AWS and Azure security
Before you deploy Qlik Sense on AWS or Azure, you need an overview of the basic security implications. AWS and Azure each provide specific tools that you use during setup to configure permissions and set security options. Once you have deployed Qlik Sense to your chosen cloud environment, you use the Qlik Management Console (QMC) to configure security in the same way as you would in an on-premises Qlik Sense deployment.
An overview of your Qlik Sense security considerations:
- In Qlik Sense, you manage all security and authentication settings from the Qlik Management Console.
- A module in the Qlik Sense Proxy Service handles authentication of Microsoft Windows users.
- Authentication is often used in conjunction with a single sign-on (SSO) system that supplies a reverse proxy or filter for authentication of the user.
- Other authentication methods are available, and it is possible to implement your own customized solutions for different authentication scenarios.
Resources managed directly from the QMC:
- Admin roles to grant QMC users administrator level access to various sections
- Proxy certificate for communication between the web browser and the proxy component
- Virtual proxies to allow different modules based on the URI to be used to access the Qlik Sense environment
- Custom properties enabling you to use your own values in security rules
- Access control and security rules to grant users access to Qlik Sense resources
Authentication methods used by Qlik Sense:
- Security Assertion Markup Language (SAML)
- Anonymous authentication
- Session/Ticket API
For more information about Qlik Sense security, see Qlik Sense Enterprise on Windows security.
To configure security in an AWS deployment, you need a basic understanding of how to set up AWS security groups, key pairs, and Qlik Sense security groups. Use the Amazon Management Console to configure AWS security, and the Qlik Management Console to configure all security and authentication settings in Qlik Sense. A module in the Proxy Service (QPS) handles the authentication of Microsoft Windows users. If required, it is also possible to implement your own custom authentication solutions.
Use the Amazon Management Console to configure:
- AWS security groups - Configure access rules for an initial Qlik Sense security group for your EC2 instance.
- Key pair - In the AWS console, create a Qlik Sense key pair. Save the Qlik Sense.pem key pair file locally, as you will need it later to access your instance.
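A way to review the access rules of that security group once it exists, as an added example that is not part of the Qlik documentation. It reads ingress rules in the `IpPermissions` shape returned by the EC2 `describe-security-groups` call and reports Windows management ports reachable from any address. The port list, the group name, and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Assumption (not from the page): management ports that should not be
# reachable from the whole internet on a Windows-based instance.
MGMT_PORTS = {3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}

def _world_open(cidr):
    """True for 0.0.0.0/0, ::/0, or any other zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_ingress(group):
    """Return (port, service, cidr) findings for one security group dict."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":              # "-1" means all protocols, all ports
            lo, hi = 0, 65535
        elif proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        else:
            continue                   # udp/icmp rules are out of scope here
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in filter(_world_open, cidrs):
            for port, name in sorted(MGMT_PORTS.items()):
                if lo <= port <= hi:   # a wide range can hide a single port
                    findings.append((port, name, cidr))
    return findings

# Constructed sample: HTTPS open to all, RDP limited to one admin address,
# and a wide IPv6 range that silently exposes the management ports.
SAMPLE_GROUP = {
    "GroupName": "qlik-sense-sg",      # hypothetical name
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 6000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for port, name, cidr in audit_ingress(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupName']}: {name} ({port}/tcp) open to {cidr}")
```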
You can use AWS Directory Services to set up security and authentication on the Qlik Sense server side. This service makes it easier to set up and run Microsoft Active Directory (AD) in the AWS cloud, or connect your AWS resources to an existing on-premises Microsoft Active Directory.
AWS Directory Service provides you with the following three directory types:
- AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also referred to as Microsoft AD
- Simple AD
- AD Connector
AWS Directory Services makes it possible to connect AWS resources to an on-premises directory using the same corporate credentials. This option uses the Microsoft Security Support Provider Interface (SSPI) to read the Windows user name and password, working in a similar way to single sign-on. If you have multiple nodes in the Qlik Sense Server environment, all nodes need to be part of the same domain.
For more information, see AWS security.
Use the Resource Manager to configure Azure security and the QMC to configure all security groups and authentication settings in Qlik Sense. To configure security in Azure, you first set up a subnet, a virtual network, an IP address for an instance, and network security rules. This is similar to configuring ports in a firewall. You then set up a network interface that your instance can use, and bind it to the network and subnet you set up previously. A module in the Qlik Sense Proxy Service (QPS) handles the authentication of Microsoft Windows users. If required, it is also possible to implement your own custom authentication solutions.
Use the Azure Resource Manager to configure:
- Azure security groups
- Azure Active Directory and Identity Management
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based directory and identity management service. For IT administrators, Azure AD provides an easy-to-use solution to give users single sign-on (SSO) access to other cloud SaaS applications, such as Office365, Salesforce.com, and Concur. Azure AD also includes a full suite of identity management capabilities, including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, role-based access control, application usage monitoring, rich auditing, and security monitoring and alerting.
For more information, see Azure security.