Overview of how information security is handled in the Convier platform and in the company generally. Convier Information Security Officer: Petter Chr. Bjelland (CTO): [email protected]
There are multiple levels of authentication and authorization in Convier:
The first level is firewall/network configuration. As Convier is installed within your infrastructure, only clients within the internal network should be able to reach the server. The second level is user authentication and authorization with OIDC/OAuth. A client (an App Registration in Azure) is created, which Convier uses for access control. Users and groups are granted access to this client; users without access cannot reach the application or any projects. A user has to be assigned the role Task.Read and/or Task.Manage in the App Registration to be able to access Convier. By default, only users with the Manage role can create projects in Convier.
Instance managers have the option to invalidate all authenticated sessions, forcing re-authentication and authorization. This may be relevant after an incident, for example after misconfiguration of access.
| Operation | Task.Manage | Task.Read |
|---|---|---|
| Access data | ✔ | ✔ |
| Manage project access if project owner | ✔ | ✔ |
| Manage changes to project configuration | ✔ | ✔ |
| Save config for everyone if project manager | ✔ | ✔ |
| Create project | ✔ | |
| Manage internal data sources (csv) | ✔ | ✔ |
| Manage external data sources (sql, api, etc.) | ✔ | |
| Invalidate user sessions (force re-authentication/authorization) | ✔ | |
| Access embedded Application Performance Monitoring | ✔ | |
| Access usage metrics | ✔ | |
| Manage config orchestration if enabled | ✔ | |
| Access instance installation wizard | ✔ | |
| Access environment variable changelog (no values) | ✔ | |
Convier uses OIDC to authenticate and authorize users. An authenticated user will be assigned one cookie stored in its browser:
CONVIER_SESSION_ID: a randomly generated string, mapped server side to the generated JWTs and refresh token. Refresh tokens are persisted in the internal Convier database, encrypted with a random IV and the key from CONFIG_B64_ENCRYPTION_KEY. Tokens can be revoked by admin users. The cookie is stored with the flags Secure, HttpOnly and SameSite=Lax.
Within a project, users have the role of Read, Manage, or Own. Users with the Own role control who has access to the project.
Projects can be shared with app roles (most commonly Task.Read) and individual users, including those who have not logged in yet (though they still need to pass the first level to gain access). Users are assigned a role in the project.
It’s also possible to create new App Roles in the OIDC client and grant access to projects based on these. Users must then be assigned the App Role, for example through the Application Registration page in the Azure Portal, to gain access.
Difference between Read and Manage in a project:
Manage users can create configurations for other users within the project. Read users can make changes for themselves and propose changes, but cannot save changes for others. It is possible to share projects with users who haven’t logged in yet, but not with users who don’t have access to the application. Access to the application is controlled through your existing AD and access control/SSO.
Similar to projects, individual data sources within a project, like databases or APIs, may be associated with a role. If a required role is specified, users without the role will be prevented from seeing, connecting to, or retrieving data from the source. In addition to preventing access to the source, Convier makes a best effort to remove any metadata about the source from the configuration available to the user. Metadata that is removed includes the names of the fields loaded from the source, how it is presented, and how it is reported on.
Note: The data model configured from a restricted data source will be visible to all users who have access to the project. The data model contains type name (like “Customer”), icon and fields (like “Name”). This information is not removed as it would break configuration functionality. If the data model itself is considered too sensitive to be visible, a separate project should be created for the data source.
Convier supports encrypted communication with both client and data sources. How TLS is implemented on client-server communication depends on the installation pattern that is used. Convier can boot with a PKCS12 export (e.g. Let’s Encrypt) directly, or behind a proxy that handles encryption, e.g. Azure App Service.
Convier stores project configuration, including data source credentials, in a database. Credentials are never sent to the frontend application. This database can be configured to be stored on an external database server, but by default it is stored in a SQLite database persisted locally next to the service. The contents of the configuration are by default encrypted with AES256, but a different encryption method may be configured. The symmetric AES256 key is provided to the service as an environment variable, either in the .env file next to docker-compose.yml, or through the configuration of the Azure App Service.
The encryption key in environment variable CONFIG_B64_ENCRYPTION_KEY can be changed by following these steps:

1. … JDBC_CONNECTION_STRING)
2. Generate a new key with `openssl rand -base64 32`. Make a copy of this key.
3. Set the new key in CONFIG_B64_ENCRYPTION_KEY_ROLLING.
4. Use the "Roll encryption key" action that has appeared.
5. Set CONFIG_B64_ENCRYPTION_KEY to the new key and remove CONFIG_B64_ENCRYPTION_KEY_ROLLING (normal changes will be blocked while set).

Other sensitive information Convier needs to operate includes the secret for the OIDC client used for authentication. This secret, as well as other OIDC configuration, is provided to the service as environment variables, either in the .env file next to docker-compose.yml, or through the configuration of the Azure App Service.
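As an added example, not Convier's own tooling, the following POSIX shell script handles the .env side of the key rotation described above: it generates a key the way the steps prescribe, rejects any candidate that does not decode to exactly 32 bytes (the AES256 requirement), stages it as CONFIG_B64_ENCRYPTION_KEY_ROLLING without touching the active key, and, once the roll has been performed in Convier, promotes it to CONFIG_B64_ENCRYPTION_KEY and removes the rolling variable. The variable names come from the steps above; the .env path and the helper names (generate_key, validate_key, stage_rolling_key, promote_rolling_key, current_key) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Convier's own tooling. Edits the .env file next to
# docker-compose.yml; the "Roll encryption key" step itself happens in
# Convier between stage_rolling_key and promote_rolling_key.

# Generate a 32-byte (256-bit) key, base64 encoded, as the rotation steps prescribe.
generate_key() {
  openssl rand -base64 32
}

# Succeed only if the base64 string decodes to exactly 32 bytes (AES256 key size).
validate_key() {
  key="$1"
  n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" -eq 32 ]
}

# Read the current value of a variable from the .env file (empty if absent).
current_key() {
  sed -n "s/^$2=//p" "$1"
}

# Stage a new key as the rolling variable; the active key is left untouched.
# Returns non-zero on a malformed key or a missing .env file.
stage_rolling_key() {
  envfile="$1"; newkey="$2"
  validate_key "$newkey" || return 1
  [ -f "$envfile" ] || return 1
  # Drop any stale rolling entry, then append the new one.
  grep -v '^CONFIG_B64_ENCRYPTION_KEY_ROLLING=' "$envfile" > "$envfile.tmp"
  printf 'CONFIG_B64_ENCRYPTION_KEY_ROLLING=%s\n' "$newkey" >> "$envfile.tmp"
  mv "$envfile.tmp" "$envfile"
  chmod 600 "$envfile"   # the file holds the live secret; keep it owner-readable only
}

# After the roll has completed in Convier: make the rolling key the active key
# and remove the rolling variable (normal changes are blocked while it is set).
promote_rolling_key() {
  envfile="$1"
  newkey=$(current_key "$envfile" CONFIG_B64_ENCRYPTION_KEY_ROLLING)
  validate_key "$newkey" || return 1
  grep -v -e '^CONFIG_B64_ENCRYPTION_KEY=' \
          -e '^CONFIG_B64_ENCRYPTION_KEY_ROLLING=' "$envfile" > "$envfile.tmp"
  printf 'CONFIG_B64_ENCRYPTION_KEY=%s\n' "$newkey" >> "$envfile.tmp"
  mv "$envfile.tmp" "$envfile"
  chmod 600 "$envfile"
}
```

Usage: `stage_rolling_key ./.env "$(generate_key)"`, restart the service so the rolling variable is picked up, perform the roll in Convier, then `promote_rolling_key ./.env` and restart again. Keeping the old key until the roll has completed is what makes the procedure recoverable if it is interrupted.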
Our Software Development Life Cycle (SDLC) is designed to provide both high development speed and secure deployments. It also enables customers to anticipate and test future releases by setting up development. We actively use internal and external static code analysis, dependency analysis, unit and integration tests to ensure the security and correctness of our software. All changes that are shipped to customers are first reviewed by at least two Convier employees.
When issues (security or functional) in the software are identified, they are assigned a priority between P0 and P3: