www.ChineseStandard.us -- Field Test Asia Pte. Ltd.

GB/T 20273-2019 English PDF (GB/T20273-2019)

GB/T 20273-2019: Information Security Technology - Security Technical Requirements for Database Management System

GB/T 20273-2019
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20273-2006
Information Security Technology - Security Technical
Requirements for Database Management System
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 1, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of
China.
Table of Contents
Foreword ... 3 
1 Scope ... 5 
2 Normative References ... 5 
3 Terms, Definitions and Abbreviations ... 6 
3.1 Terms and Definitions ... 6 
3.2 Abbreviations ... 6 
4 Description of Evaluation Target ... 7 
4.1 An Overview of Evaluation Target ... 7 
4.2 Security Features of Evaluation Target ... 8 
4.3 Evaluation Target Deployment Mode ... 9 
5 Definition of Security Issues ... 10 
5.1 Data Assets ... 10 
5.2 Threats ... 10 
5.3 Organization Security Policy ... 13 
5.4 Hypotheses ... 15 
6 Security Objectives ... 18 
6.1 TOE Security Objectives ... 18 
6.2 Environment Security Objectives ... 22 
7 Security Requirements ... 25 
7.1 Extension Component Definition ... 25 
7.2 Requirements of Security Function ... 27 
7.3 Requirements of Security Assurance ... 46 
8 Fundamental Principle ... 69 
8.1 Fundamental Principle of Security Objectives ... 69 
8.2 Fundamental Principle of Security Requirements ... 83 
8.3 Component Dependency ... 93 
Appendix A (informative) Instruction of Standard Amendment and Application ... 96
Bibliography ... 101 
Information Security Technology - Security Technical
Requirements for Database Management System
1 Scope
This Standard stipulates the description of the database management system evaluation
target; the definition of security issues, the security objectives and the security
requirements for database management systems at different evaluation assurance levels;
and the rationale (Clause 8, Fundamental Principle) relating the definition of security
issues to the security objectives, and the security objectives to the security requirements.
This Standard is applicable to the testing, evaluation and procurement of database
management systems. It may also be used to guide the research and development of
database management systems.
NOTE: The EAL2, EAL3 and EAL4 security requirements stipulated in this Standard apply
not only to the security evaluation of database management systems based on
GB/T 18336.1-2015, GB/T 18336.2-2015 and GB/T 18336.3-2015, but also to the
GB/T 17859-1999-based security evaluation of database systems at level 2 (system
audit protection), level 3 (security label protection) and level 4 (structured
protection). See A.1 in Appendix A for the correspondence between the two.
2 Normative References
The following documents are indispensable to the application of this document. For
dated references, only the edition cited applies. For undated references, the latest
edition (including all amendments) applies.
GB/T 18336.1-2015 Information Technology - Security Techniques - Evaluation Criteria
for IT Security - Part 1: Introduction and General Model
GB/T 18336.2-2015 Information Technology - Security Techniques - Evaluation Criteria
for IT Security - Part 2: Security Functional Components
GB/T 18336.3-2015 Information Technology - Security Techniques - Evaluation Criteria
for IT Security - Part 3: Security Assurance Components
GB/T 25069-2010 Information Security Technology - Glossary
GB/T 28821-2012 Technical Requirements of Relational Database Management
System
4 Description of Evaluation Target
4.1 An Overview of Evaluation Target
In this Standard, the target of evaluation (TOE) refers to the management software
included in a database management system (DBMS) and the database objects that it
manages.
The management software included in a DBMS shall provide a database language for
defining, manipulating and managing database objects; provide a database control
language and maintain the data integrity of DBMS operation through the semantic
constraints of the data model; and provide database backup, restore and recovery
mechanisms that guarantee the availability of the database when failures occur during
DBMS operation. A relational database management system (RDBMS) shall in addition
provide a transaction management mechanism that guarantees the atomicity, consistency,
isolation and durability (ACID) of transactions under concurrent multi-user operation.
A DBMS mainly consists of the following parts:
a) Database: made up of physical files, such as data files that store user data and
TOE security functionality (TSF) data; log files that record database
transaction processing; control files that maintain the integrity of DBMS
operation, etc. The database objects stored include schema objects, non-schema
objects, data dictionary objects, etc.
b) Database instance: includes components such as the query engine, transaction
manager and data storage manager, and implements the basic functions of
defining, managing, querying, updating and controlling database objects.
c) Database language and its access interfaces: provides the database language and
the database development interface specifications, such as structured query
language (SQL), open database connectivity (ODBC), Java database
connectivity (JDBC), etc.; allows authorized users, through the development
interfaces, to define the database structure, access and modify database object
data, display the configuration parameters of DBMS operation, and perform
maintenance operations on user data and on data related to DBMS operation.
d) DBMS operation and maintenance auxiliary means: provides auxiliary means or
interfaces for DBMS operation and maintenance, such as starting and shutting
down a database instance; bringing a database or data file online or offline and
opening or closing it; database checkpoint control; database log archiving;
external data import, etc.
user/authorized administrator’s functions like parallel sessions.
NOTE: The security of the DBMS software and of the data assets it manages is not
isolated. In a production environment, the IT environment in which the DBMS
runs (operating system, network system, hardware, etc.) together with the DBMS
forms the security system surrounding the TOE. In the TOE description, the
security target (ST) author shall clearly identify the relationship between the
architecture of the DBMS under evaluation and the various components of the
IT environment.
4.3 Evaluation Target Deployment Mode
Any entity, internal or external to the DBMS, that needs to obtain data assets managed
by the TOE shall first satisfy the corresponding security policies of the TOE and of its
operating environment. The TOE operating environment may include multiple security
control components involving multiple security policies, such as physical security of
equipment, physical security of the environment, physical security of the system, and
personnel security management. These operating-environment security policies protect
the DBMS software and the database it manages against security threats arising in the
operating environment of the DBMS.
This Standard may be used to evaluate DBMS security in multiple deployment
structures, including but not limited to the following architectures:
a) Centralized architecture: the DBMS software and the database application
program are installed and run on a single host; users can only submit database
access requests or administrative commands from an application terminal, and
these are transmitted to the host over communication lines; after the database
instance on the host has responded to and processed them, the result is
returned to the user terminal over the communication lines.
b) Client/server architecture: the client-side database application and the server-
side database instance communicate over network connections; the client sends
database access requests or administrative commands and displays the data
returned by the database instance; the server securely executes the user's
database access requests and administrative commands. The front-end
application may be browser-based, connecting to the database server through a
remote web server or application server; that remote server is then responsible
for the interaction with the database server.
c) Distributed database architecture: database nodes are stored on multiple
physically independent site database servers. The database servers of these
sites, connected over the network, collaboratively provide distributed database
data access services. Users may execute certain database access requests or administrative
operation data, which leads to failure of TSF security control mechanism.
5.2.3 Audit mechanism’s failure (T.AUDIT_FAILURE)
A malicious user or process might modify the security audit policy so that the database
audit function is disabled or invalidated, audit records are lost, or audit records are
tampered with; or might invalidate the audit data storage so that subsequent audit
records cannot be stored, thereby erasing the trace of the user's database operations.
5.2.4 Cryptographic attack (T.CRYPTO_COMPROMISE)
A malicious user or process might improperly view, modify or delete the keys, data or
executable code of the cryptographic service components related to database storage
encryption and communication encryption, undermining the database encryption
mechanism and disclosing the data that the encryption mechanism protects.
5.2.5 Data transmission eavesdropping (T.EAVESDROP)
A malicious user or process might observe or modify user data or TSF data transmitted
between physically separated components of the TOE (including user requests and
responses between the client and the server, data transmitted between the nodes of a
distributed database, etc.).
5.2.6 Flawed design (T.FLAWED_DESIGN)
Unintentional logic errors in the TOE requirements specification or design might lead
to design weaknesses or flaws, which a malicious user might exploit to attack the TOE.
5.2.7 Flawed implementation (T.FLAWED_IMPLEMENTATION)
Unintentional errors during TOE development might introduce weaknesses or flaws into
the TOE implementation, which a malicious user might exploit as previously unknown
vulnerabilities to attack the TOE.
5.2.8 Label data out-of-control (T.LBAC)
A malicious user or process might illegally view, modify or delete the TOE's label policy
data, the clearance labels of controlled subjects, or the bound labels of controlled
objects. An authorized administrator might also illegally access the label-managed data
assets of a controlled subject.
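The threat above is about keeping three kinds of data out of the user's reach: the label policy, the subject clearance labels and the object labels. As an added example that is not part of GB/T 20273-2019, the following PostgreSQL script implements a small label-based policy with row-level security in which a user can read only their own clearance, cannot change any label, and sees only objects whose label does not exceed that clearance. The role, table and label names (analyst_lo, analyst_hi, subject_label, report) are hypothetical, and the script assumes it is run by the database owner.

```sql
-- Added example (not part of GB/T 20273-2019): label-based access control
-- in PostgreSQL whose label data is itself protected from ordinary users,
-- the property T.LBAC is concerned with. Names are hypothetical; run as owner.

-- Subject clearance labels. Users may see only their own row (row-level
-- security on SELECT) and may not change any row (no INSERT/UPDATE/DELETE grant).
CREATE TABLE subject_label (
    rolname   name     PRIMARY KEY,
    clearance smallint NOT NULL CHECK (clearance BETWEEN 0 AND 3)  -- 0 public .. 3 top secret
);
ALTER TABLE subject_label ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_clearance ON subject_label FOR SELECT
    USING (rolname = current_user);

-- Controlled objects carry a bound sensitivity label.
CREATE TABLE report (
    id    bigint   GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    label smallint NOT NULL CHECK (label BETWEEN 0 AND 3),
    body  text     NOT NULL
);
ALTER TABLE report ENABLE ROW LEVEL SECURITY;

-- "No read up": a row is visible only if its label does not exceed the
-- reader's clearance. The subquery itself runs under the own_clearance policy,
-- so it can only ever return the reader's own row; unknown subjects get 0.
CREATE POLICY read_down ON report FOR SELECT
    USING (label <= COALESCE((SELECT clearance FROM subject_label
                              WHERE rolname = current_user), 0));
-- Writes are allowed only at exactly the writer's own level. There is no
-- UPDATE policy and no UPDATE grant, so a bound label cannot be rewritten.
CREATE POLICY write_own_level ON report FOR INSERT
    WITH CHECK (label = COALESCE((SELECT clearance FROM subject_label
                                  WHERE rolname = current_user), 0));

CREATE ROLE analyst_lo NOLOGIN;
CREATE ROLE analyst_hi NOLOGIN;
GRANT SELECT ON subject_label TO analyst_lo, analyst_hi;
GRANT SELECT, INSERT ON report TO analyst_lo, analyst_hi;

-- Seed label data and objects as the owner. The owner bypasses row-level
-- security on its own tables: this is exactly the "authorized administrator"
-- path the threat also names, and it needs to be audited separately.
INSERT INTO subject_label VALUES ('analyst_lo', 1), ('analyst_hi', 3);
INSERT INTO report(label, body)
VALUES (1, 'unclassified summary'), (3, 'top secret detail');

-- Behaviour as seen by the low-clearance subject.
SET ROLE analyst_lo;
SELECT id, label, body FROM report;               -- read_down hides the label-3 row
SELECT rolname, clearance FROM subject_label;     -- own_clearance hides other subjects
INSERT INTO report(label, body) VALUES (3, 'x');  -- rejected by write_own_level
UPDATE subject_label SET clearance = 3;           -- rejected: no UPDATE privilege
RESET ROLE;
```

The policy bodies are deliberately kept to a single clearance comparison; a real label policy would add compartments and a write-up rule, but the protective structure (label data readable only row-by-row, never writable by subjects, and administrator bypass treated as an audited exception) stays the same.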
5.2.9 Masqueraded authorized user (T.MASQUERADE)
A malicious user or process might masquerade as an authorized administrator or
authorized user to access the data dictionary, system security configuration parameters
or data assets protected by the DBMS.
It is assumed that there are one or more authorized administrators in the TOE with
designated role permissions, and that their roles are divided according to security
principles such as least privilege, separation of duties and defense in depth (the ST
author shall explain the specific meaning of "security role" in terms of the system
privileges supported by the DBMS and the specific application scenario that the DBMS
targets).
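As an added example that is not part of GB/T 20273-2019, the PostgreSQL script below shows one concrete division of administrator duties of the kind this assumption (and the O.ADMIN_ROLE objective in 6.1.5) calls for: a security administrator who manages roles and grants but owns no data, an audit administrator who can only read the audit schema, an operations administrator who can read everything for backups but change nothing, and an application role confined to its own schema. No one other than the bootstrap superuser holds SUPERUSER. The role and schema names are hypothetical, and the script assumes PostgreSQL 16 or later, where CREATEROLE no longer implies control over unrelated roles.

```sql
-- Added example (not part of GB/T 20273-2019): administrator role separation
-- in PostgreSQL 16+, illustrating the least-privilege / separation-of-duties
-- assumption of 5.4.4 and the O.ADMIN_ROLE objective of 6.1.5.
-- Role and schema names (sec_admin, audit_admin, ops_admin, app_rw) are hypothetical.

-- 1. Security administrator: manages roles and grants, owns no data.
--    CREATEROLE without SUPERUSER; NOINHERIT so the privileges of the roles it
--    administers are not acquired implicitly.
CREATE ROLE sec_admin LOGIN CREATEROLE NOINHERIT NOSUPERUSER NOCREATEDB NOBYPASSRLS;

-- 2. Audit administrator: read-only over the audit schema and nothing else.
CREATE ROLE audit_admin LOGIN NOSUPERUSER NOCREATEROLE NOCREATEDB;
CREATE SCHEMA audit;
CREATE TABLE audit.events (
    id     bigint      GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    at     timestamptz NOT NULL DEFAULT now(),
    actor  text        NOT NULL,
    action text        NOT NULL
);
GRANT USAGE ON SCHEMA audit TO audit_admin;
GRANT SELECT ON ALL TABLES IN SCHEMA audit TO audit_admin;

-- 3. Operations administrator: backups need to read every table, so use the
--    built-in pg_read_all_data role; it grants no write or role-management right.
CREATE ROLE ops_admin LOGIN NOSUPERUSER NOCREATEROLE NOCREATEDB;
GRANT pg_read_all_data TO ops_admin;

-- 4. Application role: DML on its own schema only, never DDL or grants.
CREATE ROLE app_rw LOGIN NOSUPERUSER NOCREATEROLE NOCREATEDB;
CREATE SCHEMA app;
GRANT USAGE ON SCHEMA app TO app_rw;
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_rw;

-- Make sure nothing in either schema is reachable through PUBLIC.
REVOKE ALL ON SCHEMA audit FROM PUBLIC;
REVOKE ALL ON SCHEMA app   FROM PUBLIC;

-- Evaluator's check: every login role that carries a privilege able to defeat
-- the separation above. Any row other than the bootstrap superuser is a
-- finding against this assumption.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls
FROM   pg_roles
WHERE  rolcanlogin
  AND  (rolsuper OR rolcreaterole OR rolcreatedb OR rolbypassrls)
ORDER  BY rolname;
```

The backup role is the one deliberate overlap: pg_read_all_data necessarily covers the audit schema, so reads by ops_admin should themselves be written to the audit trail rather than prevented.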
5.4.5 Multi-tier application accountability (A.MIDTIER)
In a multi-tier application environment, in order to guarantee the security accountability
of the TOE, any middle-tier service component of the TOE operating environment shall
forward the original authorized user's identity to the TSF (the ST author shall explain
the specific meaning of "multi-tier application accountability" in terms of the specific
application scenario that the DBMS targets).
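The usual way this assumption is violated is a connection pool: every request reaches the database as the same service account and the audit trail records nothing about the end user. As an added example that is not part of GB/T 20273-2019, the PostgreSQL script below has the middle tier switch to the end user's role for the duration of each transaction, and an audit trigger that records both the connecting identity and the asserted one, so a request executed without the original user forwarded is visible in the trail. The role and table names (app_svc, alice, bob, orders, audit_log) are hypothetical.

```sql
-- Added example (not part of GB/T 20273-2019): a middle tier that pools one
-- service connection but still reports the original user to the TSF, as the
-- A.MIDTIER assumption requires, in PostgreSQL. Names are hypothetical.

-- Service account used by the application server's connection pool. It may
-- switch to exactly the end-user roles it is a member of, and nothing else.
CREATE ROLE app_svc LOGIN NOINHERIT;
CREATE ROLE alice NOLOGIN;        -- end users never connect directly
CREATE ROLE bob   NOLOGIN;
GRANT alice, bob TO app_svc;      -- allows SET ROLE alice / SET ROLE bob

CREATE TABLE orders (
    id     bigint  GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    owner  text    NOT NULL DEFAULT current_user,  -- the asserted end user, not app_svc
    amount numeric NOT NULL
);
GRANT SELECT, INSERT ON orders TO alice, bob;

-- Append-only audit trail populated by trigger. It records both identities:
-- session_user (who connected) and current_user (who the mid tier asserted).
CREATE TABLE audit_log (
    at           timestamptz NOT NULL DEFAULT now(),
    connected_as text        NOT NULL,
    acting_as    text        NOT NULL,
    operation    text        NOT NULL,
    order_id     bigint
);
CREATE FUNCTION audit_orders() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO audit_log(connected_as, acting_as, operation, order_id)
    VALUES (session_user, current_user, TG_OP,
            CASE TG_OP WHEN 'DELETE' THEN OLD.id ELSE NEW.id END);
    RETURN NULL;
END $$;
CREATE TRIGGER orders_audit AFTER INSERT OR UPDATE OR DELETE ON orders
    FOR EACH ROW EXECUTE FUNCTION audit_orders();
-- Neither end users nor app_svc hold any privilege on the trail, so they can
-- neither read nor alter it (cf. T.AUDIT_FAILURE); only the trigger writes to it.
REVOKE ALL ON audit_log FROM PUBLIC;

-- What the middle tier does per request: the role switch is LOCAL to one
-- transaction, so it cannot leak into the next request served by the same
-- pooled connection.
BEGIN;
SET LOCAL ROLE alice;                 -- identity established by the application tier
INSERT INTO orders(amount) VALUES (42.00);
COMMIT;                               -- role reverts to app_svc automatically

-- Evaluator's check: a trail row whose acting_as equals connected_as is a
-- request executed without the original user being forwarded.
SELECT at, connected_as, acting_as, operation, order_id
FROM   audit_log
WHERE  acting_as = connected_as;
```

The trust placed in the middle tier is the point of the assumption: app_svc can SET ROLE to any user it has membership in, so the database cannot tell a forged assertion from a correct one. What it can guarantee is that every row in the trail names the role that was asserted and the account that asserted it, which is what accountability of the TOE requires.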
5.4.6 Administrator hypothesis (A.NO_HARM)
Authorized users and authorized administrators of the database have basic knowledge of
database security protection and good habits of database use. They are well trained,
comply with the TOE administrator guidance and use the database in a secure manner.
5.4.7 Exclusive for server (A.NO_GENERAL_PURPOSE)
No other programs or services that provide general-purpose computing or storage
capability (for example, compilers, editors or application programs) are installed on the
host on which the DBMS runs.
5.4.8 Physical security (A.PHYSICAL)
The DBMS operating environment shall provide physical security commensurate with the
value of the data it manages; for example, TOE-related data stored outside the database
(such as configuration parameters and archived logs) is stored and managed in a secure
manner.
5.4.9 Communication security (A.SECURE_COMMS)
It is assumed that the communication channels between the nodes of a distributed
database and between the database server and application terminals are secure and
reliable (for example, they satisfy confidentiality and integrity). This may be
implemented with shared keys, public/private key pairs, or session keys derived from
other stored keys.
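Because this is an assumption about the environment rather than a TOE requirement, an evaluator still has to confirm it holds on the deployed system. As an added example that is not part of GB/T 20273-2019, the PostgreSQL script below turns on TLS with a minimum protocol version and a CA for client certificates, then runs three queries against the server's own statistics views to find plaintext network sessions and TLS sessions that presented no client certificate. The certificate paths are hypothetical; the host-based rules that reject plaintext connections live in pg_hba.conf and cannot be set from SQL, see the note after the block.

```sql
-- Added example (not part of GB/T 20273-2019): enforcing and verifying the
-- secure-channel assumption A.SECURE_COMMS on a PostgreSQL server.
-- Certificate paths are hypothetical.

-- Require TLS 1.2 or newer and point the server at its certificate and at the
-- CA that signs client certificates. ALTER SYSTEM writes postgresql.auto.conf;
-- these settings take effect on reload.
ALTER SYSTEM SET ssl = on;
ALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.2';
ALTER SYSTEM SET ssl_cert_file = '/etc/postgresql/tls/server.crt';
ALTER SYSTEM SET ssl_key_file  = '/etc/postgresql/tls/server.key';
ALTER SYSTEM SET ssl_ca_file   = '/etc/postgresql/tls/clients-ca.crt';
SELECT pg_reload_conf();

-- Evaluator's check 1: the configuration actually in effect.
SELECT name, setting
FROM   pg_settings
WHERE  name IN ('ssl', 'ssl_min_protocol_version', 'ssl_ca_file');

-- Evaluator's check 2: live client sessions not protected by TLS. Local
-- Unix-socket connections have client_addr IS NULL and are excluded; every
-- remaining row is a plaintext network session and therefore a finding.
SELECT a.pid, a.usename, a.client_addr, a.application_name
FROM   pg_stat_activity AS a
LEFT   JOIN pg_stat_ssl AS s ON s.pid = a.pid
WHERE  a.client_addr IS NOT NULL
  AND  NOT COALESCE(s.ssl, false);

-- Evaluator's check 3: TLS sessions that did not present a client certificate
-- (client_dn is NULL), i.e. the server authenticated itself but the peer did not.
SELECT s.pid, a.usename, s.version, s.cipher, s.client_dn
FROM   pg_stat_ssl AS s
JOIN   pg_stat_activity AS a ON a.pid = s.pid
WHERE  s.ssl
  AND  s.client_dn IS NULL
  AND  a.client_addr IS NOT NULL;
```

The server-side settings only make TLS available; to make it mandatory, pg_hba.conf needs a `hostssl ... scram-sha-256 clientcert=verify-full` line for the permitted networks and a `hostnossl ... reject` line so that plaintext attempts are refused rather than downgraded, and clients should connect with `sslmode=verify-full` so that they authenticate the server as well. Checks 2 and 3 then serve as the evidence that the assumption holds at the time of evaluation.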
management of DBMS products. The TOE shall provide authorized users with user
operation manual documents covering the creation and use of database objects (the ST
author shall, based on the TOE security mechanisms, explain the pre-configured database
administrator roles so as to implement authorized management with separation of
duties).
6.1.5 Administrator role separation (O.ADMIN_ROLE)
The TOE shall provide authorized administrator roles corresponding to the different
database management operations, so as to provide role management functions such as
separation of duties and role constraints. These management functions may be
performed locally or remotely (the ST author shall, based on the TOE security
mechanisms, explain the pre-configured database administrator roles, so as to
implement authorized man...