Qlik Security: More than a Password
Optimal Qlik security requires application security (what people can see), Zero Trust (who can see it) and data governance, together delivering assured analytics.
Qlik Application Security
In a world where data is shared, every component of the data supply chain must apply appropriate security measures to mitigate risk and ensure trust, within an overall Zero Trust security strategy.
Administration and management – Qlik Cloud Security
Qlik Sense Enterprise SaaS solution brings the power of Qlik’s third-generation analytics platform to groups, teams and businesses that want to quickly start working with analytics to make data-driven decisions securely. Qlik hosts and manages the cloud infrastructure. The customer’s nominated administrator manages the tenant.
Qlik Sense Enterprise SaaS may be deployed independently or as part of a multi-cloud hybrid deployment, including Qlik Forts.
Qlik tenant admins (customers) have access to the Tenant Management Console, where they configure and manage the Qlik Sense Enterprise SaaS tenant for their organisation. Tenant admins can invite new users and assign user roles to give them permissions. For example, you can assign a user as tenant admin, which gives them full access to the management console, or as a developer, which lets them create API keys.
The default identity provider for Qlik Sense Enterprise SaaS is to use the user’s Qlik ID. When you invite a user to the tenant by email they sign in with their Qlik ID. You can also set up other identity providers. There are several types of identity providers from which to choose:
- Interactive: provides login options for users
- Machine to Machine: provides options for API access
- Multi-cloud: provides options for entering your local bearer token to create the identity provider configuration
As the tenant admin, you assign licenses to users to give them either professional or analyser access. As a tenant administrator, you can create and maintain shared and managed spaces.
Managed Spaces
Only tenant administrators can create managed spaces. The managed spaces are restricted to members. No other users can open the apps in the managed space without permission. Only the space owner and target app consumers can open the apps in a managed space.
Permissions are assigned to members when they are added to a managed space and the permissions define what each member can access within a managed space.
Additional tenant admin features
The tenant admin manages system integration through API keys and web integration. They establish content security policies. You can use API keys to authenticate users, developers, or other programs.
Qlik’s content security policy helps to detect and mitigate certain types of attacks including cross-site scripting or XSS and data injection attacks. These attacks range from data theft and site defacement to the distribution of malware.
In the Settings menu, you can view your tenant information and enable or disable many of the features and functionality of Qlik Sense Enterprise SaaS. There you can enable or disable On-demand data dynamic user assignment, API keys, and email sharing.
Qlik Professional or Qlik Analyser?
Professional user access is for users that need to access all the features in a Qlik Sense SaaS installation. A user with professional access can create, edit, and publish sheets or apps and make full use of the available features including administration of a Qlik Sense site.
With a professional license, you can create shared and managed spaces in the hub. A defined group of users can utilise shared spaces to develop apps. Apps inside a shared space are only accessible by the group of users who have access to the space. In a shared space, permissions and license type determine the actions you can perform with an app. You can then add new members to your shared space and assign them permissions.
With an analyser user license, access is for users who consume sheets and apps created by others. With relevant permissions, analyser users can create bookmarks and stories, print objects, stories, and sheets and they can export data from an object to Excel.
How Qlik secures what users can see
Risks
Qlik Sense empowers end-users with self-serve capabilities, but how do we control the Qlik environment and Qlik user privileges?
Risks include:
- Unauthorised users accessing information
- Unreliable reporting
- Multiple versions of the truth
- Unmet use requirements
- Performance issues
Mitigate risks
Qlik Sense can mitigate these risks through security rules and, at a more granular level, through Section Access.
Qlik Sense ensures the operational effectiveness of a system that works according to a design approved by the business.
Different sized organisations can customise Qlik’s security preferences:
- Small environment: the primary requirement is a segregation of duties (SoD) between IT, which manages the QMC, and the business users, who manage the hub.
- Medium-sized business: a segregation of duties between IT and the business is still required, but with more granular control within the business. Department-based authorisation ensures that each department only sees its own apps.
- Large enterprise: even finer control is required. This includes a split between audit, content, security and deployment activities. Additional controls over data access are manageable by adopting an enterprise-ready Qlik data architecture framework.
Qlik security rules
Qlik utilises security rules to determine access to streams and applications. The management console allows the tenant admin to author security rules that grant permissions or grant access to applications in different ways.
A single rule can apply to many streams, so one rule can affect access across multiple streams.
Manage data security with Section Access
Qlik Section Access allows the tenant admin to control an application's security. It is part of the data load script, where you add a security table to define who gets to see what. Qlik Sense uses this information to reduce the data to the appropriate scope for each user, so the application hides data based on the user's identity. The dynamic data reduction from Section Access can target table rows, columns, or a combination of both.
Manage user access to specific data in an app
Dynamic data reduction limits access to rows and columns in the data tables within Qlik Sense apps.
Manage access to row-level data
Tenant admins can hide specific records (rows) from users. Qlik Sense permanently hides all data excluded by these selections from the user.
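To make the reduction rules concrete, here is an added example in Python that models how a Section Access security table is applied to application data. It is an illustration written for this page, not Qlik's own code or load script: real Section Access is evaluated by the Qlik engine inside the load script. The security table, the sales data, the USERID values (on-premise DOMAIN\USER form) and the OMIT handling across multiple rows are all constructed assumptions; the wildcard rule it models (`*` means every value listed in the security table, not every value in the data) and the denial of users with no matching row or no remaining rows (strict exclusion, the Qlik Sense default) reflect documented Qlik behaviour.

```python
"""Model of Section Access dynamic data reduction (added example, not Qlik code)."""
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a user may not open the app at all."""


@dataclass(frozen=True)
class ReducedView:
    rows: list       # rows the user is allowed to see (row-level reduction)
    columns: list    # columns remaining after OMIT (column-level reduction)
    is_admin: bool   # ACCESS = ADMIN on at least one matching row


# Constructed security table. Qlik upper-cases Section Access field names and
# values; REGION is the reduction field, OMIT names a column to hide.
SECTION_ACCESS = [
    {"ACCESS": "ADMIN", "USERID": "DOMAIN\\ADMIN", "REGION": "*", "OMIT": ""},
    {"ACCESS": "USER", "USERID": "DOMAIN\\ALICE", "REGION": "NORTH", "OMIT": ""},
    {"ACCESS": "USER", "USERID": "DOMAIN\\BOB", "REGION": "SOUTH", "OMIT": "MARGIN"},
    {"ACCESS": "USER", "USERID": "DOMAIN\\CAROL", "REGION": "NORTH", "OMIT": ""},
    {"ACCESS": "USER", "USERID": "DOMAIN\\CAROL", "REGION": "SOUTH", "OMIT": ""},
    {"ACCESS": "USER", "USERID": "DOMAIN\\DAVE", "REGION": "WEST", "OMIT": ""},
]

# Constructed application data. EAST is present in the data but never listed
# in the security table, so even the "*" wildcard does not reveal it.
SALES = [
    {"REGION": "NORTH", "CUSTOMER": "Acme", "SALES": 100, "MARGIN": 20},
    {"REGION": "NORTH", "CUSTOMER": "Birch", "SALES": 150, "MARGIN": 30},
    {"REGION": "SOUTH", "CUSTOMER": "Cedar", "SALES": 200, "MARGIN": 40},
    {"REGION": "EAST", "CUSTOMER": "Delta", "SALES": 50, "MARGIN": 10},
]


def _norm(value) -> str:
    # Section Access matching is case-insensitive in practice because Qlik
    # upper-cases the security table; data values must match after upper-casing.
    return str(value).strip().upper()


def allowed_values(user_id, section_access, reduction_field):
    """Return (granted values, omitted columns, is_admin) for user_id."""
    uid = _norm(user_id)
    listed = {_norm(r[reduction_field]) for r in section_access
              if r.get(reduction_field, "") not in ("*", "")}
    granted, omitted, is_admin, matched = set(), set(), False, False
    for row in section_access:
        if _norm(row["USERID"]) != uid:
            continue
        matched = True
        value = _norm(row.get(reduction_field, ""))
        # "*" expands to the values listed in the security table only.
        granted |= listed if value == "*" else {value}
        if row.get("OMIT"):
            # Assumption of this model: OMIT entries are unioned across rows.
            omitted.add(_norm(row["OMIT"]))
        is_admin = is_admin or _norm(row["ACCESS"]) == "ADMIN"
    if not matched:
        raise AccessDenied(f"{user_id}: no Section Access row")
    return granted, omitted, is_admin


def reduce_for_user(user_id, section_access, data, reduction_field="REGION"):
    """Apply row-level and column-level reduction for one user."""
    granted, omitted, is_admin = allowed_values(user_id, section_access, reduction_field)
    rows = [r for r in data if _norm(r[reduction_field]) in granted]
    if not rows:
        # Strict exclusion: a user whose reduction leaves nothing is denied.
        raise AccessDenied(f"{user_id}: reduction leaves no data")
    columns = [c for c in data[0] if _norm(c) not in omitted]
    rows = [{c: r[c] for c in columns} for r in rows]
    return ReducedView(rows, columns, is_admin)


def can_open(user_id, section_access=SECTION_ACCESS, data=SALES) -> bool:
    """True if the user would be allowed to open the app."""
    try:
        reduce_for_user(user_id, section_access, data)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    for user in ("DOMAIN\\ALICE", "DOMAIN\\BOB", "DOMAIN\\CAROL", "DOMAIN\\ADMIN",
                 "DOMAIN\\DAVE", "DOMAIN\\EVE"):
        if can_open(user):
            view = reduce_for_user(user, SECTION_ACCESS, SALES)
            print(user, len(view.rows), "rows, columns:", view.columns)
        else:
            print(user, "access denied")
```

Two points the model makes visible that are easy to miss when writing a real security table: the admin's `*` grants NORTH, SOUTH and WEST (the listed values) but not EAST, and DAVE has a valid row yet is still denied because WEST matches no data. Bob's view drops the MARGIN column while keeping his SOUTH rows.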
User access controls
Active directory
Since the September 2020 release of Qlik Sense, it is possible to sync users belonging to multiple domains with a single User Directory Connector, which simplifies administration.
When connected to Active Directory, the tenant admin sees users, groups and roles within the stream grid, and can use these to define access across streams.
Groups
Qlik allows a tenant admin to assign different user groups with different levels of security to streams in the Management console, to simplify user access control management.
Roles
The QMC comes with a set of predefined administrative roles. Each role is associated with security rules tailored for specific purposes; additional roles can be created to meet the specific requirements of the Qlik deployment.
The user who provided the first valid license key to the QMC receives the root admin role. The root admin has full access rights to all Qlik Sense resources. The other default administrative roles in the QMC are audit admin, content admin, deployment admin and security admin.
Qlik and Zero Trust
Zero Trust reverses the model of castle and moat security and instead assumes that the network is not safe and users are not to be trusted. As a result, both implicit trust and unencrypted traffic become unacceptable.
The key progression with a Zero Trust networking model is that access is no longer defined in terms of IPs and ports; instead, it is defined in terms of services and identities.
Identities and services are what grant access to systems. If you need to access a service, you are an identity, but not only you as a person: your individual device can be an identity, and so can an application. Zero Trust therefore allows a granular degree of control when defining and curating policies, e.g. this person's phone can access this one thing.
Qlik relies on its customers to ensure that Zero Trust persists in a hybrid architecture including the use of Forts. Qlik provisions for Zero Trust in relation to user access controls and identity management. Further analysis of a Qlik deployment framework should be performed prior to commissioning and necessary hardening implemented. This will mean that the entire data supply chain is protected from bad actors.
With Zero Trust, each element of the Qlik architecture should be protected via obfuscation to eliminate the ability of bad actors to sniff the network or access network components that may otherwise be considered attack vectors. This protection applies to all types of user, especially those with elevated, privileged access.
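The policy model described above (identities rather than addresses, default deny, and a person, a device or an application each counting as an identity) can be sketched in a few lines. The following is an added illustration written for this page, not Qlik's own authorisation code; the service names, identities and policies are constructed, and the source IP is carried only to show that it plays no part in the decision.

```python
"""Identity-based, default-deny access decisions (added example, not Qlik code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    kind: str   # "user", "device" or "application"
    name: str


@dataclass(frozen=True)
class Request:
    service: str
    identities: frozenset   # every principal presented: user, device, application
    source_ip: str          # retained for audit logging only; never a decision input


@dataclass(frozen=True)
class Policy:
    service: str
    required: frozenset     # all of these identities must be present together


# Constructed policies: the person AND the specific device, or a named application.
POLICIES = (
    Policy("qlik-hub", frozenset({Identity("user", "alice"), Identity("device", "alice-phone")})),
    Policy("qmc", frozenset({Identity("user", "root-admin"), Identity("device", "admin-workstation")})),
    Policy("reload-api", frozenset({Identity("application", "scheduler")})),
)


def authorize(request: Request, policies=POLICIES) -> bool:
    """Default deny: allow only if some policy for this service is fully satisfied.

    The network location (request.source_ip) is deliberately ignored; being
    "inside" the network grants nothing under Zero Trust.
    """
    return any(p.service == request.service and p.required <= request.identities
               for p in policies)


def decide(service, identities, source_ip="0.0.0.0") -> bool:
    """Convenience wrapper building a Request from (kind, name) pairs."""
    return authorize(Request(service, frozenset(Identity(k, n) for k, n in identities), source_ip))


if __name__ == "__main__":
    print(decide("qlik-hub", [("user", "alice"), ("device", "alice-phone")], "203.0.113.7"))
    print(decide("qlik-hub", [("user", "alice"), ("device", "alice-laptop")], "10.0.0.5"))
```

Alice on her phone from an external address is allowed; Alice on a different device from an internal address is refused, because the decision keys on identities, not on where the traffic came from.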
Qlik Governance
It is imperative that organisations are able to provide security and governance to:
- Certify the data
- Certify the process
- Certify the output
1 Certify the data
A Smarter.BI application platform …powered by Qlik feeds off data from one or multiple sources. Each of these data sources contributes to the eventual output that is used to make better business decisions, so it needs to be accurate and timely. Optimising data quality and data source management is just one element of delivering a Smarter.BI application platform …powered by Qlik as a service.
2 Certify the process
The business rules and business logic that drive the presentation of data, and that lead to better business decisions, rest on the ability to provide what we call a certified process. The concept is simple: reverse-engineer the output back to the feeds that create it. The requirements for scheduled data delivery and reload need to be understood and implemented to create the right data at the right time. As part of the service definition, we continually improve the back-end processes that feed Smarter.BI applications, and the management of the applications themselves, by creating certified processes. Good governance is then required to manage them.
3 Certify the output
The final component is output validation. Whether Smarter.BI applications are deployed to the enterprise or locally to a department, our best practice would dictate that each and every Smarter.BI application has controls and exception reporting (integrity checking) in place to ensure that what the decision-maker is looking at is what the decision-maker should be looking at by way of meaningful intelligence. Further, we can trace each data element to its source provenance.
Qlik Security Services that we offer
Qlik Security services can be provided at any time during the life cycle of your Qlik deployment: usually at the initial point of sale as a Security Workshop, as your Qlik estate grows as Qlik Security Training, or when you are looking to change your architecture (to include Qlik Forts, for example) as a Qlik Security Review. Qlik Security services can be called upon as part of a Qlik Managed Services engagement or stand-alone. Clients may request Qlik Security Reviews at various times and we are happy to support these requirements. Qlik Security services are available to the public sector.