Computer Science: Implementing Database Security (Essay Sample)
Computer Security
Name of Student
Institution affiliation
ABSTRACT
Security and privacy are essential concepts in building systems. Without them, most systems lose their value regardless of their performance or the value of the data they hold. This project aims to practice data security in two different aspects. First, the project team will build a secure system that is difficult to attack; building a web application for a primary care clinic is the first step towards that. During this stage, three of the most significant aspects of data security will be covered to secure this system and to assure its privacy. Encrypting data in transit is one of these issues, besides integrity, auditing, SQL injection and access control. The second part of this project is hacking other systems by discovering their weaknesses and finding ways to leak their data. That will give us insight into securing databases and the critical issues that we should consider when we design our systems in the future.
OVERVIEW
Today, with the growth of data and its resources, managing and securing databases has become more challenging. Therefore, researchers and companies have turned to new techniques to protect their data and assure their customers’ privacy. On the other hand, hackers always try to invent new ways to leak or destroy data. So, computer scientists should expand their knowledge and predict the attacks that may harm their data before they occur. Meanwhile, there are many practical techniques that ensure data security and help database managers protect their data.
During the last decade, researchers have addressed some of the security and privacy issues, and as a result of their efforts there are many rich resources that teach database administrators how to harden their databases and secure their data. Ben-Natan published one of these resources, and his book covers many critical topics that give the reader insight into securing and auditing databases. This project gives us an opportunity to discover and practice some of the tasks emphasized by the book’s author. Furthermore, there are other rich resources that we could use to achieve our project’s goals, such as lecture slides and research papers provided by this course’s instructor (Ben-Natan 2005).
In order to practice implementing database security and auditing, we looked for a system that needs to be secure and whose users need to protect their privacy, so that our work on it would be useful and improvable. We found that a primary care clinic system is what we were looking for, because there are many needs to develop such a system. Furthermore, the existing systems have many issues with securing their data and protecting their patients’ privacy. Because of this, many efforts have been made to discover the weaknesses of current systems, improve them and find solutions to protect patients’ privacy. Indeed, we could use some of this research to give us insight into building our system.
Building a complete system that satisfies all the needs of a primary care clinic requires an extended time. It also requires considering other aspects that we do not need to focus on, since the purpose of this project is to practice database security and auditing skills. Therefore, we built a simple system that has some of the most significant components of clinic systems. Our system has two different entities, patients and physicians, and each of them is authorized to do different tasks. For instance, a patient can view his or her information and can set an appointment with a physician if the physician is available. A doctor can check his selection, and he can view a patient’s profile if and only if the patient has an appointment with this doctor. Therefore, the system should give its users the permissions that they need to carry out their tasks successfully. Furthermore, the system should secure their data and assure their privacy (Ben-Natan 2005).
While developing our system, we considered many critical aspects that every database should satisfy. Data integrity is one of these aspects, so we added many features to our system to assure it. Furthermore, we were concerned about the performance of our database, and we used some techniques to improve it. The majority of our work was on increasing the level of our system’s security. Therefore, SQL injection, access control, data cryptography and other issues were considered while building our system. Meanwhile, we spent some effort on auditing our database, so all the queries issued on tables will be recorded in a log file, and this file will not be saved on the system, so the users will not be able to use it. These are the aspects that we focused on to secure our system, and they will be described in more detail in Section 4.
DESIGN OVERVIEW
In order to build our system, we had to design and create web pages to connect the system’s users with the database that is used to save their data. PHP is one of the dominant languages used for developing dynamic web pages, so we decided to use it to create our system’s pages. According to the policy purposes, we built fourteen pages, each used for a particular purpose. For example, the login page allows users to get access to their information and update it. It is also used to add a new patient and his or her information to the tables of the clinic’s patients. Furthermore, there are other pages for the physicians so they can use their information or their patients’ records.
Our system’s database was built using MySQL Workbench, since it is considered one of the most popular open source database systems. The database consists of five tables, which hold the data that we need to deal with in our system. For example, there is a table for the patients, holding the information that the system needs in order to give them the service they need. There is also a table for the physicians’ information, since they have different attributes and their roles in the system are different from the patients’ roles. In order to manage the access of the system’s users, we created a table that holds their usernames and passwords. Furthermore, the system has a table for the appointments and a table for the patients’ records. Meanwhile, these tables have relationships that ease extracting and retrieving the needed information.
ARCHITECTURE
The system that we built is a web application, so we created a login page that allows users to use the system and perform the tasks they are allowed to do. This page is also used to create a record for a new patient and to let him or her set up the username and password needed to access the system in the future. When a user enters his or her username and password correctly, the system recognizes the user and guides him or her to the pages that contain his or her information. That means that if the user is a patient, the system opens the patients’ page, and from there he or she can do what he or she wants to do. This is determined by the username entered on the login page, because the system compares it with the associated record that holds the type of this user. If the user is a patient, the patient page allows him or her to view his or her information by retrieving it from the patient table. He or she can also update some of this information using this page. Furthermore, he or she can schedule a new appointment with the physician he or she needs to visit, if the doctor is available at the specified time. So, the patients’ page is connected with other pages according to the service the patient needs. On the other hand, if the user is a physician, the system provides the page that guides him or her to the service he or she needs. For example, the physician can view his or her information and update some of it if needed. He or she is also allowed to see the appointments scheduled with him or her for the day on which he or she accesses the system, and from that page he or she can access the patients’ records if they have appointments with him or her on that day. Moreover, the physician can add a file that describes the patient’s status to the system, so this record will be available to the patient and his or her physicians in the future (Ben-Natan 2005).
IMPLEMENTATION
As we built our database using SQL and connected it with the web pages that we created using the PHP language, we had to add some features and functions so that the system can satisfy the purpose we built it for. We can classify these elements according to the aspects that we considered and the goals that we planned.
Security and Privacy:
During our work on this project, we were concerned with securing the data that the system holds and assuring its users’ privacy. Therefore, we addressed some of the security and privacy issues that may affect our system, and we found techniques to deal with them.
SQL injection:
In order to protect our system against SQL injection, we applied some techniques so that attackers cannot enter illegal content that could harm our system or leak its private information. To do that, we used a function named “mysql_real_escape_string” to make sure that the content is safe and can be used in a query to be processed by the database system. Furthermore, when we create a view ...
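The two rules described above (a physician sees a profile only when an appointment exists, and user input must not alter a query) can be enforced in one parameterized query; this is an added example, not code from the original project, and it uses PDO prepared statements instead of `mysql_real_escape_string`, which was removed in PHP 7.0. Table names, column names and the function `viewPatientProfile` are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example. Table/column names and viewPatientProfile() are assumptions.
// In-memory SQLite via PDO stands in for MySQL; with MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach ([
    'CREATE TABLE patients (id INTEGER PRIMARY KEY, full_name TEXT)',
    'CREATE TABLE appointments (patient_id INTEGER, physician_id INTEGER, appt_date TEXT)',
    "INSERT INTO patients VALUES (1, 'Constructed Patient A'), (2, 'Constructed Patient B')",
    "INSERT INTO appointments VALUES (1, 10, '2024-05-01')",
] as $sql) {
    $pdo->exec($sql);
}

/**
 * Return the patient's profile only if the physician has an appointment with
 * that patient on $date; otherwise return null.
 * $physicianId must come from the authenticated session, never from the request.
 */
function viewPatientProfile(PDO $pdo, int $physicianId, string $rawPatientId, string $date): ?array
{
    // Reject anything that is not a plain integer before touching the database.
    $patientId = filter_var($rawPatientId, FILTER_VALIDATE_INT);
    if ($patientId === false) {
        return null;
    }
    // Placeholders keep request data out of the SQL text, and the join makes
    // the appointment check part of the same query that reads the profile.
    $stmt = $pdo->prepare(
        'SELECT p.id, p.full_name
           FROM patients p
           JOIN appointments a ON a.patient_id = p.id
          WHERE p.id = :patient
            AND a.physician_id = :physician
            AND a.appt_date = :date'
    );
    $stmt->bindValue(':patient', $patientId, PDO::PARAM_INT);
    $stmt->bindValue(':physician', $physicianId, PDO::PARAM_INT);
    $stmt->bindValue(':date', $date, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed requests from physician 10 on 2024-05-01: a patient with an
// appointment, a patient without one, and a non-integer identifier.
foreach (['1', '2', '1 OR 1=1'] as $requested) {
    $profile = viewPatientProfile($pdo, 10, $requested, '2024-05-01');
    echo $requested, ' => ', $profile === null ? 'denied' : $profile['full_name'], PHP_EOL;
}
```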