Cluvio Security & Privacy Overview

Architecture and Hosting

Cluvio is a software-as-a-service platform for data analytics. This document outlines the security architecture of Cluvio as well as topics related to the security of database connections and your data.

The Cluvio platform is deployed and runs in 2 separate locations on Amazon Web Services in the eu-central-1 (Frankfurt, Germany) and us-west-2 (Oregon, US) AWS regions. Cluvio utilizes 3rd party services, such as Recurly (billing), Braintree (credit card processing), Elev.io (in-app help), Sendgrid (email), PagerDuty (alerting) or Sentry, Pingdom and NewRelic (monitoring).

Cluvio leverages a set of best-practices that guarantee system security and data privacy:

  • A service-oriented architecture where each service only has limited permissions according to its role.
  • Multi-layered approach to system security and data access.
  • Encryption of data at rest and in transit, even within private networks.
  • Auditing of all operations, i.e. all changes can be attributed to a user account.
  • Continuous monitoring of the infrastructure both from inside and outside.

Here is a basic overview of the Cluvio architecture, showing its role as a mediator for data access and visualisation.

Database connection security

To be able to run queries that power the analytical reports, Cluvio needs read-access to your database or data warehouse. To access the data securely, Cluvio supports many approaches that evolved over the years of increasing use and acceptance of Cloud BI tools. These approaches cover both connections to cloud hosted databases like AWS RDS, Redshift, Snowflake, BigQuery or Microsoft Azure, as well as connections to databases installed on your own servers on cloud providers or dedicated hardware behind a firewall. Concretely, data access with Cluvio can be secured as follows:

  • Configuring your firewall to allow inbound access from Cluvio-owned, trusted IP addresses and database specific port numbers.
  • Using transport-layer security (TLS) for database connections, if supported by the database.
  • Proxying database access through an SSH tunnel that trusts a Cluvio-owned public key. Since only Cluvio owns the corresponding private key, only Cluvio can establish connections through your SSH server.
  • Use of Cluvio-specific read-only users in the database to control precisely what operations can be performed with Cluvio.
  • Use of an open-source Cluvio Agent that establishes encrypted connections to Cluvio from within your secured network, thus requiring no changes to your inbound firewall rules. A popular and modern alternative to an SSH tunnel, a Cluvio Agent even enables easy and secure access to databases on your local computer - ideal for experimentation or using Cluvio for ad-hoc data analysis without a dedicated remote database.

More details can be found in the Cluvio Documentation.

How Cluvio uses data in your database

Cluvio analytics are based on SQL and as such do not perform other operations on the database than running specific SQL queries for retrieving database metadata and running SQL queries on request of an authenticated and authorized user in order to to fetch the data that underlies the analytical reports.

The results of the database schema queries are stored as metadata as long as the originating data source exists. The results of the report query executions are stored in a transient cache within a secured Cluvio private network for up to 24 hours, after which all the data are automatically purged and no copies of it are retained.

In more detail, the queries that Cluvio performs against your database are as follows:

  • On initial connection to your database, Cluvio runs SQL queries to determine metadata about the database (version, time zone, number of connections allowed) and the schema of the database (e.g. schemas, tables and columns). The schema information is refreshed every 24 hours so that it is kept up to date.
  • On running a query in the query editor by an authorised user, the SQL is executed against the database. The exact SQL query executed can be seen the Results tab in the query editor.
  • For existing reports on a dashboard, the corresponding query is executed against the database whenever one of the following conditions applies:
    • The report is manually refreshed (i.e. the user hits Refresh on a report or the entire dashboard.
    • The dashboard is accessed and the source data for a report are not present in the Cluvio cache.
    • The dashboard parameters are changed and the results for that specific combination of parameters is not in the Cluvio cache.
  • For SQL alerts, the query associated with the alert is executed according to the configured schedule.
  • For custom filters on a query, the query is executed to refresh the values according to the schedule configured for the filter.

Data security

Any data that is either related to your account or a result of one of the analytical queries is protected in transit and at rest.

Data in transit

In transit security refers to security of the data as it is transmitted between the Cluvio services and the end user’s computer. All Cluvio communication is performed with transport-layer security (TLS/HTTPS). The Cluvio API is not accessible via unencrypted HTTP connections and clients requesting such connections are immediately redirected to secure transport protocols. Furthermore, all API operations that contain account information or data require user authentication and authorisation.

Data at rest

Cluvio stores all account data in a database that is encrypted at rest and all backups of the data are encrypted as well. User passwords are stored as salted, cryptographic hashes to prevent recovery and abuse even in the case of a compromised database. Database connection passwords or authorization strings are stored with 256-bit symmetric encryption.

Access security

All Cluvio APIs that provide access to the account data require authentication via email and password. The result of successful authentication is a time-constrained session and an access token that authorizes API access in the context of that session. The following measures are taken to prevent abuse and facilitate recovery:

  • A minimum length requirement for user passwords of at least 8 characters.
  • Email confirmation is required for any new user account or changes to a user's email address.
  • Accounts are locked after a certain number of failed login attempts, requiring unlocking through a link that is sent to the account's email address.
  • A password reset can be performed through a link that is sent to an account's registered email address.

Auditing

Cluvio audits all changes made by a user in the context of an organization. This includes logging in or out (with IP address), running queries and creating, changing or deleting reports, dashboards or any other objects. The audit logs can be provided to account admins on request.

Monitoring

Cluvio employs a wide range of monitoring services that guarantee the uptime of the Cluvio platform and allow us to respond quickly to any operational problems. This includes:

  • API availability monitoring
  • Server log monitoring
  • Server components and services availability monitoring
  • Browser error monitoring

The summary of the Cluvio platform status, as well as historical incidents, can be viewed at any time at http://status.cluvio.com.

Data retention & physical media

Data retention

Cluvio never stores results of your analytical queries other than in the context of transient caching of results (kept for up to 24 hours and purged afterwards). Account data are stored as part of a database backup in encrypted form. These backups are kept for a limited time (usually at most 30 days).

Physical media

All physical storage devices of Cluvio are on AWS. Amazon AWS employs the Guidelines for Media Sanitization (NIST 800-88 or DoD 5220.22-M) where all physical devices are destroyed within Amazon premises without leaving these locations. A detailed description can be found in the AWS Security Whitepaper on page 8, section “Storage Device Decommissioning”.

Certifications & Compliance

Cluvio successfully completed a AWS Foundational Technical Review that is regularly re-evaluated. Amazon AWS itself complies with some of the most demanding certifications, namely:

  • Sarbanes-Oxley (SOX) compliance
  • ISO 27001 Certification
  • PCI DSS Level I Certification
  • HIPAA compliant architecture
  • SOC1 Audit, SOC2, SOC3
  • FISMA MediumATO
  • Service Health Dashboard

For an up-to-date list of certifications and compliance audit reports, please see https://aws.amazon.com/compliance.

Responsible Disclosure Policy

If you are a security expert or researcher and you believe that you have found a security issue in Cluvio, we encourage you to notify us at security@cluvio.com. Please make a good faith effort to protect our users' privacy and data. We look forward to working with you to resolve the issue as soon as possible and will award bug bounties if applicable.