Keamanan BasisData

CHAPTER 1

Mempelajari dan mengkaji issue-issue keamanan basis data dan implementasinya pada sistem yang menggunakan DBMS komersial / non-komersial

Tujuan

¡        Memahami konsep, prinsip, dan konteks keamanan basis data.

¡        Mampu melakukan analisis kebutuhan dan perancangan keamanan basis data.

¡        Mampu menerapkan hasil perancangan keamanan basis data pada sistem tertentu.

¡        Mengetahui berbagai model keamanan basis data pada sistem yang menggunakan DBMS komersial / non-komersial.

Tujuan keamanan Basisdata

¡        Secrecy/Confidentiality: Information should not be disclosed to unauthorized users. For example, student should not be allowed to examine other student’s grades.

¡        Integrity: Only authorized users should be allowed to modify data. For example, student may be allowed to see their grades, yet not allowed (obviously) to modify them.

¡        Availability: Authorized users should not be denied access. For example, an instructor who wishes to change a grade should be allowed to do so

Materi

¡        Konsep, prinsip, dan konteks keamanan basis data.

¡        Database security management:

  • Analisis kebutuhan keamanan basis data
  • Perancangan keamanan basis data

¡        Implementasi keamanan basis data:

  • Model-model keamanan basis data
  • Mekanisme umum keamanan basis data
  • Statistik keamanan basis data

Ruang lingkup

Referensi

¡        Raghu Ramakrishnan & Johannes Gehrke, “Database Management Systems”, Chapter 21.

¡        http://www-1g.cs.luc.edu/~van/cs468/lecture22/

index.html

¡        DBMS Reference Manual:

  • MySQL 5.0
  • MS-Access 2.0
  • Oracle 9i atau Oracle 10g
  • MS-SQL Server 2000

Situasi

¡        Sistem pengolahan data yang menggunakan basis data sebagai tempat penyimpanan datanya.

¡        Basis data mungkin disimpan secara terpusat atau tersebar dengan duplikasi (replikasi, fragmentasi).

¡        Ada banyak pemakai yang dapat mengakses basis data melalui jaringan komputer (LAN, intranet, internet).

Tindakan keamanan

¡        Tindakan untuk melindungi sumber daya basis data dari pengaksesan yang tidak berhak, modifikasi, atau bentuk intervensi lainnya.

¡        Sekumpulan perangkat yang dirancang untuk melindungi record-record data dan sumber daya basis data lainnya dari orang-orang yang tidak berhak.

Ancaman keamanan terhadap Basisdata

¡        Interuption: Sumber daya basis data dirusak atau menjadi tidak dapat dipakai (ancaman terhadap availability).

¡        Interception: Pemakai atau bagian yang tidak berhak mengakses sumber daya basis data (ancaman secrecy).

¡        Modification: Pemakai atau bagian yang tidak berhak tidak hanya mengakses tapi juga merusak sumber daya sistem komputer (ancaman integrity).

¡        Fabrication: Pemakai atau bagian yang tidak berhak menyisipkan objek palsu kedalam sistem (ancaman integrity).

Bentuk ancaman VS CIA

Tahap ancaman dan Penangkalan

Tahap Ancaman Penangkalan
Pengamatan Pencegahan
Penyusupan Deteksi
Pelaksanaan Pemberantasan, Pemulihan
Penghilangan Jejak Log System

Contoh keamanan basisdata

Mengapa keamanan basisdata sangat penting ?

¡        Databases often store data which is sensitive in nature.

¡        Incorrect data or loss of data could negatively affect business operations.

¡        Databases can be used as bases to attack other systems from.

Evolving Database Threat Environment

¡        A decade ago, databases were:

  • Physically secure
  • Housed in central data centers – not distributed
  • External access mediated through customer service reps, purchasing managers, etc.
  • Security issues rarely reported

¡        Now increasingly DB’s externally accessible:

  • Suppliers directly connected
  • Customers directly connected
  • Customers & partners directly sharing data

¡        Data is most valuable resource in application stack

  • Value increases with greater integration & aggregation
  • Opportunities for data theft, modification, or destruction

¡        DB security a growing problem

Strategi Keamanan Basis data

¡        Principle of least privilege

¡        Password security

¡        Firewalling / access control

¡        Remove / disable unneeded default accounts

¡        Disable unneeded components

¡        Running database processes under dedicated non-privileged account.

Beberapa bentuk penerapan keamanan basisdata

¡        Kerberos security (network authentication protocol)

¡        Port access security

¡        Virtual private databases

¡        Role-based security

¡        Grant-execute security

CHAPTER 2

DATABASE SECURITY MANAJEMEN

¡        Database Security Management can defined as a set activities that covers:

  • Database Security Plan
  • Database Security Requirements Analysis
  • Database Security Design
  • Database Security Implementation
  • Database Security Audit

Database Security Management vs Database Design

Database security Plan

¡        Describes how an organization will address its database security needs.

¡        Identifying and organizing the database security activities for a computing system.

¡        The objective of a database security plan is to enable staff to act effectively to prevent and mitigate the effects of database security problems.

¡        Database Security Plan must address six issues below:

  • Policy
  • Current Security Status
  • Recommendation
  • Accountability
  • Timetable
  • Continuing Attention

Database security Policy

¡        Database security policy indicate the goals of a database security effort and the willingness to work to achieve.

¡        Security policies for database operation:

  • System Security Policy
  • Data Security Policy
  • User Security Policy
  • Password Management Policy
  • Auditing Policy
  • A Security Checklist

¡        System Security Policy

  • Database User Management
  • User Authentication
  • Operating System Security

¡        Data Security Policy

Includes the mechanisms that control the access to and use of the database at the object level.

¡        User Security Policy

  • General User Security
  • End-User Security
  • Administrator Security
  • Application Developer Security
  • Application Administrator Security

¡        Password Management Policy

  • Account Locking
  • Password Aging and Expiration
  • Password History
  • Password Complexity Verification

¡        Auditing Policy

  • Monitor suspicious database activity
  • Gather historical information about particular database activities

¡        A Security Checklist

Provides guidance on configuring DBMS in a secure manner for operational database deployments.

Current Security Status

¡        Describing the status of a database security at the time of the plan.

¡        Status includes:

  • A listing of the database resources
  • The security threats to the resources
  • The controls in place to protect the resources

Database security Recommendation

¡        Recommendations and requirements which lead to meeting the database security goals.

  • Ownership and Responsibility
  • Resources and Their Vulnerabilities
  • Threats
  • Solutions
  • Security Measures
  • Guidelines to Personnel

Database Security Accountability

¡        A plan of accountability so that responsible people can later be judged on the results they have achieved.

¡        It should describe who is responsible for each database security activity

Database security Timetable

¡        Identifying when different security functions are to be done.

¡        Also gives a milestones by which the progress can be judged.

Database security Continuing Attention

¡        Specifying a structure to update the database security plan periodically.

¡        Periodically the inventory of objects and the list of controls should be updated, the risk analysis should be reviewed.

¡        The security plan should be set a time for this periodic review.

Database Security Requirements Analysis

¡        Making a determination of what must be done, when it must be done, what is needed to do it, and who should be doing it.

¡        Also includes an examination of the physical access point to data

¡        Database security requirements analysis steps:

¡        Identification and evaluation of securable resources (subjects and objects).

¡        Examination of each of these resources to determine if they need to be secured.

¡        Risk analysis / risk evaluation.

¡        Determine how to achieve the desired level security.

Beberapa Contoh Jenis Threats

¡        User / Pihak Luar

  • Mengakses dan mengupdate data yang bukan menjadi haknya.
  • Menggunakan hak akses orang lain
  • Melihat dan mengupdate data yang tidak diotorisasi

¡        Programmer

  • Membuat program yang tidak aman
  • Membuat account sendiri
  • Menyimpan virus atau program lainnya yang merusak

¡        Database administrator

  • Menyalahgunakan kewenangan yang dimiliki

Database Security Design

¡        Identification of the subjects and objects relevant from a security viewpoint.

¡        Identification of access modes granted to different subjects on different objects; constraints on access.

¡        Translate the analysis model to a specific DBMS view-based and query-based security technique.

Contoh hasil Database security design

Database security Implementation

¡        Transform database security design model to specific DBMS using its features or SQL statements.

¡        Issues in database security implementation usually to be concerned, respectively:

  • User Authorization

▪         Userid

▪         Password

  • Discretionary Security

▪         GRANT statements

▪         REVOKE statements

  • Mandetory Security

▪         Security level

  • Creating a User
    • CREATE USER cs IDENTIFIED BY sohib;
    • CREATE USER teller IDENTIFIED BY kobam;
    • CREATE USER finance IDENTIFIED BY doku;
    • Add Account Locking
      • CREATE PROFILE prof LIMIT FAILED_LOGIN_ATTEMPTS 4 PASSWORD_LOCK_TIME 30;
      • ALTER USER cs PROFILE prof;
      • Granting Privileges
        • GRANT SELECT, INSERT ON tblAccount TO cs;
        • GRANT SELECT, UPDATE ON tblAccount TO teller;
        • GRANT SELECT, UPDATE, DELETE ON tblAccount TO finance;
        • Using Roles
          • CREATE USER manager IDENTIFIED BY boss;
          • CREATE ROLE supervisor;
          • GRANT SELECT, INSERT, UPDATE, DELETE ON tblAccount TO supervisor;
          • GRANT SELECT ON tblCustomer TO supervisor;
          • GRANT SELECT, INSERT, UPDATE ON tblTransaction TO supervisor;
          • GRANT supervisor TO manager;

¡        Security level

  • All end-users of a database (or an application) should be mapped to a single database user:

CREATE TABLE user (name CHAR(30), userid CHAR(10), password CHAR(10), group CHAR(10), sec_level NUMBER(2), email_addr VARCHAR(80));

    • The task of authorization in above cases falls on the application program, with no support from SQL.

11 Responses

  1. good, bro..

  2. mantabs…. bagus bgt.

  3. KOK DALAM BAHASA INGGRIS…. TRANSLET DONG…

  4. Informasi di Blog Anda sangat membantu saya untuk menyelesaikan paper akademik saya di http://widiaribowo.blogstudent.mb.ipb.ac.id/
    Terimakasih.

  5. terimakasih atas referensinya

    silakan kunjungi blog saya http://armiastho.blogstudent.mb.ipb.ac.id/

  6. terima kasih atas informasinya

  7. terima kasih buat referensinya yurindra

    visit blog saya http://armiastho.blogstudent.mb.ipb.ac.id/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: