Spreadsheets Seen As Security Hole

Companies moving to protect data in Excel and other BI tools

1 2 Page 2
Page 2 of 2

"Unless the report exists in their Actuate portal, they won't even know it exists, period," Hader said. "We even deploy spreadsheets in that manner -- that can be our first line of defense on a spreadsheet."

Preventing Access

In addition, Odom's Tennessee Pride uses the Actuate Spreadsheet Application Platform development tool to prevent users from changing cells within a spreadsheet, he said. The tool also lets the company prevent users from directly accessing the database to try to build reports, he said.

The company plans to create an additional layer of security in a few months by using Actuate's new Actuate 9 enterprise reporting suite, which is scheduled to ship later this year, Hader added. The tool will allow the company to fine-tune spreadsheet security so that users will be limited to which portions of a spreadsheet they can see, based upon their roles in the company.

Mark Lack, planning and financial analysis manager at Mueller Inc. in Ballinger, Texas, said his company in May expanded its BI security efforts by integrating its Cognos 8 tools from Ottawa-based Cognos Inc. with its Active Directory services, using a link included in the Cognos tool set. Lack said Active Directory is used to maintain corporate security policies.

Until May, the manufacturer of steel buildings and metal roofing was using the native BI security included in the previous version of the Cognos BI suite, he said.

"[Now] you have the locked- tight security of our ERP system that people can't get into," Lack said. "[The Cognos native] security was used to assign accessibility to different aspects of the software versus to lock down and secure and keep people out of the system. By using [Active Directory services], you can pass through the different levels of security into the BI system and then make the assignments from there."

The move to update the BI security capabilities was prompted in part by plans to significantly boost the number of Mueller users who can access the Cognos software, Lack said. Today, he said, 75 users can access the BI tools. By the end of the year, the system will be rolled out to 200 more users.

In addition, Active Directory eliminates the need for users to have multiple passwords, Lack said, noting that some users tape their passwords to their laptops because they can't remember them all.

Downloading Danger

The problem of downloaded spreadsheets on laptops is "a big threat that hasn't received a lot of attention from BI vendors," said Wayne Eckerson, director of research at The Data Warehousing Institute in Seattle.

Ironically, Eckerson added, BI vendors have spent millions of dollars converting PC-based tools to the Web, only to be forced by customer demand to return at least partially to the desktop to provide strong Office and Excel integration.

"I guess [vendors] can elect to turn off Excel interfaces, but only at the risk of alienating users," Eckerson said. "It's a real conundrum."

Despite the warnings, not all companies are scrambling to secure spreadsheets.

Grant Felsing, decision support manager at lawn mower engine manufacturer Briggs & Stratton Corp. in Wauwatosa, Wis., noted that most of the BI data stored on desktop spreadsheets at the company would be of little use to unauthorized users. The company does not store personal information in the application; it stores mostly internal manufacturing data, he said.

However, he added, "I think we have the same vague concern as everyone else that since Excel is the ultimate BI tool, there should be something stronger than desktop security protecting some of these assets."

Lack noted that although Mueller is improving the security of its Cognos BI tools, the company has no policies related to what employees can download into Excel, and it has no plans to address the issue. He said that users can always use e-mail or print out information if they want to distribute it without using a spreadsheet.

"Cutting people off from doing additional analysis is just an impediment to productivity," Lack said. "If people are trusted to have certain levels of information in our company, we trust them to have it."

Copyright © 2006 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon