Download Security Features in Teradata Database

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
Document related concepts

Open Database Connectivity wikipedia , lookup

Concurrency control wikipedia , lookup

Relational model wikipedia , lookup

Database wikipedia , lookup

Functional Database Model wikipedia , lookup

Microsoft Jet Database Engine wikipedia , lookup

Database model wikipedia , lookup

Clusterpoint wikipedia , lookup

ContactPoint wikipedia , lookup

Transcript 
Data Warehousing > Database
Security Features in Teradata Database
By:
Jim Browning and
Adriaan Veldhuisen
Security Features in Teradata Database
Table of Contents
Executive Summary
2
Introduction
3
Teradata Solutions Methodology
4
Teradata Database Security Features
5
Executive Summary
The Teradata® Database supports many important features
that are designed to enhance the security of an enterprise
Authentication
5
data warehouse. These security features include:
Authorization
8
> User-level security controls.
Data Security
10
Auditing and Monitoring
11
Assurance
12
Teradata Database Security Advantage 12
Conclusion
13
Endnotes
13
> Increased user authentication options.
> Support for security roles.
> Enterprise directory integration.
> Network traffic encryption.
> Auditing and monitoring controls.
This white paper provides an overview of the security
features and describes scenarios for their usage. The
paper will also discuss the independent evaluation of
the Teradata Database to the International Common
Criteria for Information Technology Security Evaluation
(ISO 15408) standard.
EB-1895 > 1007 > PAGE 2 OF 13
Security Features in Teradata Database
Introduction
Increased public attention to security
is driving the restructuring of security
requirements. The role that IT will play
in helping address these challenges will be
significant. However, IT departments are
under pressure to cut their operating costs,
while being asked to improve and standardize information security. Teradata
Corporation’s security approach will assist
Teradata Database Security Administrators
who are facing these new challenges.
Legislated requirements, government
regulations, and industry standards all
Health Insurance Portability
that internal controls be established to
and Accountability Act
protect data from both internal and
The Health Insurance Portability and
external threats, and Section 404 requires
Accountability Act of 1996 (HIPAA)
that corporations report on the effective-
mandates standards and requirements
ness of those controls. Also, Section 409
for maintaining and transmitting health
requires the disclosure of any material
information that identifies individual
changes to the financial condition or
patients, and compliance is required by all
operation of the company (potentially to
U.S. health care organizations that maintain
include a major security compromise).
or transmit electronic health information.
A Security Rule establishes specific security
requirements for authorization, authentication, audit trail requirements, secure data
storage and transmission, and data integrity.
Personal Information
Protection Act (Japan)
The Japanese Personal Information
Protection Law requires that companies
operating in Japan develop and implement
Gramm-Leach-Bliley Act
information privacy and security controls
The Gramm-Leach-Bliley Act of 1999
for any databases or documents containing
(also known as the Financial Moderniza-
consumer or employee information. This
tion Act) requires that financial institutions
obligation will be applied to any party who
adopt policies and procedures to provide
stores and uses more than 5000 persons’
for the protection of financial information
information in total in the party for its
European Union Privacy
that identifies individual consumers.
business. Japan’s Ministry of Economy
Directives
Such procedures must protect against any
Trade and Industry (METI) has issued
The principles established by the European
anticipated threats or hazards and protect
specific guidelines for maintaining the
Union (EU) Privacy Directives serve as
against unauthorized access which could
security of these databases.
the foundation for many international
result in substantial harm or inconven-
privacy and security laws. These directives
ience to a customer.
result in a continually evolving security
landscape. Following are examples that
are driving increased requirements for
data warehouse security across many
industries and geographies:
require the use of appropriate technical
and organizational measures to ensure
confidentiality and security of processing
of personal data.
EB-1895 > 1007 > PAGE 3 OF 13
Payment Card Industry Data
Security Standard
Sarbanes-Oxley Act
Developed by Visa and MasterCard, the
The Sarbanes-Oxley Act of 2003 includes
Payment Card Industry Data Security
a number of reforms intended to increase
Standard applies to merchants and service
corporate responsibility, improve financial
providers that store, transmit, or process
disclosures, and protect against corporate
credit card transactions. The standard
and accounting fraud. While this legisla-
outlines 12 specific requirements that
tion does not mandate the use of specific
must be implemented to protect cardholder
security controls, Section 302 does require
information.
Security Features in Teradata Database
Security, as an aspect of IT control
requirements, defines an attribute of
value
Owners
information systems, and includes specific
wish to minimize
policy-based mechanisms and assurances
for protecting the confidentiality and
to reduce
impose
Safeguards
integrity of information, the availability
that may
possess
of critical services and, indirectly, privacy.
that may be
reduced by
Data in a data warehouse must be protected
at both ends of a transaction (user and
that
exploit
enterprise). Figure 1 depicts the relationships in simple terms.
Vulnerabilities
may be aware of
leading to
Risk
Threat Agents
These concepts and relationships are taken
from the Common Criteria ISO 154081
that
increase
give rise to
to
Threats
standard specifying the “Privacy Class of
Assets
Common Criteria”. It proposes that all
security specifications and requirements
wish to abuse and/or may damage
should come from a general security
Figure 1. Determining a Basis for Change
context. This context states that “security
is concerned with the protection of assets
systems be protected by antivirus software
operational or data mart systems. To
from threats, where threats are categorized
and up-to-date virus definition files.
that end, Teradata has developed an
as the potential for abuse of protected
assets.”
end-to-end capability for designing and
The remainder of this paper will specifically discuss some of the security features
Data warehouse security requires protec-
that can be used to effectively secure a
tion of the database, the server on which it
Teradata Database.
resides, and appropriate network access
controls. Teradata highly recommends that
customers implement appropriate network
gateways, etc.) to protect network access
Teradata believes that organizations with
to a data warehouse. Additionally, for data
data warehouses that consolidate and
warehouse systems deployed on Microsoft®
centralize the management of sensitive
Windows®-based operating systems,
data are in a much better position to
Teradata highly recommends that such
manage security and privacy than those
with such data spread across multiple
Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general model
EB-1895 > 1007 > PAGE 4 OF 13
warehouses.
Teradata Solutions Methodology, as
depicted in Figure 2, is a formal, proven,
Teradata Solutions
Methodology
perimeter security controls (e.g., firewalls,
1
implementing secure, privacy-aware data
patented approach to data warehousing
based on integrated processes and customized tools refined through use at the
world’s most successful data warehouse
implementations. Teradata Solutions
Methodology comprises a comprehensive
set of privacy and security project features.
Security Features in Teradata Database
For example, the Analyze phase includes
services to specifically collect and analyze
Planning
Implementation
Production
all of the information necessary to inteIterate
grate data warehouse security into an
existing security infrastructure. It considers any current processes by which security
Project Management
STRATEGY
RESEARCH
ANALYZE
DESIGN
EQUIP
BUILD
INTEGRATE
MANAGE
Opportunity
Assessment
Business
Value
Application
Requirement
System
Architecture
Hardware
Installation
Physical
Database
Components
for Testing
Capacity
Planning
Enterprise
Assessment
Data
Warehouse
Maturity
Logical
Model
Package
Adaptation
Software
Installation
ECTL
Application
System Test
System
Performance
Enterprise
Information
Governance
Information
Sourcing
Data
Mapping
Custom
Component
Support
Management
Information
Exploitation
Production
Install
Business
Continuity
Infrastructure
& Education
Test Plan
Operational
Mentoring
Operational
Applications
Initial
Data
Data
Migration
Education
Plan
Technical
Education
Backup &
Recovery
Acceptance
Testing
System
Relocation
User
Training
Hardware/
Software
Upgrade
Value
Assessment
Availability
SLA
and privacy may be implemented for new
systems and applications, the information
security and privacy infrastructure already
in place, and any tools used.
The Design phase ensures that the database
DBMS Neutral
Services
User
Curriculum
design and data model fully address all
identified privacy and security requirements. Such tasks include identifying
System
DBA
data fields that reveal customer identity,
Solution
Architect
identifying data fields containing personal
Analytical
Models
data, identifying data fields containing
special categories of data, and adding
consent flags for individual privacy
Figure 2. Teradata Solutions Methodology
preferences that are tied to personal data
fields and their uses.
to driving significant benefit for our
database system. The Teradata Database
The Build phase creates the database
customers now and into the future, and
provides multiple options for authenticat-
administration processes for security and
to achieving our vision for a leadership
ing database users. Additionally, custom
privacy. Implementation includes the
role in data warehouse security.
authentication methods can be developed
definition of Views for making personal
data anonymous for analysis purposes.
and deployed to further enable integration
The following sections describe some of
the security features that aid Teradata
of a Teradata solution into diverse security
management environments.
This methodology, implemented by
Database clients in effectively implement-
experienced Teradata consultants, ensures
ing a data warehouse security policy, and
All supported authentication methods are
that a Teradata Warehouse implementa-
highlight some attributes and intended
described by a set of properties that can
tion appropriately considers the impact
usage of these features.
be managed by a security administrator.
of all privacy and security requirements.
These properties allow for the security
Authentication
Teradata Database
Security Features
Authentication refers to the process of
Teradata is continuously adding security
Proper authentication of users is funda-
features to its products. We are committed
mental to ensuring the security of any
EB-1895 > 1007 > PAGE 5 OF 13
establishing the legitimacy of a user before
allowing access to database resources.
administrator to establish default authentication methods and to restrict or limit
the methods that may be selected by a
database user. Other properties may
similarly be managed by the security
administrator.
Security Features in Teradata Database
User-Level Security Controls
Usage Controls
Description
Password
Expiration
Allows the security administrator to define a time span
during which a password is valid. After the time elapses,
the user must change the password.
Password Reuse
Allows the security administrator to define the time
span that must elapse before a previously used
password can be reassigned to a user.
Maximum Logon
Attempts
Allows the security administrator to define the number
of erroneous sequential logon attempts a user is
allowed before the user is blocked from further logon
attempts.
Password Lockout
Time
Allows the security administrator to set the user
lock time duration after the user has exceeded the
maximum number of logon attempts.
Format Controls
Description
Password Length
Allows the security administrator to define the
minimum and maximum number of characters
required in a valid password string.
Password
Construction
Allows the security administrator to specify whether
alpha characters, digits, special characters, and a
combination of upper- and lowercase characters are
to be allowed or required in the password string.
Also, allows the security administrator to specify
whether the username should be allowed to be
included in the password string.
Typically, a database user must provide a
valid username and password as part of
the logon string in order for a database
session to be established. However, properly
securing such password-based schemes
requires that a security administrator be
able to ensure that passwords are regularly
changed, are sufficiently complex, and that
effective precautions can be taken to protect
against attempts to guess user passwords.
As such, the Teradata Database supports a
rich set of password security controls that
can be specified at either the user level or
the system level. This is important since it
is often desirable to establish and enforce
different password management policies
for different types of database users (e.g.,
batch versus interactive).
User-level controls are implemented using
the User Profiles feature that was introduced in Teradata Warehouse 7.0. In this
manner, profiles specifying specific
Figure 3. Password Controls
password management policies can be
defined and assigned to individual users,
Windows Network Authentication
that is performed upon initial network
groups of users, or an entire enterprise.
Effective user authentication is a founda-
access. This capability improves the
When a user logs on to the Teradata
tion of a database system’s security
productivity of network users, reduces
Database, any associated profile password
services. However, secure authentication
the cost of network operations, and,
controls will take effect. If no associated
may be compromised in large, heteroge-
ultimately, improves network security.
profile password controls have been
neous networks where users may be
Further, security is improved by eliminat-
defined, then the system-level controls
required to remember multiple user
ing the need for an application to declare
will take effect.
names and passwords. To address this
or store a password on the client system.
Figure 3 describes the password security
controls that are supported in Teradata
Database V2R6.1 (reference the Security
Administration reference manual for
implementation specifics2).
EB-1895 > 1007 > PAGE 6 OF 13
issue, a single sign-on capability can be
used to allow network users to seamlessly
access authorized network resources and
applications, including an enterprise data
warehouse, with a single authentication
For homogeneous Windows environments,
the Teradata Database, since Release
V2R4.1, supports a single sign-on capability
through integration with Windows
Network Authentication. Upon connection
Security Features in Teradata Database
Domain 1
These systems typically store and manage
Domain 2
user information through a directory
User
service that supports the Lightweight
Directory Access Protocol (LDAP). LDAPenabled applications, services, and
MS Active
Directory Server
MS Active
Directory Server
databases can readily leverage a single,
centralized repository of user information
Logon to
Domain 1
Trust Relationship
to control user access.
The Teradata Database supports an LDAP
Logon to
Database
authentication method that allows for
Logon to Domain 2
User
Authenticate User
authentication of database users against
a centralized LDAP directory rather than
using credentials maintained in the data
dictionary. This method authenticates a
user (by means of the user’s distinguished
Logon to Database
name and password) through a secure
Teradata Server
LDAPv3 bind to the directory. This feature
Figure 4. Windows Network Authentication
to the Teradata Database, database users
access to many applications and systems,
are not required to provide a username
it is common to manage separate user
and password as part of the logon proto-
accounts for each application resulting in
col. Rather, the system will determine the
redundant and/or inconsistent data and
user’s Windows identity and authenticate
increased user management costs. This
the user using the underlying Microsoft
lack of centralization also represents a
Security Service Provider Interface (SSPI).
significant security risk because unused or
Users may be authenticated using either
expired accounts and privileges are subject
the Windows NT® LAN Manager (NTLM)
to misuse. As such, many enterprises are
or Kerberos protocols as appropriate.
adopting centralized security management
Figure 4 depicts the relationship between
frameworks that provide for a single point
users, the Teradata Database server, and
of administration for internal and external
Microsoft Active Directory in implement-
users, configuration information, and
ing Windows single sign-on.
security policies. Such systems can often
simplify the process of creating, modify-
LDAP Authentication
For enterprises where users may have
EB-1895 > 1007 > PAGE 7 OF 13
ing, and deleting user accounts, as well as
authorizing access to protected resources.
was introduced in Teradata Warehouse 8.0.
Extensible User Authentication
Many enterprises have made significant
investments in infrastructure technologies,
such as user, identity, or access management systems, which provide enhanced
support for the authentication and
authorization of user access to systems and
applications. Many of these systems also
support single sign-on architectures
wherein session credentials are created
upon initial log on to a network or to a
supported application. Subsequent logons
to other supported applications can use
the session credentials for authentication
and authorization without requiring
additional interaction with the user. While
the Teradata Database offers a number
Security Features in Teradata Database
of options for authenticating database
authentication methods without requiring
RBAC, security is managed at a level that
users, it is often desirable to integrate the
installation on an active system.
more closely corresponds to an organiza-
authentication with that provided by such
access management systems.
tion’s structure. Each database user may
Authorization
Ensuring appropriate and authorized access
be assigned one or more roles with each
role assigning access rights or privileges
With Teradata Warehouse 8.0, the Teradata
to data is a major objective – and concern –
Database supports an Extensible User
in database security. The Teradata Database
Authentication architecture that allows
contains a robust set of fully integrated
for custom authentication methods to be
system access control capabilities. The
developed (with the assistance of Teradata
mission of security administration on a
Professional Services) and used for
Teradata Database system is to prevent
authentication of database users. This
unauthorized persons from accessing the
architecture is built around the use of
system and its resources, as well as permit-
standard application programming
ting legitimate users access to those
interfaces, such as the Generic Security
resources to which they are authorized. The
Services API (GSS-API) and the Security
Teradata Database supports a discretionary
Introduced in Teradata Warehouse 7.0, the
Service Provider Interface (SSPI). As
access control policy in which access to
Teradata Database provides support for
such, new methods can be developed and
database objects is restricted based upon the
Security Roles, which are used to define
deployed without requiring new releases of
identity of users and/or groups to which
access privileges on database objects. For
base Teradata client and database software.
they belong. The controls are discretionary
example, a user who is a member of a role
in the sense that a user with certain access
can access the specific views for which the
permissions is capable of passing those
role has been granted appropriate access
permissions on to other users.
rights or privileges. For enterprise data
The architecture readily accommodates
different types of credentials (e.g., tokens
and certificates) that can be used to identify
that are permitted to users in that role.
Security administration with RBAC
requires determining the operations that
must be allowed by users in particular
jobs and assigning those users to the
proper roles. RBAC effectively manages
complexities resulting from differing roles
or hierarchies, thereby easing the task of
security administration.
warehouses that provide access to many
and authenticate a user. Moreover, custom
Security Roles
methods can be developed to implement
One of the most challenging problems in
agents that interface to external access
managing large data warehouse systems is
or policy servers thereby extending the
the complexity of security administration.
authentication or single sign-on services
Often, security administration is costly
provided to include the Teradata Database.
and prone to errors because security
Teradata Warehouse 8.1 provides a Soft-
administrators must specify access con-
ware Developer’s Kit (SDK) to support
trols individually for each database user.
easier development and testing of custom
Role-based access control (RBAC) is a
authentication methods. The SDK
technology that can reduce the complexity
includes a test framework that enables
and cost of security administration in
Management of access rights is simplified
initial development and testing of new
large data warehouse environments. With
by allowing grants and revokes of multiple
EB-1895 > 1007 > PAGE 8 OF 13
users, the use of roles will significantly
simplify access rights administration and
enhance overall security. A security administrator can create different roles for
different job functions and responsibilities.
For example, a security administrator can
grant rights on a clinician view to a role
and have these rights automatically applied
to all users assigned to that role (Figure 5).
Security Features in Teradata Database
Users
Roles
Views
Base Tables
policies that may be enforced by applications to authorize user access to enterprise
resources.
With Teradata Warehouse 8.0, Teradata
Clinician
has defined directory schema attributes
and objects that allow for the extension
Clinician
Clinician
of a directory schema to map the distinguished name of a directory user to a
Clinician
Researcher
Teradata Database permanent user. Such
users inherit the roles assigned to the
Researcher
mapped permanent user. However,
additional external roles can be created
Researcher
and assigned to the directory user. External roles assigned to a directory user can
Lab Analyst
Lab Analyst
be used in addition to any roles inherited
from the mapped permanent user. A user
profile may be created and assigned to a
Lab Analyst
directory user in a similar manner.
Lab Analyst
These schema extensions are provided
Figure 5. Security Roles
for popular directory services such as
access rights with one request. This is
rights are only granted through the role
Microsoft Active Directory and Sun Java
important when a user changes job
definition.
System Directory Server. Upon successful
authentication, Teradata Database will
functions (role) within the company.
Should a job function need a new access
right, it can be granted to the role and
would be effective immediately for all
users with that role.
To effectively use the Security Roles
Typically, only one role will be the session’s
enable the specified security role(s) and
current or active role. Enabled roles are
user profile for the database session.
the current role plus any nested roles. At
logon, the current role is the user’s default
Normally, users are defined in the database
role. Alternatively, it is possible to enable
via a CREATE USER request. However,
all roles granted to a user for a session.
some data warehouse environments may
support large numbers of users that do
feature, individual rights must be converted into role rights. This requires
creating the required roles and granting
appropriate rights to each role. Roles
can then be granted to users and users
assigned their default roles. Finally, all
individual access rights that have been
replaced by role rights should be revoked
from the users to ensure that all access
EB-1895 > 1007 > PAGE 9 OF 13
Directory Integration
not have unique system requirements
As noted earlier, many enterprises are
(such as the need for PERM space or
adopting centralized security management
unique SPOOL or TEMP space alloca-
frameworks, built using LDAP directory
tions). To simplify the management of
services, which provide for a single point
such users, the Directory Integration
of administration for users and associated
feature allows for user access without
security policies. Often, with such systems,
requiring the creation of a database
the directory maintains access control
instance for every user. Users that are not
Security Features in Teradata Database
mapped in the directory to an existing
operate in a traditional client/server
for complex key management processes.
permanent Teradata Database user may
environment. If clients are accessing the
Strong encryption is accomplished using
be mapped to a system-defined user
database server over non-secure networks,
the industry-standard Advanced Encryp-
called EXTUSER. Access rights for such
there is a risk that data may be compro-
tion Standard (AES) algorithm.
external users are determined by the user’s
mised by a malicious user who is snooping
directory-assigned security role(s). Space
on the network.
transmitted from a client application to a
allocations may default or can be determined by the user’s directory-assigned
user profile.
In networked environments, a password
To mitigate this risk, Teradata Warehouse
database server may pose a security risk. If
8.0 provides for encryption of data
the password is transmitted in clear text
transmitted between client applications
over a non-secure network, there is a risk
With Teradata Warehouse 8.1, the LDAP
and the Teradata Database. Encryption is
it could be intercepted by a malicious user
authentication method properties can be
a CPU-intensive function that can nega-
snooping for data on the network. To
configured to allow for directory users that
tively affect the performance of some
protect against this, the Teradata Database
correspond to a user defined in the database
operations. As such, its use should be
client tools and utilities always encrypt
to log on without requiring directory
carefully considered. The use of encryp-
the logon string (including username
schema extensions. In this scenario, authori-
tion is determined by the user through the
and password) that is transmitted to the
zation to access database objects is managed
client application and can be controlled on
Teradata Database server.
entirely within the database.
a per request basis. As such, the user has
complete flexibility in the use of encryp-
Tools are provided to validate directory
content and the operation of the directory
when using the Teradata schema extensions.
tion to protect payloads transmitted over
a network and to minimize any negative
performance impacts. Alternatively, the
Data Security
client interfaces can be configured such
It is important to implement appropriate
that all sessions between the client applica-
controls to protect sensitive data. Data
tions and the database server are encrypted.
can be vulnerable when transmitted over
non-secure networks or when appropriate
access controls have not been enabled
for stored data. The Teradata Database
provides facilities to manage the encryption of sensitive data when transmitted
over non-secure networks. Further, rowand column-level security can be implemented readily using database views.
The security provided by encryption is
dependent upon the strength of the encryption algorithm and the security of the key
used to perform the encryption. The
Teradata Database uses the public-key
based Diffie-Hellman key agreement
protocol to generate a secure 128-bit key
for use by the client and the database. A
unique key is generated for each database
Network Traffic Encryption
session. The key generation is built into
The Teradata Database and associated
the underlying client/server communica-
client applications and utilities typically
tion protocol thereby eliminating the need
EB-1895 > 1007 > PAGE 10 OF 13
For compatibility purposes, the client and
server are not required to be at the same
version level. However, only the security
features common to each version level
can be used. This can allow for security
features to be utilized according to individual client needs.
Row- and Column-Level Security
Database views are used to restrict the
rows and columns that users (or groups
of users) can access. Views are part of the
SQL standard and can be thought of as
virtual tables that can be accessed as if
they were physical tables to retrieve data
from the database. Views can be defined
to reference columns or rows from underlying views and/or tables. A view does not
actually contain data but rather is used to
provide users with their own logical view
of the data within the database. Figure 6
Security Features in Teradata Database
depicts an example from the healthcare
Clinician
industry where researchers, clinicians, lab
analysts, and business analysts each represent a specific group of users with their
own view of the database. These views
Views
enforce different security policies and
access rights and privileges by limiting the
data elements that are visible by each view.
Teradata Database support for views is
Researcher
Business
Analyst
particularly high performance because
the optimizer generates optimized SQL
for selecting the appropriate columns
Base Tables
and rows from the underlying base tables.
Additionally, query access through views
can generate very complex SQL expressions, which further exploit the inherent
Lab
Analyst
parallelism of the Teradata Database
architecture.
Auditing and Monitoring
Figure 6. Database Views
configure the system’s Access Log to log
database tables within the data dictionary
An important aspect of any security
any successful and/or unsuccessful attempt
and access to the information requires
implementation is the creation and
to access any or all database objects by
appropriate access rights and privileges.
monitoring of a record of system activity
any or all database users. Also, the Access
The audit records can be viewed through
to detect abnormal activity and to ensure
Log has controls to filter the logging by
ad hoc queries or with any appropriate
that users are held accountable for their
frequency of access or type of access.
application or query tool. Additionally,
actions. To detect intruders and ensure
Teradata Database security features include
Teradata Manager includes facilities that
data integrity, the Teradata Database
the option to log the SQL expression
enable the security administrator to access
provides a comprehensive set of auditing
that was used to perform the access to a
preconfigured reports or to generate
capabilities. A security administrator can
database object. As such, all accesses are
custom reports from the Access Log.
periodically audit events on the Teradata
effectively audited.
Assurance
Database to effectively detect potential
attempts to gain unauthorized access to
Parameterized macros or triggers may be
Assurance refers to a level of confidence
database resources or attempts to alter the
used to further customize or refine the
that a product’s security features have
behavior of the auditing facilities.
auditing. Triggers are particularly useful
been evaluated against a well-defined and
when creating audit logs based upon
widely accepted set of security require-
specific data or content-based rules.
ments. Security evaluations are conducted
The Teradata Database automatically
audits all logon and logoff activity. However, the security administrator can also
EB-1895 > 1007 > PAGE 11 OF 13
by independent, licensed, and accredited
All audit information is stored in protected
organizations most often to the require-
Security Features in Teradata Database
ments of a specific industry standard. A
France, Germany, the Netherlands, United
confidential data within a database.
security evaluation provides assurance
Kingdom, the U.S. National Institute of
Important patents protect this intellectual
through an analysis of a system’s security
Standards and Technology, and the U.S.
property:
functions using functional and interface
National Security Agency.
> U.S. Patent # 6,253,203 – Privacy-
specifications, guidance documentation,
and the high-level design of the system
to understand the security behavior.
Independent testing of the security
functions supports the analysis, evidence
of developer testing based on a functional
specification, selective independent
confirmation of the developer test results,
and a search for obvious vulnerabilities.
Assurance is also provided through a
configuration list for the system and
evidence of secure delivery procedures.
The security evaluation of the Teradata
Database was conducted by the Booz Allen
enabled database (issued June 26, 2001)
> U.S. Patent # 6,275,824 – System and
Common Criteria Test Lab under the
method for managing data privacy in a
National Information Assurance Partner-
database management system (issued
ship Common Criteria Evaluation and
August 14, 2001)
Validation Scheme (CCEVS). The Teradata
> U.S. Patent # 6,438,544 – Method and
Database was evaluated against 31 separate
apparatus for dynamic discovery of
security functional requirements that
data model allowing customization
describe the security behavior of the
of consumer applications accessing
system3. These requirements spanned
privacy data (issued August 20, 2002)
multiple functional classes including
> U.S. Patent # 6,480,850 – System and
Identification and Authentication, User
method for managing data privacy in a
Security Evaluation under
Data Protection, Access, Security Audit,
database management system including
Common Criteria
Security Management, and others. While
a dependently connected privacy data
Teradata Database V2R5.0.2 has been
the evaluation considered the design of the
mart (issued November 12, 2002)
independently
system, it also considered processes used
evaluated to the requirements of the
for testing and installation and included a
The architecture represented by these
Common Criteria for Information Tech-
vulnerability analysis. As such, this evalua-
patents leverages core Teradata Database
nology Security Evaluation (Common
tion provides a high level of assurance in
strengths such as:
Criteria) standard. The Common Criteria
the security design and implementation of
> The ability to store and manage large
is a multi-part standard that aligns with
a Teradata Database system.
the International
Standard ISO/IEC
15408:1999, which is
meant to be used as a
basis for evaluating
security properties of Information Technology
(IT) products and systems. The Common
This evaluation is intended to satisfy the
requirements of those customers (primarily
government agencies) that are required
to procure only IT systems for which the
security robustness has been formally
evaluated and validated.
security organizations known as “the
Common Criteria Project Sponsoring
Teradata has a defined architecture for
Organizations” represented by Canada,
protecting personal information or other
EB-1895 > 1007 > PAGE 12 OF 13
support for normalized data models,
an infrastructure that efficiently
enables multiple views, and data
models that are easily extended.
> A high-performance implementation
that makes views practical for privacy.
Optimized SQL selects appropriate
Teradata Database
Security Advantage
Criteria are defined by seven governmental
volumes of detailed data through
columns and rows from base tables,
and complex SQL expressions exploit
Teradata Database parallelism.
> A security mechanism that can deny
access to restricted views or macros.
Security Features in Teradata Database
Teradata.com
> Access logging that provides a privacy
authentication methods, access controls,
audit trail and includes options to log
high-performance database views, network
all accesses (or access attempts) to a
traffic encryption, access logging, and
table (or view, macro), and log the
audit reporting.
Endnotes
1
Technology Security Evaluation, Part 1:
Introduction and general model
associated SQL expression.
New industry regulations, especially in the
Conclusion
Common Criteria for Information
2
retail, financial services, and healthcare
Teradata Database Security Administration – www.info.ncr.com
industries, present increased challenges
The Teradata Database provides a rich
for securing an enterprise’s information
Teradata Relational Database Man-
set of security controls for managing,
assets. The security capabilities described
agement System Version 2, Release
protecting, and auditing access to stored
in this paper can assist Teradata Database
5.0.2 Security Target (Version 1.0) –
data. These capabilities include extensive
security administrators in meeting these
niap.nist.gov/cc-scheme/st/
password controls, support for multiple
new challenges.
ST_VID7001.html
3
This document, which includes the information contained herein, is the exclusive property of Teradata Corporation. Any person is hereby authorized to view, copy,
print, and distribute this document subject to the following conditions. This document may be used for non-commercial, informational purposes only and is
provided on an “AS-IS” basis. Any copy of this document or portion thereof must include this copyright notice and all other restrictive legends appearing in this
document. Note that any product, process or technology described in the document may be the subject of other intellectual property rights reserved by Teradata
and are not licensed hereunder. No license rights will be implied. Use, duplication, or disclosure by the United States government is subject to the restrictions set
forth in DFARS 252.227-7013 (c) (1) (ii) and FAR 52.227-19.
Microsoft and Windows are registered trademarks of Microsoft Corporation. Teradata continually enhances products as new technologies and components become
available. Teradata continually improves products as new technologies and components become available. Teradata, therefore, reserves the right to change
specifications without prior notice. All features, functions, and operations described herein may not be marketed in all parts of the world. Consult your Teradata
representative or Teradata.com for more information.
Copyright © 2005-2007 by Teradata Corporation
EB-1895 > 1007 > PAGE 13 OF 13
All Rights Reserved.
Produced in U.S.A.
Related documents
2010 Teradata Universe, Sydney
2010 Teradata Universe, Sydney
here - Internet Marketing Association
here - Internet Marketing Association
Teradata SQL Assistant - Walton College of Business
Teradata SQL Assistant - Walton College of Business
Technology Definitions Student Information Systems
Technology Definitions Student Information Systems
Teradata Overview - dbmanagement.info
Teradata Overview - dbmanagement.info
Data Resource Management
Data Resource Management
Designing 3NF for Ad Hoc Queries
Designing 3NF for Ad Hoc Queries
Document
Document
Data Mining: Approach Towards The Accuracy Using “Teradata”!
Data Mining: Approach Towards The Accuracy Using “Teradata”!
teradata utilities - dbmanagement.info
teradata utilities - dbmanagement.info
Evolution of Data warehousing
Evolution of Data warehousing
Panel 1: Database Management in the Year 2000
Panel 1: Database Management in the Year 2000