Double Barrier Protection per Environment
Invantive Cloud has a single environment per legal entity that has a subscription on Invantive products. There are little security restrictions within the environment; this is a by-design choice to avoid “security by obscurity” risks. For instance, a user can access all available databases. However, between environments there is a very strict separation of data and processing.
Users are associated with environments, as are databases.
To allow external access on top of the user list, delegation is available to allow access by third party users.
Data sets in caches in rest are encrypted with environment-specific keys. Some elements are encrypted additionally using user-specific keys. This encryption with environment-specific keys also applies to the credentials necessary to connect to the data source, for instance to refresh the data. For more details refer to Invantive Cloud Structure.
Since each environment uses a different set of keys, neither the database credentials nor the encrypted data sets can be decrypted using the keys of another environment. In combination with data separation in code using - but not limited to - so-called “Row Level Security” for users, this provides a double barrier against many data leak and data security risks.
Moving Databases between Environments
However, encryption using keys bound to the environment makes it also impossible to move databases between environments. The need for moving databases typically arises when users prefer to move data between the environments of two separate legal entities. This is typically related to large enterprises when a subscription must move from a group company to another company, as an environment is bound hard to a legal entity as signaled by Chamber of Commerce number. With Invantive Cloud, it is not possible to change the legal entity of an environment due to compliance and licensing reasons.
Moving databases (with or without users) between environments is a non-trivial operation. Many people choose to just remove the old database(s) from the old environment and create new ones in the new environment.
The following steps help you to execute the move as smoothly as possible. Always first test the procedure using a test database and acquire professional services when you feel uncertain about these steps, comprehension of the Invantive Cloud concepts or the ramifications of a failed or successfull move.
Execute the following steps to move a database between two Invantive Cloud environments:
- Gather log on credentials for the data containers or make people available that can enter those.
- The credentials can vary per data container and may include user name, password, TOTP-verification codes, server names, etc.
- Elements deemed not security sensitive (such as hostname) can be found in the connection string of a data container.
- Open a browser window logged on to the old Invantive Cloud environment.
- Use Incognito mode or a separate profile to log on to the new Invantive Cloud environment.
- Create a database with a Sample driver in the new environment.
- Copy & paste the firewall settings and other settings from the old environment to the database in the new environment. Do not press “Save”.
- Change the “Bridge URL Segment” of the old database to a different value by adding a postfix like “-old”.
- Save the database in the old environment with the changed “Bridge URL Segment”.
- Save the changed database settings in the new environment.
- One-by-one add the data containers from the old database also to the new database.
- Note that for Exact Online and Visma.net the data container allow only one instance of a combination of user and client ID. For these, the old data container must be removed before adding the data container to the new database.
- Make sure to test the new database and remove the old database.
Please note that on Power BI it is also possible to use Power BI-parameters to make Power BI rapports run across databases in multiple environments. Please read more on this topic in: