Security

Security in Qlik Sense consists of the following:

  • Protection of the platform

    How the Qlik Sense platform itself is protected and how it communicates and operates.

  • Authentication

    Who is the user and how can the user prove it? Qlik Sense uses standard authentication protocols (for example, Integrated Windows Authentication), HTTP headers, and ticketing to authenticate every user requesting access to data.

  • Authorization

    What does the user have access to? Authorization is the procedure of granting or denying users access to resources.

  • Auditing

    The Qlik Sense platform tracks changes in the repository database, provides comprehensive audit and security logging, and monitors applications.

  • Confidentiality

    Qlik Sense protects confidentiality by:

    • encrypting network connections with Transport Layer Security (TLS)
    • leveraging the operating system file system and server access controls to protect content on Qlik Sense nodes
    • protecting memory using operating system controls
    • securing application access at the resource level
    • encrypting sensitive information (e.g. passwords and data connection strings)
    • protecting app data using data reduction
  • Integrity

    Operating system controls like the file system are leveraged to provide integrity by protecting data at rest, encrypting sensitive information, and preventing data write back to the source system.

  • Availability

    Qlik Sense deployed in a multi-node environment is designed for resiliency and reliability.

Protection of the platform

Security in Qlik Sense relies not only on the Qlik Sense software, but also on the security of the environment it is deployed in. The following are must be considered to maximize the security of your Qlik Sense deployment:

  • Network security
  • Server security
  • Process security
  • App security

All communication between Qlik Sense services and web clients use web protocols that use Transport Layer Security (TLS). TLS uses digital certificates to encrypt information exchanged between services, servers, and clients. Encrypted information flows through tunnels requiring two certificates to secure the connection; a server certificate to identify the correct server and a client certificate to allow the client to communicate with the identified server.

The operating system security system controls access to certificates, storage, memory, and CPU resources. Qlik Sense uses these controls to protect the platform by only allowing authorized users and processes access to required resources.

Qlik Sense goes through a rigorous testing process during development to mitigate security risks and handle unanticipated events. Additional testing verifies Qlik Sense can stand up against known security threats toward the software.

Attribute based access control provides a comprehensive framework to govern user capabilities within the platform. Row and column level data reduction through section access dynamically manages the data that users view and select in applications.

Authentication

All authentication in a Qlik Sense deployment is managed by the Qlik Sense Proxy Service (QPS), including clients connecting to the Hub or the Qlik Management Console (QMC). Qlik Sense requires an external identity provider to verify an individual user’s identity. Upon verification, Qlik Sense transfers the user to the Hub or QMC, encrypting traffic using TLS and certificates with various methods, including support for single sign-on (SSO) solutions to minimize the number of times a user must log on to access apps and websites. The QPS supports the use of multiple proxies and each proxy can use multiple authentication methods over a network protected by Transport Layer Security (TLS).

Each Qlik Sense Proxy Service in a Qlik Sense deployment uses virtual proxies to support authentication. Virtual proxies allow one proxy to support multiple authentication schemes, perform session management, and load balancing across multi-node deployments. Virtual proxies may link to one or many Qlik Sense Proxy Service nodes to direct traffic, load balance between engines, or provide specific access to administrative layers of a deployment.

Authorization

After a user authenticates and gains access to Qlik Sense, authorization through an attribute based access control (ABAC) model enforces application visibility and self-service capabilities within applications. In Qlik Sense, ABAC is defined as an access control method where user requests to perform actions on resources are granted based on assigned attributes of the user, assigned attributes of the resource, environment conditions, and a set of security rules that are specified in terms of those attributes and conditions. Attributes from Active Directory, LDAP, and databases are loaded into Qlik Sense. In addition, attributes may be defined and managed directly within Qlik Sense as well.

Qlik Sense supports authorization in the following ways:

  • Security rules
  • Section access
  • Dynamic data reduction

Auditing

Governance is critical in enterprise business intelligence. Qlik Sense delivers auditing, monitoring and logging using the QMC, applications, and log files to inform administrators and mitigate risks in deployments.

Qlik Sense supports auditing in the following ways:

  • The repository database stores information about when the database was last changed and who made the change.
  • The logging framework provides audit and security logs.
  • The logs are centrally stored.
  • The log format is resistant to injection from the Qlik Sense clients.
  • The license logs are signed with a signature to protect them from tampering.

Confidentiality

Qlik Sense provides confidentiality by encrypting network connections with TLS, leveraging the operating system file system and server access controls to protect content on Qlik Sense nodes, protecting memory using operating system controls, securing application access at the resource level, encrypting sensitive information (e.g. passwords and data connection strings), and protecting app data using data reduction.

Qlik Sense supports confidentiality in the following ways:

  • The network uses Transport Layer Security (TLS) for encryption and certificates for authentication.
  • The information stored in the file share and the repository database, including Qlik Sense content, is protected by the operating system using server access control and file system controls.
  • The process memory and loaded data for Qlik Sense are protected by the physical server and the operating system controls.
  • The apps are secured using access control on the resource level.
  • Sensitive information (for example, passwords and connection strings) that is used to access external data sources is stored with encryption.

  • The app data is protected using data reduction.

Integrity

Qlik Sense provides integrity through operating system controls like the file system to protect data at rest, encrypt sensitive information, and prevent data write back to the source system.

Qlik Sense supports integrity in the following ways:

  • Stored data is protected using the operating system controls (for example, the file system).
  • Sensitive information (for example, passwords and connection strings) that is used to access external data sources is stored with encryption.

  • Qlik Sense does not support write back to the source system (that is, the Qlik Sense clients cannot edit the data sources).

Availability

Qlik Sense supports availability in the following ways:

  • The nodes in a multi-node site are resilient by design. Each node connects to a central node to access the data it needs to fulfill its role.
  • The Qlik Sense protocols are designed to be fault tolerant.

Hjälpte den här informationen?

Varför var informationen inte till hjälp och hur kan vi förbättra den?