Evaluating the BI Environment for Extranet Deployment - Part 2
By Michael Jennings
Is your business intelligence environment ready for safe, reliable, scalable accessibility via the Internet? How are you addressing this challenge?
This article is the second part of a two-part series that examines some of the questions that need to be asked before making a BI access environment accessible to the Internet. These questions should be used in a feasibility assessment of a BI access environment, whether in existence or being evaluated for purchase, to determine possible risks. These questions are not all-encompassing, but when answered together they should provide a good sense of whether your BI access environment is ready for extranet deployment. This second set of questions focuses on the administration, security, reliability and scalability of the BI access environment deployed on the extranet.
7) Describe the levels of security available through the BI access product.
In this question, a determination needs to be made whether the product's security access levels are sufficient to meet the business and administration needs of your company. For example, if the product will be deployed enterprise-wide within your company, the ability to delegate some level of administration authority to selected users in various business groups or departments may be a requirement for the BI product. This type of administration delegation should be controlled by the central administrator or main super user. This main administrator should be capable of controlling the amount of administrative rights each group administrator has available to them. The group administrator should be capable of controlling access for users in their specific group(s) or department(s) only.
Additionally, the BI access product should provide security access not only at a user or group level but also down to row level. Unlike user or group security, which controls what content (reports or groups of reports) a user can see through the BI access product, row level security allows control of what data is presented through the same report for two different users. Typically this is accomplished through information stored in the security meta data layer of the BI product, which is used to customize the WHERE clause in the SQL that is generated to run the report for the specific user. The result: managers A and B run the same report option through the BI access product, but through the use of row level security the information provided to each manager is specific to them because the data was filtered to meet their security profile.
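The row level filtering described above, as an added example (not code from the article or from any BI product): the table names, column names, users and data are constructed for illustration. The security meta data supplies the filter, filter values are bound as parameters rather than concatenated into the SQL, and a user with no security profile gets no rows.

```python
import sqlite3

def build_demo_db():
    """Constructed sample data: a fact table plus a security meta data table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sales (region TEXT, rep TEXT, amount INTEGER);
        INSERT INTO sales VALUES ('EAST','ann',100), ('EAST','bob',250),
                                 ('WEST','cy',400),  ('WEST','di',50);
        CREATE TABLE security_profile
            (username TEXT, filter_column TEXT, filter_value TEXT);
        INSERT INTO security_profile VALUES
            ('manager_a','region','EAST'),
            ('manager_b','region','WEST'),
            ('auditor','region','EAST'), ('auditor','region','WEST');
    """)
    return db

# Column names cannot be bound as SQL parameters, so any column named in the
# meta data is checked against this allowlist before it reaches the query text.
FILTERABLE = {"region", "rep"}

def row_level_predicate(db, username):
    """Build the WHERE fragment and bound parameters for one user."""
    rows = db.execute(
        "SELECT filter_column, filter_value FROM security_profile "
        "WHERE username = ?", (username,)).fetchall()
    if not rows:
        return "1 = 0", []          # fail closed: no profile, no data
    by_column = {}
    for column, value in rows:
        if column not in FILTERABLE:
            raise ValueError(f"unexpected filter column: {column!r}")
        by_column.setdefault(column, []).append(value)
    clauses, params = [], []
    for column in sorted(by_column):
        values = by_column[column]
        clauses.append(f"{column} IN ({','.join('?' * len(values))})")
        params.extend(values)
    return " AND ".join(clauses), params

def run_report(db, username):
    """Same report definition for every user; only the predicate differs."""
    predicate, params = row_level_predicate(db, username)
    sql = ("SELECT region, SUM(amount) FROM sales "
           f"WHERE {predicate} GROUP BY region ORDER BY region")
    return db.execute(sql, params).fetchall()
```
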
8) What methods are available with the product to manage migration of projects, groups of reports, or single reports through development life cycles (development, quality assurance, user acceptance test, and production)?
This next question addresses an area that is typically lacking in most BI product areas, not just access tools: software source control. Has the vendor provided utilities, products or methods for maintaining source control between your environments? Do any of the vendor's migration methods involve use of file transfer protocol (FTP)? Many companies are moving towards use of secure copy (SCP) to replace FTP. What are the vendor's best practices for migration of entire builds, projects, groups of reports or single reports through the development lifecycle? Can your firm's software source control product work with the product? Has the vendor considered migration of software source between environments or simply left this to the administrator to determine? These are just some of the considerations you should be looking at when reviewing the vendor's response to this question. Administration of software source control through a BI access tool can be very labor intensive and costly if it has not been addressed adequately for your needs by the product's vendor.
Another related question you should consider in the vendor's response: can multiple copies of the product be installed on the same server? This type of scenario is most typical when establishing your development and quality assurance (QA) environments. Budget constraints may require you to house both these environments on the same server. You need to determine whether two copies of the product can be easily and successfully installed on the same server, not just whether development and QA environments can be separated. This distinction is important when new releases or patches of the product are released. This will allow you to test the vendor's new software against development, or maybe another test environment, before committing to QA.
9) How does the BI access product support failover if an application server for the product goes down?
This question is optional depending on whether your business requirements dictate high availability due to the criticality of the information, client business needs, or other service level agreements. This question assumes your infrastructure is supporting redundant web servers, application servers, DBMS servers and possibly load balancers to support high availability (see Figure 1). The vendor's response to this question will give you a fairly good indication of how well the product was designed for extranet deployment of mission-critical information.
Figure 1
Some considerations you should be looking for in the vendor's response include the method for session re-establishment after failover to another application server. Does the user need to re-authenticate and start their session over from the beginning? How is session information (customizations, file saving, views, etc.) shared between the BI access product's application servers? In some companies' installations, the administrator for network security may not accept the method of information sharing between application servers due to perceived risk in security. For example, UNIX application servers sometimes use a file sharing method called network file system/remote procedure call (NFS/RPC) to synchronize files/directories between servers. Many network administrators consider RPC a security risk in an extranet environment due to its perceived vulnerability to being hacked. If the vendor's solution for file sharing between application servers includes use of RPC and your company's policies restrict its use, alternative file sharing methods may need to be explored in order to deploy the product in your environment.
Finally, the BI access product may require installation of software on each of the web servers in order to facilitate failover. The functionality of the software installed on each of the web servers needs to be looked at from a security perspective to ensure it meets your company's extranet policies. Also, review what, if any, persistent data is ever populated on the web servers for security or confidentiality risk. Any data that is stored on the web servers should be considered compromised due to its close proximity to the Internet.
10) How does the BI access product support load balancing in an extranet environment?
This question is also optional depending on whether your business needs require support of high scalability and performance. Considerations include whether, and if so how, the product supports balancing of requests across multiple application servers during periods of increased traffic. The methods used for load balancing need to be reviewed for compatibility with your environment's security, communication, middleware, web server, and application server standards. Requirements for particular web server applications (e.g., Apache, iPlanet, MS IIS) or application servers (e.g., BEA Weblogic, IBM WebSphere, ATG Dynamo) may make the product incompatible with your environment.
The BI access product may require installation of software on each of the web servers in order to facilitate load balancing. The functionality of the software installed on each of the web servers needs to be looked at from a security perspective to ensure it meets your company's extranet policies.
11) What single points of failure exist with the BI access product when deployed for failover?
In this question, look for potential points of failure in deployment of the product that may not be covered under a failover implementation or may require a hardware solution such as clustering to prevent. Look at each component in the implementation for failover to make sure it is covered during a failover operation (e.g., proprietary DBMS, file system sharing, content directory, user personalization settings, etc.). The objective would be to have an automatic failover that is as seamless and undisruptive to the user as possible.
12) What data encryption methods are available through the product offering for authentication and component communication?
The response to this question will indicate whether or not the BI access product was designed with the intention of being deployed on an extranet. Typically BI access products support Secure Sockets Layer (SSL), which is a common encryption protocol for transmitting confidential information across the Internet. Considerations for this question include whether the BI access product supports encryption to user entitlement stores (such as LDAP, NDS, ODBC, ADSI, NT, and others). Beyond authentication, whether the product supports encryption of information between its components should also be determined in order to review any potential risks.
Use of these twelve questions when evaluating a BI access product for extranet deployment can help you avoid many costly pitfalls and issues commonly encountered.
About the Author
Michael Jennings is an architect and manager specializing in business intelligence, enterprise performance management, and web-based delivery strategies & architectures at Hewitt Associates. He has more than eighteen years of information technology experience in the manufacturing, telecommunications, insurance, and human resources industries. Michael speaks frequently on business intelligence issues at major data warehousing conferences and is an instructor of information technology at the University of Chicago's Graham School. He is a contributing author to the book "Building and Managing the Meta Data Repository" published by John Wiley & Sons.
Michael F. Jennings
Hewitt Associates LLC
100 Half Day Road, MS: 3OP-5S
Lincolnshire, IL 60069
(847) 295-5000
Fax: (847) 442-5353
Email: mjennings@igcom.net
mike.jennings@hewitt.com