Business Intelligence and Security
Business Intelligence is a relatively new term for the
next generation of data warehousing. While data warehousing is
primarily concerned with the integration of vast amounts of data across
multiple business systems, Business Intelligence is concerned with how
to use that integrated data to make strategic business
decisions. Right away, security becomes a concern whenever
private corporate data is accessed. Stories of conspicuous
data leaks have been making news headlines for years.
Security has been such a strong focus at Microsoft that it is one of
the four pillars of Microsoft’s
Trustworthy Computing Initiative. How can an
information technology worker or developer balance the need for
security while at the same time empowering corporate employees with
critical data required to get their jobs done effectively and
efficiently?
Business Intelligence data is normally presented to users via
the corporate intranet or over e-mail. This allows IT workers
to take advantage of existing security infrastructures to assist them
in securing their Business Intelligence data. These existing
security frameworks, when combined with corporate policies against the
distribution of sensitive company information, are usually enough to
relieve worried CIOs. Let’s take a quick look at
all of the participants in a secure BI data environment.
First and foremost in the Microsoft Business Intelligence
stack is Microsoft SQL Server. SQL Server 2005 has made great
progress at securing itself and the contents of its
databases. The security features of SQL Server include:
- Surface area reduction – at installation,
  typically unused components are disabled by default, reducing the
  chances that viruses and hackers can take advantage of the system.
- Native encryption – data can be encrypted inside
  the database for added security without requiring external SSL
  certificates.
- Authentication – group policy manageable logins
  and endpoint-based authentication.
- Granular permissions – making the permissions
  more granular allows SQL Server users to operate in a least privileged
  environment while still having the security permissions to accomplish
  their tasks.
- User and schema separations – a divergence from
  SQL Server 2000 where a database object’s schema name was the
  same as the database user who owned it.
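The granular permissions and user/schema separation listed above, shown as an added T-SQL example that is not from the original article. The schema, table, view, role and user names are hypothetical, and the `GO` batch separators assume a client such as sqlcmd or Management Studio connected to a scratch database.

```sql
-- Added example; Sales, Reporting, bi_readers and analyst are hypothetical names.
-- Schemas are owned by dbo rather than by the people who query them, so a
-- user can be dropped or renamed without touching any object names.
CREATE SCHEMA Sales AUTHORIZATION dbo;
GO
CREATE SCHEMA Reporting AUTHORIZATION dbo;
GO

CREATE TABLE Sales.Orders (
    OrderId    int         NOT NULL PRIMARY KEY,
    CustomerId int         NOT NULL,
    CardNumber varchar(19) NOT NULL,   -- sensitive column, never exposed to BI users
    Amount     money       NOT NULL
);
INSERT INTO Sales.Orders VALUES (1, 100, '0000-0000-0000-0000', 25.00); -- constructed row
GO

-- The view exposes only aggregated, non-sensitive data.
CREATE VIEW Reporting.RevenueByCustomer AS
    SELECT CustomerId, SUM(Amount) AS Revenue
    FROM Sales.Orders
    GROUP BY CustomerId;
GO

-- Least privilege: the role gets SELECT on the Reporting schema only.
-- Nothing is granted on Sales, so the base table stays out of reach.
CREATE ROLE bi_readers;
GRANT SELECT ON SCHEMA::Reporting TO bi_readers;
CREATE USER analyst WITHOUT LOGIN;          -- test principal, no server login needed
EXEC sp_addrolemember 'bi_readers', 'analyst';
GO

-- Verify the effective permissions from the analyst's point of view.
EXECUTE AS USER = 'analyst';
SELECT HAS_PERMS_BY_NAME('Reporting.RevenueByCustomer', 'OBJECT', 'SELECT') AS can_read_view,
       HAS_PERMS_BY_NAME('Sales.Orders', 'OBJECT', 'SELECT')               AS can_read_table;
-- The view is readable through ownership chaining: view and table share
-- the same owner (dbo), so no permission on Sales.Orders is required.
SELECT CustomerId, Revenue FROM Reporting.RevenueByCustomer;
REVERT;
```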
For more information on security in SQL Server, visit the SQL
Server Security overview at http://www.microsoft.com/sql/technologies/security/securityfeatures_1.mspx.
After SQL Server, in a web environment, IIS is the next
critical component. IIS is responsible for the transmission
of data across the wire, and it is at this level that features such as
SSL encryption to secure communication between the web server and the
user and IPSec to secure communication between the web server and the
database come into play. These types of IIS security features can improve
your organization’s security profile. For more
information about IIS security, visit the Microsoft TechNet Security
Guidance for IIS website at http://www.microsoft.com/technet/security/prodtech/IIS.mspx
Microsoft SharePoint Technologies are increasingly becoming
the presentation platform of choice when it comes to corporate
intranets. Among SharePoint’s greatest features is
the ability for non-technical individuals to provision and manage web
sites without involving an IT or Development department.
SharePoint 2007 offers some significant improvements in security over
older versions of SharePoint technologies. These new
improvements include an extremely flexible granular level of
permissions and a new security trimming feature that prevents
unauthorized individuals from even seeing secured data as an option on
a menu. SharePoint 2007 can work with either integrated
Active Directory authentication or Forms authentication to provide a
flexible security experience. For more information about
SharePoint 2007’s security features, take a look at this blog
entry from the Microsoft SharePoint team: http://blogs.msdn.com/sharepoint/archive/2006/04/07/570939.aspx.
ASP.NET 2.0 ships out of the box with some impressive security
features available to developers. Built-in controls such as
the Login and LoginView controls help provide a similar
sort of security trimming experience to the one in SharePoint.
The provider framework upon which the Membership and Roles
functionality is built enables developers to be highly flexible when it
comes to developing a web application with security in mind.
ASP.NET 2.0 automatically grants the ability to configure and manage
security through a built-in web admin tool located at http://myserver/MyWebappName/WebAdmin.axd .
This web admin tool allows you to configure the three security groups:
Users, Roles, and Access Rules. MSDN Magazine published an
excellent article about security and ASP.NET 2.0: http://msdn.microsoft.com/msdnmag/issues/04/06/ASPNET20Security/
Windows Server 2003 and Active Directory are the foundations
upon which all of these pieces of software rest. Active
Directory is an evolutionary improvement from the old NT4 security
model in that it supports new concepts such as Access Control Lists
(and ACL inheritance), atomic permissions, right sets, and new levels
of administrative accounts. Windows Server 2003 also ships
with the Security Configuration Wizard which helps administrators
harden their servers by authoring, testing, and deploying security
policies that reduce attack surface areas. For an excellent
introduction to Windows security concepts, check out this article at http://windows.stanford.edu/Public/Security/ADSecurityOverview.htm.
Now that we’ve seen the major players in the
security discussion around Microsoft BI, let’s take a quick
look at the BI platform components. To date, all of the
Microsoft Business Intelligence products have been shipped with
Microsoft SQL Server as free add-on capabilities. SQL Server
2005 provides the excellent and stable transaction databases from which
SQL Server Analysis Services (SSAS) builds OLAP data cubes.
SQL Server Reporting Services (SSRS) generates and delivers reports
about the transactional and cubed data in a variety of
formats. Microsoft Business Scorecard Manager (BSM)
integrates into SharePoint to create read-at-a-glance reports of
company status. Recently Microsoft added to their already
formidable arsenal of BI tools with the acquisition of
ProClarity. ProClarity Analytics has long been a leader in
analyzing data, ad-hoc reporting, dashboards, and scorecards with an
extremely powerful GUI. While ProClarity is now a wholly
owned Microsoft subsidiary, it continues to operate its own website at www.proclarity.com.
The purchase of ProClarity and the development of the Business
Scorecard Manager 2005 product have positioned Microsoft to build a new
product, the Microsoft Office PerformancePoint Server 2007.
PerformancePoint Server is a completely new Business Intelligence
platform, providing planning, budgeting, forecasting, scorecarding, and
reporting capabilities to employees at all levels of the
organization. PerformancePoint Server takes advantage of SQL
Server Analysis Services, SharePoint, Microsoft Office Excel, and
ProClarity Analytics to create a comprehensive performance management
application. Learn more about this upcoming product at its
homepage: http://office.microsoft.com/en-au/FX101550371033.aspx
This article has taken a quick look at both the Microsoft
Business Intelligence offering as well as the security features offered
throughout the stack. While each of these topics and even
each of the platform components is individually worthy of a book, it is
my hope that this article conveys the level of flexibility an IT
department has when it comes to securing sensitive corporate
data. In fact, it has been my hope to impress upon you that
in general no special efforts need to be taken to secure BI data above
and beyond those security efforts already taken to secure the platform
upon which the BI stack rests.