The 'Must Haves' of Database Security

APPLIED SOLUTIONS

The ‘Must Haves’ of Database Security

Teradata provides security controls to ensure compliance with security standards, policies, regulations and legislation.

by Jim Browning

he security, privacy and protection of database assets are increasingly important to organizations. To that end, the Teradata® Database provides a rich set of security features and Tcontrols that can be used to implement a comprehensive data security strategy. The features ensure that users can access only the database objects for which they have been authorized. Controls make sure that all sensitive data is fully protected and access to it is effec- tively audited and monitored. The database capabilities fall under four main categories that are needed for effective data security.

Authentication using strongly constructed creden- Security features in the database are Authentication allows the database tials. The Teradata Database provides integrated with corporate lightweight to securely verify a user’s identity options for both internal and external directory access protocol or Kerberos- before allowing any access to database authentication of users. based authentication systems. This objects. A fundamental security best Passwords for logging into the allows for the centralized management practice is to ensure that all users are database must use a combination of of database users to be consistent uniquely identified and authenticated alpha, numeric and special characters. with the management of users for

PAGE 1 l Teradata Magazine l Q3/2015 l ©2015 Teradata Corporation l AR-7119 other systems and applications within authorization can significantly reduce encryption through industry-standard an enterprise. the complexity and cost of security cryptographic algorithms and securely In addition, the Trusted Sessions administration in large database generated encryption keys. feature in the database is used to assert environments and also allows for Network traffic encryption protects end-user identities and roles through security management at a level that the confidentiality of sensitive infor- middle-tier, application-pooled con- closely corresponds to an organiza- mation when it’s transmitted over any nections. These identities can then be tion’s structure. public or untrusted network. It also used for access rights and checking protects the data from being compro- and auditing queries submitted by the mised by network “sniffers.” middle tier on behalf of an end user. The database also lets organizations Teradata Wallet can be employed to employ column-level encryption or ® securely store and protect passwords. The Teradata tokenization to secure information This eliminates the need to store pass- Database allows stored in tables. This helps protect words in clear text in scripts, Teradata sensitive data from both internal businesses to assess, Parallel Transporter operator defini- and external threats, including tions or within an open database implement and being compromised by privileged connectivity data source name. maintain strong database users. The database can also enforce IP Disk and tape archives contain- filters to lock down privileged user security measures that ing sensitive information can be accounts to only the applications, are consistent with encrypted before they are transferred load/export systems and backup/ industry best practices. to an offsite or commercial storage archive operations for which the facility. This removes the possibility accounts have been authorized. This of the data being at risk if the archives provides additional protection in the are lost, stolen or misplaced. event an account is compromised. Row- and column-level controls are Auditing and Monitoring Authorization used by the database to further restrict Teradata Database audit logging The “principle of least privilege” access to selected information in facilities assess different kinds of requires that a user be granted the database tables. Column-level security security events to detect possible minimum level of access required for restricts access to specific columns, security violations, such as attempts his or her job. The Teradata Database while row-level security filters access to compromise a user’s login, unau- supports a discretionary access control to rows based on the identity of the thorized attempts to access database policy that is implemented with an user submitting queries. objects or changes to the logging extensive, granular set of rights and rules. Access log rules can be config- privileges that allows users to be given Data Security ured to audit all access to sensitive only the access needed to perform spe- Sensitive information can be vulner- data and all operations performed by cific operations on particular database able when transmitted over non- privileged database users. objects. Proper management of these secure networks or when appropriate A security administrator can rights is critical to prevent unauthor- access controls have not been enabled. configure the system to log any com- ized or inappropriate access. Moreover, compliance with some bination of access requests, requests The Teradata Database handles this standards and regulations requires denied or specific types of requests by using security roles to authorize encryption to secure the data during for any or all users. The log records database access rights by application, transmission and when it’s stored. The can include the SQL expression that job description or responsibility. This Teradata Database supports strong was used to perform the access,

FIGURE Defense in Depth Security Framework MULTIPLE LAYERS OF SECURITY Security policies and procedures

Defense in depth is a strategy Auditing and monitoring that involves implementing multiple layers of security Intrusion detection/prevention defense mechanisms to Physical security protect critical business data.

If a single layer or mechanism Vulnerability management fails or is compromised, other

layers ensure the security of Database security the data.

The security layers take Authentication

multiple forms. Some include Access rights a company’s security policies and standards, others Encryption include the procedures to manage and monitor system

Operating system hardening access, while still others are implemented as technological controls. It is important to recognize that there is no Network security one layer or set of controls that can be implemented to fully and properly secure a Certification and accreditation database system.

whether indirectly through views or the system might be accessible via best practices. A properly protected directly to base tables. non-secure networks. database is one essential component Companies can use database The database gives organizations of a comprehensive security strategy, features to regularly monitor all the ability to periodically archive all and features in the Teradata solution audit logs. This helps ensure that audit logs for use in security investiga- provide the critical components to users are performing only activities tions or forensic analysis. If a breach safeguard the data. T for which they have been explicitly is detected, the availability of the audit authorized. The frequency of reviews logs is critical to determine the source. Jim Browning is the enterprise security should be determined by risk factors architect for Teradata Labs. such as the criticality of the database Critical Security to business operations, the value or Components sensitivity of the information stored The Teradata Database allows busi- ONLINE in the database, past issues with nesses to assess, implement and This article is based on the white paper “Security Features in the system compromises or misuse of maintain strong security measures Teradata Database.” Download it information and the extent to which that are consistent with industry on Teradata.com.