With this post we dive into the security features built into Platfora.
First a quick refresher on the powerful Platfora workflow concepts and capabilities: Platfora provides analysts with fast, interactive access to Big Data through visualizations and analytical tools designed to tap into all an organization's data. It is designed to be fast, leveraging an unique in-memory method for data analysis and giving analysts access anywhere that HTML5 can be used (meaning any modern web browser). A key capability is building in-memory lenses that can scale out to terabytes of in-memory data. Platfora transforms Apache Hadoop into a subsecond-interactive, exploratory business intelligence and analytics platform. This removes key bottlenecks for organizations seeking to make use of their data holdings and is very empowering to analysts.
Now back to security:
Platfora has developed a security model that is comprehensive and complete, but still simple to understand and intuitive to configure.
Platfora's Role-Based Access Controls (RBAC) authorize what users and administrators can do in the system, both at broad and detailed levels.
Users log into Platfora with their identity using local or industry standard enterprise Authentication, Authorization, and Accounting solutions. To simplify management of security
roles, Platfora supports User Groups and batch management of access roles and permissions.
Platfora approaches security from three separate axes:
• Data Level Security
• User-Created Object-Level Security
• System-Level Security
With this three-pronged approach, Platfora provides a simple, intuitive model for security configuration, as well as a model that provides comprehensive protection against unauthorized access to sensitive data.
Regarding data-level security, Platfora allows organizations to control data access at multiple levels.
Raw Data Sources
As data sources are defined in Platfora, administrators can determine which users have access to the raw data
exposed through the data source (or mount point). This coarse-grained permission is easy to configure and
provides blanket access to raw data.
To give organizations more flexibility, Platfora also allows administrators to define data access permissions
around datasets derived from the data source. With this finer degree of control, administrators can segment the
data from a data source into specific datasets with controlled access.
Platfora allows administrators to define data access permissions to restrict data access to specific fields in a dataset. Administrators can restrict access to detailed data fields, while still providing access to summary or aggregate data. For example, hiding detailed employee information, such as name and job title, yet still allowing access to salary data aggregated by gender, department or years of service. Platfora supports Kerberos for data access in the Hadoop cluster.
User-Created Object Level Security
In addition to data-level security, users can also control security at the object level. This gives users control over their own Platfora-created objects such as Lenses and Vizboards. Platfora Object Permissions control access such as:
- Who can see my Vizboard?
- Who can edit my Visualizations?
- Who can use my Lens?
In Platfora, data security is managed separately from object security.
This model provides a simple, straightforward method for managing data access.
The owner of a specific object has the flexibility to decide who can work with their objects – desirable in self-service and workgroup environments — without compromising data security.
By keeping data access control simple, and not combining it with object-level security, Platfora reduces the likelihood of security misconfiguration and user error. Security models that rely on a complex object inheritance model to control data access are much more likely to accidentally expose data to unauthorized users.
Platfora allows system administrators to control who can do what in Platfora, and who is allowed to make system-wide changes. System-level security is typically managed by a small group of trusted individuals (those with the role of system administrator). Administrators can assign users one of five system roles ranging from Viewer to System Administrator.
System-Level Permissions control application-level operations, such as:
- Who can build Lenses (the act of materializing the data from Hadoop into Platfora’s Fractal Cache™ technology)
- Who can manage system configuration settings?
- What is the maximum Lens size that a user can create?
- Who can manage users and groups?
Integration with Third Party Authentication and Authorization Systems
LDAP / Active Directory: Platfora supports LDAP / Active Directory integration for user authentication and group membership. By leveraging LDAP, users can log into Platfora using their familiar credentials. Organizational policies around password complexity and periodic password changes are enforced.
Kerberos: Platfora supports Kerberos authentication to Kerberos-protected Hadoop services.
For more information on Platfora and security see http://platfora.com