13 Replies Latest reply on Aug 9, 2017 9:20 AM by Kevin Taylor

    Tableau not secure enough for enterprise reporting/audit/EUC replacement

    Ross Moffitt

      Can someone point me to a thread/article/user guide that speaks to Tableau security, administration and audit tracking? Has anyone been successful in replacing their legacy business intelligence reporting with Tableau? How about replacing an EUC with an automated Tableau report consumed via Tableau Server? What controls exist to help with audit and security? What is the most secure way of sharing reports with end-users? Any thoughts or ideas are welcome. Thanks.

        • 1. Re: Tableau not secure enough for enterprise reporting/audit/EUC replacement
          lei.chen.0

          Hello Ross,


          I've moved your post to  Server Administration for there will be more experienced server administrators here to help you on your question.


          Regards

          Lei

          • 2. Re: Tableau not secure enough for enterprise reporting/audit/EUC replacement
            Donna Coles

            Hi Ross - here's a link to the Security Whitepaper for Tableau Server Tableau Server Platform Security | Tableau Software that might be a useful starting point and will hopefully give you a general overview to help then lead you to ask some more specific questions.

            For info: My company uses Tableau Server for all reporting.  The server currently sits inside our firewall.  All users are authenticated via the AD.  We have a single site on the server and organise workbooks and data sources into projects.  Access to projects is managed by Groups rather than granting individual access.  Generally everything is considered open access unless there is a specific need to lock down.  The majority of our projects all have permissions managed at a project level.  We have some projects that allow ad hoc permissions to be assigned (permissions managed at the workbook level).  Some of our data sources use row level security via SQL Server impersonation to restrict what data is seen (these are HR related data sources).  We only have 1 server admin who manages the permissions.  Tableau Server comes with a Postgres database referred to as the repository, which a lot of people (us included) query too.  The repository contains a lot of rich information about the content on the server, server events etc. etc.  I haven't really looked into how well changes to permissions get tracked from an audit point of view (there's nothing in the UI), though I would imagine there would be something in the Postgres.

             

            Donna

            4 of 4 people found this helpful
            • 3. Re: Tableau not secure enough for enterprise reporting/audit/EUC replacement
              Ross Moffitt

              Thanks, Donna.

              In terms of "controlled" reporting and viable SOX control, I have the following more detailed questions:

              1) Do updates follow a "controlled" process and prevent Production updates prior to acceptable testing/documentation?

              2) Are administrators able to implement segregation of duties to ensure the people producing the reports aren't able to update them themselves?

              3) How does the risk of reporting with Tableau compare to the risk of an EUC? (Currently performed manually using a Microsoft Access database)

              4) Is there a way to schedule the execution of queries at a specific time? If they don't run, how can you tell? How do you re-run the same queries the same day?

              Also, if Tableau Server is not an option, does anything change above if Tableau Reader is the only method for sharing?

              • 4. Re: Tableau not secure enough for enterprise reporting/audit/EUC replacement
                Donna Coles

                Hi Ross

                I'll answer what I can based on my knowledge/experience, but hopefully others may step in.

                1) Do updates follow a "controlled" process and prevent Production updates prior to acceptable testing/documentation?

                If by updates you mean upgrades/patches, then Tableau Server won't just auto update; you are in control of when that happens.

                If you mean updates as in a change to a workbook or data source published, then there is no 'built in process' to server.  You have to define your own process.  Some companies have multiple servers (dev & prod) and implement automated processes to move content from one to the other once in an 'approved' state, but migrating content between environments again isn't part of the out of the box offering.  We don't do this - we have a single server and everyone has rights to create content in at least 1 project.  You need to think hard about what you're getting Tableau for.  The concept of a dev -> QA -> production process is very much (IMO) an IT/development type process, so if they're the type of people who'll be developing your content then you're probably ok, but if you're trying to extend to a more self-service type model, then your typical business user isn't going to be familiar with having to follow this type of governance.

                2) Are administrators able to implement segregation of duties to ensure the people producing the reports aren't able to update them themselves?

                By default, the owner of a workbook on server has rights to do what they want with the workbook once published (amend it, delete it etc.).  The only way to stop this is for the owner to be changed, and then you'd need to think about 'who' it is changed to and how you'd change it.

                3) How does the risk of reporting with Tableau compare to the risk of an EUC? (Currently performed manually using a Microsoft Access database)

                Sorry, EUC isn't a term I'm familiar with.

                4) Is there a way to schedule the execution of queries at a specific time? If they don't run, how can you tell? How do you re-run the same queries the same day?

                Tableau Server has a facility to schedule data extracts which can be as often as every 15 mins.  If they fail, v10 functionality now sends the owner of the content an email.  Most server admins also have their own custom monitoring dashboards/processes they've written to help them understand this too.

                Also, if Tableau Server is not an option, does anything change above if Tableau Reader is the only method for sharing?

                Without Tableau Server, how you distribute & refresh your content will become much more cumbersome, and there are also questions as to whether you'd be breaching the Tableau EULA by going down this route.


                Donna

                2 of 2 people found this helpful
                • 5. Re: Tableau not secure enough for enterprise reporting/audit/EUC replacement
                  Shon Thompson

                  If the administrator performs the initial deployment of a workbook, they will be the owner, which will limit who can update the workbook.  You can automate many things using tabcmd or the REST API.  IMO, the tabcmd approach has security flaws because the tabcmd login does not support integrated Windows authentication.  If you set up the server to use Windows authentication without requiring a login, all tabcmd calls still require a session login.  Without integrated authentication, you must hard code the password in a file.  I have not tried to do this with the REST API, but it appears to have the same limitation.

                  • 6. Re: Tableau not secure enough for enterprise reporting/audit/EUC replacement
                    Shon Thompson

                    https://community.tableau.com/ideas/2889


                    It looks like Tableau has no intention of adding the ability for integrated authentication because they archived this request.  I'm shocked that it only received 4 votes.  Am I the only one who feels this is a security issue?  Most companies I have worked for do not allow passwords to be hard coded.

                    • 7. Re: Tableau not secure enough for enterprise reporting/audit/EUC replacement
                      Russell Christopher

                      Hey Shon -

                      If you're worried about hard-coding passwords in a batch script (a bad idea, for sure), consider writing a bit of extra code that retrieves the password from a secure store (wherever it is) and provides it to tabcmd dynamically.


                      Many of our customers have also written a wrapper around the REST API which can be called like any other service. You can then choose to use whatever authentication mechanism you wish against your wrapper and let your code handle the rest.
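Russell's suggestion of fetching the password from a secure store at run time, as an added example that is not from the original thread or from Tableau: a small Python wrapper that takes the service account's password from whatever store you already trust (assumed here to hand it over in an environment variable named TABCMD_PASSWORD, a constructed name), writes it to a temporary file readable only by the current user, runs tabcmd login with --password-file so the secret never lands in a .bat file or on the command line, and deletes the file afterwards. The tabcmd flags are tabcmd's own; the server URL and account name are placeholders.

```python
import os
import subprocess
import tempfile
from contextlib import contextmanager

# Assumption: a secret store you already trust (vault agent, Windows
# Credential Manager, CI secret injection) hands the service account's
# password to this process in TABCMD_PASSWORD (constructed name). Swap
# fetch_secret() for your store's client call if it has one.
def fetch_secret(env_var="TABCMD_PASSWORD", env=None):
    secret = (env if env is not None else os.environ).get(env_var)
    if not secret:
        raise RuntimeError(f"{env_var} was not supplied by the secret store")
    return secret

@contextmanager
def secret_file(secret):
    """Hold the secret in a temp file only this user can read (POSIX
    0600; use ACLs on Windows) and delete it as soon as tabcmd is done."""
    fd, path = tempfile.mkstemp(prefix="tabcmd-", suffix=".pw")
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(secret)
        yield path
    finally:
        if os.path.exists(path):
            os.remove(path)  # never leave the password behind on disk

def build_login_command(server, username, password_path, site=None):
    """tabcmd's own login flags; --password-file keeps the password out of
    argv, shell history and any scheduled-task definition."""
    cmd = ["tabcmd", "login", "--server", server, "--username", username,
           "--password-file", password_path]
    if site:
        cmd += ["--site", site]
    return cmd

def tabcmd_login(server, username, site=None, env=None, runner=subprocess.run):
    """Fetch the secret, run tabcmd login, return its exit code."""
    with secret_file(fetch_secret(env=env)) as path:
        result = runner(build_login_command(server, username, path, site),
                        check=False)
    return result.returncode

if __name__ == "__main__":
    # Placeholders: replace with your server URL and service account.
    raise SystemExit(tabcmd_login("https://tableau.example.com", "svc_tabcmd"))
```

The same pattern works for scheduled tabcmd publish/refresh jobs: the task runs the wrapper, and the password only ever exists in the store and in the short-lived file.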

                      • 8. Re: Tableau not secure enough for enterprise reporting/audit/EUC replacement
                        Toby Erkson

                        Shon Thompson wrote:


                        https://community.tableau.com/ideas/2889


                        It looks like Tableau has no intention of adding the ability for integrated authentication because they archived this request.  I'm shocked that it only received 4 votes...

                        That is a very old Idea and I never knew it existed.  I think if it was re-introduced it may fare better vote-wise.

                        • 9. Re: Tableau not secure enough for enterprise reporting/audit/EUC replacement
                          Toby Erkson

                          Donna Coles wrote:


                          ...

                          1) Do updates follow a “controlled” process and prevent Production updates prior to acceptable testing/documentation?

                          If by updates you mean upgrades/patches, then Tableau Server won't just auto update; you are in control of when that happens.

                          If you mean updates as in a change to a workbook or data source published then there is no 'built in process' to server.  You have to define your own process.  Some companies have multiple servers (dev & prod) and implement automated processes to move content from one to the other once in an 'approved' state...

                          Just an FYI, I unpleasantly found out this is not legal in the eyes of the EULA.

                          • 10. Re: Tableau not secure enough for enterprise reporting/audit/EUC replacement
                            Toby Erkson

                            Donna did an excellent write-up (as always) and I agree with her.  Take a hard look as to why you are considering Tableau because it's meant to give end users a LOT more freedom to access data and visually present it because it is so much easier to use versus other products.

                            Because of its ease-of-use it doesn't facilitate the old (and still very predominant) report development life cycle paradigm.  Tableau's idea is more like what I call a continuously improving production paradigm, meaning that there are no formal development, testing/approval, and production environments; it's just all production!  Yeah...get IT managers to wrap their head around that concept.  Thus the report author/developer bangs out the report, gets a thumbs-up from the end user (or themselves if they are the main consumer of it) and publishes it to the Tableau Server for the world to see it*.  If the report doesn't quite meet the consumer's needs then the author makes the adjustments and republishes it.  Annnnd repeat.  This means the report doesn't have to be perfect before it is published; instead, it gets perfected iteratively.

                            This actually makes more sense to business users and it does allow very rapid...dare I say agile?...report development.  End results occur far more quickly than the traditional method of the reporting life cycle, especially if one is not dependent on a [slow, time budgeted] traditional report development team.

                            * If they want to restrict who sees it or how they can interact with it (download details, web edit it, fiddle with the filters, read comments, etc.) then permissions are set accordingly.  Further publishing defaults to keeping permissions the same unless later changed.

                            • 11. Re: Tableau not secure enough for enterprise reporting/audit/EUC replacement
                              Toby Erkson

                              Tableau is certainly secure enough for enterprise reporting.  Firewalls, proxies, SSL, authentication, Site/Project/Workbook/Sheet permissions are all methods available to create a secure environment.

                              For us, we used to have military contracts and thus we had to deal with information security.  Tableau was vetted by our security team (I wasn't part of that process) and passed, thus we were allowed to use it company-wide.

                              As for auditing, well, that can depend on how deep you need to go.  The internal history logs capture a decent amount of info but it's only held for a relatively short period of time -- others here have exported this info to another database in order to keep a longer history.  Data capturing in log files can be changed, just make sure you have the hard drive capacity for them if you set it to really detailed mode!  Using 3rd party tools like Splunk is great to get information out of the logs.

                              • 12. Re: Tableau not secure enough for enterprise reporting/audit/EUC replacement
                                Donna Coles

                                Ooooo, interesting to note... thinking about it I guess it makes sense - if actively being used daily it needs to be licensed properly.  The ability to use your licence key for up to 2 other servers is for testing upgrades etc. (I'm sure there's more to it, but that's how my simple brain works).

                                • 13. Re: Tableau not secure enough for enterprise reporting/audit/EUC replacement
                                  Kevin Taylor

                                  This link should help you with some of the compliance rigor that we go through internally to ensure Tableau Server and Tableau Online are in check:


                                  Security | Tableau Software

                                  1 of 1 people found this helpful