Spreadsheets Seen As Security Hole

BI tools also often overlooked in corporate efforts to protect data

In the wake of multiple high-profile laptop thefts and data breaches, some IT shops are launching new initiatives to ensure that sensitive corporate data stored in spreadsheets and business intelligence tools remains secure.

The security efforts are taking on a new urgency as more workers gain access to BI tools and spreadsheets used for BI functions.

Several recent incidents — including the inadvertent exposure of sensitive data for about 5,000 customers by Verizon Wireless that was disclosed last week, and the theft of a laptop from the U.S. Department of Veterans Affairs that contained personal information from some 26 million veterans — involved unsecured spreadsheets.

Users and analysts said that spreadsheets are often the most common method used to analyze corporate data and are increasingly used as a front-end to more advanced BI systems. However, in most cases the ubiquitous application and the more traditional BI tools have not yet received the same security scrutiny as transactional systems and Web applications, they said.

Mayur Raichura, director of information services at The Long & Foster Cos., met last week with various executives, including the company's chief financial officer and controller, to kick off an IT security initiative that will place a heavy emphasis on securing BI data.

"There is a tremendous amount of BI data that seems to be in the hands of a lot more employees than [there was] five years ago," Raichura said. "The average user outside of IT doesn't have a clear understanding of the implications of what they do in terms of downloading data."

In addition, the Fairfax, Va.-based real estate company has historically had "no policies on how this data is given to [employees] and what they do with it once they are given it," he added.

At the meeting, Raichura and his fellow executives decided to hire a corporate chief security officer, assess the security of each internally developed and packaged application at the company, and create a set of corporate security standards during this year and into 2007, Raichura said.

Six weeks ago, Long & Foster began implementing a system to warn users about downloading salary and financial-incentive information to spreadsheets on desktops and laptops, he added. The new system issues a pop-up warning to users each time they attempt to download sensitive data into an unsecured spreadsheet on desktop and laptop systems, Raichura said.

He acknowledged that the new policy does not prevent any of the company's 2,500 employees from inputting data from paper-based BI reports into an Excel spreadsheet.

"We are just beginning to bring control over [data from printed reports]," he said. "That is the one area I know we need to be very good at."

The new emphasis on security by Long & Foster IT and financial officials has been supported by a "fantastic awareness" of the issue by executives outside of IT, which was brought about mostly by recent high-profile data breaches, Raichura added.

A year ago, Long & Foster itself was the victim of the theft of a laptop from inside one of its buildings. Although the data on the machine — requirements for a new BI system, written in Microsoft Word — does not appear to have been misused, the theft prompted the company to establish a policy requiring all employees to take their laptops home every day.

The policy, which Raichura acknowledges may seem counterintuitive, aims to promote a sense of responsibility among users, prompting them to "guard the laptop like it is personal property."

Few Are Vigilant

Bill Hostmann, an analyst at Gartner Inc., said that while many organizations go to great lengths to secure transactional systems and Web applications, many more "do almost nothing, or a very limited amount," to protect data housed in BI applications and spreadsheets.

"[Users] may have [sensitive] data on their PC in a spreadsheet, Access database or on an unprotected/shared workgroup server," Hostmann said. "It's often the company's most sensitive data, too."

Michael Hader, director of IT at Odom's Tennessee Pride Sausage Inc., said his company is tackling BI security at the desktop log-in function and with a tool that limits the changes that users can make to spreadsheets.

The Madison, Tenn.-based company uses Microsoft's Active Directory to ensure the security of its BI reports and spreadsheets. It is building portals, customized for partners and customers, that use directory services to determine which reports or spreadsheets can be accessed by specific external users. The portal was built using BI tools from Actuate Corp. in South San Francisco, Calif.

"Unless the report exists in their Actuate portal, they won't even know it exists, period," Hader said. "We even deploy spreadsheets in that manner — that can be our first line of defense on a spreadsheet."

Preventing Access

In addition, Odom's Tennessee Pride uses the Actuate Spreadsheet Application Platform development tool to prevent users from changing cells within a spreadsheet, he said. The tool also lets the company prevent users from directly accessing the database to try to build reports, he said.

The company plans to create an additional layer of security in a few months by using Actuate's new Actuate 9 enterprise reporting suite, which is scheduled to ship later this year, Hader added. The tool will allow the company to fine-tune spreadsheet security so that users will be limited to which portions of a spreadsheet they can see, based upon their roles in the company.

Mark Lack, planning and financial analysis manager at Mueller Inc. in Ballinger, Texas, said his company in May expanded its BI security efforts by integrating its Cognos 8 tools from Ottawa-based Cognos Inc. with its Active Directory services, using a link included in the Cognos tool set. Lack said Active Directory is used to maintain corporate security policies.

Until May, the manufacturer of steel buildings and metal roofing was using the native BI security included in the previous version of the Cognos BI suite, he said.

"[Now] you have the locked, tight security of our ERP system that people can't get into," Lack said. "[The Cognos native] security was used to assign accessibility to different aspects of the software versus to lock down and secure and keep people out of the system. By using [Active Directory services], you can pass through the different levels of security into the BI system and then make the assignments from there."

The move to update the BI security capabilities was prompted in part by plans to significantly boost the number of Mueller users who can access the Cognos software, Lack said. Today, he said, 75 users can access the BI tools. By the end of the year, the system will be rolled out to 200 more users.

In addition, Active Directory eliminates the need for users to have multiple passwords, he said, noting that some users tape their passwords to their laptops because they can't remember them all.

Downloading Danger

The problem of downloaded spreadsheets on laptops is "a big threat that hasn't received a lot of attention from BI vendors," said Wayne Eckerson, director of research at The Data Warehousing Institute in Seattle.

Ironically, Eckerson added, BI vendors have spent millions of dollars converting PC-based tools to the Web, only to be forced by customer demand to return at least partially to the desktop to provide strong Office and Excel integration.

"I guess [vendors] can elect to turn off Excel interfaces, but only at the risk of alienating users," Eckerson said. "It's a real conundrum."

Despite the warnings, not all companies are scrambling to secure spreadsheets.

Grant Felsing, decision support manager at lawn mower engine manufacturer Briggs & Stratton Corp. in Wauwatosa, Wis., noted that most of the BI data stored on desktop spreadsheets at the company would be of little use to unauthorized users. The company does not store personal information in the application; it stores mostly internal manufacturing data, he said.

However, he added, "I think we have the same vague concern as everyone that since Excel is the ultimate BI tool, there should be something stronger than desktop security protecting some of these assets."

Lack noted that while Mueller is improving the security of its Cognos BI tools, the company has no policies related to what employees can download into Excel, and it has no plans to address the issue. He said that users can always use e-mail or print out information if they want to distribute it without using a spreadsheet.

"Cutting people off from doing additional analysis is just an impediment to productivity," Lack said. "If people are trusted to have certain levels of information in our company, we trust them to have it."

Copyright © 2006 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon