TIBCO Spotfire® Cloud Enterprise Frequently Asked Questions
Last updated: 2:22am Nov 01, 2018

General Product Information

What is TIBCO Spotfire® Cloud Enterprise?

TIBCO Spotfire Cloud Enterprise is our Platform-as-a-Service (PaaS) solution inclusive of the latest platform version. Each private, single-tenant instance is hosted on AWS and managed by TIBCO.

Who's it for?

Companies with tens, hundreds and thousands of users who need the full Spotfire Platform, but want us to manage their environment.

What's included in TIBCO Spotfire Cloud Enterprise?

TIBCO Spotfire Cloud Enterprise is a full Spotfire environment as a service in the cloud where TIBCO takes care of all of these things: 

  • Installation, Configuration and Deployment
  • Backup and Disaster Recovery
  • General Maintenance
  • Upgrades and Hotfixes
  • Monitoring

Is Spotfire Cloud Enterprise an IaaS, PaaS or SaaS solution?

Spotfire Cloud Enterprise is Software-as-a-Service for enterprise customers. We create, deploy and manage a single-tenant, highly private and secure environment per customer. We utilize Amazon Web Services as our Infrastructure-as-a-Service environment. We stand up Cloud Enterprise environments in the region closest to the majority of the customer's user base. Read more about Amazon’s Regional Data Centers.

How is TIBCO Spotfire's Cloud Operations team structured and distributed?

We have a globally distributed Cloud Operations team with a broad range of IT knowledge and experience. Our Cloud Operations team adopts the ITIL (Information Technology Infrastructure Library) best practices as a standard part of their operation.

How is TIBCO Spotfire Cloud Enterprise architected?

  • All Spotfire-related applications are in a private subnet. It is not possible to make inbound or outbound connections to or from these instances directly. All inbound access is controlled through the load balancer and all outbound connections are controlled by the NAT instance, both of which sit in the public subnet.

  • The environment comes pre-configured with SSL and we can also work with the customer to configure SSL for a custom domain name provided by them. 

  • A Virtual Private Gateway back to the customer’s data center is optionally available and has the benefit of allowing the customer to access local systems (e.g. Active Directory, in the event their directory is not exposed externally by some other means). If the customer chooses this option, they will need a supported gateway device. Review Amazon’s Virtual Private Cloud FAQs for more information.

Data Access & Connectivity

What systems and technical requirements are needed to connect a customer's on-premises data to Spotfire Cloud Enterprise?

Our preferred solution is to use our cloud offering’s built-in capabilities to establish a persistent IPsec tunnel between the Spotfire cloud and the customer’s network. This essentially allows the Spotfire server to communicate with customer infrastructure as if they were all on the same corporate network together. To set this up, the customer would need to have a compatible gateway device.

Supported Hardware

  • Preferred: Cisco ASA, Cisco PIX, Juniper JunOS models, Juniper ScreenOS models

  • Validated: Cisco 1800, FortiGate (2010 or newer), WatchGuard Firebox (2010 or newer), SonicWall

  • Any device that supports IKE1 or IKE2, AES128/256 or 3DES, and SHA1 or MD5 should be workable on a best-effort basis. PSG time may be required to complete this work on behalf of the customer.

Supported Cloud Endpoints

  • Cloud IPsec endpoints are significantly less mature and customers have fewer options (and are less likely to already have one in place as well). Because of this, we have worked directly with one of the leading vendors in cloud connectivity solutions to develop a recommended endpoint solution that we fully support – CohesiveFT VNS3 3.04+. This is what we’re using in both of our connected environments currently and it works very well.

  • We can likely support any solution that supports iptables NAT functionality and IKE1 or IKE2, AES128/256 or 3DES, and SHA1 or MD5 on a best-effort basis (OpenSwan on a Linux NAT instance, for example). This may involve significant effort if the customer is not proficient with the technology. PSG time will be required to complete this work on behalf of the customer.

  • Note that at this time the Amazon Virtual Private Gateway implementation is not sufficiently mature and we don’t support IPsec tunneling to a customer environment via an AWS VPG.

Who can access Cloud Enterprise data and for what purpose?

Spotfire Cloud Enterprise environments are highly secure, single-tenant environments with complete isolation from other tenants. TIBCO Spotfire® Cloud Enterprise is a role- and user-based platform with the highest level of data and role security. The customer administrator is responsible for user account creation, role management and security assignments, and so is in control of which users are given access to what data and how. Our Spotfire Cloud Operations team is responsible for creating, deploying, maintaining and upgrading the Cloud Enterprise environment, and so has Cloud Operations administrative privileges on the system.

User Directory and Authentication

Is it possible to use LDAP for authentication?

Yes, Spotfire Cloud Enterprise can be configured to use a customer-provided user directory service instead of the built-in user directory. If the user directory is not exposed externally, a virtual private gateway can be used as described under Data Access & Connectivity.

Data Centers

Where geographically is Cloud Enterprise data stored?

Our Cloud Enterprise solutions are hosted on AWS; the customer chooses what data center we host in – we strongly recommend that they make this decision based on where the largest volume of users resides.

Can TIBCO Spotfire serve customers who require that certain data be stored physically in a specific country (e.g., Switzerland) or a specific data center? How does TIBCO Spotfire ensure that the data is not stored (or cached) in other locations?

Yes, we can meet this requirement today as long as our Amazon Web Services provider offers a data center in the region or country that the customer desires to be hosted in. We currently host a customer's environment in the data center located in closest proximity to their largest number of users.

Data Security

What systems do you have in place to prevent illegal access to Spotfire Cloud Enterprise environments?

All applications are deployed in an Amazon Virtual Private Cloud. The load balancer is securely accessible over port 443. All other applications are in a private subnet and no access is allowed. For additional security, we can configure your single-tenant environment so that it is only accessible from your corporate network.

What's your policy for notifying customers of a security breach and your time frame for doing so?

Yes, we would notify all customers of a security breach as soon as we were aware that a breach had occurred and that the breach had applied to the individual customer’s system. We have never experienced this situation to date.

What security certifications are in place for TIBCO Spotfire Cloud Enterprise?

TIBCO Spotfire Cloud Enterprise is certified according to ISO 27001. 

Has TIBCO Spotfire opted into the US-EU Safe Harbor process?

TIBCO and all Spotfire Cloud products are independently TRUSTe certified (including EU Safe Harbor Framework, Privacy Certification and Trusted Cloud: http://www.tibco.com/company/privacy)

Does TIBCO Spotfire comply with EU Directive 95/46/EC on the protection of personal data?

Yes, we do comply with this Directive.

How does TIBCO Spotfire handle the archiving, retention or (automated) deletion of corporate data?

Our policy is to archive a customer’s configuration settings and Spotfire analyses (dxp files) for 60 days after a contract expires for the express purpose of having that environment ready should the customer decide to renew their services. 60 days after a contract has lapsed or been terminated, the customer’s Spotfire Cloud environment, configuration settings and Spotfire analyses (dxp files) will be destroyed by Spotfire and will not be recoverable should the customer decide to renew with us at a later time.

What is TIBCO Spotfire's Cloud Enterprise Disaster Recovery plan?

TIBCO Spotfire Cloud Enterprise is deployed via Amazon Web Services. The disaster recovery plan leverages the Amazon Web Services APIs to create periodic backups of the full stack. Under normal conditions, the environment can be fully restored within hours.

What network communications hardware and bandwidth provisions does TIBCO Spotfire use?

We use Amazon EC2 instances that are categorized as having high networking performance. See http://aws.amazon.com/ec2/instance-types/ for more information.

Encryption

How is the data secured on Cloud Enterprise environments?

Spotfire Cloud Enterprise works with a customer’s own data stores and we don't force customers to bring their data into a separate or new data warehouse within their Spotfire Cloud Enterprise environment. Their data can stay on-premises or in the cloud as it exists today. All data is encrypted while in transit within the Spotfire cloud itself, and we work with the customer to establish encryption on the connection between the Spotfire cloud and the customer’s data stores.

Is embedded data stored in the Spotfire Cloud environment?

Yes. If a user decides to save an analysis file with embedded data, this data is stored within the Spotfire Cloud environment.

Environment Redundancy

What type of environment redundancy or backup is available?

We have a disaster recovery plan in place.

Staging Environments

Do customers receive a test or staging environment as part of our standard implementation?

We deliver a single production environment to Spotfire Cloud Enterprise customers today. Should the customer need a separate staging environment, they are welcome to purchase additional Spotfire Cloud Enterprise subscriptions.

SLAs

Do we currently offer an SLA to Cloud Enterprise customers?

SLAs can be found in the TIBCO Service level guide. See section 2 for uptime SLAs and how we measure them. Our uptime according to this measure was 99.9% in 2017 and 2018.

Customer references

What references do you have for this solution?

Riteway Foods decided to use Spotfire Cloud Enterprise after a thorough evaluation of other competing solutions. See the customer story for more details.

Migration from on premises to Cloud

Is Spotfire Cloud Enterprise compatible with local Spotfire installations? 

Yes, analysis files created with local Spotfire installations can be opened in Spotfire Cloud Enterprise.

How do we move analysis files with embedded data from a local Spotfire installation to Spotfire Cloud Enterprise? 

There is no automated way to migrate a large number of files from a local Spotfire installation to Spotfire Cloud Enterprise. However, the following manual process is recommended for moving a few important files with embedded data from the local installation to Spotfire Cloud Enterprise.

  1. Use Spotfire Analyst connected to your local Spotfire Server
  2. Open the file from the library
  3. Save the file to your local disk
  4. Repeat from 2 until you have every file you want to store on your local disk.
  5. Switch to using Spotfire Cloud Analyst connected to your Spotfire Cloud Enterprise Server
  6. Open the file saved in step 3
  7. Save the file to the Spotfire Cloud Enterprise Library
  8. Repeat from 6 until you have published all files to the Spotfire Cloud Enterprise library.

How do we move analysis files with linked data from a local Spotfire installation to Spotfire Cloud Enterprise? 

Analysis files with linked data can only be moved to Spotfire Cloud Enterprise if the linked data is accessible in the same way from the cloud environment as it was from the local installation. For cloud data sources like Google Analytics and Salesforce, this usually works automatically. If data comes from Information Services or a data connector pointing to a local data center, a Virtual Private Gateway can be configured to give the cloud environment access to local data. See above.