Business Intelligence Security

Business Intelligence (BI) is an indispensable tool for most companies. Executives need BI to ensure that the right business strategies are followed. Marketers need BI to understand customer behavior and fine-tune product offerings in a fast-changing market. BI has become pervasive for decision-making at all levels.

Ironically, it’s this pervasiveness that has created security risks for companies that leverage BI. The centralized architecture of many BI solutions means that lots of potentially sensitive data is aggregated in one place and used by many people. If an attacker gains access, he can steal vast quantities of data or alter information used by many different business units.

Security breaches can originate from internal sources as well. An employee leaving the company may take unlimited quantities of corporate data with him if he has access to it. The result can be a major “data leak” of sensitive operational, financial, and sales data, or even theft of intellectual property where results of market or clinical trials using BI are involved.

As with any information technology, there’s a fine balance between creating safeguards for corporate data and ease of use, which impacts the user’s ability to efficiently do his job. Let’s look at some of the trends in BI that impact security and techniques that can be applied.

The most rudimentary security technique to secure BI is to apply access controls to the data.

  • Users should only be granted access to data on an as-needed basis. Having access to the wrong data not only means potential security vulnerabilities, but can result in erroneous analysis results and wasted time – what happens if you analyze the results for someone else’s sales territory by mistake? Proper access controls would prevent this kind of scenario.
  • Should access controls be in the data warehouse or at the presentation/reporting layer? This is a question that’s been the subject of debate in the industry. However, it’s safe to say that it’s generally more difficult to maintain controls in the data warehouse over the long haul. Granting or denying access to users for specific tables, columns, and even rows of data requires a lot of DBA time. It’s much easier to manage the controls using presentation/reporting tools. The only drawback to this strategy arises when people use different presentation and reporting tools to access the same data: you’ll find yourself trying to manage security across different tools, and the chance of making a mistake quickly grows.

Two closely related trends, the explosive growth in mobile devices and the adoption of Bring Your Own Device (BYOD) in corporate IT, are having a major impact on BI security.

  • Users are starting to expect mobile access to everything they have in their office, and companies are finding it more efficient for employees to provide their own devices, including laptops, mobile phones and tablets.
  • In a recent Gartner survey, 33% of companies said they plan to roll out mobile BI solutions in 2012. For a growing segment of users, mobile will be the exclusive way they consume BI.
  • All of this means that sensitive BI data will leave the safe confines of the corporate network, and personal and business data will end up intermixed on the same device.

Another major concern for mobile access is around lost and stolen devices.

  • Loss of sensitive data can be subject to data breach notification laws in many jurisdictions.
  • If a mobile device has offline capabilities (data is cached locally) the risk of data theft is very high. Policies need to be created and enforced for authentication of mobile devices, and BI applications should be architected to avoid retention of local data copies.
  • Data encryption should also be high on the priority list when mobile devices are involved.

To minimize the impact of data leaks, companies should consider de-identifying the data in the BI system wherever possible.

  • De-identification is an irreversible process that strips data of elements that represent personally identifiable information (PII), such as names, phone numbers, social security numbers, and credit card numbers. This is a very common process employed in health information systems where the privacy of protected health information (PHI) is mandated by HIPAA policy.
  • One technique for de-identifying BI data is tokenization. This process, popular in the credit card industry to achieve compliance with PCI standards, involves substituting sensitive data with tokens that reference the data in some other external database. This means that only the tokens are exposed to BI users, and additional privileges can be required to access the underlying data.
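
The tokenization flow described above, as an added Python example that is not from the original article: PII columns are swapped for random tokens before rows reach the BI dataset, repeated values reuse one token so aggregates still work, and recovering a real value requires an extra privilege. The `TokenVault` class, the column names, the `pii_reader` role and the sample rows are all constructed for illustration.

```python
import secrets

PII_COLUMNS = ("name", "card_number")

class TokenVault:
    """Constructed stand-in for the external database that holds the real values."""

    def __init__(self):
        self._by_value = {}   # original value -> token
        self._by_token = {}   # token -> original value

    def tokenize(self, value):
        # Reuse the token for a repeated value so joins and GROUP BY still work.
        token = self._by_value.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the value
            self._by_value[value] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token, roles):
        # "pii_reader" is a hypothetical role name for the additional privilege.
        if "pii_reader" not in roles:
            raise PermissionError("detokenization requires the pii_reader role")
        return self._by_token[token]

def load_for_bi(rows, vault):
    """Copy rows into the BI dataset with PII columns replaced by tokens."""
    return [{col: vault.tokenize(val) if col in PII_COLUMNS else val
             for col, val in row.items()} for row in rows]

def spend_by_customer(bi_rows):
    """An analyst-side aggregate that only ever sees tokens."""
    totals = {}
    for row in bi_rows:
        totals[row["card_number"]] = totals.get(row["card_number"], 0) + row["amount"]
    return totals

# Constructed sample records (test card numbers, not real data).
SAMPLE = [
    {"name": "Alice Example", "card_number": "4111111111111111", "amount": 120, "region": "EMEA"},
    {"name": "Bob Example", "card_number": "5500005555555559", "amount": 75, "region": "APAC"},
    {"name": "Alice Example", "card_number": "4111111111111111", "amount": 30, "region": "EMEA"},
]

if __name__ == "__main__":
    vault = TokenVault()
    print(spend_by_customer(load_for_bi(SAMPLE, vault)))
```

Non-PII columns such as `region` and `amount` pass through unchanged, so reports can still be sliced by them without touching the vault.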

Of course, all of these techniques will be less effective unless implemented under a comprehensive security policy for BI. This security policy needs to encompass critical areas such as:

  • Data Classification – which BI data is deemed sensitive and what measures are required to protect it. There may be multiple levels of sensitivity and associated protection measures
  • User/role classification – what BI data users should be able to access based on their role or function in the organization
  • Entitlement standards – how BI applications are allowed to access data and perform specific functions
  • Data Transmission – where encryption is required and what levels are needed for user access, file transfer, etc.
  • Data storage – where data is allowed to be stored, how data is backed up, what data retention policies apply

Many companies using BI, such as financial institutions, pharmaceuticals, and retailers, are subject to regulatory and industry compliance directives that affect BI security. A few examples are:

  • Sarbanes-Oxley (SOX), which is legislation designed to reduce fraud and conflicts of interest while increasing financial transparency. The part of SOX most relevant to BI is Section 404, which basically says that public companies must establish, maintain, document, and report on internal control over financial reporting. This translates into requirements for access controls, auditability, and data integrity for BI systems that manage financial information.
  • The Health Insurance Portability and Accountability Act (HIPAA), which governs uses and disclosures of an individual’s health data. Violation of HIPAA can result in civil and criminal penalties. For BI systems that process health data from individuals, care must be taken to mask any data that would identify an individual (for example, in a wide-scale public health analysis or drug trial).
  • The Gramm-Leach-Bliley Act (GLBA), which applies to banks, securities firms, insurance companies, and other financial service providers. The primary BI focus of GLBA is around the data privacy provisions included in the legislation. These provisions essentially state that companies need to ensure the privacy and integrity of customer financial information by putting security processes, programs and safeguards in place.

GRT’s experts can help you create a secure BI solution with technologies that are appropriate to and cost-effective for your business. We have experience building solutions across a wide range of security-focused industries such as banking, insurance, and energy trading.

 
