Looker Hardening Guide
Google BI security for model access, embed secrets, and database connections
Overview
Looker (Google Cloud) provides business intelligence with LookML modeling and data exploration. REST API, embed secrets, and database connections access enterprise data warehouses. Compromised access exposes business metrics, customer analytics, and data warehouse credentials.
Intended Audience
- Security engineers managing BI platforms
- Looker administrators
- GRC professionals assessing analytics security
- Third-party risk managers evaluating Google Cloud integrations
Table of Contents
- Authentication & Access Controls
- Content Security
- Database Connection Security
- Monitoring & Detection
1. Authentication & Access Controls
1.1 Enforce SSO with MFA
Profile Level: L1 (Baseline) NIST 800-53: IA-2(1)
ClickOps Implementation
Step 1: Configure SAML SSO
- Navigate to: Admin → Authentication → SAML
- Configure SAML IdP
- Enable: Bypass login page
Step 2: Google OAuth
- Navigate to: Admin → Authentication → Google
- Enable Google OAuth
- Configure domain restrictions
1.2 Role-Based Access
Profile Level: L1 (Baseline) NIST 800-53: AC-3, AC-6
ClickOps Implementation
Step 1: Define Roles
| Role | Permissions |
|---|---|
| Admin | Full access |
| Developer | Model development |
| User | Explore and save |
| Viewer | View only |
Step 2: Configure Model Sets
- Navigate to: Admin → Roles
- Create custom roles
- Assign model/permission sets
2. Content Security
2.1 Configure Folder Permissions
Profile Level: L1 (Baseline) NIST 800-53: AC-3
Description
Control content access through folder hierarchy.
Rationale
Attack Scenario: Open folder permissions expose executive dashboards; shared folder access leaks competitive metrics.
ClickOps Implementation
Step 1: Folder Structure
Content Organization:
├── Shared (company-wide)
├── Group Folders (team-specific)
│ ├── Finance (restricted)
│ └── Marketing (team access)
└── Personal Folders (individual)
Step 2: Configure Access
- Navigate to: Browse → Folder → Manage Access
- Set appropriate permissions
- Limit “View” access default
2.2 Embed Security
Profile Level: L2 (Hardened) NIST 800-53: AC-21
Implementation
Step 1: Manage Embed Secrets
- Navigate to: Admin → Platform → Embed
- Rotate embed secrets
- Configure embed domain allowlist
Step 2: SSO Embed
- Use signed embed URLs
- Set short session lengths
- Implement user attributes
3. Database Connection Security
3.1 Secure Database Connections
Profile Level: L1 (Baseline) NIST 800-53: IA-5
ClickOps Implementation
Step 1: Connection Security
- Navigate to: Admin → Database → Connections
- Use SSL/TLS connections
- Configure service account with read-only
Step 2: PDT Credentials
- Limit PDT write permissions
- Use separate credentials
- Restrict temp schema access
3.2 Query Cost Controls
Profile Level: L2 (Hardened) NIST 800-53: CM-7
Implementation
Step 1: Configure Limits
- Navigate to: Admin → General → Query
- Set query timeout
- Configure row limits
4. Monitoring & Detection
4.1 System Activity
Profile Level: L1 (Baseline) NIST 800-53: AU-2, AU-3
ClickOps Implementation
Step 1: Access System Activity
- Navigate to: Admin → System Activity
- Review dashboards:
- User Activity
- Query Performance
- Content Usage
Detection Focus
-- Detect bulk query activity
SELECT user_id, COUNT(*) as query_count
FROM history
WHERE created_at > CURRENT_TIMESTAMP - INTERVAL '1 hour'
GROUP BY user_id
HAVING COUNT(*) > 100;
-- Detect unusual data access
SELECT user_id, look_id, dashboard_id
FROM history
WHERE source = 'api'
AND created_at > CURRENT_TIMESTAMP - INTERVAL '24 hours';
Appendix A: Edition Compatibility
| Control | Standard | Enterprise | Embed |
|---|---|---|---|
| SAML SSO | ✅ | ✅ | ✅ |
| Custom Roles | ✅ | ✅ | ✅ |
| System Activity | ✅ | ✅ | ✅ |
| SSO Embed | ❌ | ❌ | ✅ |
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-12-14 | 0.1.0 | draft | Initial Looker hardening guide | Claude Code (Opus 4.5) |