Security and governance
Identity and access management
Identity providers (IdPs) have become the standard way for organizations to manage authentication and, through group membership, authorization. Qlik integrates with a range of identity providers through the OpenID Connect (OIDC) protocol.
Protocol based – OpenID Connect (OIDC) has become the de facto standard for single sign-on and federated identity on the Internet. OIDC is an identity layer on top of OAuth 2.0 and was designed for cloud deployments; it covers user sign-in, while the underlying OAuth 2.0 flows cover machine-to-machine authentication.
Control the credentials – When an identity provider is used with Qlik, Qlik never sees customer logins or passwords. Sign-in is handled by the customer’s identity provider, and the customer decides which claims are released to Qlik Cloud; the user identifier can be a short name or opaque code that does not identify the individual. Qlik Cloud can also use identity provider groups to control access permissions.
Control access – Because every sign-in is delegated to the identity provider, a user whose access is removed there can no longer sign in to Qlik Sense Enterprise SaaS, and changes to the user’s group membership in the identity provider are reflected in Qlik Cloud at the user’s next sign-in.
Through its OIDC support, the Qlik Cloud platform works with major identity providers such as Okta, Auth0, Azure AD and ADFS.
For customers that do not have an externally reachable identity provider, or that want an in-product option with nothing to manage, Qlik provides Qlik Account. This bundled identity provider is included with the Qlik Cloud platform at no extra cost. Customers invite users by email; each user signs up for a Qlik Account and then uses it to log in to the Qlik Cloud platform.
While Qlik Account simplifies implementation for some customers, it means a separate user name and password for Qlik Sense Enterprise SaaS. Customers can later switch from Qlik Account to their own identity provider if they choose.
The Qlik Cloud platform supports multi-factor authentication (MFA) for tenant administrators, whether they sign in with Qlik Account or through the customer’s identity provider. MFA can also be enabled for all users, again with either Qlik Account or the customer’s IdP.
Secure-by-design – how Qlik builds a secure platform
Qlik builds security into the software development lifecycle by adhering to the Qlik Security Model, developed by the Qlik Software Security Office. The Qlik Security Model is an internal process that ensures all software development is done with a security focus. It draws on best practices from several established, well-regarded secure development processes, adapted to fit the needs of Qlik. The model has five phases that span the entire lifecycle of software development:
Analysis and design: This phase of the process includes system-level and feature-level threat modeling. When a product is designed, the team considers each feature, enumerates the threats against it, and puts countermeasures in place to mitigate each one.
Develop: Qlik uses industry-leading static code analysis tools on both the code specific to new features and the end-to-end code base. After deployment, static analysis continues to run on a regular schedule. The automated reports are supplemented with manual security testing; a security issue confirmed by manual verification is addressed before the affected code is deployed.
Assemble: Test cases are written from a security perspective and executed during development. Testing covers the system level, the feature level, penetration testing, and fuzzing. Test cases cover the end-to-end release to identify security issues in the new product, with specific tests on the code that implements the new features. An independent third-party security company regularly audits the products through penetration testing.
Deploy: The Software Security Office takes part in the deployment phase through its vulnerability management process. It works with external security companies, customers, and partners to identify vulnerabilities in the deployed code, assesses each reported vulnerability, and determines the appropriate action.
Evolve: The Software Security Office reviews all results from the activities in the security model to identify areas for improvement, and the model is adjusted accordingly.
Monitor activity in the tenant
The Qlik Cloud platform’s management console contains several tools for governing a customer’s Qlik Cloud tenant. The event viewer shows which user- and system-initiated activities have taken place and provides an audit trail for major activities such as user logins and the creation, export, reload, and deletion of apps. The same activity is available to the customer through APIs, so it can be forwarded to the customer’s security information and event management (SIEM) solution.
Integrate into existing governance solutions
As well as presenting the audit trail in the Qlik Cloud platform’s management console, the platform provides application programming interfaces (APIs) that allow tenant activity to be read but not modified or removed. Customers can feed the tenant’s audit trail into an existing security monitoring system, or build a new audit application within Qlik Sense Enterprise SaaS on top of the APIs. For more information, see Reviewing system events in our help documentation.
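One way to consume the audit trail described here and under “Monitor activity in the tenant”, as an added example that is not Qlik’s code: each event is flattened into a key=value line of the kind a syslog-based SIEM collector ingests, and one detection runs over the stream, flagging a user who exports several apps within a short window. The event records, their field names (eventTime, eventType, userId, resourceId), the event type strings and the source tag are all constructed for the example and do not reflect the schema of the Qlik Cloud events API.

```python
"""Forward constructed tenant audit events to a SIEM and run one detection.
Added example, not Qlik's code. The event records, field names
(eventTime, eventType, userId, resourceId) and event type strings are
constructed and do not reflect the schema of the Qlik Cloud events API."""
from collections import defaultdict, deque
from datetime import datetime
import json

# Constructed sample: one user pulls three apps within a few minutes.
EVENTS = [
    {"eventTime": "2024-03-01T09:00:00Z", "eventType": "user.login",   "userId": "u-1",    "resourceId": None},
    {"eventTime": "2024-03-01T09:01:10Z", "eventType": "app.exported", "userId": "u-1",    "resourceId": "app-a"},
    {"eventTime": "2024-03-01T09:02:30Z", "eventType": "app.exported", "userId": "u-1",    "resourceId": "app-b"},
    {"eventTime": "2024-03-01T09:03:05Z", "eventType": "app.reloaded", "userId": "system", "resourceId": "app-c"},
    {"eventTime": "2024-03-01T09:04:40Z", "eventType": "app.exported", "userId": "u-1",    "resourceId": "app-c"},
    {"eventTime": "2024-03-01T09:30:00Z", "eventType": "app.exported", "userId": "u-2",    "resourceId": "app-d"},
    {"eventTime": "2024-03-01T09:31:00Z", "eventType": "app.deleted",  "userId": "u-2",    "resourceId": "app-d"},
]


def parse_ts(s: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp; fromisoformat wants +00:00 rather than Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def to_siem_record(ev: dict) -> str:
    """Flatten one event into a key=value line such as a syslog collector ingests.
    Every value is JSON-quoted so a user-controlled string containing spaces
    or '=' cannot inject extra fields into the record."""
    fields = {
        "ts": ev["eventTime"],
        "action": ev["eventType"],
        "user": ev["userId"],
        "resource": ev.get("resourceId") or "-",
        "source": "qlik-cloud-audit",   # assumed source tag for this feed
    }
    return " ".join(f"{k}={json.dumps(str(v))}" for k, v in fields.items())


def detect_bulk_exports(events, threshold=3, window_s=600):
    """Alert once per user who exports at least `threshold` apps within
    `window_s` seconds, a simple mass-download signal. Sliding window per user."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: parse_ts(e["eventTime"])):
        if ev["eventType"] != "app.exported":
            continue
        user, t = ev["userId"], parse_ts(ev["eventTime"])
        window = recent[user]
        window.append(t)
        while (t - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "count": len(window),
                           "first": window[0].isoformat(), "last": t.isoformat()})
    return alerts


if __name__ == "__main__":
    for ev in EVENTS:
        print(to_siem_record(ev))
    for alert in detect_bulk_exports(EVENTS):
        print("ALERT bulk export:", alert)
```

Because the APIs expose the audit trail read-only, a copy held in the SIEM is also the place to investigate if tenant activity is ever disputed: the tenant cannot alter the record, and the forwarded copy is outside the tenant altogether.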
API governance policy
Qlik’s API strategy is backed by an API governance policy that communicates additions, changes, and deprecations across Qlik’s API portfolio. Qlik R&D follows API guidelines for marking API stability, standardizing on specifications (e.g. OpenAPI for REST APIs), and handling API deprecations.
The main objective of the API strategy is to give open and transparent guidance to customers and partners who rely on Qlik APIs to extend the platform.
Qlik R&D has developed a patent-pending API governance framework that collects information from the development teams’ commits to keep APIs discoverable and maintainable. This lets the team deliver enhancements to the platform continuously and gives API consumers outside the organization well-maintained components. For more information on Qlik’s API governance policy, see API policy.