Pillar 1 - Security
Dremio's security pillar is essential to ensuring that your data is properly secured when you use Dremio to query your data lakehouse. The security components are especially important to consider when you architect and design your data platform. After your workloads are in production, you should review your security components on a regular basis to ensure compliance and to identify and address threats.
Leverage Industry-standard Identity Providers and Authorization Systems
Dremio integrates with several leading Identity Providers and data authorization systems. For robust enterprise integration with corporate policies, it is essential to leverage those third-party systems. We recommend systems that use multi-factor authentication and are connected to a single sign-on (SSO) platform.
Design for Least Privilege Access to Objects
When providing self-service access to your data lakehouse via Dremio’s semantic layer, access should only be granted to the data that is required for the role accessing the data.
Encrypt Access Credentials
Where possible, leverage Identity Providers such as Azure AD, OpenID, and Okta (in conjunction with SCIM where applicable) so that you never need to share passwords with Dremio. SSO with Azure AD or OpenID is recommended where possible.
When LDAP integration is required, secure communication with the LDAP provider using trusted, CA-signed certificates.
If SSO is not available, Personal Access Tokens should be used as credentials instead of passwords.
Leverage Role Based Access Controls
Access to each space, folder, view, and table can be managed and regulated using roles. Roles are used to organize privileges at scale rather than managing privileges for each individual user. You can create roles to manage privileges for users with different job functions in your organization, such as “Analyst” and “Security_Admin” roles. Users who are members of a role gain all of the privileges granted to the role. Roles can also be nested (e.g., the users in the "UK" role can automatically be members of the "EMEA" role).
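The following statements illustrate the role model described above together with the least-privilege guidance from the "Design for Least Privilege Access to Objects" section. They are an added example written for this page, not code from the Dremio documentation or product: the role, user, space, folder and view names ("Analyst", "Security_Admin", "EMEA", "UK", "Sales", "jdoe") are assumed, the user is assumed to have been provisioned through the Identity Provider, and the statement forms follow Dremio's GRANT / REVOKE SQL syntax for editions that support role-based access control; confirm the exact object types and privilege names against the documentation for your Dremio version.

```sql
-- Added example; names are assumed and the syntax should be checked
-- against your Dremio version's SQL reference.

-- 1. Create job-function roles instead of granting privileges to users.
CREATE ROLE "Analyst";
CREATE ROLE "Security_Admin";

-- 2. Regional roles, nested: members of "UK" automatically inherit
--    everything granted to "EMEA".
CREATE ROLE "EMEA";
CREATE ROLE "UK";
GRANT ROLE "EMEA" TO ROLE "UK";

-- 3. Least privilege: grant SELECT only on the curated view the role needs,
--    not on the whole "Sales" space that also holds the raw source tables.
GRANT SELECT ON VIEW "Sales"."Reporting"."orders_summary" TO ROLE "Analyst";

-- 4. Regional data is scoped through the regional role, not the job role,
--    so an analyst outside EMEA never sees this folder.
GRANT SELECT ON FOLDER "Sales"."Reporting"."EMEA" TO ROLE "EMEA";

-- 5. The security administrator manages grants on the space but is not
--    given SELECT, so administering access does not imply reading data.
GRANT MANAGE GRANTS ON SPACE "Sales" TO ROLE "Security_Admin";

-- 6. Users receive privileges only through role membership.
GRANT ROLE "Analyst" TO USER "jdoe";
GRANT ROLE "UK" TO USER "jdoe";

-- 7. Periodic review: remove a direct user-level grant that bypasses the
--    role model (here, direct SELECT on a raw table).
REVOKE SELECT ON TABLE "Sales"."raw"."orders" FROM USER "jdoe";
```

Because "jdoe" holds "UK", which is nested under "EMEA", the user can read the EMEA folder and the analyst view without any grant on the user directly; a later review of access therefore only has to inspect role memberships and the small set of grants on each role, which is what makes privileges manageable at scale.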
Access control protects the integrity of your data and simplifies the data architecture available to users based on their roles and responsibilities within your organization. Effective controls allow users to access data that is central to their work without regard for the complexities of where and how the data is physically stored and organized.