Security is a big deal for organizations of any size, and when it comes to most line-of-business applications, an organization's management, users, technical staff and other employees are all aware of the need for security. Strangely, though, many organizations' attention to security details wavers when it comes to their
Part of the problem is that BI systems aren't always in day-to-day use by every employee, so they're easy to de-prioritize. They don't focus on "live" data like customer orders, which makes them easier to put on the back burner. BI systems' data can also seem less crucial, because when you're using the system, you're often looking at high-level aggregate information rather than individual, detailed transactions. But the fact remains that BI systems contain powerful information about your company, its activities and its plans for the future. That data should be protected just as much as the day-to-day data you're already protecting.
The difficulty in securing BI systems comes from the fact that they consist of many different layers or tiers. They start with the day-to-day transactional data produced by the various systems and applications you use. That data is most often secured primarily by front-end client software rather than in the back-end data repository, so you should secure the back end to ensure that your BI systems' extraction processes have sufficient permission to read the data when they need to.
Speaking of those extraction processes, you'll find that they often create many different intermediate data files as they work, and those files should also be properly secured. Wherever the data finally ends up -- in a data mart or data warehouse, perhaps -- it should also be secured to prevent accidental or inappropriate disclosure.
There's also the BI system's front end, with its dashboards, drill-down views, analysis models, reports, scorecards and other data. That should all be properly secured so that only authorized individuals have access. Your organization should adopt policies regarding any hard copies produced from that data as well. It makes very little sense to secure the computer systems when printouts are left just lying about the office for anyone to make off with.
Be sure to look at every element of BI functionality within your organization. For example, you may have users relying on Excel PivotTable or PowerPivot projects, which could be stored on their laptops. What if that laptop is stolen? Much of the underlying data might be unavailable without a connection to your corporate network, but a great deal of data may also persist locally, especially in PivotTables that import data into Excel in order to work with it.
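One way to check how much data a workbook carries with it, as an added example that is not part of the original article: the script below opens an .xlsx file as a zip archive and reports each PivotTable cache part, how many source rows it stores and whether the cache is saved with the file. It assumes the standard Open XML part layout (`xl/pivotCache/...`); the function names and the sample workbook are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

URI = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
CACHE_PART = re.compile(r"^xl/pivotCache/pivotCache(Definition|Records)\d+\.xml$")

def audit_pivot_caches(workbook):
    """List the pivot cache parts in an .xlsx file (path or binary file object)."""
    findings = []
    with zipfile.ZipFile(workbook) as zf:
        for name in sorted(zf.namelist()):
            match = CACHE_PART.match(name)
            if not match:
                continue
            data = zf.read(name)
            if b"<!DOCTYPE" in data:  # OOXML parts never carry a DTD
                raise ValueError(f"unexpected DTD in {name}")
            root = ET.fromstring(data)
            if match.group(1) == "Records":
                # Each <r> element is one source row stored inside the workbook.
                rows = len(root.findall(f"{{{URI}}}r"))
                findings.append({"part": name, "kind": "records", "rows": rows})
                continue
            source = root.find(f"{{{URI}}}cacheSource")
            findings.append({
                "part": name, "kind": "definition",
                "source_type": None if source is None else source.get("type"),
                # saveData defaults to true: the cache is written with the file.
                "save_data": root.get("saveData", "1") not in ("0", "false"),
            })
    return findings

def build_sample_workbook():
    """Constructed sample: a zip holding only the two pivot cache parts."""
    definition = (f'<pivotCacheDefinition xmlns="{URI}" saveData="1">'
                  '<cacheSource type="external" connectionId="1"/>'
                  '</pivotCacheDefinition>')
    records = (f'<pivotCacheRecords xmlns="{URI}" count="2">'
               '<r><s v="Acme"/><n v="1200"/></r><r><s v="Globex"/><n v="950"/></r>'
               '</pivotCacheRecords>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml", definition)
        zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", records)
    buf.seek(0)
    return buf
```

A workbook that reports an `external` source type together with stored rows holds a copy of back-end data that remains readable without any connection to the corporate network.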
Where else are the results of your BI efforts published? SharePoint Server is one common place for publishing PowerPivot projects, reports, dashboards and so on -- so you'll need to look into securing that system as well, along with its back-end data in a SQL Server database. Follow the data flow; think about where data starts, what touches it and where it ultimately ends up.
Make all those points part of your comprehensive security plan. State, in plain English, your organization's security goals. What is the main objective of protecting your data? What are you protecting against? What's the potential damage if something were to be leaked? What categories of data do you have? Some may need to be secured, while others are less sensitive. Clearly stating your goals is the best way to begin. That way, you can apply the appropriate technical measures to meet those goals throughout the various pieces of your BI systems.
This was first published in September 2012