Security and governance
A Qlik Cloud Data Integration deployment is made up of three key components:
Qlik Cloud Data Integration
Cloud-storage: S3 bucket(s) or data warehouse tables
Data Gateway - Data Movement
There are several aspects of how we secure different data delivery strategies, which we will discuss here.
All connections from on-premise to the cloud are outbound. This means there is no need to open any inbound port through the corporate firewall, nor to provide a publicly resolvable IP address. The connection is initiated by the Data Movement Gateway and upgraded to a WebSocket Secure (WSS) connection, over which Qlik Cloud sends command and control messages to initiate data synchronization. All data in transit is protected by TLS 1.2 or 1.3. Command and control plane communication is additionally encrypted with a random channel key that is changed every time the gateway connects to Qlik Cloud.
Qlik Cloud Data Integration does not transfer data into Qlik Cloud for the purposes of running a data pipeline, nor does it cache this data in Qlik Cloud. Data is only stored in Qlik Cloud if either of the following is true:
Qlik Cloud is the target platform
It is metadata
Qlik Cloud as a target
Data from source systems can be stored either in Qlik-managed or customer-managed storage. The only time data is stored in Qlik Cloud is when Qlik Cloud – Qlik-managed storage is chosen as the data platform (target) for a data project. In that case the landed data resides in a Qlik data space encrypted with the customer's unique encryption keys. The customer must still provide a separate S3 storage area for the landing of the data (staging).
All other targets
If you choose Qlik Cloud – customer-managed storage as data platform (target), one or two S3 buckets must be connected for staging and storage. The same S3 bucket can be used for both connections.
If the data platform is any one of the cloud targets, such as Snowflake, Azure Synapse Analytics, Microsoft SQL Server, Databricks or Google BigQuery, the data will be both staged and landed there, and never in Qlik Cloud.
The Data Movement Gateway's replication engine pushes source data directly from on-premise / VPC source systems to the cloud target, involving Qlik Cloud only if the source is a SaaS application (or Qlik Cloud is the target). The gateway manager is responsible for metadata and command and control, but never for data transfer.
Metadata about the data source and connections is stored in Qlik Cloud Data Integration and is not persisted in the Data Movement Gateway. Metadata required to run a job is transferred securely to the gateway, but is kept in memory and never written to the gateway server's disk.
The Data Movement Gateway communicates with the source and target endpoints (typically databases) using either the vendor-provided client package or a standard ODBC driver. For this reason, the Data Movement Gateway relies on the source/target endpoint vendors for in-transit encryption. While most vendors support encrypted connections, the specifics of other vendors' software are out of scope for this document.
Databases are assumed to sit on a private, highly secured network with limited access from other applications. The Data Movement Gateway requires access to the source databases. Data landing on customer-managed cloud storage can be encrypted using server-side encryption.
Qlik Cloud offers data at rest encrypted with the tenant private key or optionally with the customer's own managed keys. For more information about encryption, see the Qlik Cloud platform evaluation guide.
Service-to-service authentication and authorization
The Data Movement Gateway uses a JWT-based token to communicate with Qlik Cloud. Communication between the Data Movement Gateway and Qlik Cloud is always encrypted with TLS 1.2 or higher.
Customer-managed cloud storage (S3 bucket) requires an access key and secret and is subject to IAM control. This allows customers to set separate read/write permissions for different buckets. See What is IAM? for more details.
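The two points above (server-side encryption on the customer-managed landing buckets, and IAM control over what the gateway's access key may do) are easiest to reason about as concrete policy documents. The following is an added illustration, not Qlik's own code or a Qlik-supplied policy: it builds a least-privilege IAM policy scoped to exactly the staging and storage buckets, a bucket policy that refuses unencrypted or non-TLS uploads, and a small lint that flags wildcard grants. The bucket names are constructed placeholders. The deny-unencrypted statement assumes the uploading client sends the server-side-encryption header; if the gateway relies on the bucket's default encryption setting instead, enforce encryption through that default rather than this deny.

```python
"""Least-privilege S3 access for a data-movement gateway, plus a bucket policy
that refuses unencrypted or plaintext-HTTP uploads. Added illustration with
constructed bucket names; not a Qlik-supplied policy."""
import json

STAGING_BUCKET = "example-qcdi-staging"   # constructed placeholder
STORAGE_BUCKET = "example-qcdi-storage"   # constructed placeholder


def gateway_policy(staging: str, storage: str) -> dict:
    """IAM policy for the gateway's access key: list and read/write objects in
    the named buckets only. The same bucket may be used for both roles, in
    which case it appears once."""
    buckets = sorted({staging, storage})
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListNamedBuckets",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": [f"arn:aws:s3:::{b}" for b in buckets],
            },
            {
                "Sid": "ObjectReadWrite",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets],
            },
        ],
    }


def require_sse_bucket_policy(bucket: str) -> dict:
    """Bucket policy that denies PutObject requests lacking a server-side
    encryption header, and denies any access that is not over TLS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedPut",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                # Null=true means "the header is absent" -> deny
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def lint_policy(policy: dict) -> list:
    """Return findings for Allow statements granting wildcard actions or
    resources; an empty list means the policy is scoped to named buckets."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"{st.get('Sid')}: wildcard action {a}")
        for r in resources:
            if r in ("*", "arn:aws:s3:::*"):
                findings.append(f"{st.get('Sid')}: wildcard resource {r}")
    return findings


def to_json(policy: dict) -> str:
    """Serialize a policy document for pasting into the IAM or S3 console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = gateway_policy(STAGING_BUCKET, STORAGE_BUCKET)
    print(to_json(policy))
    print("lint findings:", lint_policy(policy))
    print(to_json(require_sse_bucket_policy(STORAGE_BUCKET)))
```

The separation matters for incident containment: the key the gateway holds can only touch the two named buckets, and a compromised key cannot enumerate or write elsewhere in the account. Run `lint_policy` on any hand-edited policy before attaching it, since a stray `s3:*` or `Resource: "*"` is the most common way the scoping is lost.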
User authentication and authorization
Authentication of users on the Qlik Cloud platform is handled by the configured identity provider:
Qlik Account — This is the default mechanism and is managed by Qlik. It provides a secure but basic authentication solution for customers; it is not configurable and does not integrate with a customer's existing identity solutions.
Third-party identity provider — Qlik Cloud supports configuring third-party identity providers that support the OpenID Connect (OIDC) protocol.
For more information about authentication, see the Qlik Cloud platform evaluation guide.
Users of Qlik Cloud Data Integration are managed using the same role-based access control system as the rest of Qlik Cloud. The available roles are described in the following table:
| Data space role | Summary |
|---|---|
| Is owner | Full permissions on the space, including the ability to grant others access |
| Can view | Monitor, but not alter, the data pipeline |
| Can consume | Consume data from data tasks in the data space |
| Can manage | Manage the space details and members |
| Can operate | View data tasks with basic details and perform actions such as run, stop, and resume |
| Can edit | View and edit data tasks in this space, as well as create new data assets |
For more information about platform level authentication and authorization, see the Qlik Cloud platform evaluation guide.