Databases store some of the organization’s most mission-critical data—corporate financial records, customer information, employee details, etc. Inadequately securing this data can result in higher security and compliance risks. Clearly, database security is a top priority and organizations need to ensure that only the right people have access to the appropriate data.
However, implementing database access control at a granular level for all users is not easy and can be extremely costly. It requires column-level and row-level security to restrict access to data for certain users. For example, managers in an organization may need payroll information for all of their direct reports, but their direct reports do not need payroll information on their peers. Column-level and row-level security would filter the columns and rows of data that a user can view.
To accomplish this, organizations have typically custom-coded access control mechanisms in their applications or modified the database structures, including the creation of separate tables with different views for each type of application or user. This labor-intensive approach is expensive to develop, cumbersome to maintain, and difficult to implement in a controlled and consistent manner across all users.
BiTKOO has developed exclusive technology that enables column-level and row-level security for SQL Server without requiring developers and database administrators to write custom code. It also provides centralized control and audit of all user access to SQL Server data for unmatched security and transparency. The solution utilizes a combination of BiTKOO’s Keystone and DB-Wall™ products.
Keystone is the industry’s fastest 100% XACML standards-based engine that externalizes and centralizes the management of fine-grained access control for all applications enterprise-wide. By extending the Keystone model to SQL Server, BiTKOO enables administrators to create, assign, modify and remove specific column-level and row-level permissions for SQL Server users and groups.
DB-Wall is a Policy Enforcement Point (PEP) for SQL Server that dynamically applies the column-level and row-level permissions to user requests at runtime. It functions as a SQL Server proxy that clients communicate with, rather than communicating with the database server directly. DB-Wall uses Keystone metadata and a sophisticated query engine to intercept SQL calls from clients such as ODBC, JDBC, or native SQL Client, and to modify inbound requests in such a way that only authorized data is returned to the caller.
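The manager and direct-report payroll rule described earlier, applied to a request before it reaches the database, as an added example (not BiTKOO's code and not a description of how Keystone or DB-Wall is implemented). It uses Python's `sqlite3` in place of SQL Server and takes a column list rather than arbitrary SQL; the table, the policy, the function names and the sample rows are all assumptions constructed for illustration, and `user_id` is assumed to come from an authenticated session.

```python
import sqlite3

# Constructed sample data: (id, name, manager_id, salary)
EMPLOYEES = [
    (1, "alice", None, 150000),
    (2, "bob", 1, 90000),
    (3, "carol", 1, 95000),
    (4, "dave", 2, 70000),
]
COLUMNS = ("id", "name", "manager_id", "salary")
# Hypothetical policy: these columns are visible only on the caller's own row
# and on rows of the caller's direct reports; other columns on every row.
RESTRICTED = {"salary"}


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT,"
               " manager_id INTEGER, salary INTEGER)")
    db.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    return db


def rewrite(user_id, columns):
    """Return (sql, params) for the request with the policy applied."""
    unknown = [c for c in columns if c not in COLUMNS]
    if unknown:
        # Column names are checked against an allowlist because they are
        # interpolated into the SQL text; values travel as bound parameters.
        raise ValueError(f"unknown column(s): {unknown}")
    sql = f"SELECT {', '.join(columns)} FROM employees"
    params = ()
    if RESTRICTED.intersection(columns):
        # Row-level filter: restricted data only for the caller and reports.
        sql += " WHERE manager_id = ? OR id = ?"
        params = (user_id, user_id)
    return sql + " ORDER BY id", params


def query_as(db, user_id, columns):
    """Run the policy-rewritten request on behalf of user_id."""
    sql, params = rewrite(user_id, columns)
    return db.execute(sql, params).fetchall()
```

The application code that calls `query_as` contains no access logic of its own; changing who may see `salary` means changing the policy, not every query.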