Security Considerations for Snow Analytics

2018-10-23

Introduction

Note

This document refers to Snow Analytics, which is the former name of Risk Monitor, but the contents still apply.

Snow Analytics is a platform for displaying business intelligence (BI) dashboards that help organizations extend the existing reporting capabilities of their Snow Software solution. This enhanced reporting allows organizations to:

  • Make effective, data-driven decisions

  • See the potential impact of these decisions even before they are implemented

The platform enables Snow to progress from providing simple management of data and reporting to offering self-service BI, delivering actionable insight to the organizations' key decision-makers.

Cloud-based subscription service

Snow Analytics is a cloud-based subscription service, requiring organizations to:

  • Purchase a data subscription—such as Governance & Risk—to access the platform

  • Allow a Send service to provide data from their Snow solution to this cloud-hosted service

Why this document?

Security officers within organizations that are using or considering Snow Analytics want to confirm how their organizations' data gets into Snow Analytics, how it is protected, and what Snow does with this data.

To address these concerns, Snow Software has built protection into the Analytics platform to prevent unauthorized access and destructive attacks.

This document describes the flow of data between the customer's Snow solution and their Snow Analytics subscription(s) in the cloud.

Note

All Snow Analytics data is stored and located within an Azure service (North Europe). As the data is stored with serverless technology, it does not require any OS patching or management. Also, all data that is stored within this platform is only retained during the customer’s subscription period. 

Third-party perimeter security test results

A perimeter assessment has been conducted by Snow's penetration test partner, an industry-leading security services company. While their scan identified two medium issues and two low-grade issues, all identified vulnerabilities have now been resolved.

Note

We at Snow Software will continue to penetration test our software stack on a regular basis during the lifetime of the product.

How data is handled and protected

Snow Analytics bases its data handling and protection standards on application threat modeling from the Open Web Application Security Project (OWASP).

Phase-by-phase flow details

Now it's time to look at each phase of the Snow Analytics data flow. 

[Diagram: Snow Analytics data flow, with numbered phases]

The numbers in the diagram above correspond to the list below.

  1. SUS sends customer Snow License Manager (SLM) usage data to Azure Blob Storage.

  2. The customer SLM data is now in Blob Storage.

  3. At this point, an Azure function app reads the Azure Key Vault for an access token.

  4. The function app moves the customer data to a protected Blob Storage.

  5. Next, the Azure Data Factory moves the data into SQL Server.

  6. The Data Factory calls a function app to resize the Azure Analysis Services data partition.

  7. The Data Factory then calls an Azure Logic App to process Analysis Services.

  8. And finally, data is served from a service through the Snow Analytics web app via a Power BI embedded capacity.

Security threat measures

The following table documents the controls that Snow Software has put in place to handle likely threats: 

| Threat type | Examples | Controls in place to combat threats |
| --- | --- | --- |
| Spoofing | Inject bad data; impersonate a customer and view customer data | HTTPS; controls within the customer's own security policy |
| Tampering | Remove data; inject bad data; delete the entire database; delete the Azure subscription | Authentication; Azure admin accounts require MFA; SQL data warehouse is backed up |
| Repudiation | An illegal operation in a system that cannot trace the operation, such as: customers continually upload new data, which is constantly overwritten | Not applicable |
| Information disclosure | Reading information in transit or without access, such as: GDPR risk: loss of PII; exposure of customer not having a license; exposure of software/hardware assets and contracts | Authentication; HTTPS |
| Denial of service | DDoS attack | MS defenses |
| Elevation of privilege | Steal administration credentials (3 accounts) | Azure admin accounts require MFA |

Summary

The key takeaways from this document are as follows:

  • Snow Analytics is a cloud-based subscription service for displaying BI dashboards that deliver actionable insight for organization decision makers who use a Snow Software solution.

  • Organizations using Snow Analytics send usage data from their Snow solution beyond their firewall to Snow Analytics. 

  • A third-party perimeter security test was conducted by a world-leading provider. The results: no critical or high-level issues were identified, and all remaining items were fully remediated.

  • The phase-by-phase data flow is encapsulated in the following diagram:

    [Diagram: Snow Analytics data flow, compact version]

For any other questions related to Snow Analytics security, please contact your Snow Software representative.