For example, secrecy is the most relevant aspect in military environments, whereas in commercial environments most attention is devoted to integrity. In many environments, such as public institutions, secrecy and integrity are needed in combination [18]. This is the case, for instance, for hospitals, airline companies, or credit institutions, in which data correctness is vital in addition to privacy constraints.

Data protection is ensured by different components of a DBMS. In particular, the access control mechanism ensures data secrecy. Whenever a user tries to access an object, the access control mechanism checks the user's request against a set of authorizations, usually stated by a security administrator. An authorization states which user can perform which action on which object. Authorizations are granted according to the security policies of the organization. Data integrity is ensured jointly by the access control mechanism and by semantic integrity constraints.
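As an added illustration of the (user, action, object) authorization triple and of the division of labour between the access control mechanism and semantic integrity constraints, the following SQL is example code written for this page, not from the paper. The table, role, and user names (employees, payroll_clerk, alice) are hypothetical, and the syntax follows ISO SQL as implemented by PostgreSQL.

```sql
-- Example written for this page, not from the paper.
-- Table, role and user names are hypothetical.

-- Semantic integrity: constraints that every state of the table must satisfy.
CREATE TABLE employees (
    emp_id  INTEGER PRIMARY KEY,
    dept    VARCHAR(20) NOT NULL,
    salary  NUMERIC(10,2) NOT NULL,
    CONSTRAINT salary_positive CHECK (salary > 0),
    CONSTRAINT salary_ceiling  CHECK (salary <= 500000)
);

-- Access control: each authorization is a (subject, action, object) triple.
-- The security administrator lets the role payroll_clerk read the whole
-- table but update only the salary column.
CREATE ROLE payroll_clerk;
GRANT SELECT ON employees TO payroll_clerk;
GRANT UPDATE (salary) ON employees TO payroll_clerk;
GRANT payroll_clerk TO alice;   -- alice is assumed to exist as a login user

-- Sample row, constructed for the example.
INSERT INTO employees VALUES (1, 'R&D', 50000.00);

-- The statements below run in a session opened by alice.
SET ROLE payroll_clerk;

-- Rejected by the access control mechanism: no UPDATE privilege on dept,
-- so the statement fails before any integrity constraint is evaluated.
UPDATE employees SET dept = 'Sales' WHERE emp_id = 1;

-- Passes access control (UPDATE on salary is authorized) but is rejected by
-- the semantic integrity subsystem: CHECK constraint salary_positive fails.
UPDATE employees SET salary = -1 WHERE emp_id = 1;

-- Passes both checks and is applied.
UPDATE employees SET salary = 52000.00 WHERE emp_id = 1;

-- Withdrawing an authorization (as the administrator): afterwards the
-- salary update is denied as well, while reading remains authorized.
REVOKE UPDATE (salary) ON employees FROM payroll_clerk;
UPDATE employees SET salary = 53000.00 WHERE emp_id = 1;   -- permission denied
SELECT emp_id, dept, salary FROM employees;                -- still allowed
```

The order of the two rejections is the point: the privilege check answers "may this user perform this action on this object?" and runs first; only statements that survive it reach the integrity constraints, which answer "is the resulting state semantically correct?". Column-level GRANT and SET ROLE are standard SQL features, but the exact error messages and the point at which each check fires vary between DBMS products.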
Whenever a user tries to modify some data, the access control mechanism verifies that the user has the right to modify the data, whereas the semantic integrity subsystem verifies that the updated data are semantically correct. Finally, the recovery subsystem and the concurrency control mechanism ensure that data remain available and correct despite hardware and software failures and despite concurrent accesses by application programs.

In this paper, we focus on access control mechanisms and related authorization models. We refer the reader to [8] for an extensive discussion on transaction models and