Watch full webinar here: https://bit.ly/2ZVbLAY
The Denodo Platform makes all data across the organization available to potentially everyone, internally and externally, in real time. But what does this mean for security?
In fact, the Denodo Platform is built from the ground up to ensure that people can only access the data that they are authorized to see. But this is only the beginning. The Denodo Platform enables organizations to implement highly granular access policies that can be applied to roles, groups, or individual users, and that can govern data sets, tables, or even individual cells.
In this session, Vincent Fages-Gouyou, EMEA product management director at Denodo, takes you for a deep dive into the robust security capabilities of the Denodo Platform, which includes a short demo of the Denodo Platform in action.
You will learn the ins and outs of:
- The core Denodo security architecture
- Policy-based protocols, which can govern access based on time of day, query threshold, and many other user-defined parameters
- Role-based control, with row- and column-level masking
- Tag-based security policies, enabling the definition of security policies in the semantic layer
- Denodo Platform support for third-party security solutions
5. The Importance of Data Sharing
• Productivity gains
• Increased collaboration
• Wider scope of opportunities
• Necessary for efficient data governance
• Supports decentralized data ownership
• Enables a self-service data platform
• Data as a product / as an enterprise asset
• Data monetization / data services
6. Data Sharing in Denodo
• Single place to access any data
• Hides the complexity of the back-ends
  • On-prem vs. Cloud
  • Formats and protocols
• Documentation, lineage, collaboration…
• Flexible access across multiple standards: SQL, REST, OData, GraphQL, GeoJSON…
• Secure & controlled data delivery layer
[Diagram: the delivery layer exposed through SQL, API and data MART interfaces]
9. Denodo Platform Authentication – Northbound
• Client application -> Denodo Platform.
• For SQL-based access:
  • Username and password
  • Authentication is often delegated to an external LDAP/AD server
  • Kerberos for Single Sign-On / integrated Windows authentication
  • OAuth 2.0 for JDBC and ODBC
• For web applications:
  • SAML, OpenID, OAuth 2.0 authentication
  • Integration with Identity Providers, e.g. Azure AD, PingFederate, Okta, …
10. Denodo Platform Authentication – Southbound
• Denodo Platform -> Data Source.
• Multiple options adapted to the nature of each source:
  • Use a service account for the source.
    • The Denodo Platform always uses those credentials
    • User/password, Kerberos, OAuth, AWS auth, etc.
  • Use credential pass-through.
    • Access the data source with the same credentials that were used to authenticate with the Denodo Platform northbound
    • E.g. user/password pass-through, Kerberos constrained delegation, etc.
    • Not possible for all protocol combinations
    • E.g. OAuth to user/password is not possible, as the password is not available in the OAuth token
11. Denodo Platform Authorization
• Role-based authorization
  • Users/roles can be defined in the Data Virtualization layer and assigned specific permissions
• Fine-grained authorization
  • Several permission scopes:
    • Virtual database level (e.g. credit risk database, etc.)
    • View level (e.g. “Regional Risk Exposure”, etc.)
    • Row level (filter out rows the user is not authorized to see)
    • Column level:
      • Grant/block access
      • Data masking (hiding sensitive fields)
15. Policy-Based Resource Management
Denodo includes a resource manager to further control and restrict how data is accessed
• Specific rules (e.g. for a role, a time of the day, a specific table, etc.) that apply restrictions to the execution
  • Source protection
  • Pass/deny depending on the time of day
  • Smaller timeouts for certain applications
  • Quotas (e.g. 10 queries per hour) per user or role
  • Etc.
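The kinds of rules listed on this slide (deny by time of day, a per-role query quota over a sliding one-hour window, a shorter timeout for a given application) can be modelled as a small rule engine. The following is an added example written for this page, not Denodo's resource manager or its configuration syntax; the request fields, rule names and the "first deny wins, strictest timeout wins" combination are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Optional, Set


@dataclass
class Request:
    """One query request as seen by the resource manager (constructed shape, not Denodo's)."""
    user: str
    roles: Set[str]
    application: str
    when: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    timeout_s: Optional[int] = None  # None: this rule imposes no timeout


# A rule inspects a request and returns a Decision, or None when it does not apply.
Rule = Callable[[Request, "ResourceManager"], Optional[Decision]]


class ResourceManager:
    def __init__(self, window: timedelta = timedelta(hours=1)):
        self.window = window
        self.rules: List[Rule] = []
        # Sliding window of accepted query timestamps per quota scope ("user:alice", "role:analyst").
        self._accepted: Dict[str, Deque[datetime]] = defaultdict(deque)

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def count_in_window(self, key: str, now: datetime) -> int:
        q = self._accepted[key]
        while q and q[0] <= now - self.window:  # drop entries that left the window
            q.popleft()
        return len(q)

    def evaluate(self, req: Request) -> Decision:
        final = Decision(allowed=True, reason="allowed")
        for rule in self.rules:
            d = rule(req, self)
            if d is None:
                continue
            if not d.allowed:
                return d  # first deny wins; a denied query is not counted against quotas
            if d.timeout_s is not None:  # the strictest timeout wins
                final.timeout_s = d.timeout_s if final.timeout_s is None else min(final.timeout_s, d.timeout_s)
        self._accepted[f"user:{req.user}"].append(req.when)
        for role in req.roles:
            self._accepted[f"role:{role}"].append(req.when)
        return final


def deny_outside_hours(role: str, start_hour: int, end_hour: int) -> Rule:
    """Pass/deny depending on the time of day, for one role."""
    def rule(req: Request, _rm: ResourceManager) -> Optional[Decision]:
        if role in req.roles and not (start_hour <= req.when.hour < end_hour):
            return Decision(False, f"role {role} may only query between {start_hour}:00 and {end_hour}:00")
        return None
    return rule


def quota(limit: int, scope: str, name: str) -> Rule:
    """At most `limit` accepted queries per window; scope is 'user' or 'role'."""
    def rule(req: Request, rm: ResourceManager) -> Optional[Decision]:
        applies = (scope == "user" and req.user == name) or (scope == "role" and name in req.roles)
        if applies and rm.count_in_window(f"{scope}:{name}", req.when) >= limit:
            return Decision(False, f"quota of {limit} queries per window exceeded for {scope} {name}")
        return None
    return rule


def timeout_for_application(application: str, seconds: int) -> Rule:
    """Smaller execution timeout for a specific client application."""
    def rule(req: Request, _rm: ResourceManager) -> Optional[Decision]:
        if req.application == application:
            return Decision(True, f"timeout {seconds}s for {application}", timeout_s=seconds)
        return None
    return rule


def demo() -> Dict[str, Decision]:
    """Constructed scenario: a contractor at night, a dashboard user, and analysts hitting a 10/hour quota."""
    rm = ResourceManager()
    rm.add_rule(deny_outside_hours("contractor", 8, 18))
    rm.add_rule(quota(10, "role", "analyst"))
    rm.add_rule(timeout_for_application("dashboard", 30))
    t0 = datetime(2021, 11, 3, 10, 0)
    results = {
        "contractor_night": rm.evaluate(Request("bob", {"contractor"}, "etl", t0.replace(hour=22))),
        "dashboard": rm.evaluate(Request("alice", {"analyst"}, "dashboard", t0)),
    }
    for i in range(1, 10):  # nine more analyst queries bring the role to its limit of 10
        rm.evaluate(Request("alice" if i % 2 else "carol", {"analyst"}, "etl", t0 + timedelta(minutes=i)))
    results["eleventh"] = rm.evaluate(Request("carol", {"analyst"}, "etl", t0 + timedelta(minutes=10)))
    results["later"] = rm.evaluate(Request("carol", {"analyst"}, "etl", t0 + timedelta(minutes=61)))
    return results
```

Because denied queries are not recorded, a user who keeps retrying after hitting the quota does not push the window further out; only accepted work counts, which is what a quota is meant to bound.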
18. Advanced Semantic Layer: Tags (8.0u3)
• Expands the Denodo Semantic Layer beyond data delivery
  • Tags, endorsements, comments, activity usage, …
• Tags add semantics that can be used for:
  • Data discovery
  • Search and classification
  • Security and governance
  • Integration with third-party tools
• Import tags, classes and terms from leading DG and metadata management tools (Collibra, etc.)
19. Semantic Governance and Security Policies (Q4 2021)
• Define security rules as a function of semantics (tags), independent of specific tables and views
• Security rules apply to multiple elements. No need to define security for each specific table/view
  • E.g. columns with SSNs will be visible to HR and otherwise masked with *** except the last 4 digits
• Easier to govern, less error-prone
• Allows security rules to be implemented across the data landscape, independent of the technologies underneath
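Slides 11 and 19 together describe three layers of authorization: column grant/block, row filtering, and masking that is attached to a semantic tag rather than to a table. The example below is added here to show how those compose; it is not Denodo's implementation or VQL syntax. The view, policy and role names, the two sample tables and the rule that row restrictions of a user's roles are OR-ed together are all constructed for the illustration. The one tag policy on `pii.ssn` applies to every column carrying that tag, in both views, which is the point the slide makes about not defining security per table.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Column:
    name: str
    tags: Set[str] = field(default_factory=set)  # semantic tags such as "pii.ssn" (constructed)


@dataclass
class View:
    name: str
    columns: List[Column]
    rows: List[dict]


@dataclass
class TagPolicy:
    """Columns carrying `tag` are shown in clear only to `visible_to`; everyone else gets `mask`."""
    tag: str
    visible_to: Set[str]
    mask: Callable[[object], object]


@dataclass
class RowPolicy:
    """Rows of `view` that `role` may see; the predicates of all of a user's restricted roles are OR-ed."""
    view: str
    role: str
    predicate: Callable[[dict], bool]


def mask_ssn(value) -> str:
    """Mask an SSN with *** except the last 4 digits, as the slide describes: 123-45-6789 -> ***6789."""
    return "***" + str(value)[-4:]


def mask_email(value) -> str:
    """Keep only the domain of an e-mail address."""
    s = str(value)
    return "***@" + s.split("@", 1)[1] if "@" in s else "***"


class SecurityLayer:
    def __init__(self):
        self.tag_policies: Dict[str, TagPolicy] = {}
        self.row_policies: List[RowPolicy] = []
        # view -> column -> roles granted; a column with no entry is visible to every role
        self.column_grants: Dict[str, Dict[str, Set[str]]] = {}

    def add_tag_policy(self, p: TagPolicy) -> None:
        self.tag_policies[p.tag] = p

    def add_row_policy(self, p: RowPolicy) -> None:
        self.row_policies.append(p)

    def grant_column(self, view: str, column: str, roles: Set[str]) -> None:
        self.column_grants.setdefault(view, {})[column] = set(roles)

    def query(self, view: View, roles: Set[str]) -> List[dict]:
        grants = self.column_grants.get(view.name, {})
        # Column level: block columns that are granted to none of the caller's roles.
        visible = [c for c in view.columns if c.name not in grants or roles & grants[c.name]]
        # Row level: keep rows satisfying any restriction attached to the caller's roles.
        preds = [p.predicate for p in self.row_policies if p.view == view.name and p.role in roles]
        rows = view.rows if not preds else [r for r in view.rows if any(p(r) for p in preds)]
        result = []
        for row in rows:
            projected = {}
            for col in visible:
                value = row[col.name]
                for tag in col.tags:  # tag-based masking, independent of which view the column is in
                    policy = self.tag_policies.get(tag)
                    if policy is not None and not (roles & policy.visible_to):
                        value = policy.mask(value)
                projected[col.name] = value
            result.append(projected)
        return result


def demo() -> Dict[str, List[dict]]:
    """Constructed data: an employees view and a contractors view that share the pii.ssn tag."""
    employees = View("employees",
        [Column("id"), Column("name"), Column("region"), Column("ssn", {"pii.ssn"}),
         Column("email", {"pii.email"}), Column("salary")],
        [{"id": 1, "name": "Ana", "region": "EMEA", "ssn": "123-45-6789", "email": "ana@example.com", "salary": 70000},
         {"id": 2, "name": "Ben", "region": "NA", "ssn": "987-65-4321", "email": "ben@example.com", "salary": 82000}])
    contractors = View("contractors", [Column("id"), Column("name"), Column("ssn", {"pii.ssn"})],
        [{"id": 9, "name": "Cy", "ssn": "555-66-7777"}])
    layer = SecurityLayer()
    layer.add_tag_policy(TagPolicy("pii.ssn", {"hr"}, mask_ssn))
    layer.add_tag_policy(TagPolicy("pii.email", {"hr", "it_support"}, mask_email))
    layer.grant_column("employees", "salary", {"hr", "finance"})
    layer.add_row_policy(RowPolicy("employees", "regional_manager_emea", lambda r: r["region"] == "EMEA"))
    return {
        "hr": layer.query(employees, {"hr"}),
        "emea_manager": layer.query(employees, {"regional_manager_emea"}),
        "analyst_employees": layer.query(employees, {"analyst"}),
        "analyst_contractors": layer.query(contractors, {"analyst"}),
    }
```

Masking is applied after the row filter and column projection, so a blocked column is never even masked, and a policy keyed on a tag needs no change when a new view with an SSN column is published: tagging the column is enough.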
22. Cosmian’s Attribute-Based Encryption and Access Control
Assigning “access control attributes” separately to users and to data
[Diagram: Snowflake data/databases on one side and users on the other, each labelled with access-control attributes such as N5, N2, N1, HR and R&D; caption “1 Ultra-secure data access control”]
• Strengthen access policies by encrypting data with authorization attributes
• Trusted third-party data decryption service: data access can be revoked in a single place
• Supports monotone logical policies: combinations of OR and AND; e.g. access if (a OR b) AND c
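The access-policy language on this slide is the monotone fragment of Boolean logic: attribute names combined with AND and OR, no negation. The example below, added for this page, parses such a policy and evaluates it against a user's attribute set; it models only the access decision that an attribute-based encryption scheme would enforce cryptographically and is not an implementation of Cosmian's scheme or API. The attribute names (N5, N2, N1, HR, R&D) come from the slide; the catalog, users and the grammar are assumptions for the illustration.

```python
import re
from typing import Dict, List, Set, Tuple, Union

# A parsed policy is either an attribute name or ("AND" | "OR", [child policies]).
Node = Union[str, Tuple[str, List["Node"]]]

# Attribute names may contain letters, digits and a few symbols, so "R&D" is a single token.
_TOKEN = re.compile(r"\(|\)|AND\b|OR\b|[A-Za-z0-9_&.:-]+", re.IGNORECASE)


def tokenize(text: str) -> List[str]:
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} in policy")
        tokens.append(m.group(0))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent for:  expr := term (OR term)*   term := factor (AND factor)*   factor := NAME | '(' expr ')'"""

    def __init__(self, text: str):
        self.toks = tokenize(text)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        t = self.peek()
        self.i += 1
        return t

    def parse(self) -> Node:
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self) -> Node:
        terms = [self.term()]
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            terms.append(self.term())
        return terms[0] if len(terms) == 1 else ("OR", terms)

    def term(self) -> Node:
        factors = [self.factor()]
        while self.peek() is not None and self.peek().upper() == "AND":
            self.take()
            factors.append(self.factor())
        return factors[0] if len(factors) == 1 else ("AND", factors)

    def factor(self) -> Node:
        t = self.take()
        if t == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if t is None or t == ")" or t.upper() in ("AND", "OR"):
            raise ValueError(f"expected attribute name, got {t!r}")
        return t


def parse(text: str) -> Node:
    return Parser(text).parse()


def satisfies(policy: Node, attrs: Set[str]) -> bool:
    """True when the attribute set meets the policy. With only AND/OR this is monotone in `attrs`."""
    if isinstance(policy, str):
        return policy in attrs
    op, children = policy
    results = [satisfies(c, attrs) for c in children]
    return all(results) if op == "AND" else any(results)


def accessible(catalog: Dict[str, str], attrs: Set[str]) -> List[str]:
    """Names of data sets whose policy the user's attributes satisfy."""
    return sorted(name for name, text in catalog.items() if satisfies(parse(text), attrs))


def demo() -> Dict[str, List[str]]:
    # Constructed catalog and users; attribute names are the ones shown on the slide.
    catalog = {"payroll": "HR AND N5", "lab_results": "R&D AND (N2 OR N5)", "public_reports": "N1 OR N2 OR N5"}
    users = {"alice": {"HR", "N5"}, "bob": {"R&D", "N2"}, "carol": {"HR", "N2"}}
    return {user: accessible(catalog, attrs) for user, attrs in users.items()}
```

Because the grammar has no NOT, granting a user an additional attribute can only add data sets to `accessible`, never remove one; that is the monotonicity property the slide names, and it is what makes "encrypt once under the policy, give each user the keys for their attributes" workable.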
23. Denodo, Role-Based Data Access Control
[Diagram: the Denodo Platform applying attributes, backed by a Confidential Data Intelligence Platform and a Key Vault (API over TLS, KMIP over TLS); protected sources reached over JDBC and REST/JSON; Finance and HR roles holding keys K1 and K2 for data labelled with attributes N1 and N2]
24. Cipher Data Sharing
[Diagram: data delivery over RDBMS, SAS and API; Cipher Join and role-based Decrypt over Views, Interfaces and Remote Tables; Cipher Data reached through Data Materialization and Remote Table Synchronization; Cipher(val, attr) and Decrypt(key, cipher) performed against the Confidential Data Intelligence Platform and a Key Vault holding the Portfolios User Key]
27. Conclusions
• Data sharing is a key piece in many digital transformation initiatives and analytic architectures:
  • API economy, self-service BI, data mesh, etc.
• Security is the main pillar that sustains data sharing initiatives
• Denodo provides advanced security features that enable a data sharing practice at scale
  • SSO and IdP integration
  • Role-Based Access Control, with row, column and masking controls
  • Attribute-Based Access Control with tag-based security policies
  • Integration with third-party tools (e.g. for encryption, obfuscation, etc.)