Data Security (version 24)

This article describes how data is secured:

  • In transit from Collector to Historian
  • At rest in the Historian
  • When accessed from the Historian

Security In Transit

Each Canary Collector is paired with a Store and Forward (SaF) service responsible for forwarding data to its destination, which is another SaF service paired with the Historian. The two SaF services communicate over a gRPC connection secured with TLS, across which data is transmitted as binary packets.

Security At Rest

Once data arrives at the Historian, it is stored in hdb3 files within a DataSet. These files are proprietary and can only be read using Canary software. It is important to note that these files are not encrypted. To encrypt the data at rest, the volume on which the data resides must be encrypted.

Security When Data is Accessed

The Identity service acts as the gateway for clients wishing to access and consume data from the Historian. Whether connecting with Axiom, the Excel Add-in, the Read API, or the ODBC connector, all clients are routed through the Identity service where they must authenticate. The Identity service contains all of the access control lists for the various functions within the Canary system to determine if a user is authorized. In particular, the Views Access ACL controls who is able to read data from the Historian.

Furthermore, once access is provided, Tag Security can be enabled to control which data a user or group can access, for example to limit what is visible to the end user. See how to enable Tag Security.

As with SaF, data is encrypted with TLS when it is returned to the client.
