Five In-depth Technology and Architecture Sessions on Data Virtualization
Session 5: Security
Today’s Speaker
■ Jesus Barrasa, Senior Solutions Architect, Denodo
Architect-to-Architect Series
■ Series of five webinars over 3 months
■ Deeper look into Denodo Platform
  ■ Architectural Overview
  ■ Performance
  ■ Scalability
  ■ Data Discovery and Governance
  ■ Security (today’s session)
Denodo Express
■ Denodo Express
  ■ Free to Download
  ■ Fully functioning Data Virtualization Platform
  ■ Single user, supports common data sources
  ■ Many of the same capabilities of Denodo Platform
    ■ Performance, Data Discovery, Governance, internal Security, Publishing, …
Security – Architecture Modules
Security
■ Authentication & Authorization
  ■ Built-in User/Role Management Module
  ■ Integration with external entitlement servers (LDAP/AD)
■ Multi-level access controls
  ■ Database, View, Row, Column, and Cell
■ Policy-based Security and Workload Management
  ■ Enforcement of custom policies for query execution according to security & workload considerations
Overview
■ Unified security management through Data Virtualization
  • Data Virtualization offers an abstraction layer that decouples data sources from consumer applications
    ■ Single point for accessing all the information, avoiding point-to-point connections to sources
  • As a single point of access, security can be enforced in this layer:
    ■ Access restrictions to sources are enforced here
    ■ They can be defined in terms of the canonical model (e.g. access restrictions to “Bill”, to “Order”, and so on) with a fine granularity
Layered Security Architecture
Detailed Security Architecture
Data Securely Handled
■ Data Virtualization secures the access from consumers to sources:
  • Consumer – Data Virtualization Platform security layer
    ■ Communications between consumer applications and the DV layer can be secured
      • Typically using SSL (data in motion).
  • Data Virtualization Platform – Sources security layer
    ■ Communications between the DV layer and the sources can also be secured
      • The specific security protocol depends on the source: SSL, HTTPS, sFTP, etc. (data in motion)
Data Securely Handled (Cont’d)
• Information can be:
  ■ encrypted in the sources,
  ■ read by the Data Virtualization layer,
  ■ and exported in encrypted form if needed (data at rest)
Denodo Platform Security Layer
■ Role-based Authentication and Authorization
  • Users/roles can be defined in the Denodo Platform
■ Fine-grained authorization
  • Schema-wide permissions
    ■ Virtual Database
      • Access to a database schema (e.g. credit risk database, operational risk database, etc.)
    ■ Views of the canonical model
      • Access to specific views (e.g. “Regional Risk Exposure”, etc.)
  • Data specific permissions
    ■ Row (by selections) and column level authorization
    ■ Data masking (hide sensitive fields)
Denodo Platform Permissions
■ Database Permissions:
  • Connect – connect to the virtual database
  • Create – create new data sources, views, stored procedures, and web services; deploy web services
  • Read – list views and stored procedures in the database catalog, view the schema of the views, query the views and stored procedures (i.e. execute SELECT/CALL statements)
  • Write – delete and modify views and stored procedures, execute INSERT, UPDATE, and DELETE statements
  • Admin – manage the database, i.e. configure the database, grant or revoke privileges to users and roles to access database elements (views, stored procedures, etc.)
    ■ Cannot create or delete users and roles, or grant admin privileges to others
Denodo Platform Permissions
■ View Permissions:
  • Read – view the schema and execute SELECT statements
  • Write – modify the view and execute INSERT, UPDATE, & DELETE statements
  • Insert – execute INSERT statements
  • Update – execute UPDATE statements
  • Delete – execute DELETE statements
■ Column Permissions
  • Do not allow access to restricted columns
■ Row Permissions
  • Restrict access to rows
  • Mask sensitive data in columns
Secure Access to Cached Data
■ When accessing cached data, the same security restrictions are taken into account:
  • Data is stored in the cache in terms of the canonical model (e.g. the “Regional Risk” view).
  • The Denodo Platform applies the security restrictions for the user/role on a given database, view, columns and/or rows in the cache.
Hierarchical Role Definition
■ A role can inherit and redefine an existing role at any level in the tree
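The permission layers on the preceding slides (database permissions, view permissions, column restrictions, row restrictions with masking, and roles that inherit and redefine each other in a tree) compose in a fixed order: a request must first clear the database layer, then the view layer, and only then is the result projected, masked and filtered. The following Python model is an added example written for this page; it is not Denodo's code or VQL, and every database, view, role and column name in it (credit_risk, regional_risk_exposure, staff, emea_analyst, and so on) is constructed for illustration. Grants accumulate up the role tree, while a restriction is taken from the closest role that defines one, which is how "inherit and redefine" is modelled here.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# All names below (databases, views, roles, columns) are constructed for this
# example; this is a model of the permission layers, not Denodo's own code.
Key = Tuple[str, str]  # (database, view)


@dataclass
class Role:
    name: str
    parent: Optional["Role"] = None  # hierarchical roles: a child inherits its parent
    db_perms: Dict[str, Set[str]] = field(default_factory=dict)    # db -> {CONNECT, CREATE, READ, WRITE, ADMIN}
    view_perms: Dict[Key, Set[str]] = field(default_factory=dict)  # (db, view) -> {READ, WRITE, INSERT, UPDATE, DELETE}
    hidden_columns: Dict[Key, Set[str]] = field(default_factory=dict)  # column permissions: columns removed
    masked_columns: Dict[Key, Set[str]] = field(default_factory=dict)  # data masking: values replaced
    row_filters: Dict[Key, Callable[[dict], bool]] = field(default_factory=dict)  # row permissions

    def lineage(self):
        """Yield this role, then each ancestor up to the root of the tree."""
        role = self
        while role is not None:
            yield role
            role = role.parent


class AccessDenied(Exception):
    pass


def effective_db_perms(role: Role, db: str) -> Set[str]:
    """Grants accumulate up the tree: a child has everything its ancestors have."""
    return set().union(*(r.db_perms.get(db, set()) for r in role.lineage()))


def effective_view_perms(role: Role, db: str, view: str) -> Set[str]:
    return set().union(*(r.view_perms.get((db, view), set()) for r in role.lineage()))


def nearest_restriction(role: Role, attr: str, key: Key, default):
    """Restrictions can be redefined: the closest role in the chain that sets one wins."""
    for r in role.lineage():
        table = getattr(r, attr)
        if key in table:
            return table[key]
    return default


def check_statement(role: Role, db: str, view: str, statement: str) -> None:
    """Database layer first (CONNECT, then READ/WRITE), then the view layer."""
    statement = statement.upper()
    dbp = effective_db_perms(role, db)
    if "CONNECT" not in dbp:
        raise AccessDenied(f"{role.name}: no CONNECT on database {db}")
    vp = effective_view_perms(role, db, view)
    if statement == "SELECT":
        allowed = "READ" in dbp or "READ" in vp
    elif statement in ("INSERT", "UPDATE", "DELETE"):
        allowed = "WRITE" in dbp or "WRITE" in vp or statement in vp  # view WRITE implies all three
    else:
        raise ValueError(f"unsupported statement {statement}")
    if not allowed:
        raise AccessDenied(f"{role.name}: no {statement} on {db}.{view}")


def is_allowed(role: Role, db: str, view: str, statement: str) -> bool:
    """Boolean form of check_statement, convenient for reports and tests."""
    try:
        check_statement(role, db, view, statement)
        return True
    except AccessDenied:
        return False


def run_select(role: Role, db: str, view: str, rows: list) -> list:
    """Authorize a SELECT and return the rows as the role is allowed to see them."""
    check_statement(role, db, view, "SELECT")
    key = (db, view)
    hidden = nearest_restriction(role, "hidden_columns", key, set())
    masked = nearest_restriction(role, "masked_columns", key, set())
    row_ok = nearest_restriction(role, "row_filters", key, lambda row: True)
    return [
        {col: ("***" if col in masked else val) for col, val in row.items() if col not in hidden}
        for row in rows if row_ok(row)
    ]


# Constructed sample rows standing in for a "regional_risk_exposure" view.
REGIONAL_RISK = [
    {"region": "EMEA", "counterparty": "Acme Bank", "account_number": "DE89-0001", "exposure": 120.5},
    {"region": "AMER", "counterparty": "Globex", "account_number": "US12-0002", "exposure": 80.0},
    {"region": "EMEA", "counterparty": "Initech", "account_number": "FR76-0003", "exposure": 45.0},
]
KEY = ("credit_risk", "regional_risk_exposure")

STAFF = Role("staff", db_perms={"credit_risk": {"CONNECT"}})  # may connect, sees nothing yet
EMEA_ANALYST = Role("emea_analyst", parent=STAFF,
                    view_perms={KEY: {"READ"}},
                    masked_columns={KEY: {"account_number"}},
                    row_filters={KEY: lambda row: row["region"] == "EMEA"})
GLOBAL_ANALYST = Role("global_analyst", parent=EMEA_ANALYST,  # inherits the mask, redefines the row filter
                      row_filters={KEY: lambda row: True})
RISK_ADMIN = Role("risk_admin", parent=STAFF, db_perms={"credit_risk": {"READ", "WRITE"}})

if __name__ == "__main__":
    for role in (EMEA_ANALYST, GLOBAL_ANALYST, RISK_ADMIN):
        print(role.name, run_select(role, *KEY, REGIONAL_RISK))
    print("staff may SELECT:", is_allowed(STAFF, *KEY, "SELECT"))
```

Running the script shows the EMEA analyst getting two masked EMEA rows, the global analyst getting all three rows still masked (the mask was inherited, only the row filter was redefined), and the admin getting everything unmasked; the staff role, which only has CONNECT, is refused at the view layer. The same function serves a cache lookup, which is the point of the "Secure Access to Cached Data" slide: the restrictions are attached to the role and the canonical view, not to where the rows were read from.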
Integration with Existing Security Architecture
■ Seamless integration with existing security policies:
  • The Denodo Platform can import security definitions from external directory services
    ■ LDAP and Microsoft Active Directory
  • If needed, the Denodo Platform can pass through security credentials directly to the sources
    ■ Pass-through authentication
    ■ User credentials defined at the consumer application level can be used to authenticate directly in the sources
  • It can enforce security policies defined in an external entitlement management system
Integration with Existing Security Architecture (Cont’d)
■ LDAP and Active Directory based authentication
  • The Denodo Platform delegates authentication to a designated LDAP/Active Directory service.
    ■ Users don't need to be defined in the Denodo Platform built-in user management system.
    ■ The Denodo Platform queries the LDAP/AD server to check the user role.
  • Roles can be imported from LDAP/Active Directory and used to constrain the access to any database or view within the Data Virtualization Platform.
■ Custom fine-grained access control
  • Queries intercepted before they hit the virtual views
Policy-based Security
[Diagram: data consumers send a query; custom policies, evaluated with a policy server (e.g. Axiomatics), decide by the conditions satisfied whether the query is Accepted (optionally + Filter, + Mask) or Rejected before it reaches the data sources. Label: Custom Policy]
■ Security: applies custom security policies
  • If the person accessing data has the role of 'Supervisor' and location is 'New York', then show compensation information for employees in the New York office only.
■ Enforcement: rejects/filters queries by specified criteria like user priority, cost, time of day, etc.
  • If the production batch window runs from 3 am - 6 am, there is increased load on production servers at this time. So, all queries on these servers can be blocked during this time to prevent failure of a process.
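The two rules on this slide differ from the static role permissions earlier in the deck in that they depend on the request context (who is asking, from where, against which server, at what time) and produce one of the diagram's outcomes: accept, accept with a filter, or reject. The Python below is an added example for this page, not Denodo's policy engine or an Axiomatics integration; the request fields, the "production" server name, the employee_compensation view and its sample rows are all constructed. One choice is not stated on the slide and is an assumption made here: a user who is not a New York supervisor is rejected on the compensation view rather than shown something else.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, List, Optional

# Constructed request context: what a policy layer would see for each incoming query.
# Field names and values are assumptions for this example, not a Denodo API.
@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    location: str  # where the user is connecting from (assumed known to the platform)
    server: str    # backing server the query would hit ("production" or other)
    view: str
    at: time       # local time the query arrives


@dataclass
class Decision:
    accept: bool
    reason: str
    row_filter: Optional[Callable[[dict], bool]] = None  # "Accept + Filter" outcome


def compensation_policy(req: Request) -> Optional[Decision]:
    """Slide rule: Supervisors located in New York see compensation for the New York office only.
    Constructed default (the slide does not say): anyone else is rejected on this view."""
    if req.view != "employee_compensation":
        return None  # policy does not apply to this query
    if "Supervisor" in req.roles and req.location == "New York":
        return Decision(True, "supervisor in New York: New York office rows only",
                        row_filter=lambda row: row["office"] == "New York")
    return Decision(False, "compensation data restricted to New York supervisors")


BATCH_START, BATCH_END = time(3, 0), time(6, 0)


def batch_window_policy(req: Request) -> Optional[Decision]:
    """Slide rule: during the 3 am - 6 am production batch window, queries on production servers are blocked."""
    if req.server == "production" and BATCH_START <= req.at < BATCH_END:
        return Decision(False, "production batch window (3-6 am)")
    return None


POLICIES = [batch_window_policy, compensation_policy]


def evaluate(req: Request, policies=POLICIES) -> Decision:
    """Combine policies: any rejection wins; otherwise the row filters are ANDed together."""
    filters, reasons = [], []
    for policy in policies:
        decision = policy(req)
        if decision is None:
            continue
        if not decision.accept:
            return Decision(False, decision.reason)
        reasons.append(decision.reason)
        if decision.row_filter is not None:
            filters.append(decision.row_filter)
    combined = (lambda row: all(f(row) for f in filters)) if filters else None
    return Decision(True, "; ".join(reasons) or "no policy applied", combined)


def enforce(decision: Decision, rows: List[dict]) -> List[dict]:
    """Apply an accepting decision to a result set; raise on a rejection."""
    if not decision.accept:
        raise PermissionError(decision.reason)
    return [r for r in rows if decision.row_filter is None or decision.row_filter(r)]


# Constructed sample rows for the employee_compensation view.
COMPENSATION = [
    {"name": "Ann", "office": "New York", "salary": 98000},
    {"name": "Raj", "office": "New York", "salary": 87000},
    {"name": "Lee", "office": "Chicago", "salary": 91000},
]

if __name__ == "__main__":
    ny_supervisor = Request("alice", frozenset({"Supervisor"}), "New York",
                            "hr", "employee_compensation", time(10, 0))
    d = evaluate(ny_supervisor)
    print(d.reason, enforce(d, COMPENSATION))
    at_night = Request("alice", frozenset({"Supervisor"}), "New York",
                       "production", "orders", time(4, 30))
    print(evaluate(at_night))
```

The evaluation order matters: the workload rule runs first so that a query that is going to be rejected for the batch window never reaches the data-level rules, and because any rejection short-circuits, adding a policy can only narrow what a request is allowed to return.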
Auditing
■ Audit trail of all the queries and actions executed in the platform
  • Configurable multi-level log for later analysis (based on log4j)
■ Generation of events for any action that causes any change in the data catalog
■ With this information it is possible to check at any time who has accessed which resources, what changes have been made or what queries have been executed
Auditing – Tracing User Activity
■ For an event, the Denodo Platform generates a JMX notification and logs it in a log file
[Screenshot: jConsole receiving JMX “requests” notifications]
Auditing – Tracing User Activity
■ The Denodo Platform logs the event into the vdp_queries.log file
  • The log file can be read as a data source through the DV platform.
[Screenshot: Reading the log file through the Data Virtualization platform]
Exposing Events to Reporting Tools
■ The events can be exposed to reporting tools:
  • Denodo Monitor Report, Tableau, etc.
[Screenshot: Accessing event information from Tableau]
[Screenshot: Denodo Monitor Report aggregate view on user access]
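The auditing slides promise answers to "who accessed which resources, what changes were made, which queries were executed", and the aggregate user-access view in the Monitor Report is one such answer. The Python below is an added example of building that kind of summary from a query log; it is not Denodo's code, and the log lines are constructed in a generic log4j-style layout that is only a stand-in, not the real vdp_queries.log format. It also adds one check a security operations team would typically want on top of the summary: successful write statements outside business hours.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import List, Optional

# Constructed sample lines in a log4j-style layout. This is NOT the real
# vdp_queries.log format; the fields and values are made up for the exercise.
SAMPLE_LOG = """\
2014-05-12 09:01:10,004 INFO  vdp.queries - user=alice db=credit_risk status=OK query="SELECT region, exposure FROM regional_risk_exposure"
2014-05-12 09:02:44,120 INFO  vdp.queries - user=alice db=credit_risk status=OK query="SELECT * FROM counterparty"
2014-05-12 03:30:01,550 INFO  vdp.queries - user=bob db=hr status=OK query="UPDATE employee_compensation SET salary = 1 WHERE id = 7"
2014-05-12 03:31:12,002 INFO  vdp.queries - user=bob db=hr status=DENIED query="DELETE FROM employee_compensation"
2014-05-12 11:15:00,000 INFO  vdp.queries - user=carol db=hr status=OK query="SELECT name FROM employee_compensation"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} +\w+ +\S+ - '
    r'user=(?P<user>\S+) db=(?P<db>\S+) status=(?P<status>\S+) query="(?P<query>.*)"$')
# Table names following FROM/INTO/UPDATE/JOIN; good enough for the constructed statements above.
TABLE_RE = re.compile(r'\b(?:FROM|INTO|UPDATE|JOIN)\s+([A-Za-z_]\w*)', re.I)
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE"}


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into an event dict, or None if the line does not match the layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["verb"] = ev["query"].split(None, 1)[0].upper()  # SELECT / UPDATE / ...
    ev["resources"] = {f"{ev['db']}.{t}" for t in TABLE_RE.findall(ev["query"])}
    return ev


def events(text: str) -> List[dict]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def summarize(text: str) -> dict:
    """Per-user aggregate: who read or changed what, and when (first/last activity)."""
    summary = defaultdict(lambda: {"reads": 0, "writes": 0, "denied": 0,
                                   "resources": set(), "first": None, "last": None})
    for ev in events(text):
        s = summary[ev["user"]]
        if ev["status"] != "OK":
            s["denied"] += 1
        elif ev["verb"] in WRITE_VERBS:
            s["writes"] += 1
        else:
            s["reads"] += 1
        s["resources"] |= ev["resources"]
        if s["first"] is None or ev["ts"] < s["first"]:
            s["first"] = ev["ts"]
        if s["last"] is None or ev["ts"] > s["last"]:
            s["last"] = ev["ts"]
    return dict(summary)


def off_hours_writes(text: str, start_hour: int = 8, end_hour: int = 18) -> List[dict]:
    """Successful write statements outside business hours (default 08:00-18:00); worth a second look."""
    return [ev for ev in events(text)
            if ev["status"] == "OK" and ev["verb"] in WRITE_VERBS
            and not (start_hour <= ev["ts"].hour < end_hour)]


if __name__ == "__main__":
    for user, s in summarize(SAMPLE_LOG).items():
        print(user, s["reads"], "reads,", s["writes"], "writes,", s["denied"], "denied,",
              sorted(s["resources"]), s["first"], "->", s["last"])
    for ev in off_hours_writes(SAMPLE_LOG):
        print("off-hours write:", ev["user"], ev["ts"], ev["query"])
```

Because the deck notes that the log file itself can be read as a data source through the platform, the same aggregation could equally be expressed as a view over that source and handed to the reporting tools on the next slide; the point of the script is only to show what the summary needs to extract from each line.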
Security - Summary
■ Three layered security architecture
  ■ Consumer, Denodo Platform, Source
■ Fine grained access control
  ■ Database, View, Column, Row, Cell
■ Integration with existing security architecture
■ Extensible using custom policies
■ Comprehensive auditing
  ■ Who, what, and when
Q&A
Data Virtualization – Next Steps
Move forward at your own pace
■ Download Denodo Express – The fastest way to Data Virtualization
■ Denodo Community: Documents, Videos, Tutorials, and more.
■ Attend Architect-to-Architect Series
  ■ Performance
  ■ Scalability
  ■ Data Discovery and Governance
  ■ Security
Move forward with one of our Data Virtualization experts
■ Phone: (+1) 877-556-2531 (NA)
■ Phone: (+44) (0)20 7869 8053 (EMEA)
■ Email: info@denodo.com | www.denodo.com
Five In-depth Technology and Architecture Sessions on Data Virtualization
Thank You!

Denodo Data Virtualization Platform: Security (session 5 from Architect to Architect webinar series)
