securing sensitive information data security dashboards often contain the most important data in the...


Upload: annis-hampton

Post on 05-Jan-2016


Page 1: Securing Sensitive Information Data Security Dashboards often contain the most important data in the company Securing that information makes business

Securing Sensitive Information


Data Security

• Dashboards often contain the most important data in the company

• Securing that information makes business sense

• In some instances, securing certain information is required by law or contract


Overview

• Securing External Access to CenterView Server

• Server-wide CenterView Settings

• Dashboard Settings

• Data Security


Securing Server Access

• Put CenterView server behind firewall
  – Only allow access to http port
  – Only run CV in that app server

• Protect CV Admin
  – Run Admin on separate App Server
  – Firewall blocks access to Admin port
  – To manage CV, administrators would need to be behind firewall, or to VPN in

• Apache instructions


Server Access cont….

• Run App server over SSL
  – Encrypts all data transfers with CenterView
  – Step-by-step instructions for installing a certificate from a certificate authority can be found at the certificate authority’s website (e.g., Verisign or Thawte)


Overview

• Securing External Access to CenterView Server

• Server-wide CenterView Settings

• Dashboard Settings

• Data Security


Lock down CV Server DB

• CenterView Server database
  – Use own secured database, or
  – Password protect the installed postgres db
    • Modify the Pgsql/data/pg_hba.conf file (e.g., change the ‘trust’ authentication method to ‘md5’)
  – Change the password for the corda user: ALTER ROLE corda WITH PASSWORD 'somenewpassword';

• Change the password in the Administrator for the DF Query Cache and the Snapshot DB (and CenterView Server Database, if enabled)
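An added example (not part of the original slides or of CenterView): a small Python check that finds pg_hba.conf records still using 'trust' and rewrites only their method field to 'md5', as the slide describes. The sample file contents are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout of a pg_hba.conf file (not taken from the slides).
SAMPLE = """\
# TYPE  DATABASE  USER   ADDRESS        METHOD
local   all       all                   trust
host    all       all    127.0.0.1/32   trust
host    all       corda  10.0.0.5 255.255.255.255 md5   # app server
host    trust     all    ::1/128        md5
"""

def _is_bare_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def method_span(line):
    """Return (start, end) of the auth-method token, or None if not a record."""
    body = line.split("#", 1)[0]           # assumption: no '#' inside quoted names
    toks = list(re.finditer(r"\S+", body))
    kind = toks[0].group() if toks else ""
    if kind == "local":
        idx = 3                             # local DATABASE USER METHOD
    elif kind.startswith("host"):           # host, hostssl, hostnossl, ...
        # host DATABASE USER ADDRESS [MASK] METHOD: a bare IP is followed by a mask
        idx = 5 if len(toks) > 3 and _is_bare_ip(toks[3].group()) else 4
    else:
        return None
    return toks[idx].span() if idx < len(toks) else None

def audit(text):
    """1-based line numbers of records whose method is 'trust'."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if (s := method_span(line)) and line[s[0]:s[1]] == "trust"]

def harden(text, method="md5"):
    """Replace only the method field of 'trust' records; keep everything else."""
    out = []
    for line in text.splitlines():
        s = method_span(line)
        if s and line[s[0]:s[1]] == "trust":
            line = line[:s[0]] + method + line[s[1]:]
        out.append(line)
    return "\n".join(out) + "\n"
```

Set the corda password (the ALTER ROLE step above) before switching the method, since a role with no password cannot log in under md5. PostgreSQL must reload its configuration before the edited file takes effect.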


CenterView Admin Settings

• Deploy in Production Mode

• Set HTML Console to Off
  – Change Console Key to something else

• Disallow displaying of status page

• Remove example dashboards (Dashboards page)


Named Users

• Named Users always have access to CenterView Resources

• Two options for set up
  – Allow automatic assignment of a named user on first login
    • Great when there are lots of people
  – Manually select the users
    • May be preferred when there are a few executives


Self-Service Login

• Can only be used with CenterView Authentication

• Users can register themselves into the system

• Users can modify their own account identity settings
  – Change password
  – Set/Change email address
  – Recover password


Authentication Plug-in Access

• Active Directory plug-in shipped with CenterView

• Same plug-in for LDAP – may need some customization to use company scheme

• Tailor authorization to local environment by using the Auth Plugin API
  – Single sign-on
  – Business Objects
  – Salesforce
  – Directory is kept in database


Overview

• Securing External Access to CenterView Server

• Server-wide CenterView Settings

• Dashboard Settings

• Data Security


Dashboard Security

• Dashboard level access
  – Limit access to logged in users
  – Limit access to users in a specific group

• Pages and KPIs level access
  – Limit access to users in a specific group


Server Script User

• isLoggedIn()

• isUserInGroup(groupName)
  – Used in conjunction with the ‘if’ tag to show different KPIs for each group in the same place

• isAuthorized(kpi1.kpixml)

• Demo


Overview

• Securing External Access to CenterView Server

• Server-wide CenterView Settings

• Dashboard Settings

• Data Security


Datafunnel Alias Override

• Username and password set in the datafunnel tag override the username and password set in the alias.

• An Auth plug-in could set custom variables that are the username and password for the database for that user

• Use these custom variables in the datafunnel tag to override the alias.


Database Access

• Business Objects
  – Login with BO Auth Plug-in
  – BO Auth Plug-in can supply groups
  – User in CenterView uses BO credentials in datafunnel queries to BO Universe
    • Build your own report or run an existing report with user granularity

setup


Database Access Cont…

• Salesforce.com
  – Setting up embedded dashboards in Salesforce
  – Privileges of the Salesforce user are used in querying Salesforce data


Securing Sensitive Information

• Securing External Access to CenterView Server

• Server-wide CenterView Settings

• Dashboard Settings

• Data Security
