Abstract: With the growth of cybersecurity programs and the computing industry's emphasis on security, traditional courses must continue to evolve. Because database courses serve both traditional computer science programs and more recent cybersecurity programs, attention must be given specifically to these courses in this new context. This paper describes the current state of the traditional computer science database course specifically from the context of security and administration and recommends some modifications to content related to this growing trend. This qualitative study examined three areas in order to determine topics related to cybersecurity but directly related to database concepts. First, a textbook review was conducted in order to identify potential database security themes and topics. This textbook review cast a wide umbrella in order to determine what textbook authors considered database security and what they considered traditional database concepts. Sometimes, the determination was not consistent. However, this study considered the following to be related to database security: database administration, including permission maintenance; database vulnerability identification and prevention; database view management; and database triggers. Second, recommendations from curricular guidelines were reviewed to consider the current state of such topics. These guidelines consisted of ACM's curriculum guidelines for post-secondary degree programs in cybersecurity and the ACM/IEEE's curriculum guidelines for undergraduate degree programs in computer science. Third, a review of literature was conducted in order to triangulate which identified topics are being taught and covered in several typical undergraduate settings. Finally, recommendations were made in order to ensure that database courses that serve security programs cover material needed for that discipline.
These recommendations included the incorporation of more systems administration tasks into the database curriculum. Specifically, tasks such as user setup, permission control and general database security within a multi-user environment are often overlooked in the general database curriculum in favor of more traditional database design concepts. With cybersecurity becoming ever more important, these tasks should no longer be overlooked within the traditional database course.
Keywords: database security, curriculum, cybersecurity, database, teaching, education
1. Introduction
Vigorous growth in the area of cybersecurity and information security (Bureau of Labor Statistics, 2016) has been well-documented. In response to this growth, colleges and universities are quickly developing programs that will prepare students for these demands (Bardas, Bell, Tian, Cain, & Oudshoorn, 2018). At many institutions, these programs in cybersecurity will be offered alongside existing programs in computer science and other related fields. Therefore, existing database courses will have increased demands related to information security and determining what database security topics to include is vital for program and ultimately, student, success.
This paper focuses on research to determine what topics are currently being offered in database security, along with curriculum recommendations for database security from professional organizations. First, a review of popular textbooks was conducted in order to quantify the predominant database security topics covered. Second, curricular recommendations from the Association for Computing Machinery (ACM) and the Institute of Electrical and Electronics Engineers (IEEE) were reviewed in order to determine the database security topics covered in both traditional computer science programs and newer cybersecurity programs. Third, a literature review was conducted to outline current database security curricular practices in place at colleges and universities. Additionally, findings are presented and topics identified from both standalone database security courses and introductory database courses that serve several technical programs. Finally, recommendations are given as to what database security topics to include in an introductory undergraduate database course. These topics include a) database administration, including access control and permissions; b) database vulnerability identification and prevention; c) database views and row/column level security; and d) database auditing or triggers.
2. Textbook review
In order to identify cybersecurity topics that are potentially taught in traditional database courses, a textbook review was conducted. Fifteen current textbooks were selected due to their widespread use in introductory database courses within the typical database curriculum. Textbooks were excluded if one of the primary authors had also authored another, more popular book, if the book covered a specific topic or technology, or if the book was considered a reference book or guide. Other academic considerations were given as to the relevance of the book for primary use in an undergraduate, traditional database course.
After textbook selection was completed, each text was examined for general topics that might be considered related to cybersecurity. In some books, these topics were included in a "Security" or similar chapter, while in others the same topics were found in other locations. These topics were categorized as database administration, including permission maintenance; database vulnerability identification and prevention; database view management; and database triggers. Each of these categories will be discussed in turn.
General database administration, including user and role setup and permission granting and revocation, is an important function for database security. Most reviewed texts that included a chapter on security included the topic there. However, the range of exposure on this topic was wide. While the text "Database Management Systems" (Ramakrishnan & Gehrke, 2003) included numerous pages, with examples and screenshots, others mentioned the topic only in a few sentences of an overview paragraph. This approach might be understandable given that user setup and maintenance is not technically a database design topic and is often omitted in favor of other topics. However, as cybersecurity becomes more important for all aspects of technology, students should have at least some exposure to how user administration is performed in database environments.
Database vulnerability identification and prevention was also considered while reviewing textbooks for security coverage. Many texts consider security vulnerabilities only from the position of SQL injection or similar forms of unauthorized database access, while unauthorized access is a wider, more general topic. Some textbooks considered SQL injection only, and others did not cover vulnerability identification and prevention at all. While SQL injection is an important vulnerability that students must know how to prevent, consideration should be given to the larger scope of general vulnerability and unauthorized access. Of the textbooks reviewed, the text "Fundamentals of Database Systems" (Elmasri & Navathe, 2016) wove the concepts of database administration, user creation, permissions and vulnerabilities, or threats, into a single chapter with the greatest specificity and coherence.
Virtual tables, or views, were not usually considered from a security standpoint, but instead from an implementation or how-to standpoint, or one of convenience. However, the text "Hands-On Database" (Conger, 2014) incorporated the creation of views as a means to provide appropriate access to users. This mechanism is an important one for allowing users access to the data with which they must interact, while limiting the scope of their access beyond simple table restrictions. Students should be aware of this technique while setting up users, granting permissions, and administering proper access.
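The administration and view techniques described in the two preceding paragraphs, as an added PostgreSQL example that is not from the paper or any of the reviewed textbooks; the table, column and role names (employee, hr_reader, dept_manager, alice, bob) are illustrative, and the password is a constructed placeholder.

```sql
-- Added example (not from the paper): PostgreSQL roles, least-privilege
-- grants, and a view that restricts both rows and columns.
-- All names are illustrative; the paper names no schema.

CREATE TABLE employee (
    emp_id     integer        PRIMARY KEY,
    full_name  text           NOT NULL,
    dept       text           NOT NULL,
    manager    text           NOT NULL,  -- login name of the employee's manager
    salary     numeric(10,2)  NOT NULL,
    ssn        text           NOT NULL   -- sensitive: never exposed via the view
);

-- Group roles carry the privileges; login roles are only members of a group,
-- so permissions are maintained in one place per job function.
CREATE ROLE hr_reader    NOLOGIN;
CREATE ROLE dept_manager NOLOGIN;
CREATE ROLE alice LOGIN PASSWORD 'change-me';   -- constructed placeholder
CREATE ROLE bob   LOGIN PASSWORD 'change-me';   -- constructed placeholder
GRANT hr_reader    TO alice;
GRANT dept_manager TO bob;

-- Start from nothing: remove any default access before granting anything.
REVOKE ALL ON employee FROM PUBLIC;

-- Column-level security: hr_reader may read only the non-sensitive columns.
-- Any SELECT that touches salary or ssn is refused by the DBMS.
GRANT SELECT (emp_id, full_name, dept) ON employee TO hr_reader;

-- Row-level security through a view: a manager sees only their own reports
-- and never the ssn column. current_user is still the querying user inside
-- the view, but privileges are checked against the view owner, so the
-- manager needs no privilege on the base table at all.
CREATE VIEW my_reports AS
    SELECT emp_id, full_name, dept, salary
      FROM employee
     WHERE manager = current_user;

GRANT SELECT ON my_reports TO dept_manager;
-- Deliberately no GRANT on employee for dept_manager: the view is the only path.

-- Offboarding: dropping the membership removes every inherited privilege.
REVOKE dept_manager FROM bob;
```

PostgreSQL also provides native row-level security (ALTER TABLE ... ENABLE ROW LEVEL SECURITY with CREATE POLICY), which enforces the same row filter on the base table itself; the view approach above works on any DBMS that supports views and GRANT.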
While triggers were covered in nearly every textbook considered, most often the topic was placed in an advanced SQL chapter and not considered from a security standpoint. However, due to the usefulness of triggers as an auditing tool, triggers were considered an important security topic here.
The creation of an audit database, where access is monitored, is important for database security. Permissions and restrictions alone cannot guarantee that users will not access confidential or sensitive data. Triggers can provide a useful tool for determining who is accessing and modifying sensitive areas of data, and when. Few textbooks incorporated this technique into their discussion of triggers.
In summary, the textbooks reviewed were not consistent with regard to the security concepts covered. Some included a chapter on security, while others incorporated topics throughout the text. If a security chapter was present, most books either covered database administration and access restriction or included a great deal of general security information not specific to database security. Additionally, views and triggers were typically not considered security concepts. While a couple of books were found to cover the topic robustly (Elmasri & Navathe, 2016; Silberschatz, Korth, & Sudarshan, 2011), in general security is not consistently covered. In some cases, views and triggers were included but not considered security topics, and the concept of database user management was absent altogether, leaving security unaddressed by the book in any real way.
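The audit-by-trigger technique of the preceding paragraphs, as an added PostgreSQL example that is not from the paper; the employee table, the employee_audit table and the security_auditor role are illustrative names, and the trigger records modifications rather than reads.

```sql
-- Added example (not from the paper): an append-only audit trail populated by
-- a row-level trigger. Names are illustrative.

CREATE TABLE IF NOT EXISTS employee (
    emp_id    integer PRIMARY KEY,
    full_name text    NOT NULL,
    dept      text    NOT NULL,
    salary    numeric(10,2) NOT NULL
);

CREATE TABLE employee_audit (
    audit_id   bigserial   PRIMARY KEY,
    changed_at timestamptz NOT NULL DEFAULT now(),          -- when
    changed_by text        NOT NULL DEFAULT session_user,   -- who (login name)
    operation  text        NOT NULL,                        -- INSERT/UPDATE/DELETE
    emp_id     integer     NOT NULL,
    old_row    jsonb,                                       -- image before change
    new_row    jsonb                                        -- image after change
);

-- SECURITY DEFINER: the function runs with its owner's rights, so the users
-- being audited never need INSERT on employee_audit. Pinning search_path
-- keeps a definer function from resolving names in a caller-controlled schema.
CREATE OR REPLACE FUNCTION audit_employee() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        INSERT INTO employee_audit (operation, emp_id, old_row)
        VALUES (TG_OP, OLD.emp_id, to_jsonb(OLD));
        RETURN OLD;
    ELSIF TG_OP = 'UPDATE' THEN
        INSERT INTO employee_audit (operation, emp_id, old_row, new_row)
        VALUES (TG_OP, NEW.emp_id, to_jsonb(OLD), to_jsonb(NEW));
        RETURN NEW;
    ELSE  -- INSERT
        INSERT INTO employee_audit (operation, emp_id, new_row)
        VALUES (TG_OP, NEW.emp_id, to_jsonb(NEW));
        RETURN NEW;
    END IF;
END;
$$;

CREATE TRIGGER employee_audit_trg
AFTER INSERT OR UPDATE OR DELETE ON employee
FOR EACH ROW EXECUTE FUNCTION audit_employee();

-- The trail is only evidence if the people it records cannot alter it:
-- nobody but the reviewers reads it, and nobody writes it except the trigger.
CREATE ROLE security_auditor NOLOGIN;
REVOKE ALL ON employee_audit FROM PUBLIC;
GRANT SELECT ON employee_audit TO security_auditor;
```

A trigger fires only on data modification; SELECT access to sensitive columns has to be captured with the DBMS's own statement logging or an auditing extension, so this covers the "modified" half of the paragraph's "accessed and modified".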
3. Review of recommendations from professional organizations
In addition to the textbook review, ACM curriculum guidelines were assessed for database security recommendations. More specifically, two curricular recommendations were reviewed. First, the ACM's curriculum guidelines for post-secondary degree programs in cybersecurity (ACM/IEEE-CS, 2017) were reviewed for topics related specifically to database requirements and recommendations. Second, the ACM/IEEE's curriculum guidelines for undergraduate degree programs in computer science (ACM/IEEE-CS, 2013) were reviewed for topics related specifically to database security requirements and recommendations. Each will be discussed next.
The ACM's curriculum guidelines for post-secondary degree programs in cybersecurity are organized into eight knowledge areas (ACM/IEEE-CS, 2017). Each knowledge area is further divided into multiple knowledge units, which are, in turn, divided into topics. Each topic includes a description along with some curricular guidance for inclusion. Review of this document included identification of those topics most specifically related to database security for inclusion in a traditional undergraduate database course that would serve as the foundational course in database principles for students in a cybersecurity program.
Of the eight knowledge areas outlined in the document (data security, software security, component security, connection security, system security, human security, organizational security, and societal security), specific database security topics were found in the knowledge areas of data security and organizational security.
The data security knowledge area includes the knowledge unit "Information Storage Security". Information storage security includes a database security topic covering "access/authentication, auditing and app integration paradigms" (ACM/IEEE-CS, 2017, p. 30).
The organizational security knowledge area includes the knowledge unit "Systems Administration". Systems administration includes a database system administration topic covering the management and maintenance of databases "by utilizing available and applicable management system software" (ACM/IEEE-CS, 2017, p. 64). Additionally, the topic includes "configuration of database servers, creation and manipulation of schemas, tables, indexes, views, constraints, stored procedures, functions, user account creation and administration, and tools for database backup and recovery" (ACM/IEEE-CS, 2017, p. 64).
Although other references to database security are implied or made parenthetically within the document, these two topics were found to be the most direct references to curricular recommendations for inclusion in the database course. For example, on page 64, prerequisite knowledge of database systems such as SQL and Oracle is indicated. Databases are also frequently included in lists of systems for which security mechanisms are to be identified and understood.
The Computer Science Curricula 2013, developed jointly by the ACM and the IEEE Computer Society, outlines the curriculum guidelines for undergraduate degree programs in computer science. These curricula are also organized into knowledge areas. The 18 knowledge areas are further divided into topics and into core-tier1, core-tier2, and elective categories. Topics are similar to those outlined in the cybersecurity curricula above and include specific items for inclusion within the course curriculum. The core-tier1, core-tier2, and elective categories provide flexibility for coverage of all topics. In general, any computer science program should cover all core-tier1 topics, nearly all core-tier2 topics, and many elective topics at significant depth.
Upon review of the recommended curricula, the information management knowledge area was found to contain the majority of recommendations related to database design and management. However, the knowledge area contains little direct information related to database security. Indirect inclusion was not considered in this review. For example, within the information management knowledge unit, the learning outcome "identify issues of data persistence for an organization" (ACM/IEEE-CS, 2013, p. 113) is provided. Although issues of data persistence might include security discussions, the outcome was considered too far removed from direct database security principles to be included here.
However, the Information Assurance and Security knowledge area, added in 2013, includes a unit covering "Security policy and governance" (ACM/IEEE-CS, 2013, p. 109) but provides no core-tier1 or core-tier2 hours in which to cover the material. The unit is given elective status under the current document. The unit is composed of the following topics: privacy policy, inference controls/statistical disclosure limitation, backup policy, password refresh policy, breach disclosure policy, data collection and retention policies, supply chain policy, and cloud security tradeoffs. Although no topic directly identifies database security, the unit includes the learning outcome "describe how an attacker can infer a secret by interacting with a database" (ACM/IEEE-CS, 2013, p. 110).
In summary, only one direct reference to database security, as an elective, was found in the computer science curricula from 2013. However, the cybersecurity curriculum guidelines published in 2017 included new, specific topics. These topics included database access and authentication, database auditing, database application integration and database systems administration.
4. Review of literature
A review of literature was conducted in order to triangulate curriculum practices related to the topics of database administration, database vulnerability identification and prevention, database view management, and database triggers or auditing. Numerous articles related to database security and curricular practices were reviewed. In order to establish historical context and to bolster the small number of articles found, articles from 2004 to 2018 were included.
While selecting articles for relevance, it quickly became apparent that most articles addressing database security specifically dealt with an independent course on the topic of database security. While relevant, this paper has a much different purpose. In the context of serving an introductory cybersecurity or computer science student in a first database course, these topics were much more exhaustive than what the research here required. Neither the Computer Science Curricula 2013, developed jointly by the ACM and the IEEE Computer Society (ACM/IEEE-CS, 2013), nor the ACM's curriculum guidelines for post-secondary degree programs in cybersecurity (ACM/IEEE-CS, 2017) suggest that an entire course on database security is needed. Therefore, only the most relevant topics in database security must be selected for inclusion in a traditional database course.
Minimally, the topics of database administration, database vulnerability identification and prevention, database view management, and database triggers and auditing were present in most articles outlining a database security course. In some cases, the topics were addressed as access control, application access, vulnerability inference and auditing (Murray, 2010). However, these topics were considered the same, with overlap found in each area. Additionally, in articles arguing for an entire three credit hour course, other topics were also described. The prevalent database security topics found in a database security course were: a) fundamental concepts and security models; b) access control models; c) laws and societal implications of privacy; d) encryption; e) auditing; f) application security, such as SQL injection; g) Oracle label security; h) statistical databases; i) data mining security; j) intrusion prevention and inference; k) specific database tool vulnerabilities; l) fault tolerance and recovery; m) multi-level database security; n) Hippocratic databases; o) stored procedures; p) views and row level security; q) virtual private databases; r) metadata security; s) database forensics; t) triggers; u) NoSQL and mobile database security; and v) database surroundings such as network security and operating system security.
Of these topics, nearly all independent courses described fundamental concepts in security, access control, database vulnerability and attack anticipation, and auditing. These topics were fundamental and addressed in standalone database security courses, and were also recommended for an introductory, or traditional, undergraduate database course (Murray, 2010; Guimaraes et al., 2007; Blake, 2007).
5. Findings
Considering information from the textbook analysis, the curricular guidelines from professional organizations and the related literature, three distinct but related findings can be assembled. These findings are timely, as the newly developed ACM curriculum guidelines for post-secondary degree programs in cybersecurity (ACM/IEEE-CS, 2017) shed new light on the Computer Science Curricula 2013, developed jointly by the ACM and the IEEE Computer Society (ACM/IEEE-CS, 2013), as to what to include in a database course that serves both computer science and cybersecurity programs.
First, most research was found to be related to standalone database security courses. A great deal of consideration was given to topics to include in an entire semester course. Much less information existed about the most important aspects of security that can be more easily incorporated into an already crowded introductory database curriculum.
Second, there is less information about how an introductory database course can now do double duty; that is, how it can continue to serve traditional computer science students and the security needs there, along with the newer cybersecurity students with greater demands on the security curriculum. The Computer Science Curricula 2013, developed jointly by the ACM and the IEEE Computer Society (ACM/IEEE-CS, 2013), does not include much on database security, but the ACM's curriculum guidelines for post-secondary degree programs in cybersecurity (ACM/IEEE-CS, 2017) include much more. Therefore, if the database course serves both populations, it must adapt and include more or different topics if it is to remain valuable for both.
Third, the most crucial topics for inclusion in the introductory database course were: a) database administration, including access control and permissions; b) database vulnerability identification and prevention; c) database views and row/column level security; and d) database auditing or triggers. See figure 1.
These findings led directly to several recommendations for educators that are developing and modifying the existing undergraduate database course. While considering the topics relevant to both computer science and cybersecurity students, course modification recommendations based on the findings given earlier are addressed below.
6. Recommendations
The following three recommendations have been developed from the above described textbook analysis, the analysis of curricular recommendations, and a review of related literature.
First, in order to facilitate the incorporation of security topics, database courses should ensure that they leverage multi-user environments not only to discuss concurrency issues, but also to address those of security. Without a multi-user environment, students cannot see the relevance of upcoming security topics. Once a multi-user environment is established, the topic of database administration can be more readily addressed. In traditional database courses, administration topics are not always valued as true database concepts. The computer science curricula 2013, developed by the ACM IEEE Computer Society (ACM/IEEE-CS, 2013) does not include database administration at all. However, students concerned with security will not only need to understand concepts associated with access control, but will need practical information as well.
Second, because the introductory database course will likely serve both computer science and cybersecurity programs, the course should include lessons on a) database administration, including access control and permissions; b) database vulnerability identification and prevention; c) database views and row/column level security; and d) database auditing and triggers. Traditional database courses should be redesigned to include these topics.
Third, the following five specific activities are recommended for hands-on practice of database security concepts. These activities should be developed to include:
* setting up and managing a multiuser database environment
* user setup and access control
* database view design, creation, and implementing row/column level security
* database auditing through the use of triggers
* application security and SQL injection
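For the last activity, application security and SQL injection, an added PostgreSQL example that is not from the paper: the same lookup written once with string concatenation (injectable) and once with bound parameters, in the stored-procedure setting the reviewed literature lists alongside application security; the employee table and function names are illustrative.

```sql
-- Added example (not from the paper): dynamic SQL in PL/pgSQL, vulnerable
-- form beside the hardened forms. Names are illustrative.

CREATE TABLE IF NOT EXISTS employee (
    emp_id    integer PRIMARY KEY,
    full_name text    NOT NULL,
    dept      text    NOT NULL
);

-- VULNERABLE: the caller's string is pasted into the SQL text, so the parser
-- reads it as SQL rather than as data. The quoting around it is decorative;
-- anything the caller supplies becomes part of the statement.
CREATE OR REPLACE FUNCTION find_by_dept_unsafe(p_dept text)
RETURNS SETOF employee LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM employee WHERE dept = ''' || p_dept || '''';
END;
$$;

-- HARDENED: the value travels as a bound parameter ($1). The statement text
-- is fixed before any user data arrives, so no quoting can change its shape.
CREATE OR REPLACE FUNCTION find_by_dept(p_dept text)
RETURNS SETOF employee LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM employee WHERE dept = $1' USING p_dept;
END;
$$;

-- When an identifier (a column name) must be dynamic it cannot be a bound
-- parameter; format() with %I quotes it as an identifier, and the value
-- still goes through USING. Restricting p_col to a known list is better still.
CREATE OR REPLACE FUNCTION find_by_column(p_col text, p_val text)
RETURNS SETOF employee LANGUAGE plpgsql AS $$
BEGIN
    IF p_col NOT IN ('full_name', 'dept') THEN
        RAISE EXCEPTION 'column % is not searchable', p_col;
    END IF;
    RETURN QUERY EXECUTE
        format('SELECT * FROM employee WHERE %I = $1', p_col) USING p_val;
END;
$$;

-- Best: when the query shape is fixed, do not use dynamic SQL at all.
-- Static SQL in a function is parameterized by construction.
CREATE OR REPLACE FUNCTION find_by_dept_static(p_dept text)
RETURNS SETOF employee LANGUAGE sql AS $$
    SELECT * FROM employee WHERE dept = p_dept;
$$;
```

The same distinction applies in application code: a driver's parameter binding (placeholders with a separate argument list) corresponds to USING here, while building the statement by string formatting corresponds to the unsafe form.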
7. Conclusions
This paper described a meta-analysis conducted in order to strengthen the introductory database course in the wake of vigorous growth in the area of cybersecurity and information security (Bureau of Labor Statistics, 2016). Introductory, undergraduate database courses serve a wider and wider range of audiences, and are not only for pure computer science majors. These additional students have a different expectation, and additional needs, in the area of cybersecurity and information security.
In order to remain relevant, the database course must adapt and include new topics, and strengthen existing topics in security. This paper focused on research to determine what topics are currently being offered in database security, along with curriculum recommendations for database security from professional organizations. Additionally, findings were presented and topics were identified from both standalone database security courses, along with introductory database courses which service several technical programs. Finally, recommendations were given as to what database security topics to include in an introductory undergraduate database course. These topics included a) database administration, including access control and permissions; b) database vulnerability identification and prevention; c) database views and row/column level security; and d) database auditing or triggers.
References
ACM/IEEE-CS Joint Task Force on Computing Curricula, Association for Computing Machinery (ACM) and IEEE Computer Society. (2013). Computer science curricula 2013: Curriculum guidelines for undergraduate degree programs in computer science. New York, NY: ACM.
ACM/IEEE-CS Joint Task Force on Cybersecurity Education. (2017). Cybersecurity curricula 2017: Curriculum guidelines for post-secondary degree programs in cybersecurity. New York, NY: ACM.
Bardas, A., Bell, S., Tian, G., Cain, J., & Oudshoorn, M. (2018). Growing a cybersecurity program: Comparing and contrasting multiple attempts. Journal of Computing Sciences in Colleges, 33(5), 186-186.
Blake, E. (2007). Network and database security: Regulatory compliance, network, and database security - a unified process and goal. Journal of digital forensics, security and law 2(4), 77-106.
Bureau of Labor Statistics. (2016). Information security analysts. In Occupational Outlook Handbook 2016-2017. Retrieved 13 Sep. 2018, from: https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm.
Conger, S. (2014). Hands-On database. Upper Saddle River, NJ: Pearson Education.
Connolly, T. & Begg, C. (2015). Database Systems. Upper Saddle River, NJ: Pearson Education.
Coronel, C., Morris, S., & Rob, P. (2013). Database systems: Design, implementation and management. Boston, MA: Cengage Learning.
Elmasri, R. & Navathe, S. (2016). Fundamentals of database systems. Upper Saddle River, NJ: Pearson Higher Education.
Garcia-Molina, H., Ullman, J. D., & Widom, J. (2009). Database systems: The complete book. Upper Saddle River, NJ: Pearson Prentice Hall.
George, B. & Valeva, A. (2006). A database security course on a shoestring: Proceedings of the 37th SIGCSE technical symposium on computer science education, (pp. 7-11). Houston, TX: ACM.
Guimaraes, M. (2006). New challenges in teaching database security: Proceedings of the 3rd annual conference on information security curriculum development, (pp. 64-67). Kennesaw, GA: ACM.
Guimaraes, M., Austin, R., & Said, H. (2009). Database forensics: Proceedings of InfoSec Information Security Curriculum Development Conference, (pp. 62-65). Kennesaw, GA: ACM.
Guimaraes, M., Murray, M., & Austin, R. (2007). Incorporating database security courseware into a database security class: Proceedings of the 4th annual conference on information security curriculum development, (p. 5). Kennesaw, GA: ACM.
Guimaraes, M., Mattord, H., & Austin, R. (2004). Incorporating security components into database courses: Proceedings of the 1st annual conference on information security curriculum development, (pp. 49-52). Kennesaw, GA: ACM.
Harrington, J. (2016). Relational database design and implementation. Cambridge, MA: Elsevier.
Hernandez, M. (2013). Database design for mere mortals: A hands-on guide to relational database design. Upper Saddle River, NJ: Addison-Wesley.
Hoffer, J., Ramesh, V., & Topi, H. (2016). Modern Database Management. Upper Saddle River, NJ: Pearson Education.
Jukic, N., Vrbsky, S., & Nestorov, S. (2017). Database systems: Introduction to databases and data warehouses. Burlington, VT: Prospect Press.
Kroenke, D., Auer, D., Vandenberg, S., & Yoder, R. (2018). Database processing: Fundamentals, design, and implementation. Hoboken, NJ: Pearson Education.
Kroenke, D. & Auer, D. (2016). Database processing: Fundamentals, design, and implementation. Hoboken, NJ: Pearson Education.
Li, L., Qian, K., Chen, Q., Hasan, R., & Shao, G. (2016). Labware for database security: Proceedings of the 17th annual conference on information technology education, (pp. 60-64). Boston, MA: ACM.
Mannino, M. (2019). Database design, application development, and administration. Chicago, IL: Chicago Business Press.
Murray, M. (2010). Database security: What students need to know. Journal of information technology education: Innovations in practice, 9, 61-77.
Osbourne, C. (2013). The top ten most common database security vulnerabilities. https://www.zdnet.com/article/the-top-ten-most-common-database-security-vulnerabilities. Accessed September 8, 2018.
Pratt, P. & Last, M. (2015). Concepts of Database Management. Boston, MA: Cengage Learning.
Ramakrishnan, R. & Gehrke, J. (2003). Database management systems. New York, NY: McGraw-Hill.
Said, H., Guimaraes, M., Maamar, Z., & Jololian, L. (2009). Database and database application security: Proceedings of the 14th annual ACM SIGCSE Conference on Innovation and Technology in Computer Science Education (pp. 90-93). Paris, France: ACM.
Silberschatz, A., Korth, H., & Sudarshan, S. (2011). Database system concepts. New York, NY: McGraw-Hill.
Srinivasan, S. & Kumar, A. (2005). Database security curriculum in infosec program: Proceedings of the 2nd annual conference on information security curriculum development. (pp. 79-83). Kennesaw, GA: ACM.
Umanath, N. & Scamell, R. (2015). Data modeling and database design. Boston, MA: Cengage Learning.
Yang, L. (2009). Teaching database security and auditing: Proceedings of the 40th ACM technical symposium on computer science education (pp. 241-245). Chattanooga, TN: ACM.
Copyright Academic Conferences International Limited 2019