Security
PowerTester security overview
PowerTester is a modern cloud application with security built into its core from the ground up. We are hosted on Microsoft Azure and follow the latest security best practices. We periodically engage with third party vendors to perform a security audit to ensure we are still up to date with best practices.
PowerTester is made up of various microservices that are on a private VNET with no public network access. PowerTester utilises Microsoft OAuth 2.0 technology to authenticate users onto the application and to Power BI.
We follow an in-memory data processing, and only persist the absolute necessary. You have full control over what is persisted and for how long. By default, PowerTester stores failed test case results, this is for ease of investigation. These results are stored for 6 months before being removed.
Power BI authentication
PowerTester utilises Microsoft OAuth 2.0 technology to establish a connection to Power BI. When a user authenticates a connection in PowerTester, the refresh token is persisted in the PowerTester platform. This token is stored in a secure key store backed by AES 256-bit encryption.
During the first authentication you must grant PowerTester access to read your reports, this privilege can be revoked at any time; and PowerTester will instantly lose access to your reports.
PowerTester also stores metadata regarding your reports, such as report name, unique Id and visualisation config. PowerTester only extracts data for the test cases you add, and only during a test run. PowerTester does not read any other data in your reports or Power BI workspaces.
Data source connection
PowerTester uses a secure connection to access your data source using the credentials you provide. These connection strings are kept strictly private and stored in a secure key store backed by AES 256-bit encryption.
For database connections, PowerTester executes the SQL you provide in the test case. We strongly recommend you create a database user specifically for PowerTester and grant it read only permission.
You can choose not to store connection strings in the PowerTester data store. By using the PowerTester APIs the connection string can be provided at runtime. These connection strings are kept in memory and never persisted in any data store.
PowerTester local agent
PowerTester has a local agent to connect to data sources behind a firewall, on-premise; or on a secure VNET. By installing the PowerTester local agent, the data source extraction is handled by the local agent, then the results send to the cloud PowerTester engine.
Asymmetric encryption is used to encrypt the result of the query so that only the PowerTester Engine is able to decrypt the query results. When the Gateway receives the query results from the source, it encrypts the data using a key generated on your machine before uploading the data to the PowerTester engine. The PowerTester engine uses a key that never leaves the Azure Key Vault to decrypt the data and perform the data comparison.
Once complete, and regardless of the outcome of the test, PowerTester deletes the encrypted data from the cloud storage.
Employee Access
PowerTester follows the DevOps best practice of using a policy of least privilege. This is done using Azure IAM roles. No PowerTester employees has access to your data source or Power BI reports.