Skip to main content Skip to complementary content

Security and governance

A Qlik Cloud Data Integration deployment is made up of three key components:

  • Qlik Cloud Data Integration

  • Cloud-storage: S3 bucket(s) or data warehouse tables

  • Data Gateway - Data Movement

There are several aspects of how we secure different data delivery strategies, which we will discuss here.

Connection and perimeter security

All the connections from on-premise to the cloud are outbound. This means there is no need to open any port through the corporate firewall, nor to provide a publicly resolvable IP address. The connection is initiated by the data movement gateway and promoted to a web socket secure (WSS) connection, which allows Qlik Cloud to send command and control to initiate the data synchronization. All data in transit is secured by the TLS 1.2 and 1.3 protocol. Command and control plane communication is additionally encrypted with a random channel key which is changed every time the gateway connects to Qlik Cloud.

Data storage

Qlik Cloud Data Integration does not transfer data into Qlik Cloud for the purposes of running a data pipeline, nor does it cache this data in Qlik Cloud. Data is only stored in Qlik Cloud if either of the following is true:

  • Qlik Cloud is the target platform

  • It is metadata

Qlik Cloud as a target

Data from source systems can be stored either in Qlik-managed or customer-managed storage. The only time data is stored in Qlik Cloud is when choosing Qlik Cloud – Qlik-managed storage as data platform (target) for a data project. This means that the landed data will reside in a Qlik data space encrypted with the customer's unique encryption keys. Customer must still provide a separate S3 storage area for the landing of the data (staging).

All other targets

If you choose Qlik Cloud – customer-managed storage as data platform (target), one or two S3 buckets must be connected for staging and storage. The same S3 bucket can be used for both connections.

If the data platform is any one of the cloud targets, such as Snowflake, Azure Synapse Analytics, Microsoft SQL Server, Databricks or Google BigQuery, the data will be both staged and landed there, and never in Qlik Cloud.

The Data Movement Gateway's replication engine will directly push source data from on-premise / VPC source systems to the cloud target, only involving Qlik Cloud if the source is a SaaS application (or Qlik Cloud is the target) . The gateway manager will be responsible for metadata and command and control, but never data transfer.

The Data Movement Gateway

Data Movement Gateway

Metadata storage

Metadata about the data source and connections are stored in Qlik Cloud Data Integration and are not persisted in the Data Movement Gateway. Metadata required to run a job is transferred securely to the gateway, but is kept in-memory and not persisted to the gateway server.

Data encryption

The Data Movement Gateway communicates with the source and target endpoints (typically databases) using either the vendor-provided client package or via a standard ODBC driver. For this reason, the Data Movement Gateway relies on the source/target endpoint's vendors for the in-transit encryption. While the majority of vendors all support encrypted connections, it is out of scope for this document to cover the specifics of other vendor software.

Databases are assumed to sit on a private high-secure network with limited access from other applications. The Data Movement Gateway requires access to the source databases. Data landing on the client-managed cloud storage can be encrypted using server-side encryption.

Qlik Cloud offers data at rest encrypted with the tenant private key or optionally with the customer's own managed keys. For more information about encryption, see the Qlik Cloud platform evaluation guide.

Service-to-service authentication and authorization

The Data Movement Gateway uses a JWT-based token to communicate with Qlik Cloud. Communication between the Data Movement Gateway and Qlik Cloud is always encrypted with TLS 1.2 or higher.

Client-managed cloud storage (S3 bucket) requires a key and secret and is subject to IAM control. This allows customers to set the read/write permissions for different buckets. See What is IAM? for more details.

User authentication and authorization


Authentication of users on the Qlik Cloud platform is handled by the configured identity provider:

  • Qlik Account — This is the default mechanism and is managed by Qlik. It provides a secure but basic authentication solution for customers, however is not configurable and does not integrate with a customer's existing solutions.

  • Third party identity provider — Qlik Cloud supports configuring third party identity providers that support the OpenID Connect (OIDC) protocol.

For more information about authentication, see the Qlik Cloud platform evaluation guide.


Users of Qlik Cloud Data Integration are managed using the same role based access control system as is used for the rest of Qlik Cloud. The available roles are described in the following table:

Data space role Summary
Is owner Full permissions on the space including the ability to grant others access
Can view Monitor, but not alter the data pipeline
Can consume Consume data from data tasks in the data space
Can manage Manage the space details and members
Can operate View data tasks with basic details and perform actions, such as run, stop, and resume
Can edit View and edit data tasks in this space, as well as create new data assets

For more information about platform level authentication and authorization, see the Qlik Cloud platform evaluation guide.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!