Securing Tableau Online: Protecting Data as a Service
#data19
Braxton Ehle
Senior Product Security Engineer
Tableau
Anir Agarwal
Senior Product Manager
Tableau
Slides: https://tableau.egnyte.com/fl/xEsWxBRJgM
Agenda
• Shared Responsibility Model
• Layer 1: Amazon Web Services (AWS)
• Layer 2: Tableau Online Infrastructure
• Tableau Online Security Architecture Overview
• Tableau-managed Infrastructure
• Layer 3: Customer-managed Online Sites
• Q&A
Survey Says…
AWS
1. Can spell AWS
2. Have launched an instance
3. Built a service in AWS
Tableau
1. Used Tableau
2. Published to Tableau Server/Online
3. Administered a Tableau Online Site
Meet Bob
• Planning move to Tableau Online.
• TOL checks the boxes.
• Wants to be sure data is secure.
• Most data is in HQ in Las Vegas.
• Some offices in EU.
Shared Responsibility Model
Customer: Security in the Service
• Data Published
• IAM
• Data Access
Tableau: Security in the cloud & of the Service
• Customer Data
• Platform, Application, IAM
• OS, Network & Firewall Configuration
• Client-side data encryption & integrity | Server-side encryption | Network segmentation
AWS: Security of the Cloud
• Software: Compute | Storage | Database | Networking
• Hardware / Global Infrastructure: Regions | Availability Zones | Edge Locations
Layer 1: AWS
AWS Security
Why AWS?
• Industry-leading IaaS, PaaS, SaaS solutions
• Data Gravity: Allows us to be where our customer data is
Secure Services and Building Blocks
• Manage datacenter and core-infrastructure security
• Services like IAM, CloudTrail, etc. enable security
AWS: Security of the Cloud
• Software: Compute | Storage | Database | Networking
• Hardware / Global Infrastructure: Regions | Availability Zones | Edge Locations
Layer 2: Tableau-managed Infrastructure
Online Architecture Overview
Bob:
• Where in the world does my Tableau Online data live?
• How does my data in Tableau Online move around? Is it safe?
• What about my on-premises data?
Data Locality
World-Wide Deployment
• Customers select their region when they set up their site
• Data local within their region, with logical site-level isolation
Redundancy and Availability
• Built-in redundancy, so Tableau Online is highly available for customers
Tableau Online Architecture
Key Services and Stores
• Workers: Workers are performing tasks – anything from running your queries and handling your interactions to refreshing your extracts
• Storage: Where your data is stored – various Amazon stores (RDS, S3, etc.)
• Bridge: Tableau Online-only software to connect to data behind firewalls
[Diagram labels: Requests, Application Workers, Background Workers, Tableau Bridge]
Cloud Databases
Web Editing and Live Queries
[Diagram labels: Cloud DB Env, Tableau Online, Application Workers (Encrypted Volumes); connections labeled TLS 1.2]
Scheduled Extracts
[Diagram labels: Cloud DB Env, Tableau Online, Background Workers (Encrypted Volumes); connection labeled TLS 1.2]
On-Prem Databases with Bridge
How Bridge Works
• Runs in application mode or service mode on Windows
• Authorized by a user with their credentials (Admins, Creators)
• Encrypted WebSocket between Tableau Bridge and Tableau Online
• Live Queries pass through Bridge, Extracts built on Bridge and sent to Online
Bridge Scheduled Extracts
[Diagram labels: On-Premise / VPC Environment, Tableau Bridge, Tableau Online, Background Workers (Encrypted Volumes); connection labeled TLS 1.2]
Online Infrastructure Security
Vegetable Eating as a Service:
• Server configuration
• Patching
• Logging
• Monitoring
• Bears?
• Oh my!
Online Infrastructure Security
Leverage AWS Security Tools:
• Each instance uses a specific IAM role, ~15/POD
• Utilize native logging capabilities
• GuardDuty: Incident Detection
• Patch Manager
Do you encrypt EBS volumes in Online? Yes.
Watching the Watchers
Periodic Security Assessments:
• Yearly external penetration tests
• Regular internal security assessments
• Security reviews
• Public security researcher reports
Watching the Watchers
Ongoing Security Assessments:
• Static analysis of code and infrastructure as code
• Continuous external vulnerability scans
• Regular internal vulnerability scans
Watching the Watchers
Demonstrable Security:
• SOC 2 Type II & SOC 3 report
• Reports from external penetration tests, vulnerability scanning
• CSA Self-Assessment to answer questions you didn’t know you had
Layer 3: Customer-managed Online Sites
Online Site Hardening: Starting Point
https://www.tableau.com/security -> Tableau SOC 3 - May 2019
Online Site Hardening
Authentication
• Use SSO
• Use SCIM (soon)
Online Site Hardening
Visibility - Admin Insights
• See and understand your site activity
Online Site Hardening
Extensions
• Whitelisting
• Full data access / user prompting
Online Site Hardening
General:
• Support Access
• Data source security
Bridge:
• Limited access service accounts
• Standard design pattern: avoids firewall poking
Mobile:
• Tableau Mobile works with a variety of MDM solutions
Layers of Security…
Customer: Security in the Service
• Outsource Authentication
• Least Privilege
• See & understand your Admin Insights
Tableau: Security in the cloud & of the Service
• Encrypting all the things
• Secure operations while you sleep
AWS: Security of the Cloud
• Secures the hardware and datacenters
• Provides handy security levers
Thank You
May I interest you in a bottle of the ‘19 TC Security Sessions?
• Security Meetup: 2019-11-13 | 12:15 – 1:15 | Level 3 – South Seas D
• Drive Online Site Adoption with Admin Insights: 2019-11-15 | 2:15 – 3:16 | Level 2 – Reef C
Thank You & Q&A & Thank You
Talks You May Have Missed
• Tableau Online Admin Experience
• Managing and Leveraging Data with Tableau Online
• Tableau Bridge: Bring Your Data to Tableau Online
• Tableau Online Architecture
Appendix
Tableau Security Resources:
• https://www.tableau.com/security
Tableau Permissions:
• https://help.tableau.com/current/server/en-us/license_permissions.htm
• https://help.tableau.com/current/server/en-us/license_permissions_backgrnd.htm
Online Site Hardening:
• Enabling SAML for your site: https://help.tableau.com/current/online/en-us/saml_config_site.htm
• SCIM configuration: https://help.tableau.com/current/online/en-us/scim_config_online.htm
Contacting Tableau
• [email protected]
• PGP Key
Other
• Security bulletins
• Tableau Trust