GB/T 20273-2019 English PDF (GBT20273-2019)


GB/T 20273-2019: Information security technology -- Security technical requirements for database management system

GB/T 20273-2019
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20273-2006
Information Security Technology - Security Technical
Requirements for Database Management System
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 1, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative References ... 5
3 Terms, Definitions and Abbreviations ... 6
3.1 Terms and Definitions ... 6
3.2 Abbreviations ... 6
4 Description of Evaluation Target ... 7
4.1 An Overview of Evaluation Target ... 7
4.2 Security Features of Evaluation Target ... 8
4.3 Evaluation Target Deployment Mode ... 9
5 Definition of Security Issues ... 10
5.1 Data Assets ... 10
5.2 Threats ... 10
5.3 Organization Security Policy ... 13
5.4 Hypotheses ... 15
6 Security Objectives ... 18
6.1 TOE Security Objectives ... 18
6.2 Environment Security Objectives ... 22
7 Security Requirements ... 25
7.1 Extension Component Definition ... 25
7.2 Requirements of Security Function ... 27
7.3 Requirements of Security Assurance ... 46
8 Fundamental Principle ... 69
8.1 Fundamental Principle of Security Objectives ... 69
8.2 Fundamental Principle of Security Requirements ... 83
8.3 Component Dependency ... 93
Appendix A (informative) Instruction of Standard Amendment and Application ... 96
Bibliography ... 101
Information Security Technology - Security Technical
Requirements for Database Management System
1 Scope
This Standard stipulates the description of database management system evaluation target; the definition, security objectives and requirements of security issues of different evaluation assurance levels of database management system; the fundamental principles between the definition of security issues and security objectives, and between security objectives and security requirements.
This Standard is applicable to the test, evaluation and procurement of database management system. It may also be applied to the guidance of the research and development of database management system.
NOTE: Level-EAL2, Level-EAL3 and Level-EAL4 security requirements stipulated in this Standard are applicable not only to the security evaluation of database management system based on GB/T 18336.1-2015, GB/T 18336.2-2015 and GB/T 18336.3-2015, but also to GB/T 17859-1999-based database security evaluation of second-level database system audit protection, third-level security label protection and fourth-level structural protection. Please refer to A.1 in Appendix A for relevant correspondences.
2 Normative References
The following documents are indispensable to the application of this document. In terms of references with a specified date, only versions with a specified date are applicable to this document. In terms of references without a specified date, the latest version (including all the modifications) is applicable to this document.
GB/T 18336.1-2015 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 1: Introduction and General Model
GB/T 18336.2-2015 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 2: Security Functional Components
GB/T 18336.3-2015 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 3: Security Assurance Components
GB/T 25069-2010 Information Security Technology - Glossary
GB/T 28821-2012 Technical Requirements of Relational Database Management System
4 Description of Evaluation Target
4.1 An Overview of Evaluation Target
In this Standard, target of evaluation (TOE) refers to the management software included in the database management system (DBMS) and the database objects that it manages.
Management software included in DBMS shall provide database language, which defines, operates and manages database object; provide database control language and maintain data integrity of DBMS operation through data model semantic constraints; provide database backup, restore and recovery mechanism, guarantee the availability of database when there are breakdowns in DBMS operation. Relational database management system (RDBMS) shall provide transaction management mechanism, guarantee the atomicity, consistency, isolation and durability (ACID) of transactions in multi-user database concurrent operations.
DBMS mainly includes the following constituent parts:
a) Database: constituted of physical files, such as: data file that stores user data and TOE security functionality (TSF) data; log file that stores database transaction processing process; control file that maintains the integrity of DBMS operations, etc. The database object being stored includes: model object, non-model object, database dictionary object, etc.
b) Database instance: include components like query engine, transaction manager, data storage manager, etc. Implement basic functions: the definition, management, query, update and control of database object.
c) Database language and its access interface: provide database language and database development interface specifications, such as: structured query language (SQL), open database connectivity (ODBC), JAVA database connectivity (JDBC), etc.; allow authorized users to define database structure through database development interface, access and modify database object data, demonstrate relevant configuration parameters of DBMS operation, and execute various maintenance operations on user data and relevant data of DBMS operation.
d) DBMS operation maintenance auxiliary means: provide DBMS operation maintenance auxiliary means or interfaces, such as: initiation and shutdown of database instance; online, offline, opening and closing of database or data file; database checkpoint control; database log archiving; external data import, etc.
user/authorized administrator's functions like parallel sessions.
NOTE: DBMS software and the security of its management data assets are not isolated. Under the production environment, the IT environment of DBMS operation (operating system, network system and hardware, etc.), together with DBMS, establish a security system of TOE. In the description of TOE, security target (ST) author clearly indicates and identifies the correlation between the architecture of DBMS evaluation, and the various components of IT environment.
4.3 Evaluation Target Deployment Mode
If any internal and external entity of DBMS needs to obtain data assets of TOE management, firstly, it shall satisfy corresponding security policies of TOE and the operating environment. TOE operating environment target might include multiple security control components, which involve multiple security policies, such as: equipment's physical security, environmental physical security, system's physical security and personnel security management, etc. These operating environment security policies prevent DBMS software and the database that it manages from security threats in the operating environment of DBMS.
This Standard may be adopted to evaluate DBMS security of multiple deployment structures, which include, but are not limited to, the following architectures:
a) Centralized architecture: DBMS software and database application program are installed and operated on a host; user can only send out database access requests or administrative commands through the application terminal, which is transmitted to the host through communication lines; after database instance response and processing on the host, the processing result is returned to the user terminal through the communication lines.
b) Client/server system structure: client-side database application and server-side database instance implement communication through network connections; client-side sends database access requests or administrative commands, demonstrates the returned data by database instance; server-side securely executes user's database access requests and administrative commands. Front-end application may be implemented on the basis of browser; through remote Web server or application server, implement connections with database server; the remote server takes charge of the interaction with the database server.
c) Distributed database architecture: database nodes are respectively stored on multiple site database servers, which are physically mutually independent. The database servers among these sites, which are connected through the network, collaboratively provide distributed database data access service. User may execute certain database access requests or administrative
operation data, which leads to failure of TSF security control mechanism.
5.2.3 Audit mechanism's failure (T.AUDIT_FAILURE)
Malicious user or process might modify security audit strategy, which would lead to disabled or invalidated database audit function, audit record loss or tampered audit record. Or, through the invalidated audit data storage, the storage of the subsequent audit record would be prevented, which would wipe out user's database operation.
5.2.4 Cryptographic attack (T.CRYPTO_COMPROMISE)
Malicious user or process might lead to improper browse, modification or deletion of executable codes of database storage and communication encryption function-related key, data or ciphertext service components, which would undermine the database encryption mechanism and leak the data protected by the encryption mechanism.
5.2.5 Data transmission eavesdropping (T.EAVESDROP)
Malicious user or process might observe or modify user data or TSF data transmitted among TOE physically isolated components (including user requests and responses between the client-side and the server, data transmission among different nodes of distributed database, etc.).
5.2.6 Flawed design (T.FLAWED_DESIGN)
Unintentional logic errors in TOE demand specifications or design might lead to design weaknesses or flaws. Malicious user might take advantage of these flaws to initiate security attack against TOE.
5.2.7 Flawed implementation (T.FLAWED_IMPLEMENTATION)
Unintentional errors during the development of TOE might lead to weaknesses or flaws in TOE implementation. Malicious user might take advantage of these unknown loopholes to attack TOE.
5.2.8 Label data out-of-control (T.LBAC)
Malicious user or process might illegally browse, modify or delete label strategy data, controlled subject classification label data and controlled object bond label data of TOE. Authorized administrator's illegal access to label management-based data assets of controlled subject.
5.2.9 Masqueraded authorized user (T.MASQUERADE)
Malicious user or process might masquerade as authorized administrator or authorized user to access database dictionary, system security configuration parameters or data assets protected by DBMS.
It is assumed that there will be one or multiple authorized administrators with appointed role permissions in TOE, and their roles are divided in accordance with security principles like least privilege, separation of duties and defense in depth (ST author needs to explain the specific meaning of "security role" in accordance with the system permissions supported by DBMS and the solutions to the specific application that DBMS targets).
5.4.5 Multi-tier application accountability (A.MIDTIER)
In multi-tier application environment, in order to guarantee the security accountability of TOE, the TOE operating environment component service of any middle tier shall send the original authorized user identification to TSF (ST author shall explain the specific meaning of "multi-tier application accountability" in accordance with the solutions to the specific application that DBMS targets).
5.4.6 Administrator hypothesis (A.NO_HARM)
Authorized user and authorized administrator that use the database are equipped with fundamental database security protection knowledge and good habits of using the database. They are well-trained; they could comply with TOE administrator guidance and use the database through secure modes.
5.4.7 Exclusive for server (A.NO_GENERAL_PURPOSE)
On the host where DBMS is operated, other programs or services that obtain universal computation or storage capability (for example, compiler, editor or application program) are not installed.
5.4.8 Physical security (A.PHYSICAL)
DBMS operating environment shall provide physical security that is consistent with the data value under its management. For example, store and manage TOE-related data (such as: configuration parameters and archived logs, etc.) that is stored outside the database through a secure mode.
5.4.9 Communication security (A.SECURE_COMMS)
It is assumed that communication channels among different nodes in the distributed database between data server and application terminal are safe and reliable (for example, satisfied confidentiality and integrity). The implementation mode may be through shared key, public/private key pair, or, the generation of session key through other keys being stored.
management of DBMS products. TOE shall provide authorized user with user operation manual documents related with database object establishment and application (ST author shall base on TOE security mechanism to explain pre-configured database administrator role, so as to implement authorized management of separated duties).
6.1.5 Administrator role separation (O.ADMIN_ROLE)
TOE shall provide authorized administrator role, which is consistent with different database management operations, so as to provide role management functions, such as: the separation of duties and role constraints, etc. In addition, these management functions may implement security management through local or remote mode (ST author shall base on TOE security mechanism to explain pre-configured database administrator role, so as to implement authorized management of separated duties).
6.1.6 Audit data generation (O.AUDIT_GENERATION)
TOE shall provide the capability of detecting and establishing user-related security events, such as: database audit policy definition, audit function start-stop management, database management operations and user database object operations, etc. (ST author shall base on the composition and storage mechanism of TOE audit record to explain the mode of audit data storage (inside and outside database), and audit data security management mechanism).
6.1.7 Audit data protection (O.AUDIT_PROTECTION)
TOE shall have the capability of securely storing audit data and protecting audit events being stored.
6.1.8 Available database service (O.AVAIL)
TOE shall provide data recovery mechanism for transaction, database instance and storage medium failures; provide the capability of self-maintenance of database storage structure in DBMS updates; guarantee the restorability of TOE management data assets.
TOE shall provide primary and secondary server TSF control transfer and database instance failover mechanism, so as to support distributed component deployment of distributed database service for the management demand of availability.
6.1.9 Configuration identification (O.CONFIG)
TOE shall identify product component configuration and evaluation configuration items of its documents, so as to provide methods of correcting and tracing them when DBMS is re-distributed and correction errors are corrected.
NOTE: generally speaking, configuration identification refers to issuance baseline that is TOE operating environment shall be equipped with database administrator group or role; provide necessary functions and facilities for the management and configuration of DBMS operation security; prevent these functions and facilities from unauthorized usage.
6.2.5 Directory access control protection (OE.DIR_CONTROL)
DBMS operating environment that supports directory service (for example, LDAP server) shall provide mechanisms like user identification, identity authentication and access control, so as to prevent illegal user from accessing TSF data stored under the directory service. The access control mechanism of directory service shall provide security protection measures of TSF control data import/export.
6.2.6 IT domain separation (OE.DOMAIN_SEPARATION)
TOE operating environment under distributed deployment shall provide TOE operation nodes with one separable security execution domain. Communication among different DBMS nodes shall be conducted through a secure mode.
6.2.7 Administrator Integrity (OE.NO_HARM)
Organization that adopts TOE shall guarantee that authorized administrator is trustworthy, well-trained, and can comply with organization security policy and relevant database administrator guidance.
6.2.8 Exclusive for database server (OE.NO_GENERAL_PURPOSE)
Apart from providing necessary service components for TOE operation, management and support, database server shall not have computation or storage functional components (for example, compiler, editor or application program) that are irrelevant with database instance operation.
6.2.9 Consistency of physical security (OE.PHYSICAL)
TOE operating environment shall provide physical security that is consistent with DBMS and the value of its management data assets.
6.2.10 Communication security environment (OE.SECURE_COMMS)
TOE operating environment shall provide secure communication lines between remote user/program and database server.
6.2.11 IT environment self-protection (OE.SELF_PROTECTION)
TOE operating environment shall maintain one execution domain which prevents DBMS and its operating environment from external interference, damage or unauthorized leakage.
FMT_MSA_EXT.1.2 TSF shall implement [option: label access control-based security policy, [assignment: information flow control policy with appointed mechanism by ST author]]; merely through [option: LBAC authorized user, [assignment: authorized administrator appointed by ST author]], implement [[assignment: security attribute] to [assignment: security label]].
NOTE: this requirement is applicable to EAL-3 evaluation assurance level.
7.1.3.2 Security attribute management [FMT_MSA_EXT.1(2)]
FMT_MSA_EXT.1.1 TSF shall implement [option: user control policy-based, role control policy-based and user group control policy-based, [assignment: compulsory access control defined by ST author]]; merely through [option: authorized administrator, authorized user] to conduct [option: alteration of default value, query, modification, deletion, [assignment: other operations]] on security attribute [option: database object access permission, security role].
FMT_MSA_EXT.1.2 TSF shall implement [option: label access control-based security policy, [assignment: information flow control policy with appointed mechanism by ST author]]; merely through [option: LBAC authorized user, [assignment: authorized administrator appointed by ST author]], implement [[assignment: security attribute] to [assignment: security label]].
NOTE: this requirement is applicable to EAL-4 evaluation assurance level.
7.1.3.3 Static attribute initialization [FMT_MSA_EXT.3]
FMT_MSA_EXT.3.1 TSF shall implement [option: user control policy-based, role control policy-based and user group control policy-based, [assignment: self-access control defined by ST author]], so as to provide default value to the execution of SFP security attribute [option: select one of them: restri...