
Securing Business Intelligence Data

 


April 14, 2003 (Computerworld) -- It's no secret that in a back room in the typical Fortune 500 company, there's a team of analytical wizards running sophisticated queries that mine for gems such as data about the company's best customers -- those top 20% of clients that produce 80% of the company's profits. These jewels can be a business's most valuable intellectual property, which makes them very valuable to competitors.

What's to prevent that data set from walking out the door or falling into the wrong hands?

Sometimes, not much. Many companies lack the internal controls to prevent that information from leaking. The problem is that business-intelligence data is as hard to protect as it is important.

"Securing your business-intelligence information and systems is often an afterthought at best," says Cate Quirk, an analyst at AMR Research Inc. in Boston.

Michael Rasmussen, an analyst at Giga Information Group Inc. in Cambridge, Mass., agrees. "Have most IT shops really thought through the security issues around BI?" asks Rasmussen. "The answer is no."

It Can Be a Business
Owens & Minor Inc. had to think about it. Business intelligence is big business at the Reston, Va.-based medical supplies distributor. A $4 billion company, Owens & Minor counts some of the nation's largest health care organizations among its customers. In late 1996, it started mining data internally using business-intelligence software from Business Objects SA, whose U.S. headquarters is in San Jose.

"From the beginning, we were aware of security issues around this information," says Don Stoller, senior director of information systems at Owens & Minor. "For example, a sales executive in Dallas should only have access to analyses from his region."

Dean Abbott, principal at Abbott Consulting in San Diego, adds, "Don't give access to anyone who doesn't have a definite need." It is always possible that someone who has legitimate access will abuse that trust, but analysts say you can minimize that potential by strictly limiting access to only those who need it.

To guard against such a breach, Owens & Minor used role-level security functions in the Business Objects application that clearly define who has access to which data. "This meant we had to build a separate security table in our Oracle database," says Stoller.

A few years later, when the company wanted to open its systems to suppliers and customers, security became even more important. In 1998, Owens & Minor moved quickly to take advantage of Web-intelligence software from Business Objects that's designed to Web-enable business-intelligence systems.

The result was Wisdom, a portal that lets Owens & Minor's suppliers and customers access their own transactional data and generate sophisticated analyses and reports from it.

"In [business-to-business transactions], security is key," says Stoller. "We had to make absolutely sure that Johnson & Johnson, for example, could not see any of 3M's information. This meant we had to set up specific customer and supplier security tables, and we had to maintain new, secured universes in Business Objects."
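
The security-table approach Stoller describes, covering both the regional restriction and the supplier isolation, sketched here as an added example (it is not Owens & Minor's schema or Business Objects configuration). It uses SQLite in place of Oracle; the table, column and user names are hypothetical and the data is constructed.

```python
import sqlite3

# Constructed sample data; all table, column and user names are hypothetical.
SCHEMA = """
CREATE TABLE sales (region TEXT, supplier TEXT, amount INTEGER);
CREATE TABLE user_scope (          -- the "security table": one row per grant
    username  TEXT NOT NULL,
    dimension TEXT NOT NULL CHECK (dimension IN ('region', 'supplier')),
    value     TEXT NOT NULL,
    PRIMARY KEY (username, dimension, value)
);
INSERT INTO sales VALUES
  ('Dallas', 'SupplierA', 100), ('Dallas', 'SupplierB', 250),
  ('Boston', 'SupplierA', 400), ('Boston', 'SupplierB', 50);
INSERT INTO user_scope VALUES
  ('dallas_exec', 'region', 'Dallas'),
  ('supplier_a_portal', 'supplier', 'SupplierA');
"""

# Every report query is filtered through the security table. A user with
# no grant rows matches nothing, so the default is deny. EXISTS (rather
# than a join) avoids duplicate rows when two grants cover the same row.
SCOPED_QUERY = """
SELECT s.region, s.supplier, s.amount
FROM sales AS s
WHERE EXISTS (
    SELECT 1 FROM user_scope AS u
    WHERE u.username = ?
      AND ((u.dimension = 'region'   AND u.value = s.region)
        OR (u.dimension = 'supplier' AND u.value = s.supplier)))
ORDER BY s.region, s.supplier
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def rows_visible_to(conn, username):
    """Return only the sales rows the security table grants to username."""
    return conn.execute(SCOPED_QUERY, (username,)).fetchall()

def total_visible_to(conn, username):
    """Aggregate over the scoped rows, never over the raw sales table."""
    return sum(amount for _, _, amount in rows_visible_to(conn, username))

if __name__ == "__main__":
    db = open_db()
    for user in ("dallas_exec", "supplier_a_portal", "unknown_user"):
        print(user, rows_visible_to(db, user), total_visible_to(db, user))
```

The filter only holds if report users cannot query the underlying table directly, so the grant rows and the base table need tighter permissions than the reports built on them.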

Wisdom was such a success that Owens & Minor decided to go into the intelligence business with the launch of Wisdom2 in the spring of 2000. "We capture data out of a hospital's materials management system and load it into our data warehouse," Stoller explains. A hospital can then make full use of its business-intelligence software to mine and analyze purchasing data. Owens & Minor receives a licensing and maintenance fee for the service.

Administration Nightmare
Layers of security and encryption imply a considerable amount of systems administration overhead. Both Quirk and Rasmussen say that's the main reason security concerns about business intelligence are often swept under the carpet. The issues of authentication (identifying the user) and authorization (what things the user is allowed to do) must be addressed, usually across different applications, Rasmussen says, adding, "Systems administration can be a real nightmare."

"We are going through some of this," says David Merager, director of Web services and corporate applications at Vivendi Universal Games Inc. in Los Angeles. "Our business intelligence needs more security attention."

Vivendi generates business-intelligence reports from two systems: an Oracle-based general ledger database on Unix, and a data entry application for budgets on a Microsoft SQL Server database. The heart of the business-intelligence system consists of Microsoft's OLAP application and software from Comshare Inc. in Ann Arbor, Mich., that provides the Web-based front end for the analytics. "Our budget teams use these reports to do real-time analyses," says Merager.

Rodger Sayles, manager of data warehousing at Vivendi, says one way to secure such a system would be to assign roles to all users within the Microsoft application. Roles determine precisely what a user is allowed to see and do and are usually managed within a directory. If your computing architecture is amenable to a single, centralized directory that supports roles, this may be an attractive solution.

"The problem is that once you have over 40 distinct roles, you run into performance issues, and we have identified about 70 roles," Sayles explains.

He says there's a way around this difficulty. "I think we are going to use a combination of portals and roles. A user would sign on through a particular portal, which would effectively place the user in a role category. This reduces the burden on the application," says Sayles.

Keep It Simple
Dave Stack, manager of corporate financial planning at RSA Security Inc. in Bedford, Mass., employs a similar strategy using some of the same software from Comshare. RSA's business-intelligence applications produce forecasting, budgeting and product reports.

He says good planning has also helped keep systems administration headaches to a minimum. "Comshare gives you about nine types of users," says Stack, "and that is plenty for us."

What makes this small number of profiles possible, he explains, is a good design that uses a hierarchy of four security levels. "These, together with security features in our Microsoft SQL Server database, make it easy for us to create cross-functional roles," says Stack.

But Stack says things would have been a lot more difficult if he had started deploying business intelligence without having a good security plan in place first.

John Schramm, manager of strategic security architecture and engineering at FleetBoston Financial Corp., says a good place to start planning is with a classification system that defines different levels of security for different types of information.

"In order to protect data," says Schramm, "you need to know what the rules are. Our classification system enables us to set the rules that we need to design security around information."

Schramm worked with consultants at Greenwich Technology Partners Inc. in White Plains, N.Y., to define four security levels: highly confidential, which defines data with trade secrets or wire-transfer information; confidential, such as transactional data and credit card numbers; confidential informational, defined as nontransactional data such as customer lists; and company-restricted data like job postings and phone directories.

Security systems, Schramm explains, can include field-level encryption, transport-level security such as Secure Sockets Layer and Secure Copy Protocol, and authentication and authorization. "Combinations of these kick in at different levels in our classification hierarchy," says Schramm.

FleetBoston is a large, distributed enterprise, which makes classification even more important. "We try to maintain these standards across our various lines of business," says Schramm. "They are all different, and one of my primary responsibilities is to integrate them in a secure manner. I need to know what data the different lines of business need."

Complex Profiling
Most companies have thought through network and software security issues, which is why they don't come up that often in discussions about business-intelligence security.

When it comes to such data, the security concerns are more about policies. "It is always possible for someone within the company to abuse security privileges," says Rasmussen. "But the best defense against this and most other breaches is to make sure you have good, strong policies in place -- things like authentication and authorization."

Schramm agrees. "The big challenge is in determining the data elements that define the user of a particular [business-intelligence] system. These profiles are a real challenge. As just one example, you may have employees who are also customers.

"You need to know who the actors are," says Schramm.

Leon is a freelance writer in San Francisco. Contact him at mrleon@usfca.edu.

Special Report: Mining for Gems