Cogent DataHub V11 Security Enhancements Deep Dive

As briefly shared in our blog “Cogent DataHub V11 Features to Be Excited About”, Cogent DataHub has expanded its security configuration and options in the v11 release, offering even greater protection and flexibility of data sharing. In this blog we will explore DataHub V11’s comprehensive framework for managing access through custom configuration of Organizations, Users with multi-Factor authentication (MFA), Active Directory Integration, Security Principals, Roles and Permissions ensuring that only authorized individuals can perform specific actions or access a specific set of data.

Organizations: Internal vs Local

The Cogent DataHub security constructs are categorized by one of two Organizations as shown in the Configure Security UI below:

1. The Internal Organization: defined by the Datahub instance. It is a read-only standard structure that provides a foundational construct. While administrators cannot modify it, its construct is available for use when configuring Users, Principals and Roles with the Local organization.
   
2. The Local Organization: entirely configured and maintained by an administrator of the DataHub instance. Think of this as ‘your’ organization, where you have full control over creating and managing security constructs. 
   

Users: Securing Connections

A User in Cogent DataHub is an identity assigned to programs or devices, authorizing them to connect to the DataHub Instance for data access, or to persons seeking to configure the DataHub instance via its configuration interfaces. This ensures that only trusted entities can interact with your data and reduces the risk of unauthorized access. When adding Users, you have three main options:

1. Built-In Users: directly managed and authenticated by the DataHub instance. When a Built-in User logs in, their credentials are verified by the DataHub, requiring a unique username and valid password for each user.
   
2. Windows Local Machine Users: These users are authenticated by the machine running the DataHub. Although DataHub does not manage their credentials directly, it still assigns data and functional permissions to them, relying on Windows for authentication and credentials management. 
   
3. LDAP Domain Users: these users are proxy user accounts that are managed and authenticated by an external LDAP server (Active Directory for example). Through the Import Accounts dialog, you can connect to the LDAP server and set up these accounts within your DataHub Instance. 
   

Additionally, DataHub supports multi-factor authentication (MFA) to enhance security. As an administrator, you can now configure various authentication factors for each user, including options like adding a Time-Based One-Time Password Key (TOTP), ensuring a stronger, more secure login process.

These options provide added flexibility in how you manage and authenticate users, allowing you to choose the method that best suits your organization’s security needs.

Security Principals: Controlling Login Contexts

A Principal defines the login context for a specific user, based on two key factors:

1. IP Pattern: The connection source. This limits access to your DataHub instance from specific IP ranges.
2. Interface: The connection protocol (e.g., TCP, OPC, OPC UA, MQTT, Mirror, DDE) used to establish connections, ensuring secure communication channels for the specified protocol over a configured IP Pattern.

Note: IP Pattern 0.0.0.0/0 matches any IP address and is not recommended for production environments.

Permission: Regulating Access

Permissions control access to specific data and application functions within your DataHub, determining what users can or cannot do. By grouping permissions into Permission Sets, you can create customized collections of access rights, which can then be assigned to Roles and given to Users, ensuring that each user has the appropriate level of access. Permissions Sets also aid in scalability of management of user rights.

Roles: Grouping Permissions

A Role is a collection of Permission Sets that can be assigned to user’s Principals. This allows for streamlined management of access rights, ensuring that individuals have access to data and functions only necessary for their specified tasks.

In a previous blog on the new features in DataHub V11, we introduced a new key feature that becomes relevant here – the “Change Report” tab. You may notice the “Change Report” and “NewUserRole” indicators turned red, signaling that changes have been made. Any modifications in the security construct are highlighted in red, allowing you to track them comprehensively thought the Change Report before finalizing. This step ensures that all adjustments are transparent, minimizing the risk of unintended consequences or errors by providing a clear overview before changes are committed.

DataHub v11 is much more secure out of the box when compared with previous versions of DataHub, so please consider that the introduction of Principals and Roles will lead to changes in how remote connections to the DataHub function. For example: 

• In previous versions, basic remote connections did not require additional changes to the security of DataHub to gain access to all data.
• Now, as the administrator, you will need to adjust the default security setting to allow remote connections access to this data.
• Local connections incoming from the same computer as the DataHub will work without changing any security settings.

For example, with the default security construct, I can make a basic connection from a remote OPC UA Client (like UA Expert) to the Cogent DataHub OPC UA Server, but the client cannot subscribe to any data domains in the DataHub:

After making changes the 0.0.0.0/0 principal of the OPCUA Internal user to have “AllDataFullAccess” role, attempting the same connection will result a subscription to all data domains: 

Takeaway

Cogent DataHub V11’s security features offer a robust and adaptable system for managing access to your DataHub instance. With the ability to define Users, configure security Principals, and structure Permission Sets of permissions into Roles, you can create a secure environment that meets your specific requirements, with scalable management. Beyond strengthening security, DataHub V11 equips you with the essential tools to efficiently control and safeguard your data in today’s challenging digital landscape.

If you are just starting with DataHub or have been using it for years, we’re sure you will see the value that version 11 delivers. Be sure to check out our recent blog post on the enhanced user experience in DataHub V11.

Join us as we continue navigating the new features of Cogent DataHub V11. Next week we will continue the focus of security with a full walk-through of utilizing TOTP security with DataHub. Make sure you don’t miss out by subscribing to our blog.

Explore these enhancements firsthand by downloading the fully-functional free trial of DataHub version 11 today.

Existing users can easily upgrade their experience by requesting your license update here.

Stay tuned for more insights on how DataHub V11 can benefit your operations!