DATABASE SECURITY

(KEAMANAN BASIS
DATA)
Mukhlis, S.Kom., MT.

Agenda Kuliah
Sesi Materi

Tujuan

Overview Kuliah

Mengetahui ruang lingkup

materi, manfaat, dan tujuan
yang harus dicapai.

II

Konsep Keamanan
Basis Data

Mengetahui dan memahami

konsep dasar keamanan basis
data (what, why).

III

Pengelolaan
Keamanan Basis
Data

Mengetahui dan memahami

bagaimana pengelolaan
keamanan basis data (how).

Deskripsi Umum Kuliah

Mempelajari dan mengkaji berbagai
issue keamanan basis data dan
implementasinya pada sistem yang
menggunakan DBMS komersial /
non-komersial.

Tujuan Kuliah
Memahami

konsep, prinsip, dan konteks

keamanan basis data.

Mampu

melakukan analisis kebutuhan dan

perancangan keamanan basis data.

Mampu

menerapkan hasil perancangan

keamanan basis data pada sistem tertentu.

Mengetahui

berbagai model keamanan basis

data pada sistem yang menggunakan DBMS
komersial / non-komersial.
4

Materi Kuliah
Konsep,

prinsip, dan konteks keamanan basis

Analisis

& perancangan keamanan basis data:

data.

Analisis

kebutuhan keamanan basis data

Perancangan

keamanan basis data

Implementasi
Model-model
Mekanisme
Statistik

keamanan basis data:

keamanan basis data

umum keamanan basis data

keamanan basis data

5

Skenario Penyampaian Materi

Teoritis

Studi Kasus

Kajian Pustaka

Konsep, Prinsip
dan Konteks
Keamanan BD

Analisis Kebutuhan
dan Perancangan
Keamanan BD

Implementasi
Keamanan BD

Bagian I:

Bagian II:

Ruang Lingkup Pembahasan

Cakupan Keamanan Informasi

jaringan
OS
aplikasi

Bagaimana menjaga
data yang disimpan
dalam basis data
terjamin keamanannya

basis
data

Setting Situasi
Sistem

informasi yang menggunakan basis

data sebagai tempat penyimpanan datanya.

Basis

data mungkin disimpan secara

terpusat atau tersebar dengan duplikasi
(replikasi, fragmentasi).

Ada

banyak pemakai yang dapat mengakses

basis data melalui jaringan komputer (LAN,
intranet, internet).
8

Referensi
Fugini,

M.G. et al, Database Security, Addison

Wesley, 2004.

Caelli,

W. et al., Information Security Handbook,

Macmillan, 2004.

DBMS

Reference Manual:

MySQL

5.0
Oracle Oracle 10g atau yang lebih baru
MS-SQL

Server 2000 atau yang lebih baru

Referensi

lain dari internet.

DATABASE SECURITY
(KEAMANAN BASIS
DATA)
Konsep Keamanan Basis Data

Keamanan Basis Data

Tindakan

untuk melindungi sumber daya

basis data dari pengaksesan yang tidak
berhak, modifikasi, atau bentuk intervensi
lainnya.

Sekumpulan

perangkat yang dirancang

untuk melindungi record-record data dan
sumber daya basis data lainnya dari orangorang yang tidak berhak.

11

Tujuan Keamanan Basis Data

Secrecy/Confidentiality:

Information should not

be disclosed to unauthorized users. For example,
student should not be allowed to examine other
students grades.

Integrity:

Only authorized users should be allowed

to modify data. For example, student may be
allowed to see their grades, yet not allowed
(obviously) to modify them.

Availability:

Authorized users should not be

denied access. For example, an instructor who
wishes to change a grade should be allowed to do so.
12

Ancaman Keamanan Terhadap

Basis Data
Interuption:

Sumber daya basis data dirusak atau

menjadi tidak dapat dipakai (ancaman terhadap
availability).

Interception:

Pemakai atau bagian yang tidak berhak

mengakses sumber daya basis data (ancaman secrecy).

Modification:

Pemakai atau bagian yang tidak berhak

tidak hanya mengakses tapi juga merusak sumber daya
sistem komputer (ancaman integrity).

Fabrication:

Pemakai atau bagian yang tidak berhak

menyisipkan objek palsu kedalam sistem (ancaman
integrity).
13

Bentuk Ancaman vs CIA

14

Tahap Ancaman dan Penangkalan

Tahap Ancaman

Penangkalan

Pengamatan

Pencegahan

Penyusupan

Deteksi

Pelaksanaan

Pemberantasan,
Pemulihan

Penghilangan Jejak

Log System

15

Contoh Keamanan Basis Data

16

Why is Database Security

Important?
Databases

in nature.

often store data which is sensitive

Incorrect

data or loss of data could negatively

affect business operations.

Databases

can be used as bases to attack

other systems from.

17

Evolving DB Threat
Environment

A decade ago, databases were:

Physically secure
Housed in central data centers not distributed
External access mediated through customer service reps,
purchasing managers, etc.
Security issues rarely reported

Now increasingly DBs externally accessible:

Data is most valuable resource in application stack

Suppliers directly connected

Customers directly connected
Customers & partners directly sharing data

Value increases with greater integration & aggregation

Opportunities for data theft, modification, or destruction

DB security a growing problem

18

Beberapa Strategi Keamanan

Basis Data
Principle

of least privilege
Password security
Firewalling / access control
Remove / disable unneeded default accounts
Disable unneeded components
Running database processes under dedicated
non-privileged account.

19

Beberapa Bentuk Penerapanan

untuk Keamanan Basis Data
Kerberos

protocol)

Port

security (network authentication

access security

Virtual

private databases

Role-based

security

Grant-execute

security

20

DATABASE SECURITY
(KEAMANAN BASIS
DATA)
Database Security
Management

Database Security Management

Database

Security Management can defined

as a set activities that covers:
Database

Security Plan
Database Security Requirements Analysis
Database Security Design
Database Security Implementation
Database Security Audit

22

Database Security Management

(continued)
Database Security Management vs Database Design

23

Database Security Plan

Describes

how an organization will

address its database security needs.
and organizing the database
security activities for a computing
system.

Identifying

The

objective of a database security plan

is to enable staff to act effectively to
prevent and mitigate the effects of
database security problems.
24

Database Security Plan

( continued )
Database

Security Plan must address six

issues below:
Policy

Current

Security Status
Recommendation
Accountability
Timetable
Continuing Attention

25

Database Security Policy

Database

security policy indicate the goals of

a database security effort and the willingness
to work to achieve.

Security

System

policies for database operation:

Security Policy
Data Security Policy
User Security Policy
Password Management Policy
Auditing Policy
A Security Checklist

26

Database Security Policy

( continued )
System

Security Policy

Database

User Management
User Authentication
Operating System Security

Data

Security Policy
Includes the mechanisms that control the
access to and use of the database at the
object level.

27

Database Security Policy

( continued )

User Security Policy

General User Security

End-User Security
Administrator Security
Application Developer Security
Application Administrator Security

Password Management Policy

Account Locking
Password Aging and Expiration
Password History
Password Complexity Verification

28

Database Security Policy

( continued )
Auditing

Monitor

Policy

suspicious database activity

Gather historical information about particular
database activities

Security Checklist
Provides guidance on configuring DBMS in a
secure manner for operational database
deployments.

29

Current Database Security

Status
Describing

the status of a database security

at the time of the plan.

Status
A

includes:

listing of the database resources

The security threats to the resources
The controls in place to protect the resources

30

Database Security
Recommendation
Recommendations

and requirements which

lead to meeting the database security goals.
Ownership

and Responsibility
Resources and Their Vulnerabilities
Threats
Solutions
Security Measures
Guidelines to Personnel

31

Database Security
Accountability
A

plan of accountability so that responsible

people can later be judged on the results they
have achieved.

It

should describe who is responsible for each

database security activity.

32

Database Security Timetable

Identifying

when different security functions

are to be done.

Also

gives a milestones by which the progress

can be judged.

33

Database Security Continuing

Attention
Specifying

a structure to update the database

security plan periodically.

Periodically

the inventory of objects and the

list of controls should be updated, the risk
analysis should be reviewed.

The

security plan should be set a time for

this periodic review.

34

Database Security Requirement

Analysis
Making

a determination of what must be

done, when it must be done, what is needed
to do it, and who should be doing it.

Also

includes an examination of the physical

access point to data.

35

Database Security Requirement

Analysis ( continued )
Database

steps:

security requirements analysis

Identification

and evaluation of securable

resources (subjects and objects).
Examination of each of these resources to
determine if they need to be secured.
Risk analysis / risk evaluation.
Determine how to achieve the desired level
security.

36

Titik Akses ke Basis Data

Akses basis data
melalui perangkat
lunak aplikasi

User
Programmer
Pihak luar

DBMS
Aplikasi

Database
Administrat
or

Basis
Data

2
Akses basis data
melalui DBMS
37

Beberapa Contoh Jenis

Ancaman
User

/ Pihak Luar

Mengakses

haknya.

dan mengupdate data yang bukan menjadi

Menggunakan
Melihat

hak akses orang lain

dan mengupdate data yang tidak diotorisasi

Programmer
Membuat

program yang tidak aman

Membuat

account sendiri

Menyimpan

Database

virus atau program lainnya yang merusak

administrator

Menyalahgunakan

kewenangan yang dimiliki

38

DATABASE SECURITY REQUIREMENT

ANALYSIS ( CONTINUED )
Contoh hasil Database Security Requirements Analysis:
Resources

Threats

Security Needs

User

User menyalahgunakan
otoritas yang dimilikinya

Pemberian password
Pembatasan otoritas

Basis data

Sumber daya basis data

(tabel, view, query, index,
dll.) diubah atau dihapus
oleh user yang tidak berhak

Pengaturan peran (role)

bagi user
Access grant

Data diubah, dihapus, atau

dilihat oleh user yang tidak
berhak.

Access grant

Tabel Basis Data

39

Database Security Design

Identification

of the subjects and objects

relevant from a security viewpoint.

Identification

of access modes granted to

different subjects on different objects;
constraints on access.

Translate

the analysis model to a specific

DBMS view-based and query-based security
technique.

40

DATABASE SECURITY DESIGN

(CONTINUED)

Contoh hasil Database Security Design:

Resources

Security Types

Tabel Rekening

Access grant untuk user:

CREATE dan DROP oleh DBA atau user
yang ditunjuk.
SELECT dan INSERT oleh Customer
Service saat pembukaan rekening.
SELECT dan UPDATE oleh Teller saat
pencatatan transaksi ambil atau setor.
SELECT dan UPDATE oleh Bagian
Keuangan saat pengenaan biaya
administrasi dan perhitungan bunga.
SELECT dan DELETE oleh Bagian
Keuangan saat penutupan rekening.

PIC
Database
Administrator
(DBA)

41

Database Security Implementation

Transform database security design model to specific

DBMS using its features or SQL statements.
Issues in database security implementation usually
to be concerned, respectively:

User Authorization
Userid
Password

Discretionary Security
GRANT statements
REVOKE statements

Mandetory Security

Security level

42

DATABASE SECURITY IMPLEMENTATION

( CONTINUED )

Creating a User
CREATE USER cs IDENTIFIED BY sohib;
CREATE USER teller IDENTIFIED BY kobam;
CREATE USER finance IDENTIFIED BY doku;

Add Account Locking

CREATE PROFILE prof LIMIT
FAILED_LOGIN_ATTEMPTS 4 PASSWORD_LOCK_TIME 30;
ALTER USER cs PROFILE prof;

43

DATABASE SECURITY IMPLEMENTATION

( CONTINUED )

Granting Privileges

GRANT SELECT, INSERT ON tblAccount TO cs;

GRANT SELECT, UPDATE ON tblAccount TO teller;
GRANT SELECT, UPDATE, DELETE ON tblAccount TO
finance;

Using Roles

CREATE USER manager IDENTIFIED BY boss;

CREATE ROLE supervisor;
GRANT SELECT, INSERT, UPDATE, DELETE ON tblAccount
TO supervisor;
GRANT SELECT ON tblCustomer TO supervisor;
GRANT SELECT, INSERT, UPDATE ON tblTransaction TO
supervisor;
GRANT supervisor TO manager;
44

Database Security Implementation

( continued )
Security
All

level

end-users of a database (or an application)

should be mapped to a single database user:
CREATE TABLE user (name CHAR(30), userid
CHAR(10), password CHAR(10), group CHAR(10),
sec_level NUMBER(2), email_addr VARCHAR(80));

The

task of authorization in above cases falls on

the application program, with no support from
SQL.

45

Eksplorasi,
Kajian Pustaka

Analisis &
Perancangan

Sistem yang
Dipilih

DB Security
Management
yang Diacu

Analisis &
Perancangan DB
Security untuk
Sistem yang
Dipilih

DB Security pada
DBMS Tertentu

Implementasi

Implementasi DB
Security dengan
DBMS tertentu
untuk Sistem yang
Dipilih

Studi Kasus

Contoh
Penanganan
Kasus DB
Security dengan
DBMS untuk
Sistem yang
Dipilih

46

TERIMAKASIH

47