Database Security for Billing System

Abstract

Database security is a growing concern evidenced by an increase in the number of reported incidents of loss of or unauthorized exposure of sensitive data. The major objective of this project is to enhance a security in billing system database of the National Water Supply & Drainage Board (NWS&DB). Payment details, Authorized agents details, Revenue details and some other important details are stored in this Billing Database. Billing servers are installed in every Regional Offices and billing data are stored on the billing server. Revenue-wise this billing data are very important. Revenue to NWS&DB depends on the accuracy of the Billing System. Thus the present billing database does not have any security enforcement. Data can be changed or deleted. There is no security policy at present. Ultimately there is no security at all. OWASP threat modeling is used to analyze the problem thoroughly. By using threat modeling, the threat as well as the risk involved in relation to the database, can be identified. Also countermeasures that could affect to the billing database are identified. According to countermeasures identified in the threat modeling process, solutions to protect billing database from attacks is implemented. Such implemented roles are , to grant privileges to those roles, write password policy function, implement stored procedures to limit database access to specific hours, write VPD policies to view one's scheme data only, implement encryption package to encrypt table data and use Fine Grained Auditing policy to monitor high privilege user activities. Evaluation process is implemented under different criteria. These are cost, time, efficiency and security by considering the previous situation and current situation in the billing database. This project attempts to overcome threats and weaknesses in the billing database in National Water Supply & Drainage Board. Finally this project provides a database security framework for any billing system.