Security Features in Teradata Database

1 By:Jim Browning andAdriaan VeldhuisenData Warehousing > DatabaseSecurity Features in Teradata DatabaseSecurity Features in Teradata DatabaseEB-1895 > 1007 > PAGE 2 OF 13 Executive SummaryThe Teradata Database supports many important featuresthat are designed to enhance the Security of an enterprisedata warehouse. These Security Features include:> User-level Security controls.> Increased user authentication options.> Support for Security roles.> Enterprise directory integration.> Network traffic encryption.> Auditing and monitoring white paper provides an overview of the securityfeatures and describes scenarios for their usage. The paper will also discuss the independent evaluation ofthe Teradata Database to the International Common Criteria for Information Technology Security Evaluation(ISO 15408) Summary2 Introduction3 Teradata Solutions Methodology4 Teradata Database Security Features5 Authentication5 Authorization8 Data Security10 Auditing and Monitoring11 Assurance12 Teradata Database Security Advantage 12 Conclusion13 Endnotes13 Table of ContentsIntroductionIncreased public attention to Security is driving the restructuring of securityrequirements.

2 The role that IT will play in helping address these challenges will besignificant. However, IT departments areunder pressure to cut their operating costs,while being asked to improve and stan-dardize information Security . TeradataCorporation s Security approach will assistTeradata Database Security Administratorswho are facing these new requirements, governmentregulations, and industry standards allresult in a continually evolving securitylandscape. Following are examples that are driving increased requirements fordata warehouse Security across manyindustries and geographies:European Union PrivacyDirectivesThe principles established by the EuropeanUnion (EU) Privacy Directives serve as the foundation for many internationalprivacy and Security laws. These directivesrequire the use of appropriate technicaland organizational measures to ensureconfidentiality and Security of processingof personal Insurance Portabilityand Accountability ActThe Health Insurance Portability andAccountability Act of 1996 (HIPAA)mandates standards and requirements for maintaining and transmitting healthinformation that identifies individualpatients, and compliance is required by health care organizations that maintainor transmit electronic health Security Rule establishes specific securityrequirements for authorization, authentica-tion, audit trail requirements, secure datastorage and transmission, and data ActThe Gramm-Leach-Bliley Act of 1999(also known as the Financial Moderniza-tion Act)

3 Requires that financial institutionsadopt policies and procedures to providefor the protection of financial informationthat identifies individual procedures must protect against anyanticipated threats or hazards and protectagainst unauthorized access which couldresult in substantial harm or inconven-ience to a ActThe Sarbanes-Oxley Act of 2003 includes a number of reforms intended to increasecorporate responsibility, improve financialdisclosures, and protect against corporateand accounting fraud. While this legisla-tion does not mandate the use of specificsecurity controls, Section 302 does requirethat internal controls be established toprotect data from both internal andexternal threats, and Section 404 requiresthat corporations report on the effective-ness of those controls. Also, Section 409requires the disclosure of any materialchanges to the financial condition oroperation of the company (potentially toinclude a major Security compromise).

4 Personal InformationProtection Act (Japan)The Japanese Personal InformationProtection Law requires that companiesoperating in Japan develop and implementinformation privacy and Security controlsfor any databases or documents containingconsumer or employee information. Thisobligation will be applied to any party whostores and uses more than 5000 persons information in total in the party for itsbusiness. Japan s Ministry of EconomyTrade and Industry (METI) has issuedspecific guidelines for maintaining thesecurity of these Card Industry DataSecurity StandardDeveloped by Visa and MasterCard, thePayment Card Industry Data SecurityStandard applies to merchants and serviceproviders that store, transmit, or processcredit card transactions. The standardoutlines 12 specific requirements thatmust be implemented to protect Features in Teradata DatabaseEB-1895 > 1007 > PAGE 3 OF 13 Security Features in Teradata DatabaseEB-1895 > 1007 > PAGE 4 OF 13 Security , as an aspect of IT controlrequirements, defines an attribute ofinformation systems, and includes specificpolicy-based mechanisms and assurancesfor protecting the confidentialityandintegrityof information, the availabilityof critical services and, indirectly, in a data warehouse must be protectedat both ends of a transaction (user andenterprise).

5 Figure 1 depicts the relation-ships in simple concepts and relationships are takenfrom the Common Criteria ISO 154081standard specifying the Privacy Class ofCommon Criteria . It proposes that allsecurity specifications and requirementsshould come from a general securitycontext. This context states that securityis concerned with the protection of assetsfrom threats, where threats are categorizedas the potential for abuse of protectedassets. Data warehouse Security requires protec-tion of the Database , the server on which itresides, and appropriate network accesscontrols. Teradata highly recommends thatcustomers implement appropriate networkperimeter Security controls ( , firewalls,gateways, etc.) to protect network access to a data warehouse. Additionally, for datawarehouse systems deployed on Microsoft Windows -based operating systems, Teradata highly recommends that suchsystems be protected by antivirus softwareand up-to-date virus definition remainder of this paper will specifi-cally discuss some of the Security featuresthat can be used to effectively secure aTeradata SolutionsMethodologyTeradata believes that organizations withdata warehouses that consolidate andcentralize the management of sensitivedata are in a much better position tomanage Security and privacy than thosewith such data spread across multipleoperational or data mart systems.

6 To that end, Teradata has developed an end-to-end capability for designing andimplementing secure, privacy-aware Solutions Methodology, asdepicted in Figure 2, is a formal, proven,patented approach to data warehousingbased on integrated processes and cus-tomized tools refined through use at theworld s most successful data warehouseimplementations. Teradata SolutionsMethodology comprises a comprehensiveset of privacy and Security project Safeguards Vulnerabilities Risk Assets Threats Threat Agents value wish to minimize that may be reduced by may be aware of leading to to to reduce give rise to wish to abuse and/or may damage that exploit that increase that may possess impose Figure 1. Determining a Basis for Change1 Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general modelSecurity Features in Teradata DatabaseEB-1895 > 1007 > PAGE 5 OF 13 For example, the Analyzephase includesservices to specifically collect and analyzeall of the information necessary to inte-grate data warehouse Security into anexisting Security infrastructure.

7 It consid-ers any current processes by which securityand privacy may be implemented for newsystems and applications, the informationsecurity and privacy infrastructure alreadyin place, and any tools Designphase ensures that the databasedesign and data model fully address allidentified privacy and Security require-ments. Such tasks include identifying data fields that reveal customer identity,identifying data fields containing personaldata, identifying data fields containingspecial categories of data, and addingconsent flags for individual privacypreferences that are tied to personal datafields and their Buildphase creates the databaseadministration processes for Security andprivacy. Implementation includes thedefinition of Views for making personaldata anonymous for analysis methodology, implemented byexperienced Teradata consultants, ensuresthat a Teradata Warehouse implementa-tion appropriately considers the impact of all privacy and Security DatabaseSecurity FeaturesTeradata is continuously adding securityfeatures to its products.

8 We are committedto driving significant benefit for ourcustomers now and into the future, and to achieving our vision for a leadershiprole in data warehouse following sections describe some ofthe Security Features that aid TeradataDatabase clients in effectively implement-ing a data warehouse Security policy, andhighlight some attributes and intendedusage of these refers to the process ofestablishing the legitimacy of a user beforeallowing access to Database authentication of users is funda-mental to ensuring the Security of anydatabase system. The Teradata Databaseprovides multiple options for authenticat-ing Database users. Additionally, customauthentication methods can be developedand deployed to further enable integrationof a Teradata solution into diverse securitymanagement supported authentication methods aredescribed by a set of properties that can be managed by a Security properties allow for the securityadministrator to establish default authen-tication methods and to restrict or limitthe methods that may be selected by adatabase user.

9 Other properties maysimilarly be managed by the EducationSystem TestComponentsfor TestingProductionInstallAcceptanceTestin gUserTrainingValueAssessmentInitialDataC apacityPlanningSystemPerformanceDataMigr ationSystemRelocationHardware/SoftwareUp gradeAvailabilitySLAS ystemDBAS olutionArchitectAnalyticalModelsBusiness ContinuityBusinessValueDataWarehouseMatu rityInformationSourcingSTRATEGYANALYZEDE SIGNS ystemArchitecturePackageAdaptationCustom ComponentEducationPlanTest PlanEQUIPH ardwareInstallationSoftwareInstallationS upportManagementTechnicalEducationOperat ionalMentoringBUILDP hysicalDatabaseECTLA pplicationInformationExploitationBackup &RecoveryUserCurriculumOperationalApplic ationsINTEGRATEMANAGERESEARCHDBMS NeutralServicesIterateProductionPlanning ImplementationProject ManagementFigure 2. Teradata Solutions MethodologyUser-Level Security ControlsTypically, a Database user must provide avalid username and password as part ofthe logon string in order for a databasesession to be established.

10 However, properlysecuring such password-based schemesrequires that a Security administrator beable to ensure that passwords are regularlychanged, are sufficiently complex,and thateffective precautions can be taken to protectagainst attempts to guess user such, the Teradata Database supports arich set of password Security controls thatcan be specified at either the user level orthe system level. This is important since itis often desirable to establish and enforcedifferent password management policiesfor different types of Database users ( ,batch versus interactive).User-level controls are implemented usingthe User Profiles feature that was intro-duced in Teradata Warehouse In thismanner, profiles specifying specificpassword management policies can bedefined and assigned to individual users,groups of users, or an entire a user logs on to the TeradataDatabase, any associated profile passwordcontrols will take effect.