
Jaspersoft: A multi-layered approach to data security

Jaspersoft provides data security with a multi-layered approach

Reporting and analytics are no longer confined to back-end operations. Today, many organizations embed analytics directly in customer-facing applications. While this offers convenience and efficiency, it also widens the attack surface, and organizations should be aware of the risk. Reports and embedded analytics often contain sensitive information, such as customers' personal data, trade secrets, and financial figures. If this data falls into the wrong hands, the organization faces serious security and legal consequences. It is therefore imperative to control which data each type of user can see or access. In short, organizations must prioritize security when leveraging reporting tools.

Why security is important for reports and embedded analytics

The sensitivity of the data typically contained in reports is the main reason security must be an essential element of any reporting tool. Without strong security, that data is exposed to:

  • Data breaches: One of the biggest threats that organizations (large and small) must prepare for is malicious actors looking to steal data. Attackers monetize stolen data in various ways, such as selling it on the Dark Web or using it to extort money from the affected organization.

  • Non-compliance: Regulations and industry standards, such as HIPAA, GDPR, and PCI DSS, set requirements for how businesses in their respective sectors must handle data. If attackers or unauthorized individuals access organizational data, you risk non-compliance, which usually attracts fines or penalties.

  • Loss of customer trust: Your customers expect you to protect their sensitive data. If you can't do that, they'll have trouble trusting your services or products, which scares away existing and potential customers.

  • Legal issues: Data breaches and non-compliance can lead to lawsuits from affected customers. Legal proceedings are usually expensive and put financial strain on your organization.

Jaspersoft’s security architecture

Jaspersoft is a reporting tool created with security in mind. Its architecture follows a multi-layered security model made up of the mechanisms discussed below:

Users, roles, and resource permissions

Jaspersoft enforces access control through user accounts and roles: authentication establishes who the user is, and authorization decides what that user may do. To limit insider threats, the server distinguishes ordinary users from administrators.

Administrators have more access and action rights than ordinary users. They monitor server activity, can open sensitive resources such as data source (database connection) definitions, and manage other users and their roles. A user's roles determine their permissions, so a user can reach only the resources an administrator has granted to those roles. Permissions are set per repository resource (folders, reports, data sources), which is what lets one report be visible to one role and hidden from another.

Menus and pages

User roles dictate which menus and pages each user sees. For instance, only administrators can open the Manage menu, which lets them add or delete users and assign roles. Jaspersoft lets you adjust which roles may access these pages and menus.

Organizations

Organizations are Jaspersoft's unit of multi-tenancy. Each organization has its own users and administrators, and both are confined to the resources of their organization. An organization administrator has more privileges than an ordinary user of that organization, but cannot see or access resources, users, or roles belonging to any other organization; only the system-level administrator who manages the server as a whole has that view. JasperReports Server achieves this by isolating organizations from one another even though they share the same server instance.
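The three rules above (organization isolation, administrator privilege inside an organization, role-based permissions for everyone else) are easy to get subtly wrong when you write your own authorization layer around an embedded reporting server, so here they are as one explicit decision function. This is an added illustration, not JasperReports Server code; the organization, user, role, menu and repository names are constructed for the example.

```python
"""Organization-scoped role-based authorization, written as an added
illustration of the users/roles/organizations model described above.
This is not JasperReports Server code; the organization, user, role and
resource names below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

ADMIN_ROLE = "ROLE_ADMINISTRATOR"       # organization administrator
ADMIN_ONLY_MENUS = {"Manage"}           # menus reserved for administrators
ALL_MENUS = {"View", "Create", "Manage"}


@dataclass(frozen=True)
class User:
    name: str
    org: str                            # organization the account belongs to
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    path: str                           # repository path of a report, folder, data source...
    org: str                            # owning organization
    # role -> permissions granted on this resource ("read", "execute", ...)
    acl: Dict[str, FrozenSet[str]] = field(default_factory=dict)


def is_allowed(user: User, resource: Resource, perm: str) -> bool:
    """Decide whether `user` may perform `perm` on `resource`.

    1. Organizations are isolated: nobody, administrator or not, reaches a
       resource owned by another organization.
    2. Inside the organization an administrator may do anything, including
       reading sensitive resources such as data source definitions.
    3. Everyone else gets exactly what the resource's role-based ACL grants.
    """
    if user.org != resource.org:
        return False
    if ADMIN_ROLE in user.roles:
        return True
    return any(perm in resource.acl.get(role, frozenset()) for role in user.roles)


def visible_paths(user: User, resources: List[Resource]) -> List[str]:
    """Repository listing as the user would see it: only readable resources."""
    return [r.path for r in resources if is_allowed(user, r, "read")]


def visible_menus(user: User) -> Set[str]:
    """Menus are role-driven too: the Manage menu is hidden from non-admins."""
    if ADMIN_ROLE in user.roles:
        return set(ALL_MENUS)
    return ALL_MENUS - ADMIN_ONLY_MENUS


# Constructed sample tenants, users and repository resources.
ACME_ADMIN = User("acme_admin", "acme", frozenset({ADMIN_ROLE}))
ACME_ANALYST = User("acme_analyst", "acme", frozenset({"ROLE_USER", "ROLE_ANALYST"}))
GLOBEX_ADMIN = User("globex_admin", "globex", frozenset({ADMIN_ROLE}))

SALES_REPORT = Resource("/acme/reports/sales", "acme", {
    "ROLE_ANALYST": frozenset({"read", "execute"}),
    "ROLE_USER": frozenset({"read"}),
})
WAREHOUSE_DS = Resource("/acme/datasources/warehouse", "acme")   # no ACL entries: admin-only
GLOBEX_REPORT = Resource("/globex/reports/payroll", "globex",
                         {"ROLE_USER": frozenset({"read"})})
REPOSITORY = [SALES_REPORT, WAREHOUSE_DS, GLOBEX_REPORT]


if __name__ == "__main__":
    for u in (ACME_ADMIN, ACME_ANALYST, GLOBEX_ADMIN):
        print(u.name, "sees", visible_paths(u, REPOSITORY),
              "menus", sorted(visible_menus(u)))
```

The order of the checks matters: the organization test runs first, so an administrator of `globex` is refused on an `acme` resource before the administrator shortcut is ever consulted. Putting the admin shortcut first is the classic bug that turns a tenant administrator into a cross-tenant one.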

Authentication

Authentication restricts access to reports by establishing each user's identity. Every user gets a unique account secured with a password, and the server verifies that password at login. Jaspersoft stores user accounts, roles, and permissions in its private repository database, which administrators reach only through the administrator pages, not through ordinary report access.

External authentication

JasperReports Server is built on the Spring Security framework, so it can delegate authentication to enterprise mechanisms such as:

  • Single Sign-On (SSO) via CAS (JA-SIG Central Authentication Service)

  • Java Authentication and Authorization Service (JAAS)

  • Anonymous access

  • LDAP directories, including Novell eDirectory and Microsoft Active Directory

  • OAuth 2.0 (covered in the webinar listed under Related Resources below)

With external authentication the external system verifies the credentials; roles and resource permissions are still applied inside JasperReports Server.

Password policies

Password policies help to maintain the integrity of passwords. With Jaspersoft, you can enable several policies, including:

  • Password expiration: This policy forces users to change their passwords regularly. You set the number of days a password remains valid; after that period, the user cannot log in until they change it. Note that Jaspersoft does not enforce password expiration by default, so you must enable it.

  • Strong patterns: Jaspersoft also lets you enforce strong passwords by requiring new passwords to match a pattern you define, for example a minimum length plus a mix of uppercase and lowercase letters, digits, and special characters. As with expiration, you must enable this: the default pattern accepts any password, including an empty one.
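The two policies are small, but the failure mode matters: with the permissive default, an empty string satisfies the pattern check, and with expiration disabled a password set years ago is still accepted. The block below is an added illustration of both checks and of the order in which a login should apply them; it is not JasperReports Server's implementation. The strength pattern, the 90-day period and the sample dates are constructed for the example.

```python
"""Password-policy enforcement (expiration plus strength pattern), written
as an added illustration of the two policies described above. It is not
JasperReports Server's implementation; the pattern, the 90-day period and
the sample dates are constructed for the example."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# The permissive default described in the text: matches anything, even "".
PERMISSIVE_PATTERN = r".*"

# Constructed strong pattern: at least 12 characters containing lowercase,
# uppercase, a digit and a non-alphanumeric character.
STRONG_PATTERN = r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{12,}"


@dataclass
class PasswordPolicy:
    pattern: str = PERMISSIVE_PATTERN
    expiration_days: int = 0            # 0 = expiration disabled (the default)

    def meets_pattern(self, password: str) -> bool:
        """Strength check applied when a password is set or changed."""
        return re.fullmatch(self.pattern, password) is not None

    def is_expired(self, last_changed: date, today: date) -> bool:
        """Expiration check applied at login."""
        if self.expiration_days <= 0:
            return False
        return today - last_changed >= timedelta(days=self.expiration_days)

    def login_outcome(self, password_ok: bool, last_changed: date, today: date) -> str:
        """Combine the credential check with the expiration policy.

        Returns "denied", "must_change_password" or "ok". The order matters:
        a wrong password is refused before expiration is considered, so the
        expiry state is never revealed to someone who lacks the password.
        """
        if not password_ok:
            return "denied"
        if self.is_expired(last_changed, today):
            return "must_change_password"
        return "ok"


DEFAULT_POLICY = PasswordPolicy()                               # the out-of-the-box state
HARDENED_POLICY = PasswordPolicy(pattern=STRONG_PATTERN, expiration_days=90)

# Constructed sample dates: 2024 is a leap year, so 1 Jan -> 31 Mar is exactly 90 days.
LAST_CHANGED = date(2024, 1, 1)
DAY_89 = date(2024, 3, 30)
DAY_90 = date(2024, 3, 31)


if __name__ == "__main__":
    print("default accepts empty password:", DEFAULT_POLICY.meets_pattern(""))
    print("hardened accepts empty password:", HARDENED_POLICY.meets_pattern(""))
    print("login on day 90:", HARDENED_POLICY.login_outcome(True, LAST_CHANGED, DAY_90))
```

`re.fullmatch` rather than `re.match` is deliberate: `match` only anchors the start, so a pattern without an explicit `$` would accept trailing garbage and a pattern author could be fooled into thinking the policy is tighter than it is.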

Application security

As a system administrator, you know this all too well: attackers are constantly probing servers for data breaches or complete system takeovers. Jaspersoft lets you protect your report data from these attackers through several mechanisms, including:

  • Input validation: Request parameters and report inputs are validated to block SQL injection and cross-site scripting (XSS) payloads. Validation is one layer; parameterized queries and context-aware output encoding remain the primary defences against those two attacks.

  • Encryption: Jaspersoft lets you encrypt passwords stored in configuration files, including those for the sample databases and for JasperReports Server's internal repository database. Someone who reads the configuration files then sees only ciphertext rather than a usable credential. The encryption key must be protected with the same care, since whoever holds it can recover the passwords.

  • Cross-site request forgery (CSRF) prevention: Jaspersoft uses OWASP CSRFGuard to require a valid anti-CSRF token on every state-changing request (POST, PUT, DELETE). A request that arrives with a missing or invalid token is not processed: the server rejects it and logs an error.
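The input-validation bullet above names two attacks that are defeated in different places: SQL injection by binding parameters so the value can never become part of the statement, and XSS by encoding output for the context it lands in, with validation as an extra layer in front of both. The block below shows the vulnerable and hardened query side by side, plus the encoding step, on a constructed customer table. It is an added illustration in generic Python/sqlite3, not JasperReports Server's query engine, and the region vocabulary and sample rows are assumptions made for the example.

```python
"""Report parameter handling: SQL injection and XSS side by side, written as
an added illustration of the input-validation point above. This is generic
Python/sqlite3 code, not JasperReports Server's query engine; the customer
table, its rows and the region vocabulary are constructed for the example."""
import html
import sqlite3
from typing import List

ALLOWED_REGIONS = {"EMEA", "APAC", "AMER"}      # assumed report parameter vocabulary


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a report's data source."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, region TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "Alice", "EMEA"), (2, "Bob", "APAC"), (3, "Carol", "EMEA")])
    return conn


def query_vulnerable(conn: sqlite3.Connection, region: str) -> List[str]:
    """Parameter spliced into the SQL text: the value can rewrite the WHERE clause.
    Kept deliberately vulnerable to show the effect of the injection payload."""
    sql = "SELECT name FROM customers WHERE region = '" + region + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def query_safe(conn: sqlite3.Connection, region: str) -> List[str]:
    """Bound parameter: the value is data only and can never alter the statement."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM customers WHERE region = ? ORDER BY id", (region,))]


def validate_region(region: str) -> str:
    """Input validation as an extra layer: reject anything outside the known
    vocabulary before it reaches the query at all."""
    if region not in ALLOWED_REGIONS:
        raise ValueError(f"invalid region parameter: {region!r}")
    return region


def render_cell(value: str) -> str:
    """Context-aware output encoding for an HTML report cell, the XSS counterpart
    of parameter binding: <, >, &, ' and " become entities."""
    return html.escape(value, quote=True)


INJECTION = "' OR '1'='1"            # classic tautology payload supplied as a "region"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", query_vulnerable(db, INJECTION))   # every customer leaks
    print("bound     :", query_safe(db, INJECTION))         # no such region: empty
    print("rendered  :", render_cell(XSS_PAYLOAD))          # inert text in the report
```

Parameter binding alone stops the injection; `validate_region` is the belt to its braces and also gives you a clean place to log a suspicious value. Note that encoding happens at render time, not at input time: the same stored value may need HTML encoding in a web view and no encoding at all in a CSV export.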
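To make the CSRF bullet concrete, the block below implements the check it describes: safe methods pass, state-changing methods must carry a token, and a missing or foreign token is refused with 403 and logged before any handler runs. This is an added, simplified stand-in and not OWASP CSRFGuard or JasperReports Server code: tokens here are derived as an HMAC over the session id under a server secret, whereas CSRFGuard keeps random per-session tokens server-side. The session ids and the secret are constructed for the example.

```python
"""Anti-CSRF token check for state-changing requests, written as an added
illustration of the mechanism described above. Simplified stand-in, not
OWASP CSRFGuard or JasperReports Server code: tokens are HMAC(secret,
session_id) rather than CSRFGuard's stored random tokens. Session ids are
constructed for the example."""
import hashlib
import hmac
import logging
import secrets
from typing import Optional, Tuple

log = logging.getLogger("csrf")

# Assumed: in a real deployment this is loaded from protected configuration.
SERVER_SECRET = secrets.token_bytes(32)

# Methods that change state and therefore must carry a token. Safe methods
# (GET, HEAD, OPTIONS) are exempt, which is only sound if no GET endpoint
# changes state.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def issue_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token handed to the browser (hidden form field or request header)
    for this session. Bound to the session, so a token from another session
    is useless."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method: str, session_id: str, presented: Optional[str],
                  secret: bytes = SERVER_SECRET) -> Tuple[bool, int]:
    """Return (allowed, http_status) for one request.

    A state-changing request whose token is missing, malformed or bound to
    a different session is refused with 403 before any handler runs, and
    the event is logged. The comparison is constant-time so the check does
    not become a timing oracle for the token value.
    """
    if method.upper() not in STATE_CHANGING:
        return True, 200
    expected = issue_token(session_id, secret).encode()
    if presented is None or not hmac.compare_digest(expected, presented.encode()):
        log.error("CSRF check failed: method=%s session=%s token_present=%s",
                  method, session_id, presented is not None)
        return False, 403
    return True, 200


if __name__ == "__main__":
    victim, attacker = "sess-victim-1", "sess-attacker-9"
    # Legitimate request from the application's own page carries the victim's token.
    print(check_request("POST", victim, issue_token(victim)))
    # Cross-site form auto-submitted by an attacker page: the victim's cookies ride
    # along, but the attacker cannot read the victim's token, so none is presented.
    print(check_request("DELETE", victim, None))
    # Attacker replays a token from their own session: bound to the wrong session.
    print(check_request("PUT", victim, issue_token(attacker)))
```

The example also shows why the token must be readable only by same-origin script: CSRF works because the browser attaches the session cookie automatically, and the defence holds exactly as long as the forged request cannot also obtain the token.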

Why trust Jaspersoft for report security?

Jaspersoft's security architecture speaks for itself, and adoption backs it up: Jaspersoft records an average of over 80,000 downloads every month, and the reporting solution has been on the market for two decades as one of the most widely deployed embedded reporting solutions in the world.

Want to give Jaspersoft a free try for 30 days to see if it meets your security requirements? Sign up today.

Try Jaspersoft for free for 30 days

Efficiently design, embed, and distribute reports and dashboards at scale with Jaspersoft.

Related Resources


Monthly Live Demos with Q&A

Hosted by our Solutions Engineers every third Wednesday of the month


Secure Access Simplified: Implementing OAuth Integration in JasperReports Server

This webinar demonstrates how JasperReports Server leverages OAuth 2.0 integration to bolster both security and user experience, walking you through the configuration process to enable secure and seamless authentication and authorization for your users.

On-demand webinar (41:23)

Fortifying Your Data: Mastering Domain Security Files in JasperReports Server

This webinar offers a deep dive into managing domain security files in JasperReports Server, showing how to define precise row- and column-level access rules that protect sensitive information by user and role.

On-demand webinar (49:26)
