INTRODUCTION

Electronic, relational databases are becoming increasingly important, and as their importance grows, there is a concomitant concern about database security. As specialists in every science turn increasingly to the use of databases in their research, each field makes unique demands on the technology that underlies database development. In turn, databases provide special opportunities for every field. Systematics and, for our purposes here, systematic or taxonomic paleontology are characterized by a focus on the historical development of ideas that is unprecedented in other fields. Thus, whereas papers in high-energy physics older than ten or fifteen years are likely to be permanently shelved, and papers on Internet and intranet security have a half-life measured in weeks, paleontologists may need to refer to taxonomic literature, irrespective of its quality, back to the times of Clerck (1758) and Linnaeus (1758).

Systematic paleontologists rely on the history of taxonomic ideas, and, because of the rules of priority, the information of taxonomic paleontology must also be made widely available to enhance communication among systematists. Nothing is gained by excessive secrecy on the taxonomic front; indeed, with secrecy all is lost, including the priority of names and the ideas they represent. It is essential, therefore, that any database prepared in support of taxonomic paleontology be available for a long period of time and be readily accessible to a wide range of potential users, many of whom are likely to be unknown to the owner of the database.

Both requirements spell trouble for the security of databases. Yet security is an aspect of the preparation of databases that has received little attention from the paleontological community. Our purposes here are to present reasons for securing the information in databases and to suggest means of wending one’s way through the jargon-laden jumble of security-related matters.

Paying Attention to Security

Three points form the basis of our concerns regarding security (Figure 1). First, data have value, and this is so even for paleontological data. Of late, our profession has experienced some difficulty convincing others of the truth of this notion. Nevertheless, it is true, as several examples will make clear. (1) Petroleum companies often share geophysical data, but they tend to play their biostratigraphical cards rather close to the chest and typically regard such information as proprietary. (2) Paleontologists seeking grants from funding agencies in many instances find data from their previous studies to be of vital importance in establishing their qualifications. (3) The business of publishing about fossils is booming—and here we mean not only publishing books about dinosaurs—with the result that databases with illustrations of fossils are likely to be especially popular.

Second, anything of value is subject to theft, misuse, and, perhaps worst of all, vandalism. The threat to paleontological data is, of course, nowhere nearly so ominous as the threat to industrial, military, and financial investment data. By the same token, the impecunious paleontological community is ill-prepared fiscally to install security systems that are reliable and that provide effective security. Hackers have managed to break into the secret files of the U.S. Department of Defense, which are protected by an appreciable portion of a $200 billion annual budget. Given this fact, how vulnerable do you suppose the data of paleontology are to similar invasion?

Paleontologists develop databases either through their personal research, from the cooperative work of close colleagues, or by extensive library work and Treatise grazing. Whatever the data source, the paleontologist who develops a database has the right to the first use of those data before broadcasting them to the general public. One often hears the plea to just put it all out on the web. Such pleas too often ignore the fact that data have value and that their supporting infrastructure is sometimes quite costly as well.

Third, in spite of all these concerns, paleontologists need to share information. Data may be shared among close colleagues in the early phases of a research project or at a later stage be made generally available through the Internet. Concomitant with the need to share information is the risk to those data. At the end of the day, sharing is incompatible with security. The issue of security—both Internet security and intranet security—is emphasized extensively by computer insiders, and a hefty literature on the subject is available. In industry, the principal concern is the access to data by unauthorized persons, especially the theft of economically or militarily valuable information. A secondary concern is vulnerability to vandalism, which can be an equally costly problem.

What is the situation in academia? Things are certainly different in paleontology from what they are in, say, the pharmaceutical or defense industry. If a colleague were to abscond with your data, whether electronically or otherwise, he would soon be found out and would no doubt suffer professional ostracism. Thus, the outright theft of data in paleontology, partly because of its low likelihood, is probably not as troubling as other aspects of the complete security picture.

Herein we compare the issues of database security in industry, finance, and the military with the issues facing paleontologists (Figure 2). We identify ten problems of security that affect databases of every sort, and we propose some kinds of solutions that paleontologists can apply to help them address those problems.

Viewed in toto, the essence of the problem with security for databases is to weigh concerns about security against requirements for performance, productivity, and accessibility (Figure 3; Hartley, 1998). Adopting a thorough approach to security will help defray the costs of inadequate security: lost time, lost money, and unnecessary wear and tear on members of the staff, thereby curtailing their productivity (Figure 4).

Security of Databases: Meanings, Advantages, and Disadvantages

What do we mean when we speak of the security of a database (Figure 5)? Establishing a definition at the outset is important because the definition of security that one adopts will determine in large part the approach one takes to emplacing appropriate measures of security. TechEncyclopedia has defined security as, "The protection of data against unauthorized access." This is quite a narrow definition, but we understand the reason for the emphasis on unauthorized users. The definition is geared to the kinds of security problems that are encountered by industry, wherein the primary concern is access by unwelcome users. It recognizes that persistent systems programmers and other technically competent individuals are likely to be able to gain access to the identification codes and passwords that protect nearly any system, enabling ingress to an otherwise secure database.

The special needs facing paleontologists and their data cause us to favor a much broader definition of security. The dictionary definition (Mish 1995, p. 1056), always a good starting place, refers to security as "freedom from danger" or "freedom from fear or anxiety." An appealing working definition is that "a computer is secure if you can depend on it and its software to behave as you expect" (Garfinkel and Spafford 1996, p. 6). This definition ignores the problems that can result from the access by unauthorized individuals who use, but do not destroy, your database. Let us say that a database is secure if it can be accessed only by authorized users and you can depend on it and its software to behave as you expect. Dealing with this broader definition of security has led us to identify the ten areas of concern (Table 1).

The Downside of Security. Paranoia is stressful. It consumes energy and, where security of data systems is the issue, can devolve into a dreadful time sink. Of greater importance for our profession, excessive attention to matters of security will necessarily diminish communication to the detriment of paleontology as a whole. For this reason, although we must pay careful attention to matters of security, we must do so with an eye to our other goal, fulfilling the obligation of taxonomic paleontologists to communicate freely with each other.

The Upside of Security. The obvious advantage to having in place an effective system of security is that you and your data will be free from danger, fear, and anxiety. In addition, a very thin silver lining is that something good sometimes comes from examining and reexamining computer systems. Given the threats to databases, prudence requires a well-formulated, comprehensive, and appropriate security policy and the performance of all necessary security protocols on a daily or weekly basis. In the long run, systems designed with security in mind are more cost-effective than those that are not, especially if a major breach of security can be avoided.