This document provides an overview of data security, privacy, and ethics in database management. It discusses why database security is important given the strategic value of data. It outlines common threats to database security like theft, fraud, and loss of confidentiality or integrity. It then describes some techniques for maintaining database security, including authorization, access controls, backup/recovery, and encryption. The document also discusses the differences between data administration and database administration. Finally, it covers some important aspects of professional and legal ethics in data management, highlighting regulations and frameworks like COBIT, COSO, and HIPAA.
Fakultas Teknologi Maju dan Multidisiplin Universitas Airlangga
3. Data Security, Data Privacy, Ethics in Database

Ika Qutsiati Utami, S.Kom., M.Sc.
M. N. Fakhruzzaman, S.Kom., M.Sc.

Content
1. PART 1: Database Security
2. PART 2: Professional, Legal, and Ethical Issues in Data Management

PART 1: Database Security – Why?
• Data is a valuable resource.
• Data may have strategic importance to an organization.
• It should therefore be kept secure and confidential, controlled and managed.
• The DBMS must ensure that the database is secure.

Database Security – Why?
• Increasing amounts of crucial corporate data are being stored on computers, and it is accepted that any loss or unavailability of this data could prove to be disastrous.

Database Security – What?
• Security: the protection of the database against unauthorized access, either intentional or accidental.
• Database security (DS): the mechanisms that protect the database against intentional or accidental threats.
• Database security encompasses hardware, software, people, and data.
• DS:
  1. Theft and fraud;
  2. Loss of confidentiality (secrecy);
  3. Loss of privacy;
  4. Loss of integrity;
  5. Loss of availability.

Threats
• Any situation or event, whether intentional or accidental, that may adversely affect a system and consequently the organization.
• The harm:
  1. Tangible: loss of hardware, software, or data.
  2. Intangible: loss of credibility or client confidence.
• Any threat must be viewed as a potential breach of security.

Example of Threats

How to Maintain Secure DB?

Authorization
• Authorization controls can be built into the software and govern not only what system or object a specified user can access, but also what the user may do with it.
• Authorization involves:
  • Authentication: a mechanism that determines whether a user is who he or she claims to be.
• A system administrator is usually responsible for allowing users to have access to a computer system by creating individual user accounts.

Access Controls
• The typical way to provide access controls for a database system:
  1. Granting of privileges
  2. Revoking of privileges
• A privilege allows a user to create or access (read, write, or modify) some database object (such as a relation, view, or index).

Backup and Recovery
• Backup: the process of periodically copying the database and log file (and possibly programs) to offline storage media.
• It is always advisable to make backup copies of the database and log file at regular intervals and to ensure that the copies are in a secure location.
• The backup copy and the details captured in the log file are used to restore the database to the latest possible consistent state.

Encryption
• Encryption: the encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key.
• If a database system holds particularly sensitive data, it may be necessary to encode it as a precaution against possible external threats or attempts to access it.
• Techniques for encoding data:
  1. Irreversible techniques do not permit the original data to be known. However, the data can be used to obtain valid statistical information.
  2. Reversible techniques are more commonly used.

Encryption
• Transmitting data securely over insecure networks requires the use of a cryptosystem:
  1. Encryption key to encrypt the data (plaintext);
  2. Encryption algorithm that, with the encryption key, transforms the plaintext into ciphertext;
  3. Decryption key to decrypt the ciphertext;
  4. Decryption algorithm that, with the decryption key, transforms the ciphertext back into plaintext.
• Example: Data Encryption Standard (DES), a standard encryption algorithm developed by IBM.

Perform Data & DB Administration
• DA: The management of the data resource, which includes:
  1. DB planning
  2. DB development
  3. DB maintenance of standards, policies and procedures
  4. Conceptual and logical database design.
• DBA: The management of the physical realization of a database system:
  1. Physical database design and implementation
  2. Setting security and integrity controls
  3. Monitoring system performance
  4. Reorganizing the database

Data Administration Tasks

Database Administration Tasks

Comparison of Data and Database Administration

PART 2: Ethical Issues in Data Management
• Why legal?
  1. To develop knowledge of what constitutes professional and unprofessional behavior.
  2. To develop policies to ensure more transparency and effectiveness in IT resource and data management.

Ethics
• Ethics: a set of principles of correct conduct or a theory or a system of moral values.
• Ethical behavior: “doing what is right” according to the standards of society (e.g., country, religion, and ethnicity).
• What constitutes legal behavior is most often aligned with ethical behavior, although this is not always the case.

Strategies
• Internal controls: a set of measures that an organization adopts to ensure that policies and procedures are not violated, data is properly secured and reliable, and operations can be carried out efficiently.
• Intellectual property (IP) includes inventions, inventive ideas, designs, patents and patent applications, discoveries, improvements, trademarks, designs and design rights, written work, and know-how devised, developed, or written by an individual or set of individuals.

Strategies
• Patent: provides an exclusive (legal) right for a set period of time to make, use, sell, or import an invention.
• Copyright: provides an exclusive (legal) right for a set period of time to reproduce and distribute a literary, musical, audiovisual, or other “work” of authorship.
• Trademark: provides an exclusive (legal) right to use a word, symbol, image, sound, or some other distinctive element that identifies the source of origin in connection with certain goods or services.

Several recent regulations on data management
1. Securities and Exchange Commission (SEC)
2. Regulation National Market System (NMS)
3. The Sarbanes-Oxley Act
4. COBIT
5. COSO
6. The Health Insurance Portability and Accountability Act

Example 1: COBIT 5

Example 2: COSO
1. Control environment: establishes a culture of control, accountability, and ethical behavior.
2. Risk assessment: evaluates the risks faced in carrying out the organization’s objectives.
3. Control activities: implements controls necessary to mitigate risks.
4. Information and communications: specifies the paths of reporting and communication within an organization and between the organization and its trading partners.
5. Monitoring: assessing the effectiveness of controls put in place.

Example 3: The Health Insurance Portability and Accountability Act
1. Privacy of patient information.
2. Standardizing electronic health/medical records and transactions between healthcare organizations.
3. Establishing a nationally recognized identifier for employees to be used by all employee health plans.
4. Standards for the security of patient data and transactions involving this data.
5. Need for a nationally recognized identifier for healthcare organizations and individual providers.

Discussion
• Does BPJS data management comply with regulations on data management, both legally and ethically? Explain.

Thank You ☺
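
The granting and revoking of privileges described under Access Controls in Part 1, shown as an added example that is not part of the original slides. It uses PostgreSQL syntax; the table, view and role names are hypothetical and the schema is constructed for illustration.

```sql
-- Constructed schema (hypothetical names, not from the slides).
CREATE TABLE patient (
    patient_id  integer PRIMARY KEY,
    full_name   text NOT NULL,
    diagnosis   text,
    billing_ref text
);

-- New roles hold no privileges on the table until some are granted.
CREATE ROLE billing_clerk LOGIN;
CREATE ROLE nurse LOGIN;

-- A view is itself a database object that privileges can be granted on.
-- This one exposes only the columns the billing role needs.
CREATE VIEW patient_billing AS
    SELECT patient_id, full_name, billing_ref
    FROM patient;

-- Granting of privileges: each role receives only the operations it needs.
GRANT SELECT ON patient_billing TO billing_clerk;    -- read, via the view only
GRANT SELECT ON patient TO nurse;                    -- read the base table
GRANT UPDATE (diagnosis) ON patient TO nurse;        -- modify one column only

-- Audit step: ask the DBMS what each role may actually do.
SELECT has_table_privilege('billing_clerk', 'patient', 'SELECT')
           AS clerk_reads_base_table,
       has_table_privilege('billing_clerk', 'patient_billing', 'SELECT')
           AS clerk_reads_view,
       has_column_privilege('nurse', 'patient', 'diagnosis', 'UPDATE')
           AS nurse_updates_diagnosis,
       has_column_privilege('nurse', 'patient', 'billing_ref', 'UPDATE')
           AS nurse_updates_billing;

-- Revoking of privileges: withdraw access when the duty ends.
REVOKE UPDATE (diagnosis) ON patient FROM nurse;
REVOKE ALL PRIVILEGES ON patient_billing FROM billing_clerk;

-- Re-run the audit after revocation to confirm the change took effect.
SELECT has_table_privilege('billing_clerk', 'patient_billing', 'SELECT')
           AS clerk_reads_view,
       has_column_privilege('nurse', 'patient', 'diagnosis', 'UPDATE')
           AS nurse_updates_diagnosis;
```

By default a PostgreSQL view is evaluated with its owner's privileges, which is why the billing role can read through the view without holding any privilege on the base table.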