Transcription

WHITE PAPERQlik SenseEnterprise SecurityOverviewQLIK.COM

T AB LE OF C ON TE N TSPlatform2Qlik Sense Enterprise on Windows 3Authentication4Authorization5Data Reduction6Qlik Sense Security User Access Workflow8Auditing9Qlik Sense Enterprise with Multi-Cloud Deployment10Summary13Qlik Sense Enterprise Security Overview1

P L AT FOR MQlik Sense is Qlik’s next-generation platform for modern, self-serviceoriented analytics, supporting the full spectrum of analytics use casesfrom visualization to reporting, all within a governed multi-cloudarchitecture that offers scalability, trust and ongoing choice for theorganization. It delivers broad value for all types of users, offeringunmatched associative exploration, accelerated self-service creation,collaboration and reporting, online and offline mobility, customizationand extension, data integration, and governed, multi-cloud scalabilitysupporting the entire enterprise ecosystem. Qlik Sense runs on thepatented Qlik Associative Engine, which allows users of all skill levels toexplore information freely without the limitations of query-based tools.Qlik Sense Enterprise Security Overview2

QLIK SENSE ENTERPRISE ON W INDOWSQlik Sense Enterprise on Windows deployments provides self-service visualization that is scalable,secure, and governable. It can be deployed on-premise or in a customer-or partner-managed cloud,and users can perform a variety of analytic activities ranging from consumption to data preparation tocreation of visualizations. To ensure platform security, Qlik Sense leverages internal and externalresources to manage access, authentication, authorization, and data governance on four levels. Network security: All communication between Qlik Sense services and webclients use web protocols using Transport Layer Security (TLS). TLS uses digitalcertificates to encrypt information exchanged between services, servers, andclients. Encrypted information flows through tunnels requiring two certificates tosecure the connection; a server certificate to identify the correct server and a clientcertificate to allow the client to communicate with the identified server. Server security: The operating system security system controls access tocertificates, storage, memory, and CPU resources. Qlik Sense uses these controlsto protect the platform by only allowing authorized users and processes access torequired resources. 1 Process security: Qlik Sense goes through a rigorous testing process duringdevelopment to mitigate security risks and handle unanticipated events. Additionaltesting verifies Qlik Sense can stand up against known security threats toward thesoftware. App security: Attribute based access control provides a comprehensive frameworkto govern user capabilities within the platform. Row and column level data reductionthrough section access dynamically manages the data which users view and selectin applications.1For more information about Qlik Sense architecture, review the Qlik Sense Architecture & Scalability whitepaper.Qlik Sense Enterprise Security Overview3

AuthenticationQlik Sense ProxyAll authentication in a Qlik Sense deployment is managed by theQlik Sense Proxy Service (QPS), including clients connecting to theHub or the Qlik Management Console (QMC). Qlik Sense requiresQlik Sense – three stepauthenticationan external identity provider to verify an individual user’s identity.Upon verification, Qlik Sense transfers the user to Hub or QMC,encrypting traffic using TLS and certificates with the following1. Authentication module getsthe user identity andcredentials.methods:2. Authentication module SAML integration with Qlik Sense acts as a service providerintegrating with an identity provider.requests an external system toverify the user identity usingthe credentials. Windows Integrated Authentication allows for NTLM orKerberos based authentication. JSON Web Tokens (JWT) enable secure transmission between3. User transferred to QlikSense using the Ticket API,Session API, HTTP headers,or SAML.two parties as a JavaScript Object Notation (JSON) object. Ticket/Session APIs transfer the user and user’s attributesusing a one-time ticket allowing for integration with websites and portals. HTTP Headers in solutions with trusted systems that transfer user information using this method. Anonymous users can be configured to access Qlik Sense.Virtual ProxiesEach QPS in a Qlik Sense deployment usesVirtual Proxies to support authentication. VirtualProxies allow one proxy to support multipleauthentication schemes, perform sessionmanagement, and load balancing across multinode deployments. Virtual Proxies may link toone or many QPS nodes to direct traffic, loadbalance between engines, or provide specificaccess to administrative layers of a deployment.Qlik Sense Enterprise Security Overview4

AuthorizationAfter a user authenticates and gains access to Qlik Sense, authorization through an attribute-basedaccess control (ABAC)2 model enforces application visibility and self-service capabilities withinapplications.Attribute Based Access Control (ABAC)In Qlik Sense, ABAC is defined as an access control method where user requests to perform actions onresources are granted based on assigned attributes of the user, assigned attributes of the resource,environment conditions, and a set of security rules that are specified in terms of those attributes andconditions. Attributes from Active Directory, LDAP, and databases are loaded into Qlik Sense. Inaddition, attributes may be defined and managed directly within Qlik Sense as well.Security RulesQlik Sense security rules define user capabilitieson Qlik Sense resources provided a condition.Access is provided if at least one rule returns truebased on attributes like the roles or groups of theuser and resources.Security rules control access to application streamsin the hub, capabilities within applications (sheet,story, bookmark creation), and administrativecapabilities in the QMC (publish apps, set streamaccess, create and run tasks).The security rules framework comes with severalpredefined rules enabling administrators to scalesecurity across users leveraging existing roles andgroups in the enterprise.2ABAC is a special publication of the National Institute of Standards and Technology (NIST) catalogued as NIST SpecialPublication 800-162.Qlik Sense Enterprise Security Overview5

In a roles-based enterprise, BI authors are responsible for app creationand have data access. Content Admins do not create, but publishapplications to streams aimed at groups of consumers. Consumers canextend their own analysis with sheets and stories within an application;sharing new found insights with their teammates without compromisingthe integrity of the core application.These capabilities and corresponding rules are delivered out of the boxwith Qlik Sense.Data ReductionData reduction in Qlik Sense determines what data users and groups are allowed to see when theyenter a Qlik Sense application. In Qlik Sense, data reduction is known as section access.Qlik Sense Enterprise Security Overview6

Section AccessSection access performs row and column level security in a Qlik Sense application. With sectionaccess, a single Qlik Sense application may hold data for multiple users or groups. Through theauthentication and authorization process, user information is sent into the application to dynamicallyreduce the data so that users access only the data they are allowed to view. Section access may useattributes and fields from external databases, directories, lookup tables, or created tables to enforceuser visibility to data.Dynamic Data ReductionAs Big Data is gathered, it’s copied into a repository. Tech vendors like Amazon, Google, Microsoft alloffer their own platform with a suite of related services. Open source tools like Hadoop offerdistributed, scalable, and portable file systems designed to run on commodity hardware which manybusinesses use. All of these tools give you some ability to aggregate and manipulate data, but only as afirst step toward making it ready for analysis.Qlik Sense Enterprise Security Overview7

Qlik Sense Security User Access WorkflowCombining authentication, authorization, and data reduction is a seamless experience for a useraccessing Qlik Sense.1. A user makes a request for Qlik Sense content.2. The Qlik Sense proxy service authenticates the user and creates a session cookie in thebrowser.3. The session cookie identifies the user to Qlik Sense and synchronizes with a userdirectory to import attributes. At the same time, the rules engine authorizes the user toaccess Qlik Sense content using the attribute-based access control model.4. The session state for the user is created in the engine. The engine performs dynamic datareduction using section access.5. The engine sends content through a web socket connection to the client to render QlikSense content.Qlik Sense Enterprise Security Overview8

AuditingGovernance is critical in enterprise business intelligence. Qlik Sense delivers auditing, monitoring andlogging using the QMC, applications, and log files to inform administrators and mitigate risks indeployments: Audit security rules using the Audit tab built into the Qlik Management Console. Using the filters atthe top of the audit screen, administrators can evaluate user access control for applications.Administrators can use inline auditing when creating security rules for streams, content libraries,and data connections to preview access control based on rules they write. Monitor Qlik Sense using the built-in Operations Monitor and License Monitor applications. Theseapplications present information related to uptime, sessions, resource utilization, change logging,and license complianceand management. Logging to text files runsin the background in a QlikSense. All services includeaudit, system, and tracelogs for deploymentmonitoring andmanagement.Qlik Sense Enterprise Security Overview9

Qlik Sense Enterprise with Multi-Cloud DeploymentThe optional multi-cloud capability of Qlik Sense Enterprise allows organizations to broadly scalepolicy-driven deployments to expand the reach of analytics to new users, while retaining flexibility tochoose where analytic consumption takes place. Organizations can use multi-cloud capabilities todistribute apps from Qlik Sense on Windows deployments to managed container services using QlikSense on Kubernetes deployments or hosted by Qlik using Qlik Cloud Services. Both capabilities aretechnically similar, Qlik Sense on Kubernetes deployments is customer-deployed while the Qlik CloudServices is a fully managed hosted service by Qlik. The underlying architecture is microservices-basedand delivered through Docker and Kubernetes.3 The following is an overview of the relevant services asused in both QCS and Qlik Sense on Kubernetes deployments highlighting the differences whereappropriate.3For more information about Qlik Sense architecture, review the Qlik Sense Architecture & Scalability whitepaper.Qlik Sense Enterprise Security Overview10

Ingress[container name: qsefe-nginx-ingress-controller]All client communication and Qlik Sense Enterprise from Windows communication is routed through anNGINX-Ingress controller named qsefe-ngnix-ingress-controller. This ensures a single point of entry tothe multi-cloud environment, and by leveraging the capabilities of Kubernetes, NGINX-Ingress can takeadvantage of edge devices within managed container services such as a load balancer.Authentication[container name: qsefe-edge-auth]Users access content in the multi-cloud environment using a web based portal and analytics client.The client is protected by an Identity Provider (IdP) conforming to OpenID Connect, such as Auth0 orOkta , and integration between the IdP and the multi-cloud environment is handled via a containercalled qsefe-edge-auth. All communication between the IdP and qsefe-edge-auth is encrypted usingTLS. Customers should ensure they are using an IdP that supports both SAML to connect to QlikSense Enterprise on Windows deployments and OpenID to connect to the multi-cloud environment.With this, users can login using the same credentials and leverage a single license and consistententitlements throughout.Authorization[container name: qsefe-policy-decisions]The relevant entitlements defined using the Security Rules in Qlik Sense Enterprise on Windowsdeployments are automatically pushed to a multi-cloud environment and enforced with a containercalled qsefe-policy-decisions. Other containers within the deployment leverage qsefe-policy-decisionsto determine the permissions of a user, such as which applications and collections of applications (e.g.,Sales, Finance) the user can access. Additionally, section access, which provides row and column levelsecurity, is enforced in the multi-cloud environment.Qlik Sense Enterprise Security Overview11

Data AccessDistribution PoliciesWith Distribution Policies that are defined and managedin the Qlik Sense Management Console, it is possible tospecify which applications that are to be delivered to themulti-cloud environment. Those applications aretransmitted using TLS and stored in a persistent volumeusing Kubernetes. Encryption of persistent volumes aremanaged by the host operating system.SecretsSecrets such as MongoDB credentials, IdPconfiguration, SSL certificates are stored using Kubernetes Secrets.Qlik Cloud ServicesWith multi-cloud capabilities, apps can be distributed from Qlik Sense Enterprise on Windowsdeployments to Qlik Cloud Services, a fully managed service provisioned and administrated by Qlik,using the distribution policies described above.Qlik Cloud Services is hosted on Amazon AWS infrastructure in three regions; United States East(Virginia), Europe West (Ireland), and APAC (Sydney). Customers may choose the region in which theirdata resides, and data will not leave that region. Qlik leverages the AWS shared responsibility model