Securing Teradata Database
Teradata Database is a Relational Database Management System (RDBMS) developed by Teradata Corporation. Teradata Database has the ability to scale for very large data warehousing projects, where fast response times are required, often with many connecting clients. Think “Big Data” with databases that can contain many millions of records. Teradata has a mature optimizer and a scalable architecture, which provide excellent response times for simple queries, but also allow complex analytical queries to be run efficiently on very large data sets.
The total number of organisations using Teradata Database is relatively small (when compared to other popular databases), partly because few organisations need the level of scalability that Teradata provides. Teradata Database deployments often support an organisation’s mission-critical information systems – and need to be securely protected in terms of confidentiality, integrity and availability.
Teradata is a significant investment for an organisation, as large amounts of dedicated hardware are typically required. As a result, when organisations use Teradata there may be financial drivers to maximize the use of the solution. Typically, many large databases will be hosted within a single Teradata deployment, and multiple deployments may often be present within a single organisation.
Teradata Database Security Issues
Functionality, up-time and responsiveness are often seen as the main priorities for enterprise data analysis systems. The focus on these primary business drivers can detract from background IT security tasks. This includes items such as patch-management, secure configuration, good password choices and policy, use of effective encryption, and other hygiene-related security controls. On top of this, Teradata Databases are often partly managed by third parties, further complicating the delivery of important requirements needed for an effective security program.
As with other database solutions, there are various insecure Teradata default configurations that can be improved upon, and significant potential for critical security mistakes, which together provide several attack vectors for threat actors to gain unauthorised access to business-critical resources. Trivial compromise can occur when privileged accounts have default credentials or otherwise guessable passwords – and various paths for privilege escalation may exist for low-privileged accounts.
Items of interest when assessing a Teradata database include issues which are common to other database assessments (though there are various unique items specific to Teradata); these include:
- Insecure credentials (default credentials, password attacks, and hash-cracking)
- Assessment of security policies (password and lockout policies)
- Secure use of privileged access
- Assessment of roles and privileges
- Identification of sensitive data (especially in relation to GDPR, PCI, and other legislation)
- Assessment of patch-levels and security updates
- An assessment of user-defined functions and user capabilities
- Identification and analysis of application user credentials stored in the database
- Assessment of the use of encryption (for data at rest or in transit)
- Assessment of monitoring and logging
Teradata Viewpoint is a performance monitoring, alerting, and management portal – which helps to maintain an efficient Teradata Database system. However, this solution can also introduce significant risk with insecure configurations. Teradata Viewpoint operates by holding multiple privileged Teradata credentials in a reversible format, so that it can authenticate to Teradata databases to collect statistical and performance information. Therefore, compromise of a component of Teradata Viewpoint could lead to compromise of multiple Teradata instances from an internal perspective. It is therefore important that Teradata Viewpoint hardening and general operating system hardening are undertaken.
Published date: 20 July 2018
Written by: Ben Williams