A methodology for integrating access control policies within database development

Security in general and database protection from unauthorized access in particular, are crucial for organizations. While functional requirements are defined in the early stages of the development process, non-functional requirements such as security tend to be neglected or dealt with only at the end of the development process. Various efforts have been made to address this problem; however, none of them provide a complete framework to guide, enforce and verify the correct design of security policies, and eventually generate code from that design.We present a novel methodology that assists developers, in particular database designers, to design secure databases that comply with the organizational security policies that are related to access control. The methodology is applied in two main levels: organizational level and application development level. At the organizational level, which takes place before the development of a specific application, organizational policies are defined in the form of security patterns. These patterns encapsulate accumulated knowledge and best practices on security related problems. At the application development level, the data-related security requirements are defined as part of the data model. The security patterns, which have been defined at the organizational level, guide the definition and implementation of the security requirements. The correct implementation of the security patterns is verified during the design stage of the development process, before the automatic generation of the database code. The methodology is supported by a CASE tool that assists its implementation in the various stages.