Working with a Business Intelligence system provides enterprises with countless benefits, but it can also present some security risks if data is not handled correctly. BI drives a company’s strategy, but it can also expose it to risk. There are many people that want a company’s data: competitors, investors (not current, but those seeking investments), customers, vendors, and more. A company’s data exposes its weaknesses and faults, and its business. It does not mean that the previously mentioned people are after a company’s data and will try to steal it. But there are people out there that steal data on a regular basis, from many companies, and then put it on the marketplace and offer it to the people interested in it, like competitors. It is important to be aware that the BI environment is not free of thieves trying to steal data and exposing organizations.
BI data is really easy to steal. It is a lot of data and nobody really knows when a theft has taken place. This is, until it lands in the wrong hands and the company is tangled in a leak or breach that can harm the business in a significant way. In many cases, an organization’s data is not theirs to share; think about the banking world, or the healthcare world, where the data belongs to customers or patients. If their data is stolen, an organization’s credibility is destroyed. And this is the least of problems, considering that in some cases it could escalate to lawsuits and worse. On the other hand, there are internal risks too. Manipulating data incorrectly can adversely affect an organization if their business assumptions are based on incorrect data. This can lead to unsuccessful business practices, defeating the whole purpose of Business Intelligence.
Access to View and Analyze
When talking about BI, it is critical to define who has access to your data. Let’s assume that the core component in a BI system is a dashboard. Security 101 of the dashboard is: who can see the folder? Do you manage the availability of the folder list and its contents to users? Once you have that, who can see that a dashboard even exists? For example, if you have a salaries review dashboard, do you want everybody to be able to see it? Probably not.
And once you define that, who can open the dashboard? Beyond that, who can analyze the data? Who can share the data and who can they share the data with? There are layers upon layers of security questions that you need to address. Your BI solution needs to give you the tools in order to address all of these questions. You need to have different levels of security mechanisms for each one of the things previously mentioned.
In the screenshot, you can see the different security levels that you can have. For example, you can give administrative privileges over a folder or dashboard to very few people. Write privileges allow a user to insert, modify, or delete information. They should also be given to very few people. Read privileges allow a user to open a dashboard and see what is in it. Hidden means that the user will not even be able to see that a folder or dashboard exists. And deny means that even if the folder was shared with permission, the data underneath it cannot be seen by the user. These five privileges are a must-have in your BI system. They can be given on a per user basis or per role basis. It is important that you define these privileges as soon as possible.
Mobile Business Intelligence is becoming very prevalent, but it is also very dangerous from a security perspective. It is like taking your desk and leaving it outside in a nearby park. The issue is that as dangerous as it is, the market and all your users are moving to a mobile environment. This makes security must harder. The most notable users of mobile are your top management and your young employees, so it is not something that you can neglect or brush away.
There are a few precautions you can take. The first is a double log in. Log into the device, log into the device system, with different log in permissions. Another precaution is changing passwords often. Requiring a change of password often is key to ensuring proper security in all environments, especially in a mobile environment. The BI system should never have data on devices. This is critical, because devices are easily stolen or lost. Once a device is stolen, whatever is on it is exposed. There are some systems that do a remote erase of the device, but most competent thieves know how to block it. It is very easy to block a remote erase, so do not rely on this as a security measure. And finally, exercise autolog out when the device is not connected. And if users are reconnecting the device, they should have to re log in.
Centralization vs Federation
An important question regarding security is whether to have a centralized or a federated BI environment. There are many technologies based on federated deployment. What does this mean? It means that you install the program on your PC and you can work with it on your own. But it is irrelevant for an organizational structure. If you want a BI system to be relevant for your organization, it must be centralized. If it is federated, it means you need to install it on different desktops, each one has its own silos and are disconnected. Then when a user gives access to another user or emails data, the data gets leaked because security measures were only installed on that specific desktop. So each person is a silo and a potential leak. From a security perspective, a federated BI system is a big threat.
A centralized system is one where everything is managed in a unified fashion from a web application and not from desktop tools. It maintains one version of the truth. Security and governance are holistic from a specific point of control. This allows you to give power to many users while still managing the system in a secure manner.
If seen from a security perspective, federated BI does not really have security. Because if each person needs to manage his own security privileges, it is very easy to breach the security. There is no audit, there is no responsible entity for security, and you are relying on each user’s discretion of security. That is not real security. You should never employ such security mechanisms. Security must always be centralized. It must always rely on the rules we talked about before, there is someone owning the security of the system and setting ownership to different elements and view capabilities to others.
The person or team responsible for security must make sure that the software is always up-to-date. Otherwise, the security enhancements that the vendor has put in place are not being used.
Centralized Data Security for Self-Service BI
Another element of security in BI is data security. This goes beyond dashboard and access security. This is security on the data elements themselves. If two people see the same dashboard, but have different data privileges, they will see different data. For example, a VP of sales can distribute a sales dashboard to all his sales people. But each sales person will only be able to see the data related to their region. The ability to define these data element privileges is a must have in order to automate the discovery process.
Without data security, you cannot allow users to have self-service. Because they could access data that they should not. You cannot do aggregations, because when you do data security you do not only give access to data, you also set what is the data granularity in which users can work. You do not only give access to a specific dataset or specific members of this data, you also define what they can do there. Can they drill down to see levels below that? Are specific members hidden? And what are the specific tools that they can use once they drill down? Without this, your security is really fuzzy. If you have simple data and you are not concerned that is ok. But if you are really concerned about security, you must employ data security.
Access to Raw Data
In Business Intelligence you do not give access to the operational systems. You give access to a data warehouse or a cube or areas in which the BI system operates. If you give access to the raw data, you create an enormous security risk. Users should never have access to raw data. Access to raw data bypasses the whole concept of data security, it allows users to manipulate the data and disrupt BI in the whole organization. Theft is really easy if you have access to the raw data. It gives full access to an entire data set.
You are probably thinking: who would do that? Think about writebacks, a writeback is a simplistic solution that allows users to do simulations, but by doing that, they are destroying the integrity of the data source. The way to do simulations is to run them on the BI software level and not at the data level. Allowing writebacks puts you at huge risk, remember that. Recovery from such manipulation is almost impossible.
User Initiated Breaches
The hardest form of security breaches are user initiated breaches. These are beaches done by your employees, using the tools that you have given them. It happens when they want to expose another person to the data. For example, I see something on my screen and I want to look at it further so I move it to excel and then I email it to a colleague of mine, who finds it interesting and thinks “Oh I have a colleague in another company that will find this really interesting” and forwards it to his friend. Bang, huge security breach.
So on top of having a centralized BI system, with data security and no access to raw data, you should educate your users on how to keep the data secure and explain to them how to work with it. Dissuade them from using Excels or other desktop tools. Always use the web based, centralized BI tool and make sure to give them self-service capabilities. Otherwise they will move back to Excel. Excel is a really easy tool, so if you do not provide your users with a good centralized BI tool that gives them the self-service capabilities they need, they will always move back to Excel. And this opens the possibility for a user initiated breach.
Another important thing is to persuade users to do linked forwarding of the dashboards. So that the person that receives it, receives a link to the dashboard rather than an attached Word, Excel, PDF, etc. When you attach the data you are creating a potential security breach, you are forwarding a data set that has no data security on it. When you do linked forwarding, the person that receives it goes into the BI system that is centralized, that has data security, that does not give them access to the raw data, but gives them the data they can see according to their security privileges. User initiated breaches are the hardest to solve because it is not enough to use a secure BI system to avoid them, you also need to educate your users.
Centralized BI is a must, but the right tool is necessary to solve the pains of analysts, business users, and administrators alike.
Necto’s value proposition matches the perfect user experience with a unique architecture that is centralized, secure, and governed, that can be deployed easily and fast. Necto provides dashboards, analytics, KPI monitoring and data mashups. But being centralized, it also provides users with state of the art in BI.
Panorama enhanced data analytics with automated advanced analytics:
- Providing the most comprehensive analytical toolkit in the market.
- Only Necto has the unique ability to find insights automatically, that come from the centralized system, according to security access.
- With automated alerts when anomalies or exceptions occur.
Necto is the only solution with an embedded collaborative experience. Thanks to its centralized architecture and suggestive engine, it allows users to:
- Easily share and message in the tool to keep track of discussions and analysis between colleagues.
- See automated suggestions on who to collaborate with in every matter happening.
- Enrich the analysis with annotations on specific data cells, other will be able to see only with security access.
The solution is not only a top brand providing the best in analytics, but it is also tailored to the needs of the whole organization:
- Necto provides the easiest development of dashboards.
- Data is presented in beautiful dashboards with infographics that are in the business’s context.
- Is ready with a full SDK and JS Hooks.
Necto provides state of the art BI, in a secure self-service system, which is centralized.