Zebra BI Security Assessment

Date of publication: 29.05.2022

Company Name: Zebra BI d.d.

Company Service Name: Zebra BI visuals for Power BI

Company Service Description: Zebra BI is a Microsoft-certified add-in for Power BI, empowering users to create standardized and impactful dashboards that meet the IBCS® guidelines. This add-in makes it possible to establish best practice reports in a few clicks. Limited training, programming, or formulas are required.

Company's contact person: Maruša Govekar

Company's contact person email: sales@zebrabi.com

Company's contact person phone number: 00386 1 256 0 286 

Company's address: Pot za Brdom 104, 1000 Ljubljana, Slovenia

Zebra BI is an independent software vendor and we do not provide customized software or services. Our software is Microsoft certified, which ensures the highest security and privacy standards for cloud services. Since we are not a SaaS service but a third-party Power BI visual, we are fully reliant on Microsoft's security policies. We regularly go through a Microsoft certification process which enforces the highest security standards and ensures our compliance in various areas.

Microsoft Certified Power BI visuals are Power BI visuals in AppSource that meet the Microsoft Power BI team code requirements. These visuals are tested to verify that they don't access external services or resources, and that they follow secure coding patterns and guidelines. Zebra BI visuals comply with these standards.

You can find an in-depth description of what is included in the certification process in the Microsoft Power BI Certification Requirements document.

More information can be accessed in Microsoft's official documentation here: https://docs.microsoft.com/en-us/power-bi/developer/visuals/power-bi-custom-visuals-certified.

Zebra BI's certification icon on Microsoft AppSource marks the certification.

1. Access Control

The client's data resides in the Power BI platform. Zebra BI visuals only display the data, which they receive through Power BI API calls. No data is stored within the visual and no data is sent outside of the Power BI platform, meaning Zebra BI does not make external API calls. Our add-in only communicates through Power BI infrastructure.

Zebra BI receives data through Microsoft Power BI's public API service. We only process the data and cannot modify or alter it in any way. Microsoft's custom visual certification also guarantees that we are not accessing external services or exposing the data outside of our visual.

For more information, please refer to the official Microsoft documentation on third-party visuals that possess a certification badge: https://docs.microsoft.com/en-us/power-bi/developer/visuals/power-bi-custom-visuals-certified

Zebra BI does not handle data access. Data access is done separately through Microsoft Power BI and completely handled by Microsoft. 

Zebra BI does not require a separate log-in; it only works with a license key. Log-in is required through Microsoft Power BI.

Zebra BI is an add-on to Microsoft Power BI; therefore user entitlements, provisioning and user group membership management are handled directly in Microsoft Power BI.

If a customer uses shared/generic accounts for Power BI, then Zebra BI visuals will also be accessed through them. 

Zebra BI visuals do not monitor and manage access to Microsoft Power BI.  

1.1 Zebra BI Architecture

Our product is Microsoft certified, meaning we do not track or store any data. Power BI takes care of all such requirements. Each product update that we launch goes through the re-certification process again (which delays our launch cycle by 3 weeks), making sure that we still comply with all of Microsoft's security procedures and requirements.
 
You can read more about the architecture of third-party Microsoft certified visuals here: https://docs.microsoft.com/en-us/power-bi/developer/visuals/power-bi-custom-visuals-certified or here: https://zebrabi.com/zbi_blog/microsoft-approved-zebra-bi-visuals-for-power-bi-certified/.

Pentest report: due to Zebra BI being a third-party visual for Microsoft Power BI, we are completely in line with Microsoft's penetration testing processes. Based on the fact that there is already existing internal usage of Microsoft Power BI at RBI, the same penetration testing report is applicable.
Code scan report: this is performed and handled by Microsoft as a part of the certification process of each Microsoft Power BI visual.
List of external dependencies: Zebra BI is fully dependent on the Microsoft Custom Visuals (CV) API and Microsoft tools. Upon request, a list of applicable packages is available.

Zebra BI Data flow

How does change management work? The Zebra BI developer team prepares an updated version with new features and bug fixes that gets published on AppSource on a monthly basis.
For you, the updates are seamless and simple. Your reports get updated automatically the next time you open them; this means you do not have to do anything to update your visuals.
Each of these updates and upgrades goes through a recertification process with Microsoft, so from the security point of view the visuals always comply with security standards.

What is Zebra BI written in? TypeScript.

How long is the license valid, and therefore how often does the license key change? The provided license key is valid for one year. At the yearly anniversary, if you decide to extend the subscription, you receive a new license key.

Code scanning is part of the certification process and is performed each time we launch a product update (on a monthly basis). Because Zebra BI runs in a sandboxed environment within Power BI and only visualizes the data it receives through Microsoft's Power BI Custom Visuals API, there is currently no way for a user to inject HTML code into our visual, which significantly reduces the options for a security breach.

2. Risk Management 

Zebra BI's internal QA process ensures that all vulnerability scans are performed regularly, at least once per month, and that all vulnerability findings are reviewed before each product update. All product updates go through the Microsoft recertification process as well.

No vendor management is in place. All product development, support, etc. is done in-house.  

All open vulnerabilities are addressed immediately and the fixes are implemented in the next version of Zebra BI visuals. Depending on the severity, the fix can be submitted to Microsoft immediately or wait until the next product update and product certification.

3. Human Resources Security 

Zebra BI checks the background of all our employees and contractors and ensures that these checks are done in compliance with, and within the scope of, the applicable national and EU legislation.

4. Security Policy 

Zebra BI has its security and privacy policies defined and available on the public URL: https://zebrabi.com/legal/?doc=privacy-policy. Zebra BI has strict internal information security risk management processes in place. The processes are regularly assessed, reviewed, and communicated to all employees on a monthly basis. 

We are not allowed to track any user information or user activity within the visuals. Since all the data is hosted by Microsoft Power BI, no one can access it without permission, and Zebra BI visuals cannot share it outside of the Power BI platform. Even for troubleshooting purposes, Zebra BI employees cannot access a customer's data unless someone explicitly shares a report with us.

5. Organization of Information Security 

Information security is handled by our Lead Software Developer, Rok Jesenšek (rok.jesensek@zebrabi.com).

Nobody outside Zebra BI has access to customers' data; access is managed only through the Power BI Admin Center.

No third-party service vendors have access to Zebra BI.  


Zebra BI does not review Microsoft's security policies. The only vulnerability assessment Microsoft is willing to share is a matter of public knowledge. 

We have standard employment and health insurance according to local and EU legislation, but we do not have coverage for any risk, security or other types of infringement, which is usually required for professional services or custom development companies.

Zebra BI does not offer Service Level Agreements. The scope and scale of support services are defined within our End User License Agreement, available at the following link: https://zebrabi.com/legal/?doc=eula

6. Physical and Environmental Security 

Zebra BI visuals do not store or process any data (all the data is handled by Power BI). Each time our visuals undergo Microsoft certification, a guarantee that we do not store any data is issued. Furthermore, when processing and displaying the data at runtime, the visuals cannot share the data outside of the Power BI platform.

Zebra BI has specifically designated and defined areas in the offices which are physically separated and secured because they might contain sensitive data.

Zebra BI has multi-layer access control and alarm systems in place limiting access to any unauthorized personnel. 

Zebra BI enforces a clear desk and clear screen policy for all employees and includes all relevant training as a part of each employee's onboarding. A strict "lock screen" policy is in place for all laptops, ensuring a maximum allowed idle period of 60 seconds before re-login is required.

7. Network Security and Operations Management 

Zebra BI has multi-layer protection against malware in place, including antivirus protection on all computers, advanced firewalls and threat detection systems.

Zebra BI has all maintenance activity monitored and logged in Bitbucket. 

Zebra BI has in place a multi-layer DLP concept which is available upon request.

Due to the nature of Zebra BI being a third-party Power BI visual, Zebra BI does not have access to customer data and therefore cannot be used in any non-productive environments. Power BI takes care of all data security. 

Zebra BI is completely in line with Microsoft Power BI's Penetration testing processes. Based on the fact that there is already existing internal usage of Microsoft Power BI at your company, the same Penetration testing report is applicable. 

We do not receive security vulnerability advisories from organizations such as CERT. All open vulnerabilities are addressed immediately and the fixes are implemented in the next version of Zebra BI visuals. Depending on the severity, the fix can be submitted to Microsoft immediately or wait until the next product update and product certification.

8. Information Systems Acquisitions, Development, and Maintenance 

Our change program and product update certification process entail a review of Zebra BI source code by the Microsoft team, ensuring that Zebra BI visuals do not access external services or resources and that they follow secure coding patterns and guidelines.

More information can be accessed in the official documentation here: https://docs.microsoft.com/en-us/power-bi/developer/visuals/power-bi-custom-visuals-certified. 

Microsoft certification ensures secure coding development, training, code reviews, vulnerability scanning, the use of correct libraries, the implementation of code versioning tools, and source code check-ups.

Zebra BI's operating environment is dependent on Power BI. Our development team, however, needs to ensure that up-to-date libraries are used in order to pass Microsoft certification.

Only our published product which can be found on AppSource is available for your use.

Development and testing are done on our own data, as we do not have access to any customer data.

To access our support, you can write to a dedicated team of in-house specialists, which is available for email/on-call direct support Mon-Fri during usual working hours in the CET time zone.

Premium Support Services can be acquired with the Enterprise licensing package (1000 users or more).

The premium support services include but are not limited to: 

  • Dedicated (named) account manager and dedicated (named) support engineer 
  • Access to the product preview (beta) program 
  • Ability to influence the Zebra BI product roadmap and strategy
  • Prioritized feature requests 
  • Proactive support services and guidance (i.e. advice in case of performance issues) 
  • Accelerated resolution of support requests and prioritized escalations 

9. Information Security Incident Management 

Zebra BI is an add-on to Microsoft Power BI, therefore we are fully dependent on Power BI SIEM solutions. 

In the case of failure, restarting or reloading the Power BI environment will restart all the processes. 

Zebra BI will notify the customer without undue delay after verification of a security incident, continuously inform the customer of the measures we are taking or intend to take, and use all reasonable efforts to avoid such incidents.

All incidents are communicated to the end-user via official channels within a 24-hour turnaround.

Official channels include but are not limited to: the Zebra BI official website, LinkedIn and Twitter accounts, as well as direct communication through email to the official Zebra BI account holder on the RBI side.

END OF SECURITY ASSESSMENT