securing tableau online: protecting data as a service...why aws? • industry-leading iaas, paas,...


Post on 25-Jun-2020


Securing Tableau Online: Protecting Data as a Service

#data19

Braxton Ehle

Senior Product Security Engineer

Tableau

Anir Agarwal

Senior Product Manager

Tableau

Slides: https://tableau.egnyte.com/fl/xEsWxBRJgM

Agenda

• Shared Responsibility Model
• Layer 1: Amazon Web Services (AWS)
• Layer 2: Tableau Online Infrastructure
• Tableau Online Security Architecture Overview
• Tableau-managed Infrastructure
• Layer 3: Customer-managed Online Sites
• Q&A

Survey Says…

AWS
1. Can spell AWS
2. Have Launched an Instance
3. Built a service in AWS

Tableau
1. Used Tableau
2. Published to Tableau Server/Online
3. Administered a Tableau Online Site

Meet Bob

• Planning move to Tableau Online.
• TOL checks the boxes.
• Wants to be sure data is secure.
• Most data is in HQ in Las Vegas.
• Some offices in EU.

Shared Responsibility Model

Customer: Security in the Service
• Data Published
• IAM
• Data Access

Tableau: Security in the cloud & of the Service
• Customer Data
• Platform, Application, IAM
• OS, Network & Firewall Configuration
• Client-Side data encryption & integrity | Server-side encryption | Network segmentation

AWS: Security of the Cloud
• Software: Compute | Storage | Database | Networking
• Hardware / Global Infrastructure: Regions | Availability Zones | Edge Locations

Bob

Layer 1: AWS

AWS Security

Why AWS?
• Industry-leading IaaS, PaaS, SaaS solutions
• Data Gravity: Allows us to be where our customer data is

Secure Services and Building Blocks
• Manage datacenter and core-infrastructure security
• Services like IAM, CloudTrail, etc. enable security

AWS: Security of the Cloud
• Software: Compute | Storage | Database | Networking
• Hardware / Global Infrastructure: Regions | Availability Zones | Edge Locations

Layer 2: Tableau-managed Infrastructure

Online Architecture Overview

Where in the world does my Tableau Online data live?

Bob

How does my data in Tableau Online move around? Is it safe?

What about my on-premises data?

Data Locality

World-Wide Deployment
• Customers select their region when they set up their site
• Data local within their region, with logical site-level isolation

Redundancy and Availability
• Built-in redundancy, so Tableau Online is highly available for customers

Bob

Tableau Online Architecture

Key Services and Stores
• Workers: Workers are performing tasks – anything from running your queries, handling your interactions to refreshing your extracts
• Storage: Where your data is stored – various Amazon stores (RDS, S3, etc.)
• Bridge: Tableau Online-only software to connect to data behind firewalls

[Diagram labels: Tableau Online | Requests | Application Workers | Background Workers | Tableau Bridge]

Web Editing and Live Queries

[Diagram labels: Cloud DB Env (Cloud Databases) | TLS 1.2 | Tableau Online: Application Workers (Encrypted Volumes) | TLS 1.2]

Scheduled Extracts

[Diagram labels: Cloud DB Env | TLS 1.2 | Tableau Online: Background Workers (Encrypted Volumes)]

On-Prem Databases with Bridge

How Bridge Works
• Runs in application mode or service mode on Windows
• Authorized by a user with their credentials (Admins, Creators)
• Encrypted WebSocket between Tableau Bridge and Tableau Online
• Live Queries pass through Bridge, Extracts built on Bridge and sent to Online

Bridge Scheduled Extracts

[Diagram labels: On-Premise / VPC Environment: Tableau Bridge | TLS 1.2 | Tableau Online: Background Workers (Encrypted Volumes)]

Online Infrastructure Security

Vegetable Eating as a Service:
• Server configuration
• Patching
• Logging
• Monitoring
• Bears?
• Oh my!

Online Infrastructure Security

Leverage AWS Security Tools:
• Each instance uses a specific IAM role, ~15/POD
• Utilize native logging capabilities
• GuardDuty: Incident Detection
• Patch Manager

Do you encrypt EBS volumes in Online? Yes.

Watching the Watchers

Periodic Security Assessments:
• Yearly external penetration tests
• Regular internal security assessments
• Security reviews
• Public security researcher reports via [email protected]

Watching the Watchers

Ongoing Security Assessments:
• Static analysis of code and infrastructure as code
• Continuous external vulnerability scans
• Regular internal vulnerability scans

Watching the Watchers

Demonstrable Security:
• SOC 2 Type II & SOC 3 report
• Reports from external penetration tests, vulnerability scanning
• CSA Self-Assessment to answer questions you didn’t know you had

Layer 3: Customer-managed Online Sites

Online Site Hardening: Starting Point

https://www.tableau.com/security -> Tableau SOC 3 - May 2019

Online Site Hardening

Authentication
• Use SSO
• Use SCIM (soon)

Online Site Hardening

Visibility - Admin Insights
See and understand your site activity

Online Site Hardening

Extensions
• Whitelisting
• Full data access / user prompting

Online Site Hardening

General:
• Support Access
• Data source security

Bridge:
• Limited access service accounts
• Standard design pattern: avoids firewall poking

Mobile:
• Tableau Mobile works with a variety of MDM solutions

Layers of Security…

Customer: Security in the Service
• Outsource Authentication
• Least Privilege
• See & understand your Admin Insights

Tableau: Security in the cloud & of the Service
• Encrypting all the things
• Secure operations while you sleep

AWS: Security of the Cloud
• Secures the hardware and datacenters
• Provides handy security levers

Bob

Thank You

Thank You & Q&A & Thank You

May I Interest you in a bottle of the ‘19 TC Security Sessions?
• Security Meetup: 2019-11-13 | 12:15 – 1:15 | Level 3 – South Seas D
• Drive Online Site Adoption with Admin Insights: 2019-11-15 | 2:15 – 3:16 | Level 2 – Reef C

Slides: https://tableau.egnyte.com/fl/xEsWxBRJgM

Talks You May Have Missed

• Tableau Online Admin Experience
• Managing and Leveraging Data with Tableau Online
• Tableau Bridge: Bring Your Data to Tableau Online
• Tableau Online Architecture

Appendix

Tableau Security Resources:
• https://www.tableau.com/security

Tableau Permissions:
• https://help.tableau.com/current/server/en-us/license_permissions.htm
• https://help.tableau.com/current/server/en-us/license_permissions_backgrnd.htm

Online Site Hardening:
• Enabling SAML for your site: https://help.tableau.com/current/online/en-us/saml_config_site.htm
• SCIM configuration: https://help.tableau.com/current/online/en-us/scim_config_online.htm

Contacting Tableau
• [email protected]
• PGP Key

Other
• Security bulletins
• Tableau Trust