1. Field of the Invention
The present invention relates to database security. More specifically, the present invention relates to a method and apparatus for authorizing a database operation.
2. Related Art
As computer systems store ever-larger amounts of sensitive data, it is becoming increasingly important to protect these systems from malicious users. The global costs incurred from security breaches can run into billions of dollars annually, and the cost to individual companies can be severe, sometimes catastrophic.
To prevent malicious users from accessing private data, database systems often use encryption. Note that, in an encrypted database, even if a malicious user gains access to the encrypted data, the user cannot use the encrypted data unless the user has the appropriate key to decrypt the data.
Unfortunately, although encryption protects private data from malicious users, encryption does not prevent malicious users from executing potentially harmful database operations.
Specifically, in present database systems, database administrators (DBAs) are typically granted privileges to perform any operation. This can create serious security problems, because, if malicious users gain DBA level privileges, they can perform database operations that severely damage or disrupt the system. Furthermore, even during normal operation of the database system, granting all powerful privileges to a DBA makes it very difficult to enforce accountability and separation of duty.
Additionally, note that there are typically a number of DBAs in an organization. This exacerbates the security problem because the database system is compromised even if only one of the DBAs is malicious.
Hence, what is needed is a method and an apparatus for database security without the above-described problems.