Best Practices for Securing Bold BI Server and Access to Database on a Different Server
Introduction
When the Bold BI server is installed on one machine and the database is hosted on a separate server, it is crucial to implement a robust security model that addresses both data-in-transit protection and access control. Below are best practices to enhance the security of your Bold BI deployment.
1. Network Security
- Private Network / VPC Peering: Place the Bold BI server and the database server in the same secure network segment (e.g., same VPC, VLAN, or subnet). Avoid exposing the database directly to the public internet.
- Firewall Rules: Restrict database access so that only the Bold BI server’s IP address can connect. Block all other inbound traffic.
- VPN / SSH Tunneling (if remote): If the BI server and database are in different networks, use a VPN or SSH tunnel instead of direct public connections.
- For more details, refer to the documentation:
Network Security
How to configure IP Whitelisting
2. Encryption
- TLS/SSL for Database Connections: Enforce encrypted connections (e.g., sslmode=require in PostgreSQL, Encrypt=True in SQL Server). This ensures that data-in-transit cannot be read if it is intercepted.
- Bold BI Server HTTPS: Ensure that the Bold BI server is only accessible via HTTPS with a valid TLS certificate.
- For more details, refer to the documentation:
Transport Layer Security
Configuring Additional Parameters for Bold BI® PostgreSQL Connector
3. Authentication & Access Control
- Least Privilege DB Accounts: Create a dedicated database user for the Bold BI server with the minimum required permissions (e.g., read-only for reporting, no DDL rights).
- Strong Authentication: Use strong passwords or, if supported, certificate-based or Kerberos authentication.
- Rotation & Secrets Management: Store database credentials securely and rotate them regularly.
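The following PostgreSQL script is an added example (not from the Bold BI documentation) of the least-privilege account described above: a login role that can only read reporting tables, with a verification query that should return no rows. The database name "reporting", the owner role "app_owner", the role name "boldbi_reader" and the BI server address are assumptions; the password is a placeholder.

```sql
-- Dedicated read-only role for the Bold BI server (assumed names, example only).
CREATE ROLE boldbi_reader
    LOGIN
    PASSWORD 'REPLACE_WITH_SECRET'          -- placeholder: supply from a secrets manager
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
    CONNECTION LIMIT 20;                     -- cap concurrent BI connections

-- Remove PUBLIC defaults that would otherwise give every role CREATE/TEMP.
-- Note: these affect all roles in the database, not only boldbi_reader.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;  -- already the default on PostgreSQL 15+
REVOKE TEMP   ON DATABASE reporting FROM PUBLIC;

-- Grant only what dashboards need: connect, see the schema, read tables/views.
GRANT CONNECT ON DATABASE reporting TO boldbi_reader;
GRANT USAGE   ON SCHEMA public      TO boldbi_reader;
GRANT SELECT  ON ALL TABLES IN SCHEMA public TO boldbi_reader;

-- Tables created later by the application owner stay read-only for BI.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
    GRANT SELECT ON TABLES TO boldbi_reader;

-- Bound the impact of a runaway dashboard query.
ALTER ROLE boldbi_reader SET statement_timeout = '60s';

-- Server-side enforcement of sections 1 and 2 belongs in pg_hba.conf (not SQL):
--   hostssl  reporting  boldbi_reader  <BI-SERVER-IP>/32  scram-sha-256
-- This accepts the BI role only over TLS and only from the BI server's address.

-- Verification: must return zero rows. Any row means the BI role can write
-- to that relation and the extra privilege has to be revoked.
SELECT n.nspname AS schema_name, c.relname AS relation_name
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind IN ('r', 'p', 'v', 'm', 'f')
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND (   has_table_privilege('boldbi_reader', c.oid, 'INSERT')
       OR has_table_privilege('boldbi_reader', c.oid, 'UPDATE')
       OR has_table_privilege('boldbi_reader', c.oid, 'DELETE')
       OR has_table_privilege('boldbi_reader', c.oid, 'TRUNCATE'));
```

Run the verification query again after every schema change or credential rotation, since a new table owned by a role other than app_owner is not covered by the default-privilege rule above.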
4. Monitoring & Auditing
- Audit Logs: Enable database logging to monitor queries from the Bold BI server account.
- Alerting: Set alerts for unusual access patterns (e.g., large data exports outside reporting hours).
- Bold BI Server Logs: Bold BI provides audit and query logs that help administrators monitor user activities and data-query performance. Administrators can track which users accessed specific dashboards or datasets and review related query metrics for accountability.
- For more details, refer to the documentation:
Audit Logs
How to get user audit logs in Bold BI®
Tools for Monitoring and Improving Dashboard Performance and Query Execution
5. Server Hardening
- Patch Management: Keep both Bold BI and database servers up to date with security patches.
- OS & DB Hardening: Disable unused ports/services, enforce strong OS-level authentication, and apply CIS hardening benchmarks if available.
- Segregation of Duties: Keep Bold BI server administration and database administration roles separate.
6. Optional Enhancements
- Row-Level Security (RLS): Bold BI supports RLS, which restricts each user to the rows they are permitted to see, enforcing access control at the data layer.
- Data Masking / Tokenization: Mask sensitive fields (PII, PHI) before they leave the database when possible.
- WAF & IDS/IPS: Add a Web Application Firewall (for the Bold BI server) and Intrusion Detection/Prevention for the network segment.
- For more details, refer to the documentation:
Row-Level Security (RLS)
By following these best practices, you can significantly enhance the security of your Bold BI server and its access to a database hosted on a different server.