sahia
Sisense Team Member

Sisense Cloud Security Action Plan

Recently, Sisense experienced a security incident that prompted us to take immediate steps to enhance the security measures for the impacted Cloud Customers. As part of our response, we are issuing this article to ensure that your systems remain secure. It is crucial that certain credentials and configurations are updated promptly.

In response to the incident, we are advising the impacted Cloud Customers to update the following components:

First, user passwords, including your license credentials, need to be rotated to mitigate any potential risk stemming from the incident. Second, database credentials must be updated to fortify the security of your database infrastructure. Third, the system secret used for signing all logins, both UI and API access, requires rotation to uphold robust security standards.

While regular updates of these credentials and configurations are recommended as best practices, we are proactively assisting you in executing these specific actions following the recent security incident. This proactive approach aims to safeguard your data and maintain the integrity of your system.

Additionally, starting from version L2024.1, we will be implementing API token expirations. The expiration timing will align with cookie or session settings configured in Session Management, accessible under the Admin tab. This measure is intended to enhance security by automatically expiring API tokens based on session policies, thus reducing potential exposure.

Our dedicated Sisense Support team is available to assist you throughout this process. Whether you require guidance on running the recommended steps or have questions regarding security best practices, please do not hesitate to raise a ticket. We are committed to collaborating with you to ensure your system's security and operational continuity.

Together, we can fortify your system against evolving security threats and maintain a secure environment for your data and operations.

Note: The instructions below are only relevant to our MS Cloud deployments running Linux. For Windows, the configuration manager is unavailable, so the secret should be updated via the REST API.

Secret

This secret is used to sign cookies for each login, ensuring that all current sessions are logged out when it is modified. Rotating the key will invalidate all active sessions, including user logins and bearer tokens, thereby logging users out. If you are using API Tokens (also known as Bearer Tokens) within your embedded application, this change will disrupt authentication. Therefore, after changing this secret, please generate a new API Token and update your application accordingly.

The format of this secret is a GUID. You can generate one using the following link: GUID Generator.

There are two ways to update the secret: through the Configuration Manager or via the REST API.

1. Updating via REST API

  • Navigate to the Admin Tab.
  • Go to the REST API.
  • Select version 0.9.
  • Use the POST /settings/security endpoint.
  • Use the following example payload with your generated GUID to update the secret.

{
  "secret": "c43a8ea1-f5ac-47d2-9bf4-980c6472106f"
}

2. Updating via Configuration Manager

  • Navigate to the Admin tab.
  • Go to Server & Hardware.
  • Select System Management.
  • Click Configuration.
  • Click the Sisense logo (top left) five times to access the extended menu.
  • Go to Base Configuration.
  • Select Security (you can also filter “secret” from the search on the top right corner).
  • Update the secret with the GUID you generated.

Step 1: Open the Configuration Manager.

Step 2: Go into the Base Configuration to update the secret.

Change Database Credentials

To ensure best practices following the recent security incident, we require all database credentials to be rotated. This measure is crucial to safeguard your database from potential threats. Please update your database credentials and then raise a ticket with Sisense support. We will assist you in updating the Elasticube and Live Models. To minimize downtime, we can collaborate with you to complete this process efficiently. Please note that there will be a temporary period of downtime after the database credentials are updated until they are fully integrated on Sisense’s end.

Change User Credentials

To ensure your system's security, it is essential to rotate the passwords of all users. This step may not apply if you are using Single Sign-On (SSO), as passwords are not stored on Sisense. However, even with SSO enabled, some users might still have native Sisense accounts with set passwords. Therefore, you could be in one of the following scenarios:

  • You are not using SSO and need to rotate all passwords.
  • You are using SSO with no native Sisense users.
  • You are using SSO along with some native Sisense users.

Below, we will discuss the appropriate actions for each scenario.

1. SSO is not Enabled

For customers who do not utilize SSO, we have a script available upon request. This script connects to your application database (e.g., Sisense Mongo) to remove passwords for all users and clear any active sessions, effectively logging out all users from the system. Subsequently, users can access the login screen and initiate the password reset process using the "Forgot your password" option to set a new password.

2. SSO Enabled

If SSO is enabled and there are no native users present, there is no requirement to update any passwords as they are not stored on Sisense. Typically, the System Administrator will have a password set. If this applies to your scenario, you can log in as the System Administrator and update the password accordingly.

3. SSO enabled with Sisense Native users

If you have both SSO users and native Sisense users, the "Forgot your password" wizard cannot be used, because it would allow SSO users to set a password and bypass SSO authentication.

To address this, we have a script that filters out only the Sisense native users and sends them a "Forgot Password" email to reset their password.

This script can only be executed by an admin user, or we can run it on your behalf. Please raise a ticket with us for assistance.

4. Other SSO configurations to update

If you are using SAML, please ensure you rotate the X.509 certificate for your SSO SAML identity provider.

For those using JWT, it is also necessary to rotate the SSO Shared Secret. This action will invalidate your SSO tokens, so please ensure you regenerate them after making this change. If you have hardcoded the secret in your workflow (which is not recommended), please update it accordingly. The SSO secret is a 64 bit alphanumeric key; you can use a Random Alphanumeric Generator to generate this shared secret.

Additionally, do not reuse the key described above (security.secret) as the SSO shared secret; the two values must be different to maintain the security of your system.

Updating the SSO shared secret can be accomplished via the REST API and the Configuration Manager. Please refer to the instructions below for each method.

1. Updating via REST API

  • Navigate to the Admin Tab.
  • Go to the REST API.
  • Select version 0.9.
  • Use the POST /settings/sso endpoint.
  • Use the following example payload with your generated shared secret to update the setting.

{
  "sharedSecret": "oNNgHtcSZOGexMomyrbslzJpqcCNpuaB0ja05pfnHhLcyP6IYrNW3PRVGWixO6Pwh"
}

2. Updating via Configuration Manager

  • Navigate to the Admin tab.
  • Go to Server & Hardware.
  • Select System Management.
  • Click Configuration.
  • Click the Sisense logo (top left) five times to access the extended menu.
  • Go to Base Configuration.
  • Select Security (you can also filter “secret” from the search on the top right corner).
  • Update the shared secret with the alphanumeric key you generated.
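Both REST API rotations described above (POST /settings/security with a GUID, and POST /settings/sso with a shared secret) can be scripted so that the two values come from a CSPRNG, are validated against the rules this article gives, are applied in a safe order and are then verified. The Python below is an added example written for this article, not Sisense's own tooling; the base URL, the /api prefix in front of the documented paths, the Bearer authorization header, the SISENSE_API_TOKEN environment variable and the GET request used for verification are assumptions. It also generalizes the article's point about ordering: because rotating security.secret invalidates every bearer token, including the one making the calls, the SSO shared secret is posted first and security.secret last.

```python
import json
import os
import re
import secrets
import string
import urllib.request
import uuid
from urllib.error import HTTPError

# Assumed, not from the article: base URL and the /api prefix in front of the documented paths.
BASE_URL = "https://sisense.example.internal"
SECURITY_ENDPOINT = "/api/settings/security"   # article: POST /settings/security (REST API 0.9)
SSO_ENDPOINT = "/api/settings/sso"             # article: POST /settings/sso (REST API 0.9)

ALPHANUMERIC = string.ascii_letters + string.digits
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def generate_security_secret() -> str:
    """Random version-4 GUID, the format the article requires for security.secret."""
    return str(uuid.uuid4())


def generate_sso_shared_secret(length: int = 64) -> str:
    """Random alphanumeric key drawn from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def is_valid_guid(value: str) -> bool:
    return bool(GUID_RE.match(value))


def is_valid_shared_secret(value: str) -> bool:
    """At least 64 alphanumeric characters (the article's example is 65 characters long)."""
    return len(value) >= 64 and all(c in ALPHANUMERIC for c in value)


def check_secrets(security_secret: str, sso_shared_secret: str) -> list:
    """Problems with the pair of values; an empty list means both are acceptable."""
    problems = []
    if not is_valid_guid(security_secret):
        problems.append("security.secret is not a GUID")
    if not is_valid_shared_secret(sso_shared_secret):
        problems.append("sharedSecret must be at least 64 alphanumeric characters")
    if sso_shared_secret == security_secret:  # the article says not to reuse security.secret here
        problems.append("sharedSecret must not reuse security.secret")
    return problems


def build_payloads(security_secret: str, sso_shared_secret: str) -> tuple:
    """The two JSON bodies shown in the article, after validation."""
    problems = check_secrets(security_secret, sso_shared_secret)
    if problems:
        raise ValueError("; ".join(problems))
    return {"secret": security_secret}, {"sharedSecret": sso_shared_secret}


def call_api(method: str, path: str, token: str, payload=None, timeout: int = 30) -> int:
    """One authenticated request; returns the HTTP status (assumed Bearer scheme)."""
    body = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        BASE_URL + path, data=body, method=method,
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def rotate_all(token: str) -> dict:
    """Post the SSO shared secret FIRST and security.secret LAST: changing security.secret
    invalidates every session and bearer token, including the one making these calls."""
    security_secret = generate_security_secret()
    sso_shared_secret = generate_sso_shared_secret()
    security_payload, sso_payload = build_payloads(security_secret, sso_shared_secret)
    sso_status = call_api("POST", SSO_ENDPOINT, token, sso_payload)
    security_status = call_api("POST", SECURITY_ENDPOINT, token, security_payload)
    # Assumed verification: the old token must now be refused. If it is still accepted,
    # the old sessions are still live and the rotation has not taken effect.
    old_token_rejected = call_api("GET", SSO_ENDPOINT, token) in (401, 403)
    return {
        "sso_status": sso_status,
        "security_status": security_status,
        "old_token_rejected": old_token_rejected,
        "new_security_secret": security_secret,      # hand these to your secret store,
        "new_sso_shared_secret": sso_shared_secret,  # never log them
    }


if __name__ == "__main__":
    outcome = rotate_all(os.environ["SISENSE_API_TOKEN"])  # assumed environment variable name
    print({k: v for k, v in outcome.items() if not k.startswith("new_")})
```

Run it with an admin API token in SISENSE_API_TOKEN, store the two returned values in your secret manager, and then, as the article says, issue a fresh API token for any embedded application, since the old one is invalidated by design. If old_token_rejected comes back False, the old sessions are still live and the rotation should be treated as not done.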

License Password

When we set up your deployment, a license is generated for you. This license is used to activate your Sisense deployment. By default, these license credentials are used to create the first user in the system, i.e., the System Admin account. Please ensure you have updated your license password by logging into my.sisense.com and updating your password there. If you do not remember this password, please click on “Forgot Password” to get an email to reset your password.

Note: Some AI services also need your license password to connect to our services such as Quest and Warehouse. Once your license password has been updated, please log in to the UI as an Admin and update the license password there.

To update the password, please perform the steps below:

  • Navigate to the Admin tab.
  • Go to App Configuration.
  • Select License Utilization.
  • Enter the new license credentials.
