Lessons learned from Implementing Multilevel Database Security on a Relational DBMS

Andria F. (1), Pangalos G. (1), Pernul G. (2)

(1) Informatics Laboratory, Computers Division, Faculty of Technology, General Department, Aristotle University of Thessaloniki, 540 06 Thessaloniki, Greece.
(2) Wirtschaftsinformatic, Universitaet Essen, Altendorfer Strasse 97, 45143 Essen, Germany.

fanr@egnatia.ee.auth.gr, gip@eng.auth.gr, pernul@wi-inf.uni-essen.de

Keywords
database systems security, multilevel secure modeling, secure database implementation, relational DBMS, medical database security

Abstract
Pernul has proposed a powerful semantic data model for the design of multilevel secure (MLS) database applications. This model leads to consistent and secure MLS applications and has therefore been well accepted. However, no detailed description of the implementation phase has been published yet. This paper uses this semantic data model as the basis for the MLS database design of a sample medical environment, in order to exploit all its advantages. It also attempts, for the first time, a detailed description of the implementation phase, and points out the drawbacks that might turn up during its application. Moreover, it presents a methodology for the implementation of the sample database on Ingres, a typical commercially available relational DBMS with limited available security features. In that way, an evaluation is obtained of the implementation of a secure sample health care database on a relational DBMS.

1. Introduction

The increasingly widespread use of databases, apart from serving business functions well, has also posed serious security problems. Database security is a notion that includes data security; that is, it embraces both the vulnerability of individuals and the vulnerability of the automated databases on which their personal data is stored [Jam96].

Designing a database when the security of the resulting database is of major concern (as, for example, in a hospital) is a complex task. Pernul has proposed a semantic data model for multilevel security which refers to both high and low levels of design, offering the designer valuable support [Per94a], [Per94b], [Per94c].

The overall view of a secure DBMS shows that the higher the degree of security desired, the higher the additional cost. On the other hand, the benefits that can result from security measures include risk reduction and improved control, which in turn implies a more efficient and productive system. In the long run, these advantages could offset the cost of security [Cas94]. These differences are obvious, for example, when comparing a relational DBMS to a Trusted DBMS. The relational DBMS is less expensive and has a lower performance overhead than a Trusted DBMS, but offers a limited level of security. Nevertheless, it is the relational DBMS