CDP for Teradata VCL Operation

Below is the CDP-TVCL operation diagram:

The UDF protect_string sends a cleartext string inside the UDF. The cleartext string is then protected. Likewise, the UDF reveal_string sends a protected string inside the UDF. The protected string is then revealed.

Protection Policy

The UDFs are invoked with a specified Protection Policy. The Protection Policy is created in the CipherTrust Manager and contains all the information required to protect the data, including key name, algorithm, access rule, etc. Provide the Protection Policy name as a parameter when invoking the UDF.

Access Control with UDFs

CDP for Teradata VCL supports access control of the protected data. Access Policy is defined in the CipherTrust Manager that specifies how the protected data should be revealed to a specific user. For example, an empowered user can see the whole protected data clearly, whereas another user can only see the last four digits of the protected data.

The UDF reveal_string() retrieves the currently logged-in user to the Teradata database and passes this information with the Protection Policy name to the Teradata VCL docker container. The Teradata VCL docker container looks up the user in Access Policy rules and reveals the protected data accordingly.

Components

CipherTrust Manager

CDP for Teradata VCL uses the CipherTrust Manager (CM) as the key manager to store and manage data encryption keys, protection policies, data access policies, administrative domains, and administrator and user profiles.

CDP-TVCL Docker Container

The CDP-TVCL docker container processes protect and reveal requests from the UDF and perform cryptographic operations locally. For this, the CDP-TVCL docker container retrieves cryptographic keys, protection and access policies from the CipherTrust Manager (CM). Finally, the protect and reveal operations results are returned to the UDF.