Qlik Community

QlikView Security & Governance

Discussion Board for collaboration on QlikView Security and Governance.

Announcements

Breathe easy -- you now have more time to plan your next steps with Qlik!
QlikView 11.2 Extended Support is now valid through December 31, 2020. Click here for more information.

andy
Contributor III

How to protect sensitive data?

Hi folks,

I'm building an app that holds sensitive data. No one except the end users should be able to view that data. Not the ones having access to the qvd or qvw files. Not me as the developer either. Then the qv-admins cannot be blamed if there is a leakage.

So the source data will be encrypted with a key, stay encrypted within the qvd. Then I guess the data has to remain encrypted in the qvw (or should I use sectionaccess but then I will get access as the developer or?) and when the user opens the app there is an inputfield to put the key which should decrypt the data. I've seen examples with decrypt-macros. Am I approaching this correctly? Possible with an enterprise tool like Qlikview?

/Andy

Andy

Tags (2)
10 Replies

Re: How to protect sensitive data?

Hi for Application point of view you can g with section access.

But Qvd level encryption is not supported.

Hope it helped.

Regards

ASHFAQ

MVP & Luminary
MVP & Luminary

Re: How to protect sensitive data?

Hi,

I think you cannot encrypt and decrypt data from QVD.  You can restrict the access in Qlikview files with Section access.  You can maintain two environments one for development and other for production, usually developers work on development environment and Qlikview administrator have access to Prod environment.

This way you can restrict, only Qlikview admin has full access to the files.

Regards,

Jagan.

Re: How to protect sensitive data?

Any user who can get a copy of the QVD data can read it either through QV Personal Edition or via third party QVD tools. QVDs are not a secure way of holding data.

Section access can restrict which users can view the data when using QlikView, but the developers will need access to the data to be able to develop and test the application.

The folders & files where the QVD data is held must be secured using AD file permissions so that access is only granted to the QlikView service account and developers when required. The developer permissions can be removed , or the developer account disabled when development is not taking place


MVP & Luminary
MVP & Luminary

Re: How to protect sensitive data?

No, that's not possible.


talk is cheap, supply exceeds demand
andy
Contributor III

Re: How to protect sensitive data?

Off course it is possible, everything is possible. You add a macro with

your favourite encryption algorithm, you can call the macro either from

script or from gui. If you don't know the answer, do not say it is

impossible.

I was just interesting in findings from people who have done this. Here is

an example

https://medium.com/@justin_skaggs/encryption-in-qlikview-54aedfba6f0e

Me as a developer do not need the true data to develop but can use testdata.

The qlikview administration can access the files so that is why the data

must be worthless to them, encrypted. Just like storage of passwords on any

website.

MVP & Luminary
MVP & Luminary

Re: How to protect sensitive data?

The developer has access to the load scripts where the encryption or decryption takes place. One of your requirements is that the developer has no access to the unencrypted data. Same for admins, but system admins will have access to the documents that contain the unencrypted data that are deployed on the qlikview server.

No one except the end users should be able to view that data.

That requirement cannot be met with Qlikview to the best of my knowledge.


talk is cheap, supply exceeds demand
andy
Contributor III

Re: How to protect sensitive data?

In all cases where encryption takes place the developers never have access

to the unencrypted data. Think of such a simple case as your password here

at qlik, no developer can read it out since you have the key to the

encryption. You can replace it but never retrieve it in clear text

In the scenario I think of the qlikview script fetches encrypted data which

only the end user knows the key to, stores the encrypted data in a qvd,

just as any data, then the qvw presents the encrypted data, just as any

data and the end-user can enter his key in an input variable and trig the

decrypt macro to get back the true data. I think that should be possible

and have to do a proof of concept

Cannot believe I'm the first one with that use case and Qlikview

bestofwest
Contributor II

Re: How to protect sensitive data?

You can use Hidden Script.

bestofwest
Contributor II

Re: How to protect sensitive data?

Of course you can Encrypt and Decrypt QVD.