Best Practices for Securing a Teradata Data Warehouse
December 2011
Les McMonagle, Director - Information Security COE
Vulnerability Management
Database Security
Authentication
Access Rights
Encryption
Physical Security
Network Security
Assurance
• Common Criteria EAL4+ Evaluation
• BITS Audit Program AUP & SIG v6.2
• ISO 27001 Certification
• Safe Harbor (SaaS, DWaaS)
• Separation of Duties
• Operating System Security
• Data Classification
• Vulnerability Management
Access-logging rule for the logging rules themselves: it records every attempt, with the SQL text, to execute the macros that create logon rules and access-logging rules, so that changes to the audit configuration are themselves audited:
BEGIN LOGGING WITH TEXT ON EACH ALL ON MACRO DBC.LogonRule, MACRO DBC.AccLogRule ;
– Examples
» Passwords (could lead to further system compromise)
» Social Security Numbers or Tax IDs (could lead to identity theft)
» Credit card information
» Company financial results prior to announcement (could lead to insider trading and other SEC violations)
– Examples
» Customer account information (privacy protected under GLBA and other regulations)
» Patient health information (privacy protected under HIPAA and other regulations)
» Employee personal information
– Example
» Competitive data
– Example
» Product brochures
PasswordSpecChar option values and the rules each one enforces:

Option   Username in password   Upper/Lower Case   Alpha Characters   Special Characters
N, n     Y                      Y                  Y                  N
Y, y     Y                      Y                  Y                  Y
A, a     Y                      Y                  Y                  R
B, b     Y                      Y                  R                  N
C, c     Y                      Y                  R                  Y
D, d     Y                      Y                  R                  R
E, e     Y                      R                  R                  N
F, f     Y                      R                  R                  Y
G, g     Y                      R                  R                  R
H, h     N                      Y                  Y                  N
I, i     N                      Y                  Y                  Y
J, j     N                      Y                  Y                  R
K, k     N                      Y                  R                  N
L, l     N                      Y                  R                  Y
M, m     N                      Y                  R                  R
O, o     N                      R                  R                  N
P, p     N                      R                  R                  Y
R, r     N                      R                  R                  R

KEY
N – Not Allowed
Y – Allowed, Not Required
R – Required
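As an added example (not code from the deck or from Teradata), the following Python encodes the PasswordSpecChar matrix above and checks a candidate password against one option value, returning the rules it violates. It assumes that a "special" character is any ASCII punctuation character and that the Upper/Lower Case rule is met by at least one upper-case and one lower-case letter; Teradata's own character list and definitions may differ.

```python
"""Password-policy checker reproducing the PasswordSpecChar option matrix.

Added example, not Teradata code: it encodes the N/Y/R matrix above and
checks a candidate password against one option letter the way the
database would before accepting it.
"""
import string

# Column order of the matrix: N Y A B C D E F G H I J K L M O P R
OPTIONS = "NYABCDEFGHIJKLMOPR"
MATRIX = {
    # rule name   : one N/Y/R letter per option, in OPTIONS order
    "username":   "YYYYYYYYYNNNNNNNNN",   # may the username appear in the password?
    "mixed_case": "YYYYYYRRRYYYYYYRRR",   # upper- and lower-case letters together
    "alpha":      "YYYRRRRRRYYYRRRRRR",   # alphabetic characters
    "special":    "NYRNYRNYRNYRNYRNYR",   # special characters
}

# Assumption: ASCII punctuation stands in for Teradata's own special-character list.
SPECIAL = set(string.punctuation)


def policy_for(option: str) -> dict:
    """Return {rule: 'N'|'Y'|'R'} for a PasswordSpecChar option letter (case-insensitive)."""
    col = OPTIONS.index(option.upper())
    return {rule: letters[col] for rule, letters in MATRIX.items()}


def check_password(password: str, username: str, option: str) -> list:
    """Return the rules `password` violates under `option`; an empty list means accepted."""
    policy = policy_for(option)
    # What the candidate password actually contains, one flag per rule.
    present = {
        "username":   username.lower() in password.lower(),
        "mixed_case": any(c.islower() for c in password) and any(c.isupper() for c in password),
        "alpha":      any(c.isalpha() for c in password),
        "special":    any(c in SPECIAL for c in password),
    }
    violations = []
    for rule, setting in policy.items():
        if setting == "N" and present[rule]:
            violations.append(f"{rule}: not allowed")
        elif setting == "R" and not present[rule]:
            violations.append(f"{rule}: required")
    return violations


if __name__ == "__main__":
    for pw, opt in (("Winter2011", "N"), ("winter2011", "R"), ("Lmcmonagle#1", "R")):
        print(opt, pw, check_password(pw, "lmcmonagle", opt) or "accepted")
```

Option N (the permissive default in the matrix) accepts "Winter2011" but rejects the same password with a trailing "!", while option R rejects "winter2011" for lacking mixed case and a special character, and rejects "Lmcmonagle#1" because it embeds the username.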
[Diagram: layered access rights. Inquiry users (INQ_USER_1, INQ_USER_2) hold SELECT and EXECUTE on views and macros rather than on the base tables; an update profile (UPD_PROFILE) adds INSERT, UPDATE and DELETE through views, macros and stored procedures; a maintenance profile (MAINT_PROF) holds the database-level rights (SELECT, INSERT, UPDATE, DELETE, CREATE/DROP TABLE, CHECKPOINT, DUMP, RESTORE, GRANT).]
• Role
A set of database access rights granted to a group of users
> A newly created role does not have any associated access rights
> GRANT (or REVOKE) statements are used to assign (or take away) access rights to (or from) a role
GRANT access_rights ON database.object TO role_name;
> WITH ADMIN OPTION gives the grantee the right to grant the role to others, revoke it, or drop it
> Users may be granted multiple roles
> Roles can also be granted to other roles (nested roles)
• Nested Roles
> Security roles can be nested one level deep
> Example: [Diagram: Role_AB, Role_AC, Role_CD and Role_ABC; an X marks a nesting that is not allowed.]
• Current Role
> The active (or enabled) role plus any nested roles
> Use the SELECT ROLE statement to display the current role
> At logon, the current role is determined by the DEFAULT ROLE assignment for the user
> A user may change roles by using the SET ROLE statement
SET ROLE role_name ;
SET ROLE ALL ;
[Diagram: role-based access. HR Consultant and Employee users reach HR Data through the HR Consultant role; Financial Analyst users reach Finance Data through the Financial Analyst role; Sales Specialist and Customer users reach Sales Data through the Sales Specialist role.]
• LDAP Authentication
> User logs on to Teradata Database using a directory user identifier and password
> Teradata Database performs an LDAPv3 bind (SASL DIGEST-MD5) to the external LDAP-compliant directory
> DIGEST-MD5 was moved to Historic status by RFC 6331 in 2011; prefer a TLS-protected bind or a stronger SASL mechanism where the directory supports it
• Kerberos Authentication
> Sign-on As
> Allows users to access the Teradata Database based on a valid Windows username and password*
* Not available for SLES-9, not yet available for non-Windows clients (Feb 2010)
July 6, 2018 Teradata Confidential 36 36
[Table fragment: directory support matrix; only the column heading "Kerberos-based Authentication" survives. Rows: OpenLDAP Directory N Y Y Y; Novell eDirectory N Y Y Y.]
• Directory User
A database user that is authenticated and authorized through an external LDAP directory, Microsoft Active Directory or ADAM
• External Roles
> Security roles created in the database and assigned to users defined in an external directory *
CREATE EXTERNAL ROLE role_name;
DROP EXTERNAL ROLE role_name;
> Creator must have been granted CREATE ROLE and DROP ROLE privileges
– Cannot include WITH ADMIN OPTION
> External roles cannot be granted to a database user
– Must be assigned directly to directory users
> External roles are mapped to security groups
– Directory users that are members of a group have access to all roles assigned to that group
[Diagram: directory tree rooted at dc=acme, dc=com]
> Views
– Limit user access to only selected columns of the base table: CLS (Column-Level Security)
– Provide value-based security for the information in a table: RLS (Row-Level Security)
[Diagram: data protection layers (Routine, Application, Analytic) across the User/Application, Database and Infrastructure tiers. The Marketing, Privacy Officer, Application, Infrastructure and Security Admin roles are mapped to the Customer base tables, the Opt-out view, the Opt-out/Anonymized view, databases/tables, views and macros, user profiles, disclosure logs and application audit reports, each labelled "High-level Usage".]
• Description
> Provides the capability to create and assign sensitivity labels to database tables/rows and users, and to control access to data based upon the labels.
– Only rows that a user is allowed to access are visible.
> New security policies are written in constraint UDFs for greater flexibility and modification.
• Benefit
> Simpler and easier to maintain than the current workaround of using complex views.
> Meets the government Mandatory Access Control (MAC) requirement. *
– Added security over the Discretionary Access Control (DAC) model
• Considerations
> Row Level Security is a separate optional feature.
> There may be a small performance cost from the addition of constraints to DML statements.
* Not compliant with the NSA Labeled Security Protection Profile (LSPP), which applies to operating systems, not databases
Row-Level Security BEFORE V14.0
Simple Example
Employee Table
EmpNumber LastName FirstName Phone JobTitle DeptNumber HireDate BirthDate Sex Salary
21769 Hinson Ken 1340 Programmer 4216 02-Apr-88 26-Aug-68 M 56240.00
21838 Bolton Caroline 1715 Manager 4216 21-Oct-90 22-Sep-58 F 72351.00
22041 Nelson Carrie 5056 Product Manager 3856 26-Apr-92 01-Sep-66 F 48771.00
22399 Sutton Annie 6228 Admin 4216 19-Jun-95 05-May-70 F 28990.00
22410 Hill Marion 2133 Programmer 4216 30-May-97 30-May-72 F 47621.00
22569 Lewis Ben 4869 Product Manager 3856 13-Apr-98 28-Jul-75 M 46354.00
22890 Cothran Mark 4702 Manager 3245 19-Mar-00 02-Dec-71 M 69433.00
23450 Payton Jessica 4991 Marketing Specialist 3245 20-Aug-02 09-Mar-77 F 48221.00
24108 Shaw Josh 5205 Programmer 4216 18-Feb-03 10-Jun-82 M 41295.00
24569 Cureton Frank 9394 Marketing Specialist 3245 21-Nov-04 14-Jan-82 M 44566.00
Security Table
UserName Dept
cbolton 4216
mcothran 3245

CREATE VIEW Department AS
SELECT * FROM Employee
WHERE DeptNumber IN
  (SELECT Dept FROM Security WHERE UserName = USER);

Rows returned to cbolton (Security maps cbolton to department 4216):
EmpNumber LastName FirstName Phone JobTitle DeptNumber HireDate BirthDate Sex Salary
21769 Hinson Ken 1340 Programmer 4216 02-Apr-88 26-Aug-68 M 56240.00
21838 Bolton Caroline 1715 Manager 4216 21-Oct-90 22-Sep-58 F 72351.00
22399 Sutton Annie 6228 Admin 4216 19-Jun-95 05-May-70 F 28990.00
22410 Hill Marion 2133 Programmer 4216 30-May-97 30-May-72 F 47621.00
24108 Shaw Josh 5205 Programmer 4216 18-Feb-03 10-Jun-82 M 41295.00

The filter only holds if users are granted SELECT on the Department view and not on the Employee base table, and if the Security table can be changed only by the security administrator: a user who can insert into Security can grant themselves any department. A user with no Security row sees no rows at all, so the view fails closed.
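The view-based row filter above, rebuilt as an added example in Python with SQLite (this is not code from the deck or from Teradata). It loads the Employee and Security rows from the slide, creates the same Department view, and shows both the per-user result and why the Security table must not be writable by ordinary users. SQLite has no USER built-in, so a session_user() function registered on the connection stands in for Teradata's USER; that substitution and the reduced column set are assumptions of the example.

```python
"""Row-level security through a view keyed on the session user.

Added example, not from the Teradata deck: it rebuilds the Employee and
Security tables in SQLite and reproduces the Department view. SQLite has
no USER built-in, so session_user() (registered per connection) plays
that role here.
"""
import sqlite3

# Constructed sample data: the ten Employee rows and two Security rows from
# the slide, reduced to the columns the view logic needs.
EMPLOYEES = [
    (21769, "Hinson", "Ken", 4216, 56240.00),
    (21838, "Bolton", "Caroline", 4216, 72351.00),
    (22041, "Nelson", "Carrie", 3856, 48771.00),
    (22399, "Sutton", "Annie", 4216, 28990.00),
    (22410, "Hill", "Marion", 4216, 47621.00),
    (22569, "Lewis", "Ben", 3856, 46354.00),
    (22890, "Cothran", "Mark", 3245, 69433.00),
    (23450, "Payton", "Jessica", 3245, 48221.00),
    (24108, "Shaw", "Josh", 4216, 41295.00),
    (24569, "Cureton", "Frank", 3245, 44566.00),
]
SECURITY = [("cbolton", 4216), ("mcothran", 3245)]


class Session:
    """One database session; `user` is what Teradata's USER would return."""

    def __init__(self, user: str):
        self.user = user
        self.conn = sqlite3.connect(":memory:")
        # Stand-in for USER: evaluated at query time, once per session.
        self.conn.create_function("session_user", 0, lambda: self.user)
        cur = self.conn.cursor()
        cur.execute("CREATE TABLE Employee (EmpNumber INT, LastName TEXT, "
                    "FirstName TEXT, DeptNumber INT, Salary REAL)")
        cur.execute("CREATE TABLE Security (UserName TEXT, Dept INT)")
        cur.executemany("INSERT INTO Employee VALUES (?,?,?,?,?)", EMPLOYEES)
        cur.executemany("INSERT INTO Security VALUES (?,?)", SECURITY)
        # The view from the slide, with session_user() in place of USER.
        cur.execute(
            "CREATE VIEW Department AS SELECT * FROM Employee "
            "WHERE DeptNumber IN (SELECT Dept FROM Security WHERE UserName = session_user())"
        )
        self.conn.commit()

    def visible_employees(self) -> list:
        """EmpNumbers the session user can see through the view."""
        rows = self.conn.execute("SELECT EmpNumber FROM Department ORDER BY EmpNumber")
        return [r[0] for r in rows]


def visible_to(user: str) -> list:
    """What the Department view returns for `user` with the slide's Security table."""
    return Session(user).visible_employees()


def with_self_grant(user: str, dept: int) -> list:
    """Why Security must be writable only by the security administrator:
    one INSERT into Security widens what the view returns to `user`."""
    s = Session(user)
    s.conn.execute("INSERT INTO Security VALUES (?, ?)", (user, dept))
    return s.visible_employees()


if __name__ == "__main__":
    for u in ("cbolton", "mcothran", "nobody"):
        print(u, visible_to(u))
    print("nobody after self-grant of 3856:", with_self_grant("nobody", 3856))
```

cbolton sees the five department-4216 rows shown on the slide, mcothran the three department-3245 rows, and a user with no Security entry sees nothing; the last call shows the same unknown user reading department 3856 after a single insert into Security, which is the privilege boundary the view design depends on.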
• Security Labels
> Associated with subjects (users) and objects (tables, rows)
> Two parts
– Classification: a single, hierarchical level, e.g. TOP SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED
– Compartments (optional): nonhierarchical; represent distinct areas of information
• No Read Up
> Read access is allowed if the subject's label dominates the object's label
– The subject's classification must be >= the object's classification
– The subject's label must include all compartments in the object's label
• No Write Down
> Write access is allowed if the object's label dominates the subject's label
– The object's classification must be >= the subject's classification
– The object's label must include all compartments included in the subject's label
Operation rules on a (Level, Allies) label; Allies is shown as an 8-bit compartment string:

Operation   Rule                                                          User (Level, Allies)   Row (Level, Allies)   Result
Select      Allow read if 1) user Level >= row Level and                  5, 01100000            4, 10000000           deny
            2) user Allies is a superset of row Allies                    5, 11111100            4, 10000000           grant
Insert      Insert the user's session constraint value into               3, 10000000            3, 10000000           row labelled 3, 10000000
            the constraint column
Delete      Allow delete if the row Level is Unclassified (1) and         3, 11110000            1, 10000000           grant
            the user can read the row                                     3, 11110000            1, 00000100           deny
                                                                          3, 10000000            2, 10000000           deny
Update      If user Level >= row Level, update the row's constraint       2, 10000000            2, 10000000           row relabelled 2, 10000000
            column to the user's Level (and Allies)

The second Delete row is denied even though the row is Unclassified because the row carries a compartment the user does not hold; the third is denied because the row is not Unclassified.
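The label-dominance rules of the table above, implemented as an added example in Python (not Teradata's SYSLIB constraint UDFs). It uses the slide's (Level, Allies) label with Allies as an 8-bit compartment string, and reproduces every grant/deny row shown. Assumptions: Level 1 is Unclassified; DELETE requires that the user can also read the row (as the denied Delete rows above imply); UPDATE relabels both Level and Allies to the user's session values; the class and function names are the example's own.

```python
"""No-read-up / no-write-down checks on (Level, Allies) labels.

Added example, not Teradata code: implements the Select, Insert, Delete
and Update rules from the table above. Assumptions: Level 1 is
Unclassified, Delete also requires read access, Update relabels the row
to the user's session label.
"""
from dataclasses import dataclass

UNCLASSIFIED = 1   # assumption: the lowest classification level


@dataclass(frozen=True)
class Label:
    level: int     # hierarchical classification
    allies: str    # non-hierarchical compartments as an 8-character bit string

    def __post_init__(self):
        if len(self.allies) != 8 or set(self.allies) - {"0", "1"}:
            raise ValueError("allies must be an 8-character bit string")

    @property
    def compartments(self) -> int:
        """Compartment bit set as an integer, for subset tests."""
        return int(self.allies, 2)

    def dominates(self, other: "Label") -> bool:
        """Classification >= and compartments a superset: the 'no read up' test."""
        return (self.level >= other.level
                and self.compartments & other.compartments == other.compartments)


def can_select(user: Label, row: Label) -> bool:
    """Read is allowed only if the user's label dominates the row's label."""
    return user.dominates(row)


def insert_label(user: Label) -> Label:
    """A newly inserted row takes the session's constraint values."""
    return Label(user.level, user.allies)


def can_delete(user: Label, row: Label) -> bool:
    """Only Unclassified rows may be deleted, and only if the user can read them."""
    return row.level == UNCLASSIFIED and user.dominates(row)


def update_label(user: Label, row: Label):
    """If the user can read the row it is relabelled to the user's level and
    allies (never downward for a dominated row); otherwise None (no update)."""
    if not user.dominates(row):
        return None
    return Label(user.level, user.allies)


if __name__ == "__main__":
    print("select", can_select(Label(5, "01100000"), Label(4, "10000000")))   # deny
    print("select", can_select(Label(5, "11111100"), Label(4, "10000000")))   # grant
    print("delete", can_delete(Label(3, "11110000"), Label(1, "00000100")))   # deny
    print("update", update_label(Label(2, "10000000"), Label(2, "10000000")))
```

The first Select is denied because the user's compartments 01100000 do not cover the row's 10000000 even though the user's level is higher; the Delete of the Unclassified row with compartment 00000100 is denied for the same reason, which is what makes the bit-superset test, not just the level comparison, the part worth getting right.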
Assigning constraint values to a user or profile:
CREATE|MODIFY USER|PROFILE … AS
  CONSTRAINT = <name_1> (valuename_1, ....., valuename_n),
  CONSTRAINT = <name_2> (valuename_1, ....., valuename_n);
Max 5 non-set constraints or 2 set constraints.
Override privileges are granted on a database, table or column; if no operation is specified, the override is granted for all operations.
EXPLAIN of an UPDATE on an RLS-protected table: the optimizer adds the SELECTLEVEL/SELECTALLIES constraint UDFs as a residual condition (the user must be able to read the row) and relabels the row through UPDATELEVEL/UPDATEALLIES:

Explanation
---------------------------------------------------------------------------
1) First, we do a single-AMP UPDATE constrained by
   (RGATES.Aircrafts.Classification_Level =
   SYSLIB.UPDATELEVEL (5,RGATES.Aircrafts.Classification_Level)),
   (RGATES.Aircrafts.Allies =
   SYSLIB.UPDATEALLIES ('FC00'XB, RGATES.Aircrafts.Allies)) from
   RGATES.Aircrafts by way of the primary index
   "RGATES.Aircrafts.Country = 'Iran '" with a residual condition ("
   ((SYSLIB.SELECTLEVEL (5, RGATES.Aircrafts.Classification_Level)) =
   'T') AND
   ((SYSLIB.SELECTALLIES ('FC00'XB, RGATES.Aircrafts.Allies ))= 'T')").
   -> No rows are returned to the user as the result of statement 1.

EXPLAIN of a DELETE: the row must be readable (SELECTLEVEL/SELECTALLIES) and deletable (DELETELEVEL/DELETEALLIES) under the session's label, on top of the user's own WHERE condition:

Explanation
---------------------------------------------------------------------------
1) First, we lock a distinct RGATES."pseudo table" for write on a
   RowHash to prevent global deadlock for RGATES.Aircrafts.
2) Next, we lock RGATES.Aircrafts for write.
3) We do an all-AMPs DELETE from RGATES.Aircrafts by way of an
   all-rows scan with a condition of ("
   (((((SYSLIB.SELECTALLIES ('FC00'XB, RGATES.Aircrafts.Allies ))= 'T') AND
   ((SYSLIB.DELETEALLIES (RGATES.Aircrafts.Allies ))= 'T')) AND
   ((SYSLIB.SELECTLEVEL (5, RGATES.Aircrafts.Classification_Level ))=
   'T')) AND (RGATES.Aircrafts.Air_Base = 'Ahmadi ')) AND
   ((SYSLIB.DELETELEVEL (RGATES.Aircrafts.Classification_Level ))=
   'T')"). The size is estimated with no confidence to be 1 row.
FastLoad, BTEQ
– Data Size
  – Impacted by block-level encryption, Format Preserving Encryption (FPE)
– User/Application Transparency
  – Particularly important for middle-tier applications
[Diagram: Security Manager (Security Reporter) and the Policy & Log Repository on the management side; DataProtector UDFs and the Log Service on the database side, beneath the Views.]
Security Manager
• Thin client for enterprise-wide policy management
> One application for all targets on all platforms
> System configuration
> Security administration
> Policy deployment and implementation
SQL Director
• Key user tool for policy deployment at the database level
• Selects tables and columns to encrypt
• Applies encryption rules
• Builds required SQL code
• Launched from Security Manager
• Generates migration scripts
• Support for all target databases
• ODBC for connectivity
• Supports SQL features
> Identifiers
> Views
> Triggers
• Option to set a no-access value for users not having access to protected data
Teradata DataProtector
• Applies policy through UDFs
• Handles runtime policy and policy changes
• Policy distribution through shared memory
• Local policy cache for standalone operation
• Enforces policy
> User rights, time of day, audit trail
• Uploads access logs to ESA
[Diagram: DB User -> in-memory UDFs (policy check, encrypt/decrypt) -> DataProtector policy]
The system also uses Data Dictionary views and macros that access or manage information in the Data Dictionary tables. These views and macros are created by running DIP scripts.
Managing the size of the Data Dictionary tables (sometimes called logs) can help improve performance. Teradata Database does not delete system data on its own, so you must manage the logs and tables yourself. Determine what you should archive and what you should delete as needed for your site.
Refer to the Data Dictionary Quick Reference v??.xx.pdf (for your version of Teradata) for a listing of all Data Dictionary log tables, views and macros.
Teradata recommends copying data off the DBC tables into a separate database, or archiving the data as required, and then deleting the information from the DBC tables.
• DBQL logs, which include all DBQL tables that have logging enabled. (DBC.DBQLRuleTbl and DBC.DBQLRuleCountTbl are not part of the log maintenance list: they are maintained automatically by the BEGIN/END QUERY LOGGING statements, and an error is returned if you attempt to delete their contents.)
• DBC.SW_Event_Log
Note: Entries in DataDemographics are deleted automatically when you use the INSERT EXPLAIN WITH STATISTICS AND DEMOGRAPHICS statement. For more information, see "Query Capture Facility" in SQL Request and Transaction Processing and "COLLECT DEMOGRAPHICS" in SQL Data Manipulation Language.
For a full list of other tables to consider purging, see "Cleaning Out Frequently Updated Logs" in the appropriate version of the Security Administrator Guide.
Also, the security administrator should purge the logs associated with access logging, as well as any other security-related views, as needed. Archive access-log and DBQL data before purging it; once deleted from DBC it is unavailable to any later investigation.
In addition to maintaining the size of system tables and logs, you can reduce log file sizes as follows:
• Use only DBC.ResUsageSpma instead of activating logging on multiple ResUsage tables. ResUsageSpma may provide all the information you need.
• Use roles to manage privileges, which helps reduce the size of DBC.AccessRights. For other tips on reducing the size of the DBC.AccessRights table, see the "Housekeeping on an Ad-Hoc Basis" section of the Security Administrator Guide.
• Track only the information you need for DBQL. The DBQLogTbl may provide the required information.
• Track only the information you need for accounting.
• Use active row filter mode where possible for ResUsage tables.
The contents shown by a view apply only to the user submitting the query that acts upon the view: it returns information only on objects the requesting user owns or on which the user has privileges.
Restricted (X) views have the same columns as the non-X views, except that, because the definition of a restricted view has a WHERE clause, the user can only view objects he or she owns, is associated with, has been granted privileges on, or has been assigned a role that holds the required privileges.
The Data Dictionary defaults to storing object names in Unicode so that the same set of characters is available with the same length restrictions regardless of the character set of a client.
Note: The Data Dictionary functions the same whether or not Japanese Language support mode is enabled. Also, object names with multi-byte character sets can be shared between non-Japanese session character sets. For more information, see International Character Set Support.
Teradata also recommends that if you add any new views to database DBC, you add a V suffix to the view name. For more information, see "Unicode System Views" in Data Dictionary.
[Diagram: network layout. A Teradata DMZ, with the TD Firewall and TD VPN, sits between the customer Firewall and the Production Data Warehouse, Development and AWS Test systems and the Backup Server.]
Teradata ServiceLink Security
Access List Reference Table (traffic from Teradata to your site)

Windows AWS support:
  TCP 20, 21 (FTP)
  TCP 22 (SSH)
  TCP 23 (Telnet)
  TCP 3389 (Terminal Services)
  TCP 8443 (SSL for Parallel Upgrade Tool (PUT))
  TCP 8080, 9000 to 9010 (PUT)

Linux OS support:
  TCP 22 (SSH)
  TCP 1025 (ODBC)
  TCP 7060 (JDBC)
  TCP 5801 (GUI Admin)
  TCP 5901-5902 (VNC)
  TCP 8443 (SSL for Parallel Upgrade Tool (PUT))
  TCP 8080, 9000 to 9010 (PUT)

Some or all ports may be required depending on the specific Teradata installation. Custom ports can be used for customer specific toolsets if required.
FTP and Telnet carry credentials in cleartext and VNC sessions are unencrypted, so open those entries only where the support tooling cannot use SSH/SFTP, and restrict every entry to the ServiceLink source addresses rather than to any source.
• AppArmor
> Novell SUSE Linux Enterprise Server 10 (SLES 10) immunization technology
> Provides host intrusion prevention and mandatory access controls for applications
• Teradata 13.0 includes a set of AppArmor profiles for Teradata executable processes
> Profiles enforce tighter restrictions on access to files and administrative system calls
> Protects systems and networks from possible security vulnerability exploits of database processes running with root privileges
> Profiles can be enabled/disabled using the new tdapparmor utility
– Teradata AppArmor profiles are enabled by default
– Confirm after installs and upgrades that the profiles are loaded in enforce mode (aa-status lists them); a profile left in complain mode only logs violations and blocks nothing
> Periodically review data center access list and keep it current
> Ensure that all visitors to the data center are supervised
> Periodic audits allow for the data sensitivity and risk to be
reviewed and security controls revised if necessary
[Table: ServiceLink security tiers (row/column mapping partially recoverable). Foundation: ServiceLink with 2-factor authentication and strong encryption. Advanced or Warehouse Security: fewer ports, some logging capability. Custom / PS: custom security needs.]