Isn't TM1 Vulnerable due to file structure?
Posted: Wed Apr 17, 2013 9:59 am
by TM1KS
Hi Everyone,
I've worked on Cognos Planning for a year and recently have started working on TM1.
One major difference I found in TM1 is that it doesn't use a database at all and everything is stored in a folder on a drive.
However, this also brings to my mind that it is very vulnerable as anybody can edit/see/extract information from those files.
I tried searching a thread on this topic using keywords, however could not find one.
Please direct me to one in case there's one.
Re: Isn't TM1 Vulnerable due to file structure?
Posted: Wed Apr 17, 2013 10:09 am
by Alan Kirk
TM1KS wrote:
I've worked on Cognos Planning for a year and recently have started working on TM1.
One major difference I found in TM1 is that it doesn't use a database at all and everything is stored in a folder on a drive.
As opposed to the way that files for Oracle, SQL Server, DB2, MySQL and so forth are stored in folders on a drive?
TM1KS wrote: However, this also brings to my mind that it is very vulnerable as anybody can edit/see/extract information from those files.
Have you tried reading the numbers out of a binary .cub file, then? Good luck with that. I'm sure it's possible to do if you throw enough hacking time at it (or just load the cubes into a local server), but there's a more fundamental reason why you (as an end user or hacker) shouldn't be able to do that.
And that reason is this; just as with database files you are supposed to secure the folders that contain the TM1 server's data files using the operating system's security so that "anybody" doesn't have access to them. Only the administrators should. There is no need at all for end users to have access to the data files (or even the folders containing them), nor should they.
There is no system on earth, none, that is impervious to hacking if someone can access the source data files and is prepared to spend the time on doing it. TM1 is no different to any other system in that respect, nor is it any different to any other system in that the way to prevent that is to limit / prevent access to those files in the first place.
Re: Isn't TM1 Vulnerable due to file structure?
Posted: Wed Apr 17, 2013 10:34 am
by cgaunt
There are many large corporations that use TM1 for storing data, some of which is considered as sensitive. In partnership with a good IT department, in every case I have seen it fulfils all the audit requirements for security compliance. I think you can take some significant comfort from this that TM1 will meet safety standards.
Given Alan's comments (and caveat that no system is 100% secure) on securing the underlying file structure and a sensibly built application security model, TM1 data can be considered as safe.
Re: Isn't TM1 Vulnerable due to file structure?
Posted: Wed Apr 17, 2013 10:37 am
by TM1KS
Alan Kirk wrote: TM1KS wrote:
I've worked on Cognos Planning for a year and recently have started working on TM1.
One major difference I found in TM1 is that it doesn't use a database at all and everything is stored in a folder on a drive.
As opposed to the way that files for Oracle, SQL Server, DB2, MySQL and so forth are stored in folders on a drive?
Well, did not come to my mind. Alan, do you mean to say that it is just as vulnerable as the files from Oracle/SQL Server, DB2, MySQL and so forth had there been this database level?
Re: Isn't TM1 Vulnerable due to file structure?
Posted: Wed Apr 17, 2013 10:53 am
by Alan Kirk
TM1KS wrote: Alan Kirk wrote: TM1KS wrote:
I've worked on Cognos Planning for a year and recently have started working on TM1.
One major difference I found in TM1 is that it doesn't use a database at all and everything is stored in a folder on a drive.
As opposed to the way that files for Oracle, SQL Server, DB2, MySQL and so forth are stored in folders on a drive?
Well, did not come to my mind. Alan, do you mean to say that it is just as vulnerable as the files from Oracle/SQL Server, DB2, MySQL and so forth had there been this database level?
It's well into the evening here and I've had a long and generally pretty bleeding awful day so it's possible that my powers of comprehension aren't what they should be... but I'm afraid that I don't understand that question.
What I was saying was that all client / server data management systems, whether it be TM1 or any other system, write to files on a disk to do permanent storage of their data. And with all of those systems, the client is never supposed to interact directly with the files. Only the server application is supposed to read from or write to the files. The client software is supposed to send commands to the server software to manipulate the data, never the files. The data files are supposed to be locked away in secured folders where no normal end user can see them, access them or even be aware of their existence. It's the same for pretty much any client / server management system you'd care to name.
Re: Isn't TM1 Vulnerable due to file structure?
Posted: Wed Apr 17, 2013 11:21 am
by hbell
Alan .............. I don't disagree with the general point that TM1 is as secure as any other system. However, is it not the case that all users need write access to the TM1 data directory so that their views can be stored? I'm not sure that these are done in the name of the Service Account. On a related topic (and at the risk of thread hi-jacking), our initial reviews of 10.1.1 seem to show that the (otherwise useful) feature of being able to create a new server instance through the Admin Console appears flawed in that it creates the instance under the account of the user rather than a Service Account.
hugh
Re: Isn't TM1 Vulnerable due to file structure?
Posted: Wed Apr 17, 2013 11:34 am
by tomok
hbell wrote: However, is it not the case that all users need write access to the TM1 data directory so that their views can be stored?
No, they do not.
hbell wrote: On a related topic (and at the risk of thread hi-jacking), our initial reviews of 10.1.1 seem to show that the (otherwise useful) feature of being able to create a new server instance through the Admin Console appears flawed in that it creates the instance under the account of the user rather than a Service Account.
It just requires a second step where you go into Windows Control Panel and modify the account. Pretty simple.
Re: Isn't TM1 Vulnerable due to file structure?
Posted: Wed Apr 17, 2013 11:36 am
by lotsaram
hbell wrote: However, is it not the case that all users need write access to the TM1 data directory so that their views can be stored? I'm not sure that these are done in the name of the Service Account.
Hi Hugh - No! All the writing to the <user>}vues and <user>}subs directories is done by the service account. Users don't need and should never have access to the data directory.
Re: Isn't TM1 Vulnerable due to file structure?
Posted: Wed Apr 17, 2013 11:38 am
by Alan Kirk
hbell wrote: Alan .............. I don't disagree with the general point that TM1 is as secure as any other system. However, is it not the case that all users need write access to the TM1 data directory so that their views can be stored? I'm not sure that these are done in the name of the Service Account.
No! Emphatically, absolutely, NO! It is the server application that saves the view definitions, not the individual clients. The individual clients simply tell the server application what the definition of the views that they need to save is, and the server application handles writing those definitions to disk. When the user logs on it is the server application, not the client, which reads the client's view definitions. The view definitions are passed back from the server application to the client via the client software that they are using, be it Client, Architect, Perspectives, Web, EV or some custom thing whipped up with the API.
It is the account that the server application is running under which needs permission to read and write to the data directory, not the accounts of the end users. The server application always stands between the clients and the data directories.
I'm not sure whether it's clear enough on the subject (I don't explicitly cover the issue of data files) but this:
http://www.youtube.com/watch?v=yYHHbk8qITA
tries to explain how client/server applications work. The client does not work with the system data files.
Re: Isn't TM1 Vulnerable due to file structure?
Posted: Wed Apr 17, 2013 12:58 pm
by cgaunt
Hello Hugh,
With "No!" resounding in your ears, I think it would be churlish of me to do the same, even though we know each other well. If you permit me to be assumptive, we did once tackle a similar issue together where users needed some permission to the underlying files, but it was a TM1WEB folder issue, not data directory.
Regards to you and the team.
Re: Isn't TM1 Vulnerable due to file structure?
Posted: Wed Apr 17, 2013 9:07 pm
by Alan Kirk
cgaunt wrote: If you permit me to be assumptive, we did once tackle a similar issue together where users needed some permission to the underlying files, but it was a TM1WEB folder issue, not data directory.
For clarity, there may also be situations where there are folders into which end users can place input data files for upload by TI. Similarly there may be situations where there are folders which receive exports that have been created by TI. In both cases both the end user and the TM1 server application (or, more technically, the account that it's running under) will have read/write access to those folders.
However, those folders should again be separate and distinct from the system data folders, even if they exist on the same server box.
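The point made in the replies above (only the administrators and the account the TM1 server runs under should have access to the data directory), as an added example that is not part of any post in this thread: a PowerShell audit that lists every "Allow" entry on the data directory tree granted to anyone outside an allow-list. The path `D:\TM1\Data` and the account `EXAMPLE\svc_tm1` are hypothetical placeholders.

```powershell
# Added example (not from the thread). Path and account names are hypothetical.
function Get-UnexpectedAccess {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedIdentities
    )
    $root  = Get-Item -LiteralPath $Path
    # Audit the directory itself plus every child: an explicit ACE on a
    # subfolder (for example a <user>}vues folder) or on a single file can
    # grant access that the parent directory does not.
    $items = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Inherited ACEs are reported once, where they are set or at the root.
            if ($item.FullName -ne $root.FullName -and $rule.IsInherited) { continue }
            # -contains compares strings case-insensitively.
            if ($AllowedIdentities -contains $rule.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Hypothetical allow-list: local SYSTEM, administrators, and the TM1 service account.
$allowed  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'EXAMPLE\svc_tm1')
$findings = @(Get-UnexpectedAccess -Path 'D:\TM1\Data' -AllowedIdentities $allowed)
if ($findings.Count -eq 0) { 'No unexpected access entries found.' }
else { $findings | Sort-Object Path, Identity | Format-Table -AutoSize }
```

Folders used for TI uploads and exports would be audited separately with their own allow-list, since end users legitimately have read/write access there.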
Re: Isn't TM1 Vulnerable due to file structure?
Posted: Thu Apr 18, 2013 4:24 am
by George Regateiro
cgaunt wrote: Hello Hugh,
With "No!" resounding in your ears, I think it would be churlish of me to do the same, even though we know each other well. If you permit me to be assumptive, we did once tackle a similar issue together where users needed some permission to the underlying files, but it was a TM1WEB folder issue, not data directory.
Regards to you and the team.
Even the TM1Web issue you speak of was not really a risk since if you configured the web application correctly to not allow browsing and the other standard web permissions you were not really opening yourself to much risk. Since it did not require you to make it a share drive there are only a couple of methods of access:
1) The TM1Web Application, which is controlled by what the aspx pages are programmed to do
2) Have physical access to the server, which is easily mitigated by a decent IT admin
Re: Isn't TM1 Vulnerable due to file structure?
Posted: Tue Apr 30, 2013 8:49 am
by hbell
Thanks everyone for the correction on views - feeling suitably sheepish
hugh