Data Connect Security
Data Connect operates under a shared responsibility model. You supply the physical or virtual compute resources, and Tableau hosts and manages the Data Connect Kubernetes cluster on those resources. Tableau reduces your administrative overhead by remotely managing, monitoring, and maintaining the Kubernetes cluster: it monitors traffic and connection status and performs remedial actions to maintain continuous availability, so you do not have to. To reduce latency and network congestion, Data Connect lets you choose the data centers, edge locations, and environments that best meet your performance requirements. In this model, Tableau is responsible for operating the Data Connect service securely, and you are responsible for securing and managing the infrastructure and networking layers.
Security designs
Data Connect applies the following security designs:
- The Data Connect service is a control plane service and does not have access to your data. Its underlying component is Tableau Bridge.
- To transfer data securely, Data Connect uses Tableau Bridge, which establishes persistent connections with Tableau Cloud over secure WebSockets (WSS).
- The Data Connect service never handles database credentials or database access. Database credentials are stored securely on Tableau Cloud and are passed only to the Tableau Bridge client selected to perform a refresh. Tableau Bridge clients run on the Data Connect agent.
- All communication is initiated from behind your firewall, so no additional inbound firewall rules or exceptions are required.
Tableau Bridge is the underlying component of the Data Connect agent. Among other operations, Bridge accesses your data and establishes the secure WebSocket connections with Tableau Cloud. See Bridge Windows Security.
Architecture
Data Connect consists of the following communication paths:
- Tableau Cloud → orchestration service
- Kubernetes cluster → orchestration service
- Kubernetes cluster → container
- Tableau user → Tableau Cloud
- Data Connect agent (container) → Tableau Cloud
- Data Connect agent (container) → your database
Security Layers
The Data Connect solution has three layers: the application installed in your infrastructure, the orchestration layer used to deploy and manage the application(s), and the supporting network and hardware infrastructure.
- Application layer: database authentication, sending data to Tableau Cloud, and networking considerations. See Bridge Windows Security.
- Orchestration layer: see the Container orchestration section below.
- Infrastructure layer: under the Data Connect shared responsibility model, the security of the infrastructure itself is your responsibility. How the Data Connect orchestration layer interacts with your infrastructure is described in the sections below.
Service configuration
During configuration, you are responsible for configuring and initiating the service from within your network. This process grants the correct level of access and specifies which Data Connect nodes to integrate with your Tableau Cloud site. For details, see Step 2: Set Up Your Cluster.
On initialization of the Data Connect solution, the following takes place:
- Data Connect node health is validated.
- A secure connection is established with the orchestration provider service over port 443.
- Kubernetes operations software is downloaded and installed onto the computer. This software allows Tableau to remotely deploy and manage Data Connect.
- Data Connect node information is queried over the secure connection to maintain the health of the service.
Your data is never transferred over the orchestration connection.
Tableau Cloud communication
All communication from your infrastructure to Tableau Cloud is initiated from behind your firewall, so you do not have to manage additional inbound exceptions.
For more information about Data Connect communication and your infrastructure configurations, see Networking specifications.
Tableau Cloud authentication
The Tableau Bridge clients deployed by Data Connect authenticate to, and are authorized by, Tableau Cloud with personal access tokens (PATs). Before deploying Data Connect, create the PATs in the Tableau Cloud administrative console, then configure the Data Connect service to use those tokens for authentication from your Data Connect agent to Tableau Cloud. Treat the PAT secret as a credential: it is displayed only once, when the token is created, so store it in your secrets manager rather than in configuration files or container images, and rotate it on the schedule your organization applies to service credentials.
Database authentication
You can find more details about Authentication in Bridge Windows Security.
In the context of database authentication, note that Data Connect supports only Bridge refresh schedules; Bridge legacy schedules are not supported.
Container orchestration
The orchestration layer is exclusively a control layer: it has no access to the data layer and therefore never interacts with customer data. The only Data Connect component that touches the data layer is the application installed on your infrastructure, the Data Connect agent, a service that runs the Tableau Bridge client.
Security FAQ
What code is provisioned onto containers?
In addition to the software required for Kubernetes operations (kops), Tableau Bridge for Linux for Containers is deployed. You must provision the database drivers yourself when you create the base image.
How can I manage detected vulnerabilities on the software deployed by Data Connect?
You supply all of the software deployed by Data Connect through the base image. To change the deployed software (for example, to patch a detected vulnerability in a driver or other component you added), supply a new base image; it is then deployed to all Data Connect nodes in that pool.
What level of computer access does Data Connect require?
Data Connect requires administrative-level access to your infrastructure. This access allows Tableau to update and maintain the service.