Designing secure databases

Eduardo Fernández-Medina *, Mario Piattini

Escuela Superior de Informática, Alarcos Research Group, University of Castilla-La Mancha, Paseo de la Universidad 4, 13071 Ciudad Real, Spain

Received 21 May 2004; revised 28 September 2004; accepted 29 September 2004. Available online 14 November 2004.

Abstract

Security is an important issue that must be considered as a fundamental requirement in information systems development, and particularly in database design. Therefore security, as a further quality property of software, must be tackled at all stages of development. The most widespread secure database model is the multilevel model, which permits the classification of information according to its confidentiality and relies on mandatory access control. Nevertheless, the problem is that no database design methodology currently exists that considers security (and therefore secure database models) across the entire life cycle, particularly at the earliest stages. It is therefore not possible to design secure databases appropriately. Our aim is to solve this problem by proposing a methodology for the design of secure databases. In addition to this methodology, we have defined some models that allow us to include security information in the database model, and a constraint language to define security constraints. As a result, we can specify a fine-grained classification of the information, defining with a high degree of accuracy which properties each user must hold in order to be able to access each piece of information. The methodology consists of four stages: requirements gathering; database analysis; multilevel relational logical design; and specific logical design. The first three stages define activities to analyze and design a secure database, thus producing a general secure database model.
The last stage is made up of activities that adapt the general secure data model to one of the most popular secure database management systems: Oracle9i Label Security. This methodology has been used in a real case by the Data Processing Center of a Provincial Government. In order to support the methodology, we have implemented an extension of Rational Rose that includes and manages security information and constraints in the first stages of the methodology.

© 2004 Elsevier B.V. All rights reserved.

Keywords: Secure databases; Database design; Unified Modeling Language; Object Constraint Language

1. Introduction

Modern society forces businesses to evolve and to manage information correctly in order to achieve their objectives and survive in the digital era. Organizations increasingly depend on information systems (IS), which rely upon large databases, and these databases therefore need ever more quality and security [8]. Indeed, the very survival of organizations depends on the correct management, security and confidentiality of this information [14,15]. Consequently, protecting information that is stored in databases is important for companies, but at times it is also important for individuals. This is because databases also frequently store information regarding private or personal aspects of individuals, such as identification data, medical data, or even religious beliefs, ideologies or sexual orientation. As a result, there are laws to protect the individual's privacy, such as the European Union Directive 95/46/CE of the European Parliament and Council, which deals with the protection of personal data and its free circulation [16]. These laws tend to be very strict, imposing severe penalties for failure to comply with them. This information should therefore be protected against unauthorized access, thus fulfilling the existing data protection laws.
Some authors note that database protection is a serious requirement that must be carefully considered, not as an isolated aspect, but as an element present in all stages of the database life cycle [13,19,21]. Even the Information Systems Audit and Control Foundation affirms that managers have to ensure that security is considered as an integral part of the systems development life cycle process.

Information and Software Technology 47 (2005) 463–477. www.elsevier.com/locate/infsof. doi:10.1016/j.infsof.2004.09.013. 0950-5849/$ - see front matter © 2004 Elsevier B.V. All rights reserved.

* Corresponding author. Tel.: +34 926 29 53 00; fax: +34 926 295 354. E-mail addresses: eduardo.fdezmedina@uclm.es (E. Fernández-Medina), mario.piattini@uclm.es (M. Piattini). URL: http://alarcos.inf-cr.uclm.es/english/.
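The multilevel model with mandatory access control that the abstract names can be illustrated with a small label-dominance check. The following is an added example written for this page, not code from the paper, from its Rational Rose extension, or from Oracle9i Label Security: it assumes a constructed ordering of confidentiality levels, constructed compartment names, and a constructed table whose rows each carry their own label, and it filters the rows a user's clearance may read (no read up) and checks updates against the no-write-down rule.

```python
"""Multilevel (mandatory access control) row filtering by label dominance.

Added example, not code from the paper. Levels, compartments and the
sample table are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed confidentiality levels, ordered from lowest to highest.
LEVELS = ("unclassified", "confidential", "secret", "top_secret")
LEVEL_RANK = {name: rank for rank, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security label: one level plus a (possibly empty) set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        # Reject labels built with a level outside the lattice; a typo here
        # must fail closed rather than silently rank as "lowest".
        if self.level not in LEVEL_RANK:
            raise ValueError(f"unknown level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """True if this label's level is at least `other`'s and it holds every compartment of `other`."""
        return (LEVEL_RANK[self.level] >= LEVEL_RANK[other.level]
                and other.compartments <= self.compartments)


def can_read(clearance: Label, row_label: Label) -> bool:
    """Simple-security rule (no read up): the subject's clearance must dominate the row's label."""
    return clearance.dominates(row_label)


def can_write(clearance: Label, row_label: Label) -> bool:
    """*-property (no write down): the row's label must dominate the subject's clearance,
    so a highly cleared user cannot copy sensitive data into a low-labelled row."""
    return row_label.dominates(clearance)


def visible_rows(clearance: Label, rows: List[Dict]) -> List[Dict]:
    """Row-level filtering: keep only the rows the clearance is allowed to read."""
    return [row for row in rows if can_read(clearance, row["label"])]


# Constructed sample table: each row holds one attribute of a citizen record
# and the label assigned to it during secure database design.
ROWS = [
    {"id": 1, "attribute": "address", "label": Label("confidential")},
    {"id": 2, "attribute": "medical_history", "label": Label("secret", frozenset({"health"}))},
    {"id": 3, "attribute": "religion", "label": Label("secret", frozenset({"personal"}))},
    {"id": 4, "attribute": "public_notice", "label": Label("unclassified")},
]

# Constructed user clearances.
CLERK = Label("confidential")
PHYSICIAN = Label("secret", frozenset({"health"}))
AUDITOR = Label("top_secret", frozenset({"health", "personal"}))


def visible_ids(clearance: Label) -> List[int]:
    """Convenience wrapper returning just the ids a clearance may read from ROWS."""
    return [row["id"] for row in visible_rows(clearance, ROWS)]


if __name__ == "__main__":
    for name, clearance in (("clerk", CLERK), ("physician", PHYSICIAN), ("auditor", AUDITOR)):
        print(f"{name:10s} may read rows {visible_ids(clearance)}")
    print("clerk may write into a secret row:", can_write(CLERK, Label("secret")))
    print("physician may write into a confidential row:", can_write(PHYSICIAN, Label("confidential")))
```

Dominance is checked on both the level and the compartment set, so a "secret" clearance without the "health" compartment still cannot read a "secret/health" row; this is the property that lets the design classify information at the granularity of individual attributes rather than whole tables.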