Wednesday, September 2, 2020

Entrepreneurial Leadership Paper Assignment Example | Topics and Well Written Essays - 1000 words

Innovative Leadership Paper - Assignment Example Five Guys stresses administration quality more than business benefit, as the administration accepts that this approach is the most ideal approach to meet client desires. Jerry Murrell, one of the prime supporters of Five Guys, says that his marketable strategy was basically to “sell a great, delicious burger on a new bun. Make immaculate French fries. Don’t cut corners” (as cited in Contemporary Business, 2012). The organization isn't prepared to bargain its item quality in spite of the impressive measure of cash and time it needs to contribute to support it. The contextual investigation mirrors that the organization imported potatoes from northern Idaho paying little mind to the moderate development issues so as to acquire strong and scrumptious potatoes; and as opposed to this, the firm’s contenders imported less expensive and low quality potatoes from Florida or California (Contemporary Business, 2012). Likewise, when the majority of the inexpensive food chains served dried out solidified fries to take favorable circumstances of size, Five Guys consistently gave its clients new fries. It is seen that the majority of the other fast food chains attempted to pool modest crude materials so as to improve riches amplification. This business theory profited the association in accomplishing significant level client reliability. From the contextual analysis, clearly clients persistently sit tight for burger regardless of whether its 17 unique fixings are specially made and it is a tedious assignment (Contemporary Business, 2012). Moreover, Five Guys’ particular way of thinking helped the organization to dispense with promoting costs since the technique itself was an adequate advantage for cause clients to publicize for the organization.
Investigate the first estimations of the new business and how it stays solid today Since the start, Five Guys has been fruitful, and it is one of only a few fast food chains in America that stayed unaffected by ongoing worldwide downturn (QSR Insights, 2012). While looking for the explanation, unmistakably the company’s exacting strategies have helped it to defeat different market challenges since its commencement. At the end of the day, unique qualities for the new business despite everything stay solid notwithstanding some immaterial changes. As the organization the board had chosen at the hour of Five Guys establishment, the firm despite everything keeps on offering quality items and administrations to its clients. Toward the beginning up time, the organization had chosen not to utilize low quality fixings or serve solidified food things to individuals. Limiting promotion costs and in this manner passing reserve funds to clients was another beginning up estimation of the firm. Indeed, even amidst the ongoing worldwide downturn, the organization was not prepared to utilize low quality elements for its food things. What's more, the organization despite everything centers around its client publicizing system along with worker impetus plans to advance its business. In any event, when the organization started diversifying in 2002, it was careful, demanding that franchisees don't utilize low quality items and don't render low quality administrations. So as to guarantee franchisees’ probability, the firm doesn't establishment to anybody except if the possibility works at least five eateries. Since its commencement, the organization got various honors for its proficiency and client administrations. Most remarkably, the firm acquired Washington Magazine’s “Number 1 Burger” grant for a long time (Contemporary Business, 2012). Be that as it may, as per 2010 yearly report by the Center for Science in the Public Interest, Five Guys’

Saturday, August 22, 2020

Pros and Cons of Teacher Websites Research Paper - 1

Upsides and downsides of Teacher Websites - Research Paper Example Study hall sites have been perceived for their basic yet important commitment to the instructive world, however not without a decent amount of negative focuses. In any case, the clients of this instrument ought to assess whether these defects exceed the commitment that it makes to learning. The principle capacity of a homeroom site is to fill in as an extra and advantageous strategy for the educators to impart data to their understudies. From this, spring the numerous favorable circumstances of having a homeroom site. The way that it is an innovation based instrument, nonetheless, has certain drawbacks. One enormous bit of leeway of this is instructors can generally leave notes as updates for the understudy on this site. The notes can be relating to any significant issue talked about in class, which the instructor doesn't need the understudies to overlook. This particularly incorporates things like schoolwork, declarations, and class rules. An understudy who can't remember the schoolwork doled out for a subject can just sign on to the site to see the update that the instructor left for the understudies. This in any case, requires the educator to refresh the site after each and every exercise (Greenspan, 2002). This can be a tedious action, particularly for educators who have numerous classes to oversee. Aside from this, the instructor may likewise utilize this site to make declarations and offer news. This incorporates declarations, for example, educating the class regarding an up and coming fieldtrip or the crossing out of a class. The requirement for such declarations as a rule emerges after class stands excuses. Consequently, if the instructor posts such declarations on the web, this spares the educator the difficulty of advising the understudies through other, lengthier methods, and it likewise guarantees that the news is shown.

Friday, August 21, 2020

Bending Water with Static Electricity

Twisting Water with Static Electricity

When two objects are rubbed against one another, some of the electrons from one object jump to the other. The object that gains electrons becomes more negatively charged; the one that loses electrons becomes more positively charged. The opposite charges attract one another in a way that you can actually see. One way to build up charge is to brush your hair with a nylon brush or rub it with a balloon. The brush or balloon will become attracted to your hair, while the strands of your hair (all the same charge) repel one another. The brush or balloon will also attract a stream of water, which carries an electrical charge.

Difficulty: Easy
Time Required: minutes

What You Need

Besides water, all you need for this experiment is dry hair and a brush. The trick is using a brush that picks up charge from your hair. Pick nylon, not wood or metal. If you don't have a brush, a latex balloon works equally well.

Water faucet
Nylon brush or latex balloon

Here's How

1. Brush dry hair with a nylon brush or rub it with an inflated latex balloon.
2. Turn on the tap so a narrow stream of water is flowing (1 to 2 mm across, flowing smoothly).
3. Move the balloon or teeth of the brush close to the water (not in it). As you approach the water, the stream will start to bend toward your comb.
4. Experiment!
   Does the amount of bend depend on how close the brush is to the water?
   If you adjust the flow, does it affect how much the stream bends?
   Do brushes made from other materials work equally well?
   How does a brush compare with a balloon?
   Do you get the same effect from everyone's hair or does some hair release more charge than others?
   Can you get your hair close enough to the water to repel it without getting it wet?

Tip

This activity will work better when the humidity is low. When humidity is high, water vapor picks up some of the electrons that would jump between objects. For the same reason, your hair needs to be completely dry when you brush it.

Tuesday, June 2, 2020

Confirmation Bias Within The Gun Control Debate - Free Essay Example

The physiological definition of confirmation bias by the American Psychological Association (APA) is the ability or act of ignoring, finding, manipulating, or modifying evidence and data to support your beliefs, ideas, or ideology. Dr. Raymond Richardson, a professor at Tufts University located in Medford, Massachusetts, summarized in 1998 confirmation bias [as] the seeking or interpreting of evidence in ways that are partial to existing beliefs, expectations, or a hypothesis in hand (175). Confirmation bias, due to the fact that it can be for good or for evil, is dangerous. The impact can be minor or of extreme proportions. With confirmation bias the entire idea is a person could be doing so, with or without intent to do so. The only way to not have confirmation bias is to take the data, facts and sources. Then try to break them down to the weakest points or if the data is against the interest of the source dispersing it. Confirmation bias is ever present in the conversations and laws involving the debate of Gun Control on all sides of the debate. The Educational Fund to Stop Gun Violence (EFSGV) and its sister organization the Coalition to Stop Gun Violence (CSGV), a left-wing anti-gun tax exempt lobbyist group founded in 1974 and headquartered in Washington, DC, only seeks and interprets evidence that supports the ideology that guns themselves are the cause of gun violence. On the other side, the National Rifle Association (NRA), a pro-gun lobbyist group founded on November 16, 1871 in New York, NY and relocated to Fairfax, VA in 1993, refuses to blame anything other than culture and education for the overall violence problem. Both sides of the argument on guns are flawed and show confirmation bias in the evidence they present to support their argument.
Anti-gun In February 2018 EFSGV published a report using the Center of Disease Control (CDC) statistic on factors of deaths in the United States (US) to support their opinion that gun control laws like in the Common Wealth of Massachusetts actually works. However, the EFSGV had filtered the information provided by the CDC not separate homicide and murders, from suicides. Plus, even on the site the CDC states that the numbers provided are suppressed values (2018). This means that the data is already not an accurate representation of what is truly happening. After contacting the CDC Public Affairs Officer (PAO) and asking what suppressed values on their website means. They provided a clarification statement of the values being suppressed or labeled as suppressed due to states, towns, or cities not being required to add the question of have you or a member of the household to the yearly census. Plus, as the CDC also stated in the response the data is hard for them to determine who in the family is reporting the death or injury. This is caused by the fact a person who is dead cannot fill out the US census questionnaire. With the additional problem of the volatility of the answers provided in response to the questionnaire is not verified. Even more so the categories overlap or are differently defined by individuals answering the census questions. With this in mind about the accuracy and volatility of the data provided to the CDC in the census questionnaire that also changes year to year it is easy to manipulate at all levels. As of November 20, 2018, the data on the CDC website was relabeled and no longer placed into charts. Unable to get a reason from the CDC Public Affairs Officer for the change in formatting and removal of the breakdowns in percentages. The new setup of the CDC data states it is census data in clear text, in multiple locations and does not attempt to break the data down for you. Leaving you to make the determination of the meaning of the data. 
The EFSGV confirmation bias to support the gun control agenda lead them to manipulated the data to show what they wanted or need to see, to confirm the beliefs, ideas, and ideology of gun control. They provided false validity to the data by not stating it was data from a census questionnaire. Leaving the reader to believe it had more validity than what it truly does. Using the same data set provided by the CDC prior to the November 20, 2018 update just by removing all the filters on types of Intent of Death and Mechanism of Death the data chart of percentages showed an entirely different picture from what EFSGV was trying to make in the publication. Firearm related deaths in Massachusetts fell down from 65.0% to only 7.2% of deaths. Leaving the highest cause of deaths in Massachusetts being drug poisoning at 32.2% and falls causing 15.9% of deaths. Just by removing the filters on the data provided by the CDC you are two times more likely to die as a result of a motor vehicle than by a firearm. With the post November 20, 2018 update of the CDC website the data in Table 1.1 and 1.2 shows Massachusetts being in the group of safest states with New York, Connecticut, and Rhode Island. However, once you filter it to just homicides involving a firearm in table 2.1 and 2.2 you see that Massachusetts has some counties that falls higher than the majority of the country. Even though they still are within the extreme low rate per 100,000 population leaves little to work with to improve in Massachusetts. It also gives EFSGV little to argue about gun violence. The only difference between tables 1 and tables 2 is the fact table 1 shows homicides, suicides, and legal interventions. With table 2 only showing homicides. The only conclusion from the data is that Massachusetts has suicides and legal interventions resulting in deaths as a result of firearm related injuries. 
With some filtering and over validation of the data provided it is possible to confirm any belief, expectations, and hypothesis at hand. Being caused by the fact the CDC uses very wide net categories that are not well defined and have no legal definition being left to the person who is answering the question on the census to interpret. The EFSGV took advantage of the census data provided and shaped it to their cause. EFSGV statements of the need for gun control to stop gun-violence is shown to be invalid with their source the CDC. Facts about the data they are using are ignored and not reported in the publication, misleading the reader to believe the data has more validity than it does. Pro-gun With the National Rifle Association (NRA) you have a YouTube publication by Colion Noir a NRATV host who in a story of Chicago starts with news reports and videos of crime and murder in Chicago. Then calling Chicago, Chiraq referring to it being equal to an active war zone. In the video Colion Noir interviews Leonard GLC Harris a Hip-Hop artist who contradicts the statement made earlier in the video. Leonard Harris points out, what gets the ratings and news is murder and mayhem If you are constantly seeing murder and mayhem [explicit] you will become a reflection of that (NRA Noir, 2018). Leonard Harris later on in the video points out the crime problem is a culture problem. The number one way anybody learns is through the social learning theory. You can go to school all day and read whats in the books[] But, when you see your mother and father do and your friends[] on a daily bases thats what you are going to normalize. Leonard Harris ignores the fact and example that goes against the arguments he made. Leonard Harris who grew up in Chicago with the criminal parents, friends, and environment is a perfect example, that it is not only a social learning problem only. 
He is not a criminal and is a productive member of the community serving as perfect example as a Hip-Hop artist. They talk about African American culture and social learning being the problem, even though they have evidence stating it is not the only problem and cause for gun crime. They made the statements ignoring the examples and evidence that goes against the argument they were trying to make.

Saturday, May 16, 2020

Analysis Of Sonic Devices By William Blake And...

Sonic devices can be defined as deliberate alterations made in poems that affect the sound quality of the poem for emphasis or seizing the attention of the readers. Sonic techniques can also be used for vivid description (Golston). For instance, onomatopoeia is a technique that mimics the sound created by another object. This is to help the reader create a mental picture of what the poet is trying to describe. Sonic techniques mark the rhythm in a piece. The combination of alliteration, repetition, consonance, assonance, and meter, cumulatively build the rhythmic tone of a poem. This paper seeks to highlight these techniques, and their applications in the works of two prolific poets of their time; William Blake and Langston Hughes. Analysis Blake and Hughes are significantly different. They came from different eras and wrote about diverse themes. This may be attributed to the fact that they are from dissimilar ethnic backgrounds. Hughes is African American while Blake is British. This ominously sets them apart as they experienced different ways of life. Conversely, these two poets share the use of sonic techniques in their work. Once again art has brought together people from different parts of the world. The first and arguably the most mutual sonic device employed by both poets is alliteration. This is the repetition of initial sounds at short intervals or in adjoining words. Alliteration is employed for emphasis and rhyme. In Langston Hughes Theme for English B, the

Wednesday, May 6, 2020

Sonnet 18 By William Shakespeare - 898 Words

“SONNET 18” BY WILLIAM SHAKESPEARE William Shakespeare wrote Sonnet 18 as part of a sequence of 154 sonnets. Also known as “Shall I Compare Thee?” Sonnet 18 has become one of his most well loved poems. Shakespeare includes symbols of time, decay and eternity within this work. The speaker explicates his unending love for his beloved and how it will live on after death. The first quatrain introduces the personification of summer. The speaker begins the sonnet by asking if he can compare his friend to a warm, summer day. A brief statement stating how lovely and temperate “thee” is follows this rhetorical question. “Rough winds do shake the darling buds of May,” Shakespeare’s first example of personification, says that strong winds can hurt the new flower buds and “summer’s lease hath all too short a date,” explains that the season does not last long. The mention of a lease refers to the fact that summer must end. The personification of nature is even more evident in the second quatrain. This time the sun is named the eye of heaven. The speaker also suggests that the sun is sometimes hidden. Additionally, it is said that everything that has beauty will fade. This may be by chance or by inevitable time. Shakespeare uses the word untrimm’d to refer to these fair things as losing their decorations, or trimmings. However, the speaker has changed the overall tone at the beginning of the third quatrain. Moving away from the beautiful description of summer, the speaker explains

Tuesday, May 5, 2020

I Am Athletic and Feminine Medias Negative View of Women free essay sample

I am Athletic and Feminine! In the early years of my life I participated in any kind of sport my city offered no matter if it was dominantly played by male or female. In-between ages 5 to 9 the boys on my team were too young to create a good or bad image of me and just looked at me as another person on the team because I was equally as good as them. However, as the years progressed and my teammates got older, the negative judging and discrimination started coming off very strong, especially from my baseball team. Even though I was selected as MAP for three years in a row, uniform a girl, you're useless to this team, We don't need girls on this team, and This is a boy sport why are you playing? were common remarks I heard from my own teammates. Because of the continuous negative judgment I received from people, at age 13, I decided to leave the baseball team and only play with female only teams from then on. I have no doubt in my mind that I am not the only girl who has gone through this. There are many women around the country of all ages who deal with negative judgment from others because they play sports. The reasoning for this is because however the media portrays its opinion of something, becomes how the nation believes it is to be. Author Maria Nelson wrote an article titled I Won, I'm Sorry, which discusses the negative view toward female athletes that the media creates. Many forms of sports media such as popular sports magazines support Nelson's general idea of the traditional gender code to the fullest extent. Both the media and people constantly demand beauty from females, so those who take on non-traditional traits are ridiculed, critiqued, and harassed for being strong, shorthanded, or alternatively modified.
Women athletes are more likely to be judged off the court and out of uniform in comparison to men, sports media scholar Pat Griffin says in an interview. In sports media, men ultimately get to choose how images are portrayed, how they are used and who will get coverage. Griffin also adds in advertisements, men prefer to see women athletes represented in more feminine ways because it seems more comfortable. Because of this demand, women need to create a stable wholesome image to obtain sponsorship and positive media attention. As I took a look through Surfer Magazine I noticed a Rosy advertisement for pro surfer Sally Fissions, in the picture she is riding a wave, seductively smiling, and wearing a small bright colored bikini which portrays this attractive and feminine image of her (See Figure 1). If she were wearing a wetsuit, not looking at the camera because she was full focus of riding the wave, but was still clearly representing the brand, would the advertisement be as strong? Probably not, although in the same magazine pro surfer Joel Conceit is advertising a G-Shock while riding a wave, wearing a wetsuit, and not looking at the camera and doing everything opposite to Sally Fissions picture and it is still an appealing advertisement. (See Figure 2) In Nelson's article I Won, I'm Sorry she says athletes and advertisers reassure viewers that women who compete are still willing to play the ethnicity game ( In female athlete advertisements their sexuality, femininity, and heterosexuality is emphasized rather than their strength, triumphs, mental courage, and durability. If a male athlete were to take a picture for an advertisement and not touch up her face or put on a girl outfit, it wouldn't appeal to any consumers and people would create the idea that she is very manly and possibly even a lesbian. Women are never judged on passion or their dedication in sports, their image is based on their sexiness when men are judged as athletes.
This general idea creates a need for women athletes to doll themselves up on and off the playing field to gain media attention and show the public they are heterosexual. What I have noticed through friends' pictures who have been pursuing repressions sports is that when they begin to train for their sport, they begin to become more built and muscular instead of develop a body like a model. Those same girls are the ones who I see touch up their face, place a ribbon in their hair, and look at a mirror before game time and fix themselves up again at halftime. I believe that this is because they want to keep their femininity image strong while playing and keep men's attention. When I searched female athletes on Google, the first results are in relation to the hottest female athletes and pictures of females in dresses and mom half naked striking sexy poses. Then I typed in male athletes and the first headlines were about male athlete awards and pictures of males flexing, playing a sport, and holding awards. Most women including myself are very concerned with others' opinion, especially when it concerns our femininity because no female wants their womanhood to be questioned or doubted. Dr. Strain Linden of Stilling University says, girls want to be good at their sport, but on the other hand a question around their femininity is raised because they are considered too muscular. Concerns like these don't only pressure women athletes into feeling pressured to touch up their uniform and game time appearance, there are issues around eating disorders and body image issues that arise because of that, Dr. Linden adds. The media is at fault for causing women to go to extreme lengths to defend their femininity, like Nelson says, it is unhealthy (681). In my opinion, we contribute to these high standards of the physical appearance of a female athlete by going along with them and following the unwritten gender code our society seems to have.
Even in interviews women play a feminine role, a description for one of the interviews I found on www. Buzzed. Com said right after she vanquished Canada with a last-second header, [Alex] Morgan was ambushed by TV crews and came off as witty, charming, and totally floored. (See Figure 3) In comparison to an interview with a male athlete, I think it is safe to say you would never find a description like that. Men are more likely to talk more about the team rather than women who much rather describe how they are feeling. In the interviews I've personally seen of female athletes I have noticed that they always seem to be smiling and giddy and men are always staring at the ground and respond in short answers. (See Figure 4) If women didn't carry themselves in a respectful manner and have great showmanship, people of America would instantly lose interest in them because America loves to have their athletic sweethearts. Like Nelson says, if you want to be a winner and you're female, you'll feel pressured to play by special, female rules (68 As time progresses, the impact of social media will continue to grow stronger and he opinions of this informant will always be accountable for choosing the nations opinion toward things. Sadly, social media is a robot that we are ultimately in control. If more individuals started paying more attention to the athletic ability of females instead of the physical features of them, the pressure of being both an athlete and model would be dropped. Women should take pride that they have been blessed with the talent of being athletic and embrace it to the fullest potential. Any women who can beat a man at his own sport should be praised despite how she looks or acts.

Saturday, April 18, 2020

Who is Rosa Parks Rosa Parks is someone who grew Essay Example For Students

Who is Rosa Parks? Rosa Parks is someone who grew up believing people should be judged by the respect they have for themselves and others. (Le Blanc, 190) Rosa Parks is mostly known for standing up for herself and for all other African Americans when she refused to go to the back of the bus to give up her seat for a white man. (Le Blanc, 190) When Rosa took a stand, she didn't do it to make her name go down in history. She did it because she believed in herself and she stood up for an injustice she thought was wrong. Rosa Parks is a courageous and very remarkable person.

Rosa Parks was born in Tuskegee, Alabama. When she was a young child her parents separated. After her parents got divorced, she moved to Montgomery with her mom. (Le Blanc, 189) She grew up with an extended family that consisted of her maternal grandparents and Sylvester, her younger brother. (Le Blanc, 189) Rosa's mother was a school teacher and she was taught by her until age 11. (Celsi, 1) At age 11 she went to Montgomery Industrial School for Girls. It was an all black school. Everything in Montgomery was either blacks only or whites only. Though she found it humiliating, Parks became used to obeying segregation laws. (Celsi, 1) With her mother's help, Rosa was able to grow up proud of herself and other black people. (Contemporary Black Biography, 190) By the time she reached the midpoint of her life, Rosa was no longer a stranger to white intimidation. (Le Blanc, 190) At the age of 20, Rosa married Raymond Parks, who was a barber. Rosa and Raymond had to keep steady jobs to support themselves. (Le Blanc, 190) Rosa hated the way of life. She had always dreamed of equality and freedom. (Stewart, 1) Although Rosa grew up with segregation, she turned out to be a very well rounded, unique person many people can look up to.

She was just a normal person with a normal life, but she did something that not many black people back then had the courage to do: she stood up for herself. In Rosa's spare time, she became active in the NAACP. She was also active in the Montgomery Voters League. (Le Blanc, 190) The Montgomery Voters League was a group that helped black people pass a special test so they could register to vote. (Le Blanc, 190) Rosa had been silently protesting segregation in her own quiet way over the years. For example, instead of riding up an elevator that said blacks only she would take the stairs. (Le Blanc, 190) The most well known boycott is the Montgomery Bus Boycott. This was a boycott that took place in response to Rosa's arrest. Her arrest caused black people throughout Montgomery to refuse to ride buses. (Church, 393) The success of the Montgomery Bus Boycott encouraged a wave of massive demonstrations that swept across the South. (Church, 394) Rosa Parks has succeeded in establishing herself in history by what she did. She is one of the most honored and distinguished African Americans in our history. (Asante, 71) Rosa Parks didn't only stand up for herself, she stood up against racism. It must have been hard for her because not only was she an African American, she was also a woman, and back then things were much more difficult for women. Even though Rosa did something very courageous, some might say she isn't the best leader. Many leaders give speeches, lead demonstrations and write petitions. Rosa Parks didn't do any of these things. Other people were motivated to do these things because of her standing up for herself. (Asante, 71) The most important incident that happened in Rosa's life occurred on December 1, 1955. Rosa Parks was riding the bus home from work like she did every day. But that day had been especially tiring.
(Le Blanc, 190) The bus was a constant irritation to black people. The front four rows were reserved for whites (and remained empty even when there were not enough white passengers to fill them). The back section, which was always very crowded, was for black passengers. In between there .

Saturday, March 14, 2020

Database Security Essay Example

Database Security *)

GUNTHER PERNUL
Institut für Angewandte Informatik und Informationssysteme
Abteilung für Information Engineering
Universität Wien
Vienna, Austria

*) Advances in Computers, Vol. 38. M. C. Yovits (Ed.), Academic Press, 1994, pp. 1-74.

1. Introduction
1.1 The Relational Data Model Revisited
1.2 The Vocabulary of Security and Major DB Security Threats
2. Database Security Models
2.1 Discretionary Security Models
2.2 Mandatory Security Models
2.3 Adapted Mandatory Access Control Model
2.4 Personal Knowledge Approach
2.5 Clark and Wilson Model
2.6 A Final Note on Database Security Models
3. Multilevel Secure Prototypes and Systems
3.1 SeaView
3.2 Lock Data Views
3.3 ASD_Views
4. Conceptual Data Model for Multilevel Security
4.1 Concepts of Security Semantics
4.2 Classification Constraints
4.3 Consistency and Conflict Management
4.4 Modeling the Example Application
5. Standardization and Evaluation Efforts
6. Future Directions in Database Security Research
7. Conclusions
References

1. Introduction

Information stored in databases is often considered as a valuable and important corporate resource. Many organizations have become so dependent on the proper functioning of their systems that a disruption of service or a leakage of stored information may cause outcomes ranging from inconvenience to catastrophe. Corporate data may relate to financial records, others may be essential for the successful operation of an organization, may represent trade secrets, or may describe information about persons whose privacy must be protected.
Thus, the general concept of database security is very broad and entails such things as moral and ethical issues imposed by public and society, legal issues where control is legislated over the collection and disclosure of stored information, or more technical issues such as how to protect the stored information from loss or unauthorized access, destruction, use, modification, or disclosure.

More generally speaking, database security is concerned with ensuring the secrecy, integrity, and availability of data stored in a database. To define the terms, secrecy denotes the protection of information from unauthorized disclosure either by direct retrieval or by indirect logical inference. In addition, secrecy must deal with the possibility that information may also be disclosed by legitimate users acting as an ‘information channel’ by passing secret information to unauthorized users. This may be done intentionally or without knowledge of the authorized user. Integrity requires data to be protected from malicious or accidental modification, including the insertion of false data, the contamination of data, and the destruction of data. Integrity constraints are rules that define the correct states of a database and thus can protect the correctness of the database during operation. Availability is the characteristic that ensures data is available to authorized users when they need it. Availability includes the ‘denial of service’ of a system, i.e. a system is not functioning in accordance with its intended purpose. Availability is closely related to integrity because ‘denial of service’ may be caused by unauthorized destruction, modification, or delay of service as well.

Database security cannot be seen as an isolated problem because it is affected by other components of a computerized system as well. The security requirements of a system are specified by means of a security policy which is then enforced by various security mechanisms.
For databases, requirements on the security can be classified into the following categories:

· Identification, Authentication: Usually before getting access to a database each user has to identify himself to the computer system. Authentication is the way to verify the identity of a user at log-on time. Most common authentication methods are passwords, but more advanced techniques like badge readers, biometric recognition techniques, or signature analysis devices are also available.

· Authorization, Access Controls: Authorization is the specification of a set of rules that specify who has which type of access to what information. Authorization policies therefore govern the disclosure and modification of information. Access controls are procedures that are designed to control authorizations. They are responsible for limiting access to stored data to authorized users only.

· Integrity, Consistency: An integrity policy states a set of rules (i.e. semantic integrity constraints) that define the correct states of the database during database operation and therefore can protect against malicious or accidental modification of information. Closely related issues to integrity and consistency are concurrency control and recovery. Concurrency control policies protect the integrity of the database in the presence of concurrent transactions. If these transactions do not terminate normally due to system crashes or security violations, recovery techniques are used to reconstruct correct or valid database states.

· Auditing: The requirement to keep records of all security relevant actions issued by a user is called auditing. Resulting audit records are the basis for further reviews and examinations in order to test the adequacy of system controls and to recommend any changes in the security policy.

In this Chapter such a broad perspective of database security is not taken. Instead, main focus is directed towards aspects related to authorization and access controls.
This is legitimate because identification, authentication, and auditing [1] normally fall within the scope of the underlying operating system, and integrity and consistency policies are subject to the closely related topic of ‘semantic data modeling’ or are dependent on the physical design of the DBMS software (namely, the transaction and recovery manager). Because most of the research in database security has concentrated on the relational data model, the discussion in this Chapter mostly concerns the framework of relational databases. However, the results described may generally be applicable to other database models as well. For an overall discussion on basic database security concepts consult the surveys by Jajodia and Sandhu (1990a), Lunt and Fernandez (1990), or Denning (1988). For references to further readings consult the annotated bibliography by Pernul and Luef (1992).

[1] However, audit records are often stored and examined by using the DBMS software.

The outline of this Chapter is as follows: In the remainder of the opening Section we shortly review the relational data model, we introduce a simple example that will be used throughout the Chapter, we present the basic terminology used in computer security, and we describe the most successful methods that might be used to penetrate a database. Because of the diversity of application domains for databases, different security models and techniques have been proposed so far. In Section 2 we review, evaluate, and compare the most prominent representatives among them. Section 3 contains an investigation of secure (trusted) database management systems (DBMSs). These are special purpose systems that support a level-based security policy and were designed and implemented with main focus on the enforcement of high security requirements. Section 4 focuses on one of the major problems level-based security related database research has to deal with.
In this Section we address the problem of how to classify the data stored in the database with security classifications reflecting the security requirements of the application domain properly. What is necessary to counter this problem is to have a clear understanding of all the security semantics of the database application and a resulting clever database design. A semantic data/security model is proposed to arrive at a conceptualization and a clear understanding of the security semantics of the database application. Database security (and computer security in general) is subject to many national and international standardization efforts. The efforts have the goal to develop metrics to evaluate the degree of trust that can be placed in computer products used for the processing of sensitive information. In Section 5 we will briefly review these proposals. In Section 6 we will point out research challenges in database security and we will give our opinion of the direction in which we expect the entire field to move within the next few years. Finally, Section 7 will conclude this Chapter.

1.1 The Relational Data Model Revisited

The relational data model was invented by Codd (1970) and is described in most database textbooks. A relational database supports the relational data model and must have three basic principles: a set of relations, integrity rules, and a set of relational operators. Each relation consists of a state-invariant relation schema $RS(A_1, \ldots, A_n)$, where each $A_i$ is called attribute and defined over a domain $dom(A_i)$. A relation $R$ is a state-dependent instance of $RS$ and consists of a set of distinct tuples of the form $(a_1, \ldots, a_n)$, where each element $a_i$ must satisfy $dom(A_i)$ (i.e. $a_i \in dom(A_i)$). Integrity constraints restrict the set of theoretically possible tuples (i.e. $dom(A_1) \times dom(A_2) \times \ldots \times dom(A_n)$) to the set of practically meaningful ones. Let $X$ and $Y$ denote sets of one or more of the attributes $A_i$ in a relation schema.
We say $Y$ is functionally dependent on $X$, written $X \rightarrow Y$, if and only if it is not possible to have two tuples with the same value for $X$ but different values for $Y$. Functional dependencies represent the basis for most integrity constraints in the relational model of data. As not all possible relations are meaningful in an application, only those that satisfy certain integrity constraints are considered. From the large set of proposed integrity constraints two are of major relevance for security: the key property and the referential integrity property. The key property states that each tuple must be uniquely identified by a key and a key attribute must not have the null-value. As a consequence each event of reality may be represented in the database only once. Referential integrity states that tuples referenced in one relation must exist in others and is expressed by means of foreign keys. These two rules are application independent and must be valid in each relational database. In addition many application dependent semantic constraints may exist in different databases.

Virtual view relations (or shortly views) are distinguished from base relations. While the former are the result of relational operations and exist only virtually, the latter are actually present in the database and hold the stored data. Relational operations consist of the set operations, a select operation for selecting tuples from relations that satisfy a certain predicate, a project operation for projecting a relation on a subset of its attributes, and a join operation for combining attributes and tuples from different relations.

The relational data model was first implemented as System R by IBM and as INGRES at U.C. Berkeley. These two projects have mainly started and also considerably advanced the field of database security research. Both systems are the basis of most commercially available products.

A few words on designing a database are in order.
The design of a relational database is a complicated and difficult task and involves several phases and activities. Before the final relation schemas can be determined a careful requirements analysis and a conceptualization of the database is necessary. Usually this is done by using a conceptual data model which must be powerful enough to allow the modeling of all application relevant knowledge. The conceptual model is used as an intermediate representation of the database and finally transferred into corresponding relation schemas. It is very important to use a conceptual data model at this step because only such a high level data model makes it possible to achieve a database that properly represents all of the application dependent data semantics. The de facto standard for conceptual design is the Entity Relationship Approach (ER) (Chen, 1976) or one of its variants. In its graphical representation and in its simplest form the ER regards the world as consisting of a set of entity types (boxes), attributes (connected to boxes) and relationship types (diamonds). Relationship types are defined between entity types and are either of degree 1:1, 1:n, or n:m. The degree describes the maximum number of participating entities.

Following is a short example of a relational database. This example will be used throughout the Chapter. It is very simple but sufficient to discuss many security relevant questions and to show the complexity of the field. Figure 1 contains the conceptualization of the database in form of an ER diagram and the corresponding relation schemas (key attributes are underlined, foreign keys are in italics). The database represents the fact that projects within an enterprise are carried out by employees. In this simple example we have to deal with the following three security objects: First, Employee represents a set of employees each of which is uniquely described by a characteristic SSN (i.e. the social security number).
Of further interest are the Name, the Department the employee is working for, and the Salary of the employee. Second, Project is a set of projects carried out by the enterprise. Each project has an identifying Title, a Subject, and a Client. Finally, security object Assignment contains the assignments of employees to projects. Each assignment is characterized by the Date of the assignment and the Function the employee has to perform during the participation in the project. A single employee can be assigned to more than one project and a project may be carried out by more than one employee.

[ER diagram: entity types Employee and Project, connected by the N:M relationship type Assignment]
Employee (SSN, Name, Dep, Salary)
Project (Title, Subject, Client)
Assignment (Title, SSN, Date, Function)
FIG. 1. Representations of the Example DB

1.2 The Vocabulary of Security and Major DB Security Threats

Before presenting the details of database security research it is necessary to define the terminology used and the potential threats to database security. As already has been pointed out, security requirements are stated by means of a security policy which consists of a set of laws, rules and practices that regulate how an organization manages, protects, and distributes sensitive information. In general, a security policy is stated in terms of a set of security objects and a set of security subjects. A security object is a passive entity that contains or receives information. This might be a structured concept like a whole database, a relation, a view, a tuple, an attribute, an attribute value, or even a fact of reality which is represented in the database. A security object might also be unstructured like a physical memory segment, a byte, a bit, or even a physical device like a printer or a processor. Please note, the term object is used differently in other computer science disciplines. Within the framework presented here, security objects are the target of protection.
A security subject is an active entity, often in the form of a person (user) or process operating on behalf of a user. Security subjects are responsible for a change of a database state and cause information to flow within different objects and subjects.

Most sources of threats to database security come from outside the computing system. If most emphasis is given to authorization, the users and processes operating on behalf of the users must be subject to security control. An active database process may be operating on behalf of an authorized user who has legitimate access or may be active on behalf of a person who succeeded in penetrating the system. In addition, an authorized database user may act as an ‘information channel’ by passing restricted information to unauthorized users. This may be intentionally or without knowledge of the authorized user. Some of the most successful database penetration methods are:

· Misuses of authority: Improper acquisition of resources, theft of programs or storage media, modification or destruction of data.

· Logical Inference and Aggregation: Both deal with users authorized to use the database. Logical inference arises whenever sensitive information can be inferred from combining less sensitive data. This may also involve certain knowledge from outside the database system. Tightly related to logical inference is the aggregation problem, wherein individual data items are not sensitive but a large enough collection of individual values taken together is considered sensitive.

· Masquerade: A penetrator may gain unauthorized access by masquerading as a different person.

· Bypassing Controls: This might be password attacks and exploitation of system trapdoors that avoid intended access control mechanisms. Trapdoors are security flaws that were built in the source code of a program by the original programmer.
· Browsing: A penetrator circumvents the protection and searches directory or dictionary information, trying to locate privileged information. Unless strict need-to-know access controls are implemented the browsing problem is a major flaw of database security.

· Trojan Horses: A Trojan horse is hidden software that tricks a legitimate user without his knowledge to perform certain actions he is not aware of. For example, a Trojan horse may be hidden into a sort routine and be designed to release certain data to unauthorized users. Whenever a user activates the sort routine, for example for sorting the result of a database query, the Trojan horse will act with the user's identity and thus will have all privileges of the user.

· Covert Channels: Usually information stored in a database is retrieved by means of legitimate information channels. In contrast to legitimate channels, covert channels are paths that are not normally intended for information transfer. Such hidden paths may either be storage channels like shared memory or temporary files that could be used for communication purposes, or timing channels like a degradation of overall system performance.

· Hardware, Media Attacks: Physical attacks on equipment and storage media.

The attack scenario described above is not restricted to occur in databases only. For example, the German Chaos Computer Club succeeded in attacking a NASA system by masquerading, by bypassing access controls (by means of an operating system flaw), and by Trojan horses to capture passwords. As reported by Stoll (1988) some of these techniques were also used by the Wily Hacker. The Internet worm in 1988 exploited trapdoors in electronic mail handling systems and infected more than 5000 machines connected to the Internet network (Rochlis and Eichin, 1989).
Thompson (1984), in his Turing Award Lecture, demonstrated a Trojan horse placed in the executable form of a compiler that permitted the insertion of a trapdoor in each program compiled with the compiler. It is generally agreed that the number of known cases of computer abuse is significantly smaller than the number of cases that actually happened, because a large dark figure exists in this area.

2. Database Security Models

Because of the diversity of the application domains for databases, different security models and techniques have been proposed to counter the various threats against security. In this Section we will discuss the most prominent among them. In a nutshell, Discretionary Security specifies the rules under which subjects can, at their discretion, create and delete objects, and grant and revoke authorizations for accessing objects to others. In addition to controlling the access, Mandatory Security regulates the flow of information between objects and subjects. Mandatory security controls are very effective but suffer from several drawbacks. One attempt to overcome certain limitations of mandatory protection systems is the Adapted Mandatory Access Control (AMAC) model, a security technique that focuses on the design aspect of secure databases. The Personal Knowledge Approach concentrates on enforcing the basic law of many countries for the informational self-determination of humans, and the Clark and Wilson Model tries to represent common commercial business practice in a computerized security model. First attempts to compare some of these techniques have been made by Biskup (1990) and Pernul and Tjoa (1992). Landwehr (1981) is a very good survey of formal policies for computer security in general, and Millen (1989) focuses on various aspects of mandatory computer security.

2.1 Discretionary Security Models

Discretionary security models are fundamental to operating systems and DBMSs and have now been studied for a long time.
From 1970 through 1975, there was a good deal of interest in the theoretical aspects of these models. Then most of the relational database security research turned to other security techniques. However, the appearance of more advanced data models has renewed interest in discretionary policies.

2.1.1 Discretionary Access Controls

Discretionary access controls (DAC) are based on the concepts of a set of security objects O, a set of security subjects S, a set of access privileges T defining what kind of access a subject has to a certain object, and, in order to represent content-based access rules, a set of predicates P. Applied to relational databases, O is a finite set of values {o1, ..., on} representing relation schemas, and S is a finite set of potential subjects {s1, ..., sm} representing users, groups of them, or transactions operating on behalf of users. Access types (privileges) are the set of database operations such as select, insert, delete, update, execute, grant, or revoke, and predicate p ∈ P defines the access window of subject s ∈ S on object o ∈ O. The tuple <o,s,t,p> is called an access rule, and a function f is defined to determine if an authorization f(o,s,t,p) is valid or not:

f: O × S × T × P → {True, False}.

For any <o,s,t,p>, if f(o,s,t,p) evaluates to True, subject s has authorization t to access object o within the range defined by predicate p.

An important property of discretionary security models is the support of the principle of delegation of rights, where a right is the (o,t,p)-portion of the access rule. A subject si who holds the right (o,t,p) may be allowed to delegate that right to another subject sj (i ≠ j).

Most systems supporting DAC store access rules in an access control matrix. In its simplest form the rows of the matrix represent subjects, the columns represent the objects, and the intersection of a row and a column contains the access type that subject has authorization for with respect to the object.
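The access rules, the function f and the delegation of rights described above can be sketched as follows. This is an added example, not code from the original text; the class and method names, the Employee relation, the predicate name and the grantor bookkeeping are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set, Tuple

Row = Dict[str, object]


@dataclass(frozen=True)
class AccessRule:
    """Access rule <o, s, t, p>; the grantor field is added bookkeeping."""
    obj: str        # o: relation schema
    subject: str    # s: user, group or transaction
    access: str     # t: select, insert, delete, update, grant, ...
    pred: str       # name of predicate p, the subject's access window
    grantor: str    # assumption: who issued the rule


class DacStore:
    def __init__(self, predicates: Dict[str, Callable[[Row], bool]]):
        self.predicates = predicates
        self.rules: Set[AccessRule] = set()

    def holds(self, subject: str, obj: str, access: str, pred: str) -> bool:
        """True if the subject holds the right (o, t, p) from any grantor."""
        return any((r.subject, r.obj, r.access, r.pred) == (subject, obj, access, pred)
                   for r in self.rules)

    def f(self, obj: str, subject: str, access: str, row: Row) -> bool:
        """f(o, s, t, p): does some rule for (o, s, t) carry a predicate p
        that this row of o satisfies?"""
        return any(r.obj == obj and r.subject == subject and r.access == access
                   and self.predicates[r.pred](row) for r in self.rules)

    def create(self, owner: str, obj: str, accesses: Iterable[str], pred: str) -> None:
        """The creator of an object owns it and holds the listed rights."""
        for t in accesses:
            self.rules.add(AccessRule(obj, owner, t, pred, owner))

    def grant(self, grantor: str, grantee: str, obj: str, access: str, pred: str) -> None:
        """Delegation: the grantor must hold (o, t, p) and, as the assumed form
        of 'may be allowed to delegate', the 'grant' access type on o."""
        if not (self.holds(grantor, obj, access, pred)
                and self.holds(grantor, obj, "grant", pred)):
            raise PermissionError(f"{grantor} may not delegate {access} on {obj}")
        self.rules.add(AccessRule(obj, grantee, access, pred, grantor))

    def revoke(self, grantor: str, grantee: str, obj: str, access: str, pred: str) -> None:
        """Removes only the rule this grantor issued; no cascade is attempted."""
        self.rules.discard(AccessRule(obj, grantee, access, pred, grantor))

    def matrix(self) -> Dict[Tuple[str, str], Set[str]]:
        """Access control matrix: (subject row, object column) -> access types."""
        m: Dict[Tuple[str, str], Set[str]] = {}
        for r in self.rules:
            m.setdefault((r.subject, r.obj), set()).add(r.access)
        return m


def demo() -> DacStore:
    """Constructed scenario: s3 receives the same right from two grantors."""
    dac = DacStore({"dept_sales": lambda row: row["dept"] == "sales"})
    dac.create("s1", "Employee", ["select", "grant"], "dept_sales")
    dac.grant("s1", "s2", "Employee", "select", "dept_sales")
    dac.grant("s1", "s2", "Employee", "grant", "dept_sales")
    dac.grant("s2", "s3", "Employee", "select", "dept_sales")
    dac.grant("s1", "s3", "Employee", "select", "dept_sales")
    dac.revoke("s2", "s3", "Employee", "select", "dept_sales")
    return dac


if __name__ == "__main__":
    store = demo()
    print(store.f("Employee", "s3", "select", {"dept": "sales"}))
    print(store.matrix())
```

Because each rule records its grantor, the revoke issued by s2 leaves the rule issued by s1 in place, so s3 keeps its access window on Employee.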
The access matrix model as a basis for discretionary access controls was formulated by Lampson (1971) and subsequently refined by Graham and Denning (1972), and by Harrison et al. (1976). A more detailed discussion on discretionary controls in databases may be found in the book by Fernandez et al. (1981).

Discretionary security is enforced in most commercial DBMS products and is based on the concept of database views. Instead of authorizing a user to the base relations of a system, the information of the access control matrix is used to restrict the user to a particular subset of the data available. Two main system architectures for view-based protection can be identified: query modification and view relations. Query modification is implemented in Ingres-style DBMSs (Stonebraker and Rubinstein 1976) and consists of appending additional security relevant qualifiers to a user supplied query. View relations are unmaterialized queries which are based on physical base relations. Instead of authorizing the users to base relations, they have access to the virtual view relations only. By means of qualifiers in the view definition, security restrictions can be implemented. View relations are the underlying protection mechanism of System R-based DBMSs (Griffiths and Wade, 1976).

2.1.2 DAC-based Structural Limitations

Although very common, discretionary models suffer from major drawbacks when applied to databases with security critical content. In particular we see the following limitations:

· Enforcement of the security policy: DAC is based on the concept of ownership of information. In contrast to enterprise models, where the whole enterprise is the ‘owner’ of information and responsible for granting access to stored data, DAC systems assign the ownership of information to the creator of the data items in the database and allow the creator subject to grant access to other users.
This has the disadvantage that the burden of enforcing the security requirements of the enterprise is the responsibility of the users themselves and cannot be controlled by the enterprise without involving high costs.

· Cascading authorization: If two or more subjects have the privilege of granting or revoking certain access rules to other subjects, this may lead to cascading revocation chains. As an example consider subjects s1, s2, s3, and access rule (s1,o,t,p). Subject s2 receives the privilege (o,t,p) from s1 and grants this access rule to s3. Later, s1 grants (o,t,p) again to s3 but s2 revokes (o,t,p) from s3 for some reason. The effect of these operations is that s3 still has the authorization (from s1) to access object o by satisfying predicate p and using privilege t, even though subject s2 has revoked it. This has the consequence that subject s2 is not aware of the fact that authorization (s3,o,t,p) is still in effect.

· Trojan Horse attacks: In systems supporting DAC the identity of the subjects is crucial, and if actions can be performed using another subject’s identity, then DAC can be subverted. A Trojan Horse can be used to grant a certain right (o,t,p) of subject si on to sj (i ≠ j) without the knowledge of subject si. Any program which runs on behalf of a subject acts with the identity of the subject and therefore has all of the DAC access rights of the subject’s processes. If a program contains a Trojan Horse with the functionality of granting access rules on to other users, this cannot be restricted by discretionary access control methods.

· Update problems: View-based protection results in unmaterialized queries which have no explicit physical representation in the database. This has the advantage of being very flexible to support the subjects with different views and to automatically filter out data a subject is not authorized to access, but has the disadvantage that not all data is updateable through certain views.
This is due to integrity reasons that might be violated in data not contained in the view by updating data from the view.

2.2 Mandatory Security Models

Mandatory policies address a higher level of threat than discretionary policies because, in addition to controlling the access to data, they control the flow of data as well. Moreover, mandatory security techniques overcome the structural limitations of DAC-based protection as described above.

2.2.1 Mandatory Access Controls

While discretionary models are concerned with defining, modeling, and enforcing access to information, mandatory security models are in addition concerned with the flow of information within a system. Mandatory security requires that security objects and subjects are assigned to certain security levels represented by a label. The label for an object o is called its classification (class(o)) and a label for a subject s is called its clearance (clear(s)). The classification represents the sensitivity of the labeled data, while the clearance of a subject represents its trustworthiness to not disclose sensitive information to others. A security label consists of two components: a level from a hierarchical list of sensitivity levels or access classes (for example: top_secret, secret, confidential, unclassified) and a member of a non-hierarchical set of categories, representing classes of object types of the universe of discourse. Clearance and classification levels are totally ordered; the resulting security labels are only partially ordered, and thus the set of classifications forms a lattice. In this lattice security class c1 is comparable to and dominates (≥) c2 if the sensitivity level of c1 is greater than or equal to that of c2 and the categories in c1 contain those in c2. Mandatory security grew out of the military environment where it is practice to label information.
However, this custom is also common in many companies and organizations where labels such as ‘confidential’ or ‘company confidential’ are used. Mandatory access control (MAC) requirements are often stated based on Bell and LaPadula (1976) and formalized by two rules. The first (simple property) protects the information of the database from unauthorized disclosure, and the second (*-property) protects data from contamination or unauthorized modification by restricting the information flow from high to low.

(1) Subject s is allowed to read data item d if clear(s) ≥ class(d).
(2) Subject s is allowed to write data item d if clear(s) ≤ class(d).

A few final sentences on MAC policies are in order. In many discussions confusion has arisen about the fact that in mandatory systems it is not sufficient to have strong controls only over who can read which data. Why is it necessary to include strong controls over who can write which data in systems with high security requirements? The reason is that a system with high security needs must protect itself against attacks from unauthorized as well as from authorized users. There are several ways authorized users may disclose sensitive information to others. This can be done by mistake, as a deliberate illegal action, or the user may be tricked into doing so by a Trojan horse attack. The simplest technique for an authorized user to disclose information is to retrieve it from the database, to copy it into an ‘owned’ object, and to make the copy available to others. To prevent this, it is necessary to control the ability of the authorized user to make a copy (which implies the writing of data). In particular, once a transaction has successfully completed a read attempt, the protection system must ensure that there is no write to a lower security level (write-down) that is caused by a user authorized to execute a read transaction.
As the read and write checks are both mandatory controls, a MAC system successfully protects against the attempt to copy information and to grant the copy to unauthorized users. By not allowing higher classified subjects to ‘write-down’ on lower classified data, information flow among subjects with different clearances can efficiently be controlled. As covert storage channels require writing to objects, the *-property also helps to limit leakage of information by these hidden paths.

Mandatory integrity policies have also been studied. Biba (1977) has formulated an exact mathematical dual of the Bell-LaPadula model, with integrity labels and two properties: no-write-up in integrity and no-read-down in integrity. That is, low integrity objects (including subjects) are not permitted to contaminate higher integrity objects, or in other words no resource is permitted to depend upon other resources unless the latter are at least as trustworthy as the former.

As an interesting optional feature, mandatory security and the Bell-LaPadula (BLP) paradigm may lead to multilevel databases. These are databases containing relations which may appear different to users with different clearances. This is due to the following two reasons: firstly, not all clearances may authorize all subjects to all data and, secondly, the support of MAC may lead to polyinstantiation of attributes or tuples. We will discuss polyinstantiation and the mandatory relational data model in more detail in the next Subsection.

2.2.2 The Multilevel Secure Relational Data Model

In this Subsection we will define the basic components of the multilevel secure (MLS) relational data model. We will consider the most general case in which an individual attribute value is subject to security label assignment. We will start by using the example database scenario from the Introduction.
Throughout the text, whenever we refer to the example we assume the existence of four sensitivity levels, denoted by TS, S, Co, U (where TS > S > Co > U) and a single category only. In each relational schema TC is an additional attribute and contains the tuple classification. Consider the three different instances of relation Project as given in Figure 2. Fig. 2(a) corresponds to the view of a subject s with clear(s) = S. Because of the simple property of BLP (read access rule), users cleared at U would see the instances of Project as shown in Fig. 2(b). In this case the simple property of BLP would automatically filter out data that dominate U. Consider further a subject s with clear(s) = U and an insert operation where the user wishes to insert the tuple <Alpha, Production, D> into the relation shown in Fig. 2(b). Because of the key integrity property a standard relational DBMS would not allow this operation (although not seen by user s, Alpha as a key already exists in relation Project). However, from a security point of view the insert must not be rejected, because otherwise a covert signalling channel occurs from which s may conclude that sensitive information he is not authorized to access may exist. The outcome of the operation is shown in Fig. 2(c) and consists of a polyinstantiated tuple in MLS relation Project. A similar situation may occur if a subject cleared for the U-level would update <Beta, null, null> in Project as shown in Fig. 2(b) by replacing the null-values with certain data items. Again, this would lead to polyinstantiation in relation Project.

FIG. 2. Instances of MLS Relation ‘Project’

(a) Project S

Title        Subject          Client   TC
Alpha, S     Development, S   A, S     S
Beta, U      Research, S      B, S     S
Celsius, U   Production, U    C, U     U

(b) Project U

Title        Subject          Client   TC
Beta, U      -, U             -, U     U
Celsius, U   Production, U    C, U     U

(c) Polyinstantiation at the tuple level

Title        Subject          Client   TC
Alpha, S     Development, S   A, S     S
Beta, U      Research, S      B, S     S
Celsius, U   Production, U    C, U     U
Alpha, U     Production, U    D, U     U

As another example of polyinstantiation consider that subject s with clear(s) = S wants to update <Celsius, Production, C>. In systems supporting MAC such an update is not allowed because of the *-property of BLP. This is necessary because an undesired information flow might occur from subjects cleared at the S-level to subjects cleared at the U-level. Thus, if an S-level subject wishes to update the tuple, the update again must result in polyinstantiation.

The problem of polyinstantiation arises because of the avoidance of a covert channel. Lampson (1973) has defined a covert channel as a means of downward information flow. As an example let us consider the situation described above once more. If an insert operation is rejected to a subject because of the presence of a tuple at a higher level, the subject might be able to infer the existence of that tuple, resulting in a downward information flow. With respect to security much more may happen than just inferring the presence of a tuple. The success or failure of the service request, for example, can be used repeatedly to communicate one bit of information (0: failure, 1: success) to the lower level. Therefore, the problem is not only the inferring of a classified tuple; moreover, any information visible at the higher level can be sent through a covert channel to the lower level.

The theory of most data models is built around the concept that a fact of reality is represented in the database only once.
Because of polyinstantiation this fundamental property is no longer true for MLS databases, thus making the development of a new theory necessary. The state of development of an MLS relational theory has been considerably advanced by the researchers involved in the SeaView project. For example, see Denning et al. (1988) or Lunt et al. (1990). The following discussion of the theoretical concepts behind the MLS relational data model is mainly based on the model developed by Jajodia and Sandhu (1991a).

In the Jajodia-Sandhu model each MLS relation consists of a state-invariant multilevel relation schema RS(A1, C1, ..., An, Cn, TC), where each Ai is an attribute defined over a domain dom(Ai), each Ci is the classification for Ai, and TC is the tuple-class. The domain of Ci is defined by [Li, Hi], which is a sublattice of all security labels. The resulting domain of TC is [lub {Li, i = 1..n}, lub {Hi, i = 1..n}], where lub denotes the least upper bound operation in the sublattice of security labels. In the Jajodia-Sandhu model TC is included but is an unnecessary attribute.

A multilevel relation schema corresponds to a collection of state-dependent relation instances R, one for each access class c. A relation instance is denoted by Rc(A1, C1, ..., An, Cn, TC) and consists of a set of distinct tuples of the form (a1, c1, ..., an, cn, tc) where each ai ∈ dom(Ai), c ≥ ci, ci ∈ [Li, Hi], and tc = lub {ci, i = 1..n}. We use the notation t[Ai] to refer to the value of attribute Ai in tuple t, while t[Ci] denotes the classification of Ai in tuple t. Because of the simple property of BLP, t[Ai] is visible for subjects with clear(s) ≥ t[Ci]; otherwise t[Ai] is replaced with the null-value.

The standard relational model is based on two core integrity properties: the key property and the referential integrity property. In order to meet the requirements for MLS databases both have been adapted and two further properties have been introduced.
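The two Bell-LaPadula rules, the per-clearance view of an MLS relation and the polyinstantiating insert of Fig. 2 can be worked through in code. This is an added example, not code from the original text; the function names are assumptions, and it goes slightly beyond the text so far by also dropping subsumed tuples (a tuple whose nulls are filled in by another tuple that otherwise agrees with it), which the null integrity property below requires.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

RANK = {"U": 0, "Co": 1, "S": 2, "TS": 3}   # TS > S > Co > U


@dataclass(frozen=True)
class Label:
    level: str
    cats: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """c1 >= c2: level at least as high and categories a superset."""
        return RANK[self.level] >= RANK[other.level] and self.cats >= other.cats


def lub(labels: Iterable[Label]) -> Label:
    """Least upper bound in the lattice: highest level, union of categories."""
    labels = list(labels)
    top = max(labels, key=lambda l: RANK[l.level]).level
    return Label(top, frozenset().union(*[l.cats for l in labels]))


def can_read(clear: Label, cls: Label) -> bool:
    return clear.dominates(cls)        # simple property: clear(s) >= class(d)


def can_write(clear: Label, cls: Label) -> bool:
    return cls.dominates(clear)        # *-property: clear(s) <= class(d)


Cell = Tuple[Optional[str], Label]     # (value, classification); None is null
Row = Tuple[Cell, ...]                 # cell 0 is the apparent key (Title)


def tuple_class(row: Row) -> Label:
    return lub(label for _, label in row)          # TC = lub of the Ci


def subsumes(t: Row, s: Row) -> bool:
    return all(a == b or (a[0] is not None and b[0] is None)
               for a, b in zip(t, s))


def view(relation: List[Row], c: Label) -> List[Row]:
    """Instance seen at access class c: rows whose key is not readable are
    dropped, unreadable values become nulls classified at the key's level."""
    out: List[Row] = []
    for row in relation:
        key = row[0]
        if not can_read(c, key[1]):
            continue
        seen = (key,) + tuple(cell if can_read(c, cell[1]) else (None, key[1])
                              for cell in row[1:])
        if seen not in out:
            out.append(seen)
    return [t for t in out if not any(o != t and subsumes(o, t) for o in out)]


def insert(relation: List[Row], clear: Label, values: Tuple[str, ...]) -> List[Row]:
    """Insert at the subject's own level. A key that exists only at another
    access class does not block the insert (no covert signal); the same key
    at the same class does, since the subject can see that tuple anyway."""
    new = tuple((v, clear) for v in values)
    if any(row[0] == new[0] for row in relation):
        raise ValueError("key already exists at this access class")
    return relation + [new]


U, S = Label("U"), Label("S")
PROJECT: List[Row] = [                 # Fig. 2(a)
    (("Alpha", S), ("Development", S), ("A", S)),
    (("Beta", U), ("Research", S), ("B", S)),
    (("Celsius", U), ("Production", U), ("C", U)),
]

if __name__ == "__main__":
    for row in view(PROJECT, U):                               # Fig. 2(b)
        print(row, tuple_class(row).level)
    print(len(insert(PROJECT, U, ("Alpha", "Production", "D"))))  # Fig. 2(c)
    print(can_write(S, U))   # S-level update of the U-level Celsius tuple
```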
In the standard relational data model a key is derived by using the concept of functional dependencies. In the MLS relational model such a key is called the apparent key. Its notion has been defined by Jajodia et al. (1990). For the following we assume RS(A1, C1, ..., An, Cn, TC) being an MLS relation schema and A (A ⊆ {A1, ..., An}) the attribute set forming its apparent key.

[MLS Integrity property 1]: Entity Integrity. An MLS relation R satisfies entity integrity if and only if for all instances Rc and t ∈ Rc

1. Ai ∈ A ⇒ t[Ai] ≠ null
2. Ai, Aj ∈ A ⇒ t[Ci] = t[Cj]
3. Ai ∉ A ⇒ t[Ci] ≥ t[CA] (CA is the classification of key A)

Entity integrity states that the apparent key may not have the null value, must be uniformly classified, and its classification must be dominated by all classifications of the other attributes.

[MLS Integrity property 2]: Null Integrity. R satisfies null integrity if and only if for each Rc of R the following conditions hold:

1. For every t ∈ Rc, t[Ai] = null ⇒ t[Ci] = t[CA]
2. Rc is subsumption free, i.e. does not contain two distinct tuples such that one subsumes the other. A tuple t subsumes a tuple s, if for every attribute Ai, either t[Ai, Ci] = s[Ai, Ci] or t[Ai] ≠ null and s[Ai] = null.

Null integrity states that null values must be classified at the level of the key and that for subjects cleared for the higher security classes, the null values visible for the lower clearances are replaced by the proper values automatically.

The next property deals with consistency between the different instances Rc of R. The inter-instance property was first defined by Denning et al. (1988) within the SeaView framework, later corrected by Jajodia and Sandhu (1990b) and later again included in SeaView by Lunt et al. (1990).

[MLS Integrity property 3]: Inter-instance Integrity. R satisfies the inter-instance integrity if for all instances Rc of R and all c’ c a filter function σ produces Rc’. In this case Rc’ = σ(Rc, c’) must satisfy the following conditions:

1. For every t ∈ Rc such that t[CA] ≤ c’ there must be a tuple t’ ∈ Rc’ with t’[A, CA] = t[A, CA] and, for Ai ∉ A,

   t’[Ai, Ci] = t[Ai, Ci], if t[Ci] ≤ c’
   t’[Ai, Ci] = <null, t[CA]>, otherwise.

2. There are no additional tuples in Rc’ other than those derived by the above rule. Rc’ is made subsumption free.

The inter-instance property is concerned with consistency between relation instances of a multilevel relation R. The filter function σ maps R to different instances Rc (one for each c’c). By using filtering a user may be restricted to that portion of the multilevel relation for which the user is cleared. If c’ dominates some security levels in a tuple but not others, then during query processing the filter function σ replaces all attribute values the user is not cleared to see by null-values. Because of the use of this filter function a shortcoming in the Jajodia-Sandhu model has been pointed out by Smith and Winslett (1992). Smith and Winslett state that σ introduces an additional semantics for nulls. In the Jajodia-Sandhu model a null value can now mean ‘information available but hidden’, and this null value cannot be distinguished from a null-value representing the semantics ‘value exists but not known’ or a null-value with the meaning ‘this property will never have a value’. In a database all kinds of nulls may be present, and at a certain security level it may be hard for the subjects to say what should be believed at that level.

Let us now draw our attention to polyinstantiation. As we have seen in the example given above, polyinstantiation may occur on several different occasions: for example, because of a user with low clearance trying to insert a tuple that already exists with higher classification, or because of a user wanting to change values in a lower classified tuple. It may also occur because of a deliberate action in the form of a cover story, where lower cleared users should not be supplied with the proper values of a certain fact. Some researchers state that using polyinstantiation for establishing cover stories is a bad idea and should not be permitted. However, if supported it may not occur within the same access class.

[MLS integrity property 4]: Polyinstantiation Integrity. R satisfies polyinstantiation integrity if for every Rc and each attribute Ai the functional dependency A, Ci → Ai (i = 1..n) holds.

Property 4 states that the apparent key A and the classification of an attribute correspond to one and only one value of the attribute, i.e. polyinstantiation may not occur within one access class.

In many DBMSs supporting an MLS relational data model, multilevel relations exist only at the logical level. In such systems multilevel relations are decomposed into a collection of single-level base relations which are then physically stored in the database. Completely transparent multilevel relations are constructed from these base relations on user demand. The reasons behind this approach are mostly practical. Firstly, fragmentation of data based on its sensitivity is a natural and intuitive solution to security and, secondly, available and well-accepted technology may be used for the implementation of MLS systems. In particular, the decomposition approach has the advantage that the underlying trusted computing base (TCB) need not be extended to include mandatory controls on multilevel relations, and this helps to keep the code of the TCB small. Moreover, it allows the DBMS to run mostly as an untrusted application on top of the TCB. We will come back to this issue in Section 3 when discussing different implementations of Trusted DBMSs.

2.2.3 MAC-based Structural Limitations

Although being more restrictive than DAC models, MAC techniques need some extensions to be applied to databases efficiently.
In particular, we see as limitations the following drawbacks in multilevel secure databases and mandatory access controls based on BLP:

· Granularity of security object: It is not yet agreed what the granularity of labeled data should be. Proposals range from protecting whole databases, to protecting files, protecting relations, attributes, or even certain attribute values. In any case, careful labeling is necessary because otherwise it could lead to inconsistent or incomplete label assignments.

· Lack of automated security labeling technique: Databases usually contain a large collection of data, serve many users, and labeled data is not available in many civil applications. This is the reason manual security labeling is necessary, which may result in an almost endless process for large databases. Therefore, supporting techniques are needed, namely guidelines and design aids for multilevel databases, tools that help in determining the relevant security objects, and tools that suggest clearances and classifications.

· N-persons access rules: Because of information flow policies higher cleared users are restricted from writing-down on lower classified data items. However, organizational policies may require that certain tasks need to be carried out by two or more persons (four-eyes-principle) having different clearances. As an example consider subjects s1, s2 with clear(s1) > clear(s2), data item d with class(d) = clear(s2), and the business rule that writing of s2 on d needs the approval of s1. Following Bell-LaPadula’s write-access rule would require the same level of clearance for s1 and s2. This may be inadequate for business applications of MLS database technology.

2.3 The Adapted Mandatory Access Control Model

Adapting mandatory access controls to better fit into general purpose data processing practice and offering a design framework for databases containing sensitive information are the main goals of the Adapted Mandatory Access Control (AMAC) model.
In order to overcome the MAC-based limitations stated above, AMAC offers several features that assist a database designer in performing the different activities involved in the design of a database containing sensitive information. For AMAC as a security technique for databases we see the following advantages:

· The technique supports all phases of the design of a database and can be used for the construction of discretionary protected as well as for the construction of mandatory protected databases.

· In the case mandatory protection is required, a supporting policy to derive database fragments as the target of protection is provided. This overcomes the discussion about what should be the granularity of the security object in multilevel systems.

· In the case mandatory protection is required, automated security labeling for security objects and subjects is supported. Automated labeling leads to candidate security labels that can be refined by a human security administrator if necessary. This overcomes the limitation that labeled data often is not available.

· In AMAC security is enforced by using database triggers and thus can be fine-tuned to meet application dependent security requirements. For example, the n-eyes-principle may be supported in some applications and may not in others where information flow control is a major concern of the security policy.

We will first give a general overview of the AMAC technique, which is followed by a more formal discussion and an example.

2.3.1 AMAC General Overview

Adapted mandatory security belongs to the class of role-based security models, which assume that each potential user of the system performs a certain role in the organization. Based on their role, users are authorized to execute specific database operations on a predefined set of data. The AMAC model does not only cover access control issues but includes in addition a database design environment with main emphasis on the security of resulting databases.
Resulting databases may be implemented in DBMSs supporting DAC only or supporting DAC and MAC. The technique combines well known and widely accepted concepts from the field of data modeling with concepts from the area of data security research. By using AMAC the following design phases for security critical databases can be identified.

(1) Requirements Analysis and Conceptual Design. Based on the role they perform in the organization, the potential users of the database can be classified into different groups. For different roles data and security requirements may differ significantly. The Entity-Relationship (ER) model and its variants serve as an almost de facto standard for conceptual database design and have been extended in AMAC to model and describe security requirements. The security and data requirements of each role performed in the organization are described by individual ER-schemas and form the view (perception) of each user group on the enterprise data. Please note, in this setting the notion of a view denotes all the information a user performing a certain role in the organization is aware of. This information includes data, security requirements, and functions. Thus, the notion of views appears different from that in a DAC environment. In order to arrive at a conceptualization of the whole information system as seen from the viewpoint of the enterprise, AMAC uses view integration techniques in a further design step. The resulting conceptual database model is described by a single ER-schema extended by security flags indicating security requirements for certain user roles.

(2) Logical Design. In order to implement the conceptual schema in a DBMS, a transformation from the ER-schema into the data model supported by the DBMS in use is necessary. AMAC contains general rules and guidelines for the translation of ER-schemas into the relational data model.
Output of the transformation process is a set of relational schemas, global dependencies defined between schemas and necessary for database consistency during further design steps, and a set of views, now describing access requirements on relation schemas. If the DBMS that should hold the resulting database is only capable of supporting DAC, the relational schemas are candidates for implementation and the view descriptors are used for discretionary access controls. In the case the DBMS under consideration supports MAC, further design activities are necessary. The Requirements Analysis, Conceptual and Logical Design phases in AMAC are described by Pernul and Tjoa (1991).

(3) The AMAC security object. In order to enforce mandatory security it is necessary to determine security objects and security subjects, which are both subject to security label assignments. In AMAC a security object is a database fragment and a subject is a view. Fragments are derived by using structured database decomposition and views are derived by combining these fragments. A fragment is the largest area of the database to which two or more views have access in common. Additionally, no view exists that has access to a subset of the fragment only. Pernul and Luef (1991) have developed the structured decomposition approach and the automated labeling policy. Their work includes techniques for a lossless decomposition into fragments and algorithms to keep fragmented databases consistent during database update. It should be noted that a database decomposition into disjoint fragments is a natural way to implement security controls in databases.

(4) Support of automated security labeling. As in most IT applications labeled data is not available, AMAC offers a supporting policy for the automated security labeling of security objects and security subjects.
Automated labeling is based on the following assumption: the larger the number of users cleared to access a particular fragment, the lower the sensitivity of the contained data and thus the lower the level of classification that needs to be provided for the fragment. This assumption seems to be valid because a fragment that is accessed by many users will not contain sensitive information and, on the other hand, a fragment that is accessible to only a few users can be classified as being highly sensitive. Views (respectively the users having the view as their access window to the data) are ordered based on the number of fragments they may access (they are defined over) and additionally based on the assigned classifications for the fragments. In general, a view needs a clearance that allows the corresponding users to access all fragments the view is defined over. The suggested classification class(F) applies to the whole fragmental schema F as well as to all attribute names and type definitions for the schema, while the suggested clearance clear(V) applies to all transactions executing on behalf of a user V. It should be noted that classifications and clearances are only candidates for security labels and may be refined by a human database designer if necessary.

(5) Security Enforcement. In AMAC the fragments are physically stored and access to a fragment may be controlled by a reference monitor. Security is enforced by using trigger mechanisms. Triggers are hidden rules that can be fired (activated) if a fragment is affected by certain database operations. In databases, the security-critical operations are the select (read access), the insert, delete, and update (write accesses) commands. In AMAC select In AMAC security constraints are handled during database design as well as during query processing. During database design they are expressed by the database decomposition, while during query processing they are enforced by the trigger mechanisms.
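The fragment derivation and automated labeling of phases (3) and (4) can be made concrete with a small sketch. This is an added example, not code from AMAC or its authors: the Employee rows, the views VA, VB and VC, the function names and the totally ordered integer levels are all assumptions, and the labeling is a simplified stand-in for the policy of Pernul and Luef (1991).

```python
from collections import defaultdict

# Constructed sample data: Employee tuples keyed by a made-up tuple id.
EMPLOYEE = {
    "e1": {"Name": "Ann", "Dep": "R&D", "Salary": 70},
    "e2": {"Name": "Bob", "Dep": "Pay", "Salary": 90},
    "e3": {"Name": "Cy", "Dep": "QA", "Salary": 120},
}

# Hypothetical views: predicate(row, attribute) -> True if the cell is visible.
VIEWS = {
    "VA": lambda row, attr: True,                  # whole relation
    "VB": lambda row, attr: attr != "Salary",      # vertical restriction
    "VC": lambda row, attr: row["Salary"] <= 80,   # horizontal restriction
}

def fragments(relation, views):
    """Group cells by the exact set of views that may read them, so that
    no view is defined over only a subset of any resulting fragment."""
    frags = defaultdict(set)
    for key, row in relation.items():
        for attr in row:
            readers = frozenset(v for v, ok in views.items() if ok(row, attr))
            frags[readers].add((key, attr))
    return dict(frags)

def label(frags):
    """Candidate labels: the fewer readers a fragment has, the higher its
    class; clear(V) is the highest class among the fragments V reads."""
    counts = sorted({len(r) for r in frags}, reverse=True)
    cls = {readers: counts.index(len(readers)) for readers in frags}
    clear = defaultdict(int)
    for readers, level in cls.items():
        for v in readers:
            clear[v] = max(clear[v], level)
    return cls, dict(clear)

def overreach(cls, clear):
    """(view, readers-of-fragment) pairs that a plain 'clear >= class'
    check would allow although the view is not defined over the fragment."""
    return sorted((v, tuple(sorted(r))) for r, lvl in cls.items()
                  for v, c in clear.items() if c >= lvl and v not in r)
```

overreach() lists the view/fragment pairs where a plain clearance-dominates-class check would grant access the view was never defined over, which is where the candidate labels need refinement by the database designer.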
In the following we will give the technical details of the decomposition process, the decomposition itself, the automated security labeling process, and certain integrity constraints that need to be considered in order to arrive at a satisfactory fragmentation.

In AMAC it is assumed that Requirements Analysis is performed on an individual user group basis and that the view on the database of each user group is represented by an Entity-Relationship (ER) model. The ER model has been extended to cover, in addition to data semantics, the access restrictions of the user group. The next design activity is view integration. View integration techniques are well established in conceptual database design and consist of integrating the views of the individual user groups into a single conceptual representation of the database. In AMAC the actual integration is based on a traditional approach and consists of two steps: integration of entity types and integration of relationship types (Pernul and Tjoa, 1991). During the integration, correspondences between the modeling constructs in different views are established, and the integration is performed based on the different possibilities of correspondences. After the integration the universe of discourse is represented by a single ER diagram extended by the access restrictions for each user group.

The next step is the transformation of the conceptual model into a target data model. AMAC offers general rules for the translation into the relational data model. The translation is quite simple and results in three different types of modeling constructs: relation schemas (entity type relations or relationship type relations), interrelational dependencies defined between relation schemas, and a set of view descriptors defined on relation schemas and representing security requirements in the form of access restrictions for the different user groups. In the relational data model user views have no conceptual representation.
The decomposition and labeling procedure in AMAC is built around the concept of a user view, and this makes a simple extension of the relational data model necessary.

Let RS(ATTR,LD) be a relation schema with ATTR a set of attributes {A1, ..., An}. Each Ai ∈ ATTR has a domain dom(Ai). LD is a set of functional dependencies (FDs) restricting the set of theoretically possible instances of a relation R with schema RS (i.e. ×i dom(Ai)) to the set of semantically meaningful ones. A relation R with schema RS is a set of distinct instances (tuples) {t1, ..., tm} of the form a1, ..., an where ai is a value within dom(Ai).

Let RS1(ATTR1,LD1) and RS2(ATTR2,LD2) be two relation schemas with corresponding relations R1 and R2. Let X and Y denote two attribute sets with X ⊆ ATTR1 and Y ⊆ ATTR2. The interrelational inclusion dependency (ID) RS1[X] ⊆ RS2[Y] holds if for each tuple t ∈ R1 there exists at least one tuple t' ∈ R2 with t[X] = t'[Y]. If Y is a key in RS2, the ID is called key-based and Y is a foreign key in RS1.

Let V = {V1, ..., Vp} be a set of views. A view Vi (Vi ∈ V, i = 1..p) consists of a set of descriptors specified in terms of attributes and a set of conditions on these attributes. The set of attributes spanned by the view can belong to one or more relation schemas. View conditions represent the access restrictions of a particular user group on the underlying base relations. For each user group there must be at least one view.

The concepts defined above serve as the basis of an AMAC conceptual start schema SS. SS may be defined by a triple SS(A,GD,V), where: A = {RS1(ATTR1,LD1), ..., RSn(ATTRn,LDn)} is a set of relation schemas, GD = {ID1, ..., IDk} is a set of key-based IDs, and V = {V1, ..., Vm} is the set of views.
In the case that discretionary protection is sufficient, the relational schemas are candidates for implementation in a DBMS, the views may be used to implement content-based access controls, and the set GD of global dependencies may be associated with an insert-rule, a delete-rule, and a modification-rule in order to ensure referential integrity during database operation. In the case that DAC is not sufficient and MAC should be supported, it is necessary to determine the security objects and subjects and to assign appropriate classifications and clearances. In order to express the security requirements defined by means of the views, a decomposition of SS into single-level fragments is necessary. The decomposition is based on the derived view structure and results in a set of fragmental schemas in such a way that no view is defined over a subset of a resulting schema only. A single classification is assigned to each fragmental schema, and the decomposition is performed by using a vertical, horizontal, or derived horizontal fragmentation policy.

A vertical fragmentation (vf) results in a set of vertical fragments (F1, ..., Fr) and is the projection of a relation schema RS onto a subset of its attributes. In order to make the decomposition lossless, the key of RS must be included in each vertical fragment. A vertical fragmentation (vf) R = (F1, ..., Fr) of a relation R is correct if for every tuple t ∈ R, t is the concatenation of (v1, ..., vr) with vi a tuple in Fi (i = 1..r). The (vf) is used to express 'simple' security constraints that restrict users from accessing certain attributes. The effects of (vf) on an existing set of FDs have been studied by Pernul and Luef (1991), and the authors show that if R is not in 3NF (third normal form) some FDs might get lost during a decomposition.
In order to produce a dependency-preserving decomposition in AMAC, they have suggested including virtual attributes (not visible to any user) and update clusters in vertical fragments in the case that a schema is not in 3NF.

A horizontal fragmentation (hf) is a subdivision of a relation R with schema RS(ATTR,LD) into a subset of its tuples based on the evaluation of a predicate defined on RS. The predicate is expressed as a boolean combination of terms, each term being a simple comparison that can be established as true or false. An attribute on which a (hf) is defined is called a selection attribute. A (hf) is correct if every tuple of R is mapped into exactly one resulting fragment. Appending one horizontal fragment to another leads to a further horizontal fragment or to R again. A (hf) is used to express access restrictions based on the content of certain tuples.

A derived horizontal fragmentation (dhf) of a relation Ri with schema RSi(ATTRi,LDi) partitions RSi by applying a partitioning criterion that is defined on RSj (i ≠ j). A (dhf) is correct if there exists a key-based ID of the form Ri[X] ⊆ Rj[Y] and each tuple t ∈ Ri is mapped into exactly one of the resulting horizontal fragments. A (dhf) may be used to express access restrictions that span several relations.

A view Vi (Vi ∈ V) defined on A represents the area of the database to which a corresponding user group has access. Let F (F = Vi ∩ Vj) be a database fragment; then F represents the area of the database to which two groups of users have access in common. If F = Vi \ Vj, then F is only accessible by users having view Vi as their interface to the database. In this case, F represents data which is not contained in Vj and must therefore not be accessible to the corresponding user set. From the point of view of a mandatory security policy, a certain level of assurance must be given that users Vj are restricted from accessing F. In AMAC this is given by separation.
For example, fragment (Vi \ Vj) is separated from fragment (Vj \ Vi) and fragment (Vi ∩ Vj) even if all fragments belong to the same relation. The construction of the fragments makes a structured database decomposition necessary, and in order to support mandatory access controls, the access windows for the users are constructed in a multilevel fashion such that only the necessary fragments are combined to form a particular view.

Let Attr(V) be the attribute set spanned by view V and let the subdomain SD(V[A]) be the domain of attribute A valid in view V (SD(V[A]) ⊆ dom(A)). Two particular views Vi and Vj are said to be overlapping if: ∃A (A ∈ Attr(Vi ∩ Vj) and SD(Vi[A]) ∩ SD(Vj[A]) ≠ ∅); otherwise, Vi and Vj are called isolated. The process of decomposing A (A = {RS1(ATTR1,LD1), ..., RSn(ATTRn,LDn)}) is performed for any two overlapping views and for each isolated view by using the (vf), (hf), and (dhf) decomposition operations. It results in a fragmentation schema FS = {FS1(attr1,ld1), ..., FSm(attrm,ldm)} and a corresponding set of fragments F (F = {F1, ..., Fm}). If ∪i ATTRi = ∪j attrj (i = 1..n, j = 1..m) the decomposition is called lossless, and if ∪i LDi ⊆ ∪j ldj (i = 1..n, j = 1..m) it is called dependency preserving. Please note that (hf) or (dhf) may result in additional FDs. A fragmental schema FSj ∈ FS is not valid if for any view V (∃Fj' ⊆ Fj) (V ? Fj', V U Fj). Here, V ? F denotes that users with view V have access to fragment F, while V U F means that F is not included in view V.

To illustrate the concepts defined above we will apply the fragmentation policy to the example given in the Introduction of this Chapter.
We assume that the Requirements Analysis has been performed and that the resulting ER model has been translated into the following start schema:

SS = (
A = { Employee ({SSN, Name, Dep, Salary}, {SSN → Name, Dep, Salary}),
Project ({Title, Subject, Client}, {Title → Subject, Client}),
Assignment ({Title, SSN, Date, Function}, {Title, SSN → Date, Function}) },
GD = { Assignment[Title] ⊆ Project[Title], Assignment[SSN] ⊆ Employee[SSN] },
V = {V1, V2, V3, V4, V5} )

The security policy of the organization requires the following security conditions to be represented:

· View V1 represents the access window for the management of the organization under consideration. Users with view V1 should have access to the whole database.
· Views V2 and V3 represent users of the pay-office department. Their requirements include access to Employee and Assignment. For V2 access to Employee is not restricted. However, access to attribute Function should only be provided in the case the employees' Salary ? 100. Users V3 should only have access to employees and their assignments in the case the attribute Salary ? 80.
· View V4 has access to Project. However, access to attribute Client should not be supported in the case the subject of a project is 'research'.
· View V5 represents the view of the users of the quality-control department. For them to perform their work it is necessary to have access to all information related to projects that have a subject 'development', i.e. to the project data, to the assignment data, and to the data concerning assigned employees. For security req