denodo data virtualization platform: security (session 5 from architect to architect webinar series)

Five In-depth Technology and Architecture Sessions on Data Virtualization Session 5: Security

Upload: denodo

Post on 20-Aug-2015


TRANSCRIPT

Five In-depth Technology and Architecture Sessions on Data Virtualization

Session 5: Security

Today’s Speaker

■ Jesus Barrasa

Senior Solutions Architect, Denodo

Architect-to-Architect Series

■ Series of five webinars over 3 months

■ Deeper look into Denodo Platform

■ Architectural Overview

■ Performance

■ Scalability

■ Data Discovery and Governance

■ Security (today’s session)

Denodo Express

■ Denodo Express

■ Free to Download

■ Fully functioning Data Virtualization Platform

■ Single user, supports common data sources

■ Many of the same capabilities of Denodo Platform

■ Performance, Data Discovery, Governance, internal Security, Publishing, …

Security – Architecture Modules

Security

■ Authentication & Authorization

■ Built-in User/Role Management Module

■ Integration with external entitlement servers (LDAP/AD)

■ Multi-level access controls

■ Database, View, Row, Column, and Cell

■ Policy-based Security and Workload Management

■ Enforcement of custom policies for query execution according to security & workload considerations

Overview

■ Unified security management through Data Virtualization

• Data Virtualization offers an abstraction layer that decouples data sources from consumer applications

■ Single point for accessing all the information avoiding point-to-point connections to sources

• As a single point of access, Security can be enforced in this layer:

■ Access restrictions to sources are enforced here

■ They can be defined in terms of the canonical model (e.g. access restrictions to “Bill”, to “Order”, and so on) with a fine granularity

Layered Security Architecture

Detailed Security Architecture

Data Securely Handled

■ Data Virtualization secures the access from consumers to sources:

• Consumer – Data Virtualization Platform security layer

■ Communications between consumer applications and the DV layer can be secure

• Typically using SSL (data in motion).

• Data Virtualization Platform – Sources security layer

■ Communications between the DV layer and the sources can also be secure

• Specific security protocol depends on the source: SSL, HTTPS, sFTP, etc. (data in motion)

Data Securely Handled (Cont’d)

• Information can be:

■ encrypted in the sources,

■ read by the Data Virtualization layer

■ and exported in encrypted form if needed (data at rest)

Denodo Platform Security Layer

■ Role-based Authentication and Authorization

• Users/roles can be defined in the Denodo Platform

■ Fine-grained authorization

• Schema-wide permissions

■ Virtual Database

• Access to a database schema (e.g. credit risk database, operational risk database, etc.)

■ Views of the canonical model

• Access to specific views (e.g. “Regional Risk Exposure”, etc.)

• Data specific permissions

■ Row (by selections) and column level authorization

■ Data masking (hide sensitive fields)

Denodo Platform Permissions

■ Database Permissions:

• Connect – connect to virtual database

• Create – create new data sources, views, stored procedures, and web services. Deploy web services

• Read – List views and stored procedures in database catalog, view schema of the views, query the views and stored procedures (i.e. execute SELECT/CALL statements)

• Write – delete and modify views and stored procedures, execute INSERT, UPDATE, and DELETE statements

• Admin – manage the database, i.e. configure the database and grant or revoke privileges to users and roles on database elements (views, stored procedures, etc.)

■ Cannot create or delete users and roles, or grant admin privileges to others

Denodo Platform Permissions

■ View Permissions:

• Read – view schema and execute SELECT statements

• Write – modify the view and execute INSERT, UPDATE, & DELETE statements

• Insert – execute INSERT statements

• Update – execute UPDATE statements

• Delete – execute DELETE statements

■ Column Permissions

• Do not allow access to restricted columns

■ Row Permissions

• Restrict access to rows

• Mask sensitive data in columns

Secure Access to Cached Data

■ When accessing cached data, the same security restrictions are taken into account:

• Data is stored in the cache in terms of the canonical model (e.g. “Regional Risk” view).

• The Denodo Platform applies the security restrictions for the user/role on a given database, view, columns and/or row in the cache.

Hierarchical Role Definition

■ A role can inherit and redefine an existing role at any level in the tree

Integration with Existing Security Architecture

■ Seamless integration with existing security policies:

• The Denodo Platform can import security definitions from external directory services

■ LDAP and Microsoft Active Directory

• If needed, the Denodo Platform can pass through security credentials directly to the sources

■ Pass-through authentication

■ User credentials defined at the consumer application level can be used to authenticate directly in the sources

• It can enforce security policies defined in an external entitlement management system

Integration with Existing Security Architecture (Cont’d)

■ LDAP and Active Directory based authentication

• The Denodo Platform delegates authentication to a designated LDAP/Active Directory service.

■ Users don't need to be defined in the Denodo Platform built-in user management system.

■ The Denodo Platform queries the LDAP/AD server to check the user role.

• Roles can be imported from LDAP/Active Directory and used to constrain the access to any database or view within the Data Virtualization Platform.

■ Custom fine-grained access control

• Queries intercepted before they hit the virtual views

Policy-based Security

Custom policies (diagram): Data consumers submit a Query; a Policy Server (e.g. Axiomatics) checks whether the policy conditions are satisfied; the query is then either accepted (Accept + Filter + Mask) and passed on to the Data Sources, or rejected.

Security: applies custom security policies

• If person accessing data has role of 'Supervisor' and location is 'New York', then show compensation information for employees in the New York office only.

Enforcement: rejects/filters queries by specified criteria like user priority, cost, time of day etc.

• If the production batch window runs from 3 am - 6 am, there is increased load on production servers at this time. So, all queries on these servers can be blocked during this time to prevent failure of a process.

Custom Policy
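As an added illustration (not Denodo code and not its policy API), the following Python evaluator implements the two custom policies described on the slides, the 'Supervisor'/'New York' compensation rule and the 3 am - 6 am batch-window rule, and returns the decisions the diagram names: Reject, or Accept with row filtering and cell masking. The sample rows, the `Query`/`Decision` types and the choice to mask compensation for every other requester are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample rows of an "Employee" view in the canonical model.
EMPLOYEES = [
    {"name": "A. Lee",   "office": "New York", "compensation": 120000},
    {"name": "B. Ortiz", "office": "Boston",   "compensation": 95000},
    {"name": "C. Shah",  "office": "New York", "compensation": 101000},
]

@dataclass
class Query:                    # assumed shape of an incoming request
    user: str
    roles: set
    location: str
    hour: int                   # local wall-clock time the query arrived
    minute: int = 0

@dataclass
class Decision:
    accepted: bool
    reason: str
    rows: list = field(default_factory=list)

BATCH_START, BATCH_END = (3, 0), (6, 0)   # production batch window from the slide

def workload_policy(q: Query) -> Optional[str]:
    """Enforcement rule: block queries during the 3 am - 6 am batch window
    so they cannot add load while the batch process runs."""
    if BATCH_START <= (q.hour, q.minute) < BATCH_END:
        return "rejected: production batch window (3 am - 6 am)"
    return None

def security_policy(q: Query, rows: list) -> list:
    """Security rule: a 'Supervisor' located in 'New York' sees compensation
    for New York employees only (row filter). Assumed for anyone else: the
    rows are returned with the compensation cell masked, never the raw value."""
    if "Supervisor" in q.roles and q.location == "New York":
        return [r for r in rows if r["office"] == "New York"]
    return [{**r, "compensation": "***"} for r in rows]

def evaluate(q: Query, rows: list = EMPLOYEES) -> Decision:
    """Policy-server flow from the diagram: Reject, or Accept + Filter + Mask."""
    reason = workload_policy(q)
    if reason:
        return Decision(False, reason)
    return Decision(True, "accepted", security_policy(q, rows))
```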

Auditing

■ Audit trail of all the queries and actions executed in the platform

• Configurable multi-level log for later analysis (based on log4j)

■ Generation of events for any action that causes any change in the data catalog

■ With this information it is possible to check at any time who has accessed which resources, what changes have been made or what queries have been executed

Auditing – Tracing User Activity

■ For an event the Denodo Platform generates a JMX notification and logs it in a log file

jConsole receiving JMX “requests” notifications

Auditing – Tracing User Activity

■ The Denodo Platform logs the event into the vdp_queries.log file

• The log file can be read as a data source through the DV platform.

Reading the log file through the Data virtualization platform

Exposing Events to Reporting Tools

■ The events can be exposed to reporting tools:

• Denodo Monitor Report, Tableau, etc.

Accessing event information from Tableau

Denodo Monitor Report aggregate view on user access

Security - Summary

■ Three layered security architecture

■ Consumer, Denodo Platform, Source

■ Fine grained access control

■ Database, View, Column, Row, Cell

■ Integration with existing security architecture

■ Extensible using custom policies

■ Comprehensive auditing

■ Who, what, and when

Q&A

Data Virtualization – Next Steps

Move forward at your own pace

Download Denodo Express –

The fastest way to Data Virtualization

Denodo Community: Documents, Videos, Tutorials, and more.

Attend Architect-to-Architect Series

Performance

Scalability

Data Discovery and Governance

Security

Move forward with one of our Data Virtualization experts

Phone: (+1) 877-556-2531 (NA)

Phone: (+44) (0)20 7869 8053 (EMEA)

Email: [email protected] | www.denodo.com

Five In-depth Technology and Architecture Sessions on Data Virtualization

Thank You!