Security Considerations for Snow Analytics
2018-10-23
Introduction
Note
The document refers to Snow Analytics, which is the former name of Risk Monitor, but the contents still apply.
Snow Analytics is a platform for displaying business intelligence (BI) dashboards that help organizations extend the existing reporting capabilities of their Snow Software solution. This enhanced reporting allows organizations to:
Make effective, data-driven decisions
See the potential impact of these decisions even before they are implemented
The platform enables Snow to progress from providing simple management of data and reporting to offering self-service BI, delivering actionable insight to the organizations' key decision-makers.
Cloud-based subscription service
Snow Analytics is a cloud-based subscription service, requiring organizations to:
Purchase a data subscription—such as Governance & Risk—to access the platform
Allow a Send service to provide data from their Snow solution to this cloud-hosted service
Why this document?
Security officers within organizations that are using or considering Snow Analytics want to confirm how their organizations' data gets into Snow Analytics, how it is protected, and what Snow does with this data.
To address these concerns, Snow Software has built protection into the Analytics platform to prevent unauthorized access and destructive attacks.
This document describes the flow of data between the customer's Snow solution and their Snow Analytics subscription(s) in the cloud.
Note
All Snow Analytics data is stored and located within an Azure service (North Europe). As the data is stored with serverless technology, it does not require any OS patching or management. Also, all data that is stored within this platform is only retained during the customer’s subscription period.
Third-party perimeter security test results
A perimeter assessment has been conducted by Snow's penetration test partner, an industry-leading security services company. While their scan identified two medium issues and two low-grade issues, all identified vulnerabilities have now been resolved.
Note
We at Snow Software will continue to penetration test our software stack on a regular basis during the lifetime of the product.
How data is handled and protected
Snow Analytics bases its data handling and protection standards on application threat modeling from the Open Web Application Security Project (OWASP).
Phase-by-phase flow details
Now it's time to look at each phase of the Snow Analytics data flow.
The numbers in the diagram above correspond to the list below.
SUS sends customer Snow License Manager (SLM) usage data to Azure Blob Storage.
The customer SLM data is now in Blob Storage.
At this point, an Azure function app reads the Azure Key Vault for an access token.
The function app moves the customer data to a protected Blob Storage.
Next, the Azure Data Factory moves the data into SQL Server.
The Data Factory calls a function app to resize the Azure Analysis Services data partition.
The Data Factory then calls an Azure Logic App to process Analysis Services.
And finally, data is served from a service through the Snow Analytics web app via a Power BI embedded capacity.
Security threat measures
The following table documents the controls that Snow Software has put in place to handle likely threats:
Threat type | Examples | Controls in place to combat threats |
|---|---|---|
Spoofing | Inject bad data Impersonate a customer and view customer data | HTTPS Controls within the customer's own security policy |
Tampering | Remove data Inject bad data Delete the entire database Delete the Azure subscription | Authentication Azure admin accounts require MFA SQL data warehouse is backed up |
Repudiation | This means illegal operation in a system that cannot trace the operation, such as: Customers continually upload new data, which is constantly overwritten. | Not applicable |
Information disclosure | This means read information in transit or without access, such as:
| Authentication HTTPS |
Denial of service | DDoS attack | MS defenses |
Elevation of privilege | Steal administration credentials (3 accounts) | Azure admin accounts require MFA |
Summary
The key takeaways from this document are as follows:
Snow Analytics is a cloud-based subscription service for displaying BI dashboards that deliver actionable insight for organization decision makers who use a Snow Software solution.
Organizations using Snow Analytics send usage data from their Snow solution beyond their firewall to Snow Analytics.
Third-party perimeter security test results were conducted by a world-leading provider. The results: No critical or high-level issues were identified, and all remaining items were fully remediated.
The phase-by-phase data flow is encapsulated in the following diagram:
For any other questions related to Snow Analytics security, please contact your Snow Software representative.