White Paper
Qlik Sense Enterprise security overview
July, 2018
qlik.com

Platform

Qlik Sense is Qlik’s next-generation platform for modern, self-service oriented analytics, supporting the full spectrum of analytics use cases from visualization to reporting, all within a governed multi-cloud architecture that offers scalability, trust and ongoing choice for the organization. It delivers broad value for all types of users, offering unmatched associative exploration, accelerated self-service creation, collaboration and reporting, online and offline mobility, customization and extension, data integration, and governed, multi-cloud scalability supporting the entire enterprise ecosystem. Qlik Sense runs on the patented Qlik associative engine, which allows users of all skill levels to explore information freely without the limitations of query-based tools.

Qlik Sense Enterprise for Windows

Qlik Sense Enterprise for Windows provides self-service visualization that is scalable, secure, and governable. It can be deployed on-premise or in a customer- or partner-managed cloud, and users can perform a variety of analytic activities ranging from consumption to data preparation to creation of visualizations. To ensure platform security, Qlik Sense leverages internal and external resources to manage access, authentication, authorization, and data governance on four levels.

Network security: All communication between Qlik Sense services and web clients uses web protocols using Transport Layer Security (TLS). TLS uses digital certificates to encrypt information exchanged between services, servers, and clients. Encrypted information flows through tunnels requiring two certificates to secure the connection: a server certificate to identify the correct server and a client certificate to allow the client to communicate with the identified server.

Server security: The operating system security system controls access to certificates, storage, memory, and CPU resources. Qlik Sense uses these controls to protect the platform by only allowing authorized users and processes access to required resources. [1]

Process security: Qlik Sense goes through a rigorous testing process during development to mitigate security risks and handle unanticipated events. Additional testing verifies Qlik Sense can stand up against known security threats toward the software.

App security: Attribute based access control provides a comprehensive framework to govern user capabilities within the platform. Row and column level data reduction through section access dynamically manages the data which users view and select in applications.

[1] For more information about Qlik Sense architecture, review the Qlik Sense Architecture & Scalability whitepaper.

Qlik Sense Security Overview 2

Authentication

Qlik Sense Proxy

All authentication in a Qlik Sense deployment is managed by the Qlik Sense Proxy Service (QPS), including clients connecting to the Hub or the Qlik Management Console (QMC). Qlik Sense requires an external identity provider to verify an individual user’s identity. Upon verification, Qlik Sense transfers the user to Hub or QMC, encrypting traffic using TLS and certificates with the following methods:

SAML integration, with Qlik Sense acting as a service provider integrating with an identity provider.

Windows Integrated Authentication allows for NTLM or Kerberos based authentication.

JSON Web Tokens (JWT) enable secure transmission between two parties as a JavaScript Object Notation (JSON) object.

Ticket/Session APIs transfer the user and user’s attributes using a one-time ticket allowing for integration with websites and portals.

HTTP Headers in solutions with trusted systems that transfer user information using this method.

Anonymous users can be configured to access Qlik Sense.

Qlik Sense - three step authentication

1. Authentication module gets the user identity and credentials.
2. Authentication module requests an external system to verify the user identity using the credentials.
3. User transferred to Qlik Sense using the Ticket API, Session API, HTTP headers, or SAML.

Virtual Proxies

Each QPS in a Qlik Sense deployment uses Virtual Proxies to support authentication. Virtual Proxies allow one proxy to support multiple authentication schemes, perform session management, and load balancing across multi-node deployments. Virtual Proxies may link to one or many QPS nodes to direct traffic, load balance between engines, or provide specific access to administrative layers of a deployment.

Authorization

After a user authenticates and gains access to Qlik Sense, authorization through an attribute based access control (ABAC) [2] model enforces application visibility and self-service capabilities within applications.

Attribute Based Access Control (ABAC)

In Qlik Sense, ABAC is defined as an access control method where user requests to perform actions on resources are granted based on assigned attributes of the user, assigned attributes of the resource, environment conditions, and a set of security rules that are specified in terms of those attributes and conditions. Attributes from Active Directory, LDAP, and databases are loaded into Qlik Sense. In addition, attributes may be defined and managed directly within Qlik Sense as well.

Security Rules

Qlik Sense security rules define user capabilities on Qlik Sense resources provided a condition. Access is provided if at least one rule returns true based on attributes like the roles or groups of the user and resources.

Security rules control access to application streams in the hub, capabilities within applications (sheet, story, bookmark creation), and administrative capabilities in the QMC (publish apps, set stream access, create and run tasks).

The security rules framework comes with several predefined rules enabling administrators to scale security across users leveraging existing roles and groups in the enterprise.

In a roles based enterprise, BI authors are responsible for app creation and have data access. Content Admins do not create, but publish applications to streams aimed at groups of consumers. Consumers can extend their own analysis with sheets and stories within an application, sharing newfound insights with their teammates without compromising the integrity of the core application. These capabilities and corresponding rules are delivered out of the box with Qlik Sense.

[2] ABAC is a special publication of the National Institute of Standards and Technology (NIST) catalogued as NIST Special Publication 800-162.

Data Reduction

Data reduction in Qlik Sense determines what data users and groups are allowed to see when they enter a Qlik Sense application. In Qlik Sense, data reduction is known as section access.

Section Access

Section access performs row and column level security in a Qlik Sense application. With section access, a single Qlik Sense application may hold data for multiple users or groups. Through the authentication and authorization process, user information is sent into the application to dynamically reduce the data so that users access only the data they are allowed to view. Section access may use attributes and fields from external databases, directories, lookup tables, or created tables to enforce user visibility to data.

Dynamic Data Reduction

Section access reduces data in an application dynamically by associating section access data with the business data loaded into the application with a single defined relationship. Using common field names, rows of data are excluded from the user during application interaction. In addition, columns of data may be hidden from view by specifying field names to omit for each user.

[Figure: Attributes and Fields, App Data, Result]

Qlik Sense Security User Access Workflow

Combining authentication, authorization, and data reduction is a seamless experience for a user accessing Qlik Sense.

1. A user makes a request for Qlik Sense content.
2. The Qlik Sense proxy service authenticates the user and creates a session cookie in the browser.
3. The session cookie identifies the user to Qlik Sense and synchronizes with a user directory to import attributes. At the same time the rules engine authorizes the user to Qlik Sense content using the attribute based access control model.
4. The session state for the user is created in the engine. The engine performs dynamic data reduction using section access.
5. The engine sends content through a web socket connection to the client to render Qlik Sense content.
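Steps 3 and 4 of the workflow above, together with the security rules and dynamic data reduction descriptions earlier, modeled as an added example (a simplified illustration, not Qlik Sense code and not part of the white paper). The rule shapes, users, stream, and field names such as `region` and `omit` are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    resource_type: str                       # kind of resource the rule covers
    actions: frozenset                       # actions the rule can grant
    condition: Callable[[dict, dict], bool]  # (user attrs, resource attrs) -> bool

def authorize(user, resource, action, rules):
    """Step 3: grant if at least one applicable rule is true; otherwise deny."""
    return any(r.resource_type == resource["type"] and action in r.actions
               and r.condition(user, resource) for r in rules)

def reduce_data(user_id, access_rows, app_rows, link_field):
    """Step 4: keep rows whose link_field value is granted to the user and
    drop omitted columns. In this model a user with no access rows gets no data."""
    grants = [g for g in access_rows if g["user"] == user_id]
    allowed = {g[link_field] for g in grants}
    omitted = {g["omit"] for g in grants if g["omit"]}
    return [{k: v for k, v in row.items() if k not in omitted}
            for row in app_rows if row[link_field] in allowed]

# Constructed sample data (hypothetical users, stream and fields).
RULES = [
    Rule("Stream", frozenset({"read"}),
         lambda u, r: r["name"] in u["groups"]),
    Rule("Stream", frozenset({"read", "publish"}),
         lambda u, r: "ContentAdmin" in u["roles"]),
]
SALES_STREAM = {"type": "Stream", "name": "Sales"}
ALICE = {"id": "alice", "groups": {"Sales"}, "roles": set()}
BOB = {"id": "bob", "groups": {"Finance"}, "roles": set()}
ACCESS = [  # the access table, linked to the app data by the common field "region"
    {"user": "alice", "region": "EMEA", "omit": "margin"},
    {"user": "carol", "region": "EMEA", "omit": None},
    {"user": "carol", "region": "APAC", "omit": None},
]
APP_DATA = [
    {"region": "EMEA", "revenue": 120, "margin": 0.31},
    {"region": "APAC", "revenue": 95, "margin": 0.27},
]

def open_app(user, stream, app_rows):
    """Authorize first, then reduce; an unauthorized user never reaches the data."""
    if not authorize(user, stream, "read", RULES):
        raise PermissionError(f"{user['id']} may not read {stream['name']}")
    return reduce_data(user["id"], ACCESS, app_rows, "region")
```

The two layers are independent: a rule grants visibility of the stream, while the access table decides which rows and columns survive, so a user who passes authorization but has no access rows still sees nothing.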

Auditing

Governance is critical in enterprise business intelligence. Qlik Sense delivers auditing, monitoring and logging using the QMC, applications, and log files to inform administrators and mitigate risks in deployments.

Audit security rules using the Audit tab built into the Qlik Management Console. Using the filters at the top of the audit screen, administrators can evaluate user access control for applications. Administrators can use inline auditing when creating security rules for streams, content libraries, and data connections to preview access control based on rules they write.

Monitor Qlik Sense using the built-in Operations Monitor and License Monitor applications. These applications present information related to uptime, sessions, resource utilization, change logging, and license compliance and management.

Logging to text files runs in the background in Qlik Sense. All services include audit, system, and trace logs for deployment monitoring and management.

[Figure: Qlik Operations Monitor]

Qlik Sense Enterprise with Multi-Cloud Deployment

The optional multi-cloud capability of Qlik Sense Enterprise allows organizations to broadly scale policy-driven deployments to expand the reach of analytics to new users, while retaining flexibility to choose where analytic consumption takes place. Organizations can use multi-cloud capabilities to distribute apps from Qlik Sense Enterprise for Windows deployments to managed container services using Qlik Sense Enterprise for Elastic or hosted by Qlik using Qlik Cloud Services. Both capabilities are technically similar: Qlik Sense Enterprise for Elastic (QSEfE) is customer-deployed, while Qlik Cloud Services (QCS) is a fully managed service hosted by Qlik. The underlying architecture is microservices-based and delivered through Docker and Kubernetes. [3] The following is an overview of the relevant services as used in both QCS and QSEfE, highlighting the differences where appropriate.

Ingress
[container name: qsefe-nginx-ingress-controller]

All client communication and Qlik Sense Enterprise for Windows communication is routed through an NGINX-Ingress controller named qsefe-nginx-ingress-controller. This ensures a single point of entry to the multi-cloud environment, and by leveraging the capabilities of Kubernetes, NGINX-Ingress can take advantage of edge devices within managed container services such as a load balancer.

Authentication
[container name: qsefe-edge-auth]

Users access content in the multi-cloud environment using a web based portal and analytics client. The client is protected by an Identity Provider (IdP) conforming to OpenID Connect, such as Auth0 or Okta, and integration between the IdP and the multi-cloud environment is handled via a container called qsefe-edge-auth. All communication between the IdP and qsefe-edge-auth is encrypted using TLS. Customers should ensure they are using an IdP that supports both SAML to connect to Qlik Sense Enterprise for Windows and OpenID to connect to the multi-cloud environment. With this, users can log in using the same credentials and leverage a single license and consistent entitlements throughout.

Similarly, service communication between Qlik Sense Enterprise for Windows and the multi-cloud environment is encrypted using TLS and authenticates using the same IdP integration as above.

[3] For more information about Qlik Sense architecture, review the Qlik Sense Architecture & Scalability whitepaper.

Authorization
[container name: qsefe-policy-decisions]

The relevant entitlements defined using the Security Rules in Qlik Sense Enterprise for Windows are automatically pushed to a multi-cloud environment and enforced with a container called qsefe-policy-decisions. Other containers within the deployment leverage qsefe-policy-decisions to determine the permissions of a user, such as which applications and collections of applications (e.g., Sales, Finance) the user can access. Additionally, section access, which provides row and column level security, is enforced in the multi-cloud environment.

Data Access

Distribution Policies

With Distribution Policies that are defined and managed in the Qlik Sense Management Console, it is possible to specify which applications are to be delivered to the multi-cloud environment. Those applications are transmitted using TLS and stored in a persistent volume using Kubernetes. Encryption of persistent volumes is managed by the host operating system.

Secrets

Secrets such as MongoDB credentials, IdP configuration, and SSL certificates are stored using Kubernetes Secrets.

Qlik Cloud Services

With multi-cloud capabilities, apps can be distributed from Qlik Sense Enterprise for Windows deployments to Qlik Cloud Services, a fully managed service provisioned and administrated by Qlik, using the distribution policies described above.

Qlik Cloud Services is hosted on Amazon AWS infrastructure in three regions: United States East (Virginia), Europe West (Ireland), and APAC (Sydney). Customers may choose the region in which their data resides, and data will not leave that region. Qlik leverages the AWS shared responsibility model as a secure foundation upon which Qlik Cloud Services is built.

Qlik follows security best practices within Qlik Cloud Services such as strong authentication, the principle of least privilege, encrypted data at rest and in transit, disaster recovery testing, an