Five Security Questions to ask about your BI Project
Security is often an afterthought on BI projects. The conventional thinking, as encouraged by BI vendors, is that the BI implementation will leverage the existing security infrastructure, be it LDAP, Active Directory Server, or otherwise. While that might be the case, thinking about security cannot end there. The following five questions need to be asked, and answered, early on in any BI project:
- How will penetration testing be done?
- How are user IDs and passwords managed? (Single sign-on is the preferred answer.)
- What is the encryption policy? 128-bit SSL encryption is typical, but sensitive data might require more.
- Are the servers shared with other applications? Are the servers virtual servers? If so, what is in place to prevent data leaks, malicious or accidental?
- What is the backup and disaster recovery plan?
As BI moves outside the firewall, onto mobile devices, and perhaps onto servers hosted by a 3rd party, the questions around security need to be asked early and, if necessary, often.
Secure Business Intelligence Development
In order to build a secure business intelligence system, business intelligence developers need to be more security conscious as they go about creating data models, cubes, and reports. eWeek has an article titled 5 Steps to Secure Development, which outlines how to make security an integral part of the enterprise software development process. These lessons are equally applicable to Business Intelligence projects.
- Definition - Start thinking about security from the beginning of the project and build it into the project plan. Most BI vendors will have a security framework for preventing unintended access to data, but how well does it match up with existing business processes? Will the BI system leverage the existing security infrastructure? Is there any custom coding required?
- Education - According to the article, there is a lack of security training across the IT industry. Be sure that the team knows how to roll out secure applications, and how to establish appropriate responses to security breaches. Shutting everything down is effective, but such drastic actions will quickly undermine the confidence of end users.
- Equipment - An emphasis on security can risk slowing down a project, but having the right software tools can mitigate this risk. Look for analyzers and automated testing tools that have security testing features.
- Test, test, test - Testing must be expanded beyond functionality, performance and data validation. Security testing means studying potential failures to see whether they can be exploited. How a component or the system fails is as important as preventing it from failing in the first place.
- Monitoring - As part of the roll-out, alerts and processes must be put in place to monitor for failures and suspicious activity. For example, being alerted to huge spikes in activity and abnormal amounts of data being downloaded by a single user or in a single location.
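The monitoring step above can be sketched as a check over a BI export audit log. This is an added example, not code from the article or from any BI vendor; the log columns (date, user, site, bytes), the 5x threshold and the three-day minimum history are assumptions chosen for illustration.

```python
import csv, io
from collections import defaultdict
from statistics import median

# Constructed sample of a BI export audit log (not real data).
SAMPLE_LOG = """date,user,site,bytes
2024-03-01,alice,london,1200000
2024-03-01,bob,leeds,900000
2024-03-02,alice,london,1500000
2024-03-02,bob,leeds,1100000
2024-03-03,alice,london,1300000
2024-03-03,bob,leeds,950000
2024-03-04,alice,london,1400000
2024-03-04,bob,leeds,48000000
2024-03-04,bob,leeds,52000000
"""

def daily_totals(log_text, key):
    """Sum downloaded bytes per (key value, date); key is 'user' or 'site'."""
    totals = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text)):
        totals[row[key]][row["date"]] += int(row["bytes"])
    return totals

def find_spikes(log_text, key="user", factor=5.0, min_history=3):
    """Flag days where an entity's volume exceeds factor x its own prior median."""
    alerts = []
    for entity, by_day in daily_totals(log_text, key).items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            history = [by_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # too little baseline; avoid alerting on new users
            baseline = median(history)
            if by_day[day] > factor * baseline:
                alerts.append((entity, day, by_day[day], baseline))
    return alerts

if __name__ == "__main__":
    for key in ("user", "site"):  # single user, then single location
        for entity, day, total, baseline in find_spikes(SAMPLE_LOG, key):
            print(f"ALERT {key}={entity} {day}: {total} bytes vs median {baseline}")
```

Comparing each user or site against its own history, rather than a global limit, keeps heavy but legitimate report consumers from drowning out a genuine change in behaviour.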
Most business intelligence vendors take security seriously, with published guidelines for implementing security and details about how their software handles various threats. Here are two examples from Cognos and Microsoft. However, despite these convincing assurances, the responsibility for a secure system ultimately lies with the project team.








