Introduction

When the Bold BI server is installed on one machine and the database is hosted on a separate server, it is crucial to implement a robust security model that addresses both data-in-transit protection and access control. Below are best practices to enhance the security of your Bold BI deployment.

1. Network Security

• Private Network / VPC Peering: Place the Bold BI server and the database server in the same secure network segment (e.g., same VPC, VLAN, or subnet). Avoid exposing the database directly to the public internet.
• Firewall Rules: Restrict database access so that only the Bold BI server’s IP address can connect. Block all other inbound traffic.
• VPN / SSH Tunneling (if remote): If the BI server and database are in different networks, use a VPN or SSH tunnel instead of direct public connections.
• For more details, please refer documentation:
  Network Security
  How to configure IP Whitelisting

2. Encryption

• TLS/SSL for Database Connections: Enforce encrypted connections (e.g., sslmode=require in PostgreSQL, Encrypt=True in SQL Server). This ensures that data-in-transit cannot be intercepted.
• Bold BI Server HTTPS: Ensure that the Bold BI server is only accessible via HTTPS with a valid TLS certificate.
• For more details, please refer documentation:
  Transport Layer Security
  Configuring Additional Parameters for Bold BI® PostgreSQL Connector

3. Authentication & Access Control

• Least Privilege DB Accounts: Create a dedicated database user for the Bold BI server with the minimum required permissions (e.g., read-only for reporting, no DDL rights).
• Strong Authentication: Use strong passwords or, if supported, certificate-based or Kerberos authentication.
• Rotation & Secrets Management: Store database credentials securely and rotate them regularly.

4. Monitoring & Auditing

• Audit Logs: Enable database logging to monitor queries from the Bold BI server account.
• Alerting: Set alerts for unusual access patterns (e.g., large data exports outside reporting hours).
• Bold BI Server Logs: Bold BI provides audit and query logs that help administrators monitor user activities and data-query performance. Administrators can track which users accessed specific dashboards or datasets and review related query metrics for accountability.
• For more details, please refer documentation:
  Audit Logs
  How to get user audit logs in Bold BI®
  Tools for Monitoring and Improving Dashboard Performance and Query Execution

5. Server Hardening

• Patch Management: Keep both Bold BI and database servers up to date with security patches.
• OS & DB Hardening: Disable unused ports/services, enforce strong OS-level authentication, and apply CIS hardening benchmarks if available.
• Segregation of Duties: Keep Bold BI server administration and database administration roles separate.

6. Optional Enhancements

• Row-Level Security (RLS): The Bold BI tool supports RLS, allowing for user-specific access control at the data layer using RLS.
• Data Masking / Tokenization: Mask sensitive fields (PII, PHI) before they leave the database when possible.
• WAF & IDS/IPS: Add a Web Application Firewall (for the Bold BI server) and Intrusion Detection/Prevention for the network segment.
• For more details, please refer documentation:
  Row-Level Security(RLS)

By following these best practices, you can significantly enhance the security of your Bold BI server and its access to a database hosted on a different server.

Additional References

• Bold BI Documentation