Transcription of Security Features in Teradata Database
By: Jim Browning and Adriaan Veldhuisen

Data Warehousing > Database

Security Features in Teradata Database
EB-1895 > 1007 > PAGE 2 OF 13

Executive Summary

The Teradata Database supports many important features that are designed to enhance the security of an enterprise data warehouse. These security features include:
> User-level security controls.
> Increased user authentication options.
> Support for security roles.
> Enterprise directory integration.
> Network traffic encryption.
> Auditing and monitoring

white paper provides an overview of the security features and describes scenarios for their usage. The paper will also discuss the independent evaluation of the Teradata Database to the International Common Criteria for Information Technology Security Evaluation (ISO 15408)

Table of Contents

Executive Summary
Introduction
Teradata Solutions Methodology
Teradata Database Security Features
Authentication
Authorization
Data Security
Auditing and Monitoring
Assurance
Teradata Database Security Advantage
Conclusion
Endnotes

Introduction

Increased public attention to security is driving the restructuring of security requirements.
The role that IT will play in helping address these challenges will be significant. However, IT departments are under pressure to cut their operating costs, while being asked to improve and standardize information security. Teradata Corporation's security approach will assist Teradata Database Security Administrators who are facing these new requirements, government regulations, and industry standards all result in a continually evolving security landscape. Following are examples that are driving increased requirements for data warehouse security across many industries and geographies:

European Union Privacy Directives

The principles established by the European Union (EU) Privacy Directives serve as the foundation for many international privacy and security laws.
These directives require the use of appropriate technical and organizational measures to ensure confidentiality and security of processing of personal

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates standards and requirements for maintaining and transmitting health information that identifies individual patients, and compliance is required by health care organizations that maintain or transmit electronic health Security Rule establishes specific security requirements for authorization, authentication, audit trail requirements, secure data storage and transmission, and data

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act of 1999 (also known as the Financial Modernization Act)
requires that financial institutions adopt policies and procedures to provide for the protection of financial information that identifies individual procedures must protect against any anticipated threats or hazards and protect against unauthorized access which could result in substantial harm or inconvenience to a

Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2003 includes a number of reforms intended to increase corporate responsibility, improve financial disclosures, and protect against corporate and accounting fraud. While this legislation does not mandate the use of specific security controls, Section 302 does require that internal controls be established to protect data from both internal and external threats, and Section 404 requires that corporations report on the effectiveness of those controls.
Also, Section 409 requires the disclosure of any material changes to the financial condition or operation of the company (potentially to include a major security compromise).

Personal Information Protection Act (Japan)

The Japanese Personal Information Protection Law requires that companies operating in Japan develop and implement information privacy and security controls for any databases or documents containing consumer or employee information. This obligation will be applied to any party who stores and uses more than 5000 persons' information in total in the party for its business.
Japan's Ministry of Economy, Trade and Industry (METI) has issued specific guidelines for maintaining the security of these

Payment Card Industry Data Security Standard

Developed by Visa and MasterCard, the Payment Card Industry Data Security Standard applies to merchants and service providers that store, transmit, or process credit card transactions. The standard outlines 12 specific requirements that must be implemented to protect

Security, as an aspect of IT control requirements, defines an attribute of information systems, and includes specific policy-based mechanisms and assurances for protecting the confidentiality and integrity of information, the availability of critical services and, indirectly.
In a data warehouse must be protected at both ends of a transaction (user and enterprise). Figure 1 depicts the relationships in simple concepts and relationships are taken from the Common Criteria ISO 15408¹ standard specifying the Privacy Class of Common Criteria. It proposes that all security specifications and requirements should come from a general security context. This context states that security is concerned with the protection of assets from threats, where threats are categorized as the potential for abuse of protected assets.
Data warehouse security requires protection of the database, the server on which it resides, and appropriate network access controls. Teradata highly recommends that customers implement appropriate network perimeter security controls (firewalls, gateways, etc.) to protect network access to a data warehouse. Additionally, for data warehouse systems deployed on Microsoft Windows-based operating systems, Teradata highly recommends that such systems be protected by antivirus software and up-to-date virus definition remainder of this paper will specifically discuss some of the security features that can be used to effectively secure a

Teradata Solutions Methodology

Teradata believes that organizations with data warehouses that consolidate and centralize the management of sensitive data are in a much better position to manage security and privacy than those with such data spread across multiple operational or
data mart systems. To that end, Teradata has developed an end-to-end capability for designing and implementing secure, privacy-aware Solutions Methodology, as depicted in Figure 2, is a formal, proven, patented approach to data warehousing based on integrated processes and customized tools refined through use at the world's most successful data warehouse implementations. Teradata Solutions Methodology comprises a comprehensive set of privacy and security project

[Figure 1. Diagram relating Safeguards, Vulnerabilities, Risk, Assets, Threats, and Threat Agents.]
