Business Intelligence and analytics systems need security for data and processes. Consider these critical points when developing and enhancing a BI or analytics project
Implementing security is very basic to any system, including business intelligence (BI) and analytics systems. Some basic questions to answer include:
- What type of security measures do we need? What needs to be secured?
- How are we securing the data? The applications? The tools?
- What type of data security measures do we have in place?
- Must the security measures include encryption and decryption, especially for a Web-enabled BI application?
- Are single-user authentication services of a Web portal part of this data warehouse / data mart or this BI application?
Organizations that have a strong security umbrella in their operational environment are more likely to pay attention to security measures for their business intelligence data. Organizations that are less security conscious for operational data may have challenges when deploying BI / analytics solutions. These organizations may unwittingly be exposing themselves to security breaches, especially if the plan is to deliver information through web-based communications or to external users.
Suppose an organization wanted to give its distributors the ability to analyze their orders and shipments via a multi-dimensional BI application. To prevent one distributor from searching through other distributors’ data, a mechanism would be needed to restrict the order and shipment information to only those pertaining to that particular distributor. In other words, some security lock is required to prevent access to the sales records of the distributor’s competitors. This is not as straightforward as it sounds, because:
- There are no off-the-shelf umbrella security solutions to impose this kind of security. This security requirement must be implemented through the various security features of the database and the BI tools used by the BI application.
- The solution of imposing security at a table level may not be granular enough. Although, one possible way to achieve this type of security is to partition the tables either physically or logically (through VIEWs). Partitioning will restrict access solely to the appropriate distributor as long as both the fact tables and the dimension tables are partitioned. Therefore, this method could become too cumbersome.
- An alternative may be to enhance the metadata with definitions of data parameters, which could control access to the data. This form of security would be implemented with appropriate program logic to tell the metadata repository “who the distributor is,” allowing the application to return the appropriate data for that distributor only. This type of security measure will only be as good as the program controlling it.
This example illustrates that the required security measures must be well analyzed, and that the security features of the database management system (DBMS) and of the BI tools must be thoroughly understood and cross-tested. Complete reliance on one comprehensive security package that has the capability to implement all types of security measures is not a security solution, because such a security package does not exist.
When are installing purchased security packages, be sure to minimize the number of security packages because one of two things may happen:
- Business people will log in through multiple security packages, using multiple logon IDs, and multiple passwords that expire at different times. They will get frustrated very quickly if they have to go through different logon procedures and remember different IDs and passwords for each procedure. Complaints will run high.
- Business people will stop using the BI / analytics solution entirely because it is too cumbersome.
Organizations avoid this problem by adopting a single-sign-on scheme, which keeps the frustration level to a minimum but still allows the organization to track any security breaches.
Centralized vs. Decentralized Security
The goal of centralized security is “one entry point — one guard.” It is much easier to guard a single door than multiple doors. In a centralized environment, all security measures can be implemented in one location because all the data is in one place. However, keeping all the data in one central place is not always feasible, or desirable.
- If data needs to be stored in a distributed fashion, implementing security measures becomes much more complicated. The steps involved are:
- Identify the endpoints in your network architecture and the paths connecting the endpoints.
- Determine the connectivity paths (from the entry points) to get to the data. Link and label the connectivity paths.
- Compare the paths with the existing security you have in place. You may already have some security packages installed, and some of them may be sufficient to guard a subset of the data. It may be useful to draw a matrix for security gap analysis purposes.
The security gap analysis matrix will help to identify where security is still needed and what type of security is needed. Keep in mind that:
- Password security may be the least expensive approach to implement, but it can be easily violated.
- Database security is the most important component of the security solution and should override all other security measures that may contradict the authority granted to the data in the DBMS.
- Encryption is not found in data warehouses / data marts due to the complicated encryption and decryption algorithms. Encryption and decryption processes also degrade performance considerably. However, with the frequent use of the Internet as an access and delivery mechanism, encryption should be considered seriously to protect the organization from costly security breaches for very sensitive data.
Security for Internet Access for BI / Analytics
The Internet enables distribution of information worldwide, and the data warehouse / data mart provides easy access to organizational data. Combining these two capabilities appears to be a giant leap forward for engaging in e-commerce. However, consider the implications of combining these technologies carefully before deciding to take the risk of potentially exposing sensitive organizational data.
Many organizations offer their external connections (customers, partners, vendors, etc.) access to their internal data for internet-based export to perform their own analysis. This complicates the concern for:
- Security of the internal databases that are used for BI/analytics
- Security issues associated with allowing internet access to the organization’s data
If the architecture includes transmitting the data over the Internet, spend extra time and money on authorization and authentication of internal staff and external customers. Moreover, consider investing in encryption and decryption software.
Authentication — is the process of identifying a person, usually based on a logon ID and password. This process is meant to ensure that the person is who he or she claims to be.
Authorization — is the process of granting or denying a person access to a resource, such as an application or a Web page. In security software, authentication is distinct from authorization; and most security packages implement a two-step authentication and authorization process.
Encryption — is the “translation” of data into a secret code. It is the most effective way to achieve data security. To read an encrypted file, one must have access to a secret key or password that enables the person to decrypt the data.
The basic points for security are to define security requirements early and completely to have time to consider and weigh all factors. Training in all aspects of data management, including effective data security, is essential for IT professionals and all user communities.
Asked why he robbed banks, Willie Sutton famously replied, Because that’s where the money is!” In the information age, organizations entrust their information to BI and analytics systems and the people who use them. It is essential that they be protected against the cyber-thieves who to try to steal from them.