Security Management


Security features must be tested early during the first rollout. Security is often overlooked in BI applications or is given superficial attention. Keep in mind that the data in the BI target databases is the same data contained in the operational systems. The common argument that security is not an issue for BI applications because the data is aggregated and summarized holds true only if detailed data is not available through drill-down features. In that case, the security measures for the BI data do not need to be as stringent as the security measures imposed on the same operational source data. However, most BI target databases store a fair amount of detailed data in addition to the summaries. Therefore, the security measures may be relaxed for some of the data but not for all.

Security Measures for BI Applications

Organizations that have strong security umbrellas on their mainframes are more likely to pay attention to security measures for their BI applications on multi- tier platforms. Organizations that have very lax security policies for their mainframes are usually prone to treating security casually for their BI applications as well. These organizations may unwittingly expose themselves to security breaches, especially if they plan to deliver information from the BI target databases over the Web.

The following is an example of a security requirement that may need to be imposed on a BI application. Suppose an organization wants to give its distributors the ability to analyze their orders and shipments via a multidimensional BI application. To prevent a distributor from searching through other distributors ' sales data, there would have to be a mechanism for restricting each distributor's access to only the sales data pertaining to that particular distributor. In other words, some security lock is required to prevent access to the competitors ' sales data. This is not as straightforward as it sounds.

  • No off-the-shelf umbrella security solutions can impose this kind of security. This security requirement would have to be implemented through the various security features of the database management system (DBMS) and of the access and analysis tools used by the BI application.

  • The solution of imposing security at a table level may not be granular enough. However, one possible way to achieve this type of security is to partition the tables either physically or logically (through VIEWs). Partitioning will restrict access solely to the appropriate distributor as long as both the fact tables and the dimension tables are partitioned. Therefore, this method could become too cumbersome.

  • An alternative may be to enhance the meta data with definitions of data parameters, which could control access to the data. This form of security would be implemented with appropriate program logic to tell the meta data repository the distributor's identity, allowing the application to return the appropriate data for that distributor only. This type of security measure will be only as good as the program controlling it.

This example illustrates that the required security measures must be well considered and that the security features of the DBMS and of the access and analysis tools must be well understood and cross-tested. Complete reliance on one comprehensive security package that has the capability to implement any and all types of security measures is not a security solution because such a security package does not exist.

To get the security you need, you will most likely have to implement a number of different security measures, including purchased security packages. However, be sure to minimize the number of security packages you implement because one of two things may happen.

  1. Business people will be logging in through multiple security packages, using multiple logon identifiers (IDs) and multiple passwords that expire at different times. They will get frustrated very quickly if they have to go through different logon procedures and remember different IDs and passwords for each procedure. Complaints will run high.

  2. Business people will stop using the BI decision-support environment entirely because it is too cumbersome. You do not want this to happen.

A number of organizations avoid this problem by adopting a single-sign-on scheme, which keeps the frustration level to a minimum but still allows tracking of any security breaches, albeit in a less sophisticated way.

Security in a Multi-Tier Environment

Implementing security measures in a centralized environment is less complicated than in a multi-tier environment. In a centralized environment, all security measures can be implemented in one location because all the data is in one place. The goal of centralized security is "one entry point, one guard." It is much easier to guard a single door than multiple doors.

In a BI decision-support environment, keeping all the data in one central place is not always feasible or desirable. If data needs to be stored in a distributed fashion in a multi-tier environment, implementing security measures becomes much more complicated. The list below briefly describes the steps involved.

  1. Identify the end points in your network architecture and the paths connecting the end points. Draw a diagram of your physical architecture, similar to Figure 15.1.

    Figure 15.1. Example of a Physical Architecture Diagram

    graphics/15fig01.gif

  2. Determine the connectivity paths (from the entry points) used to get to the data. Draw a diagram with links and labels for the connectivity paths (Figure 15.2).

    Figure 15.2. Example of a Connectivity Path Diagram

    graphics/15fig02.gif

  3. Compare the paths with your existing security measures. You may already have some security packages installed, and some of them may be sufficient to guard a subset of the data. Draw a matrix for security gap analysis purposes (Figure 15.3).

    Figure 15.3. Example of a Security Gap Analysis Matrix

    graphics/15fig03.gif

The security gap analysis matrix will help you identify where security is still needed and what type of security is needed. Keep in mind the following points:

  • Password security may be the least expensive to implement, but it can be easily violated.

  • DBMS security is the most important component of the security solution and should override all other security measures that may contradict the data access authority granted by the DBMS.

  • Encryption is not that prevalent in BI decision-support environments because of the complicated encryption and decryption algorithms. Encryption and decryption processes also degrade performance considerably. However, with the frequent use of the Internet as an access and delivery mechanism, encryption should be seriously considered to protect the organization from costly security breaches.

Security for Internet Access

The Internet enables distribution of information worldwide, and the BI decision-support environment provides easy access to organizational data. Combining the two capabilities appears to be a giant leap forward for engaging in e-commerce. However, carefully consider the implications of combining these technologies before you decide to take the risk of potentially exposing sensitive organizational data (Figure 15.4).

Figure 15.4. Security Considerations for Internet Access

graphics/15fig04.gif

Many product vendors are enabling Web access to databases in general, and some vendors are allowing access to BI target databases in particular. This complicates the concerns for:

  • The security of the BI decision-support environment in general

  • The security issues associated with allowing Web access to the organization's data

The bottom line on security is that you need to define your security requirements early in order to have time to consider and weigh all factors. If you opt to display the data on the Web, spend extra time and money on authentication and authorization of internal staff and external customers. If you are transmitting sensitive data to and from external customers, consider investing in encryption and decryption software.

  • Authentication is the process of identifying a person, usually based on a logon ID and password. This process is meant to ensure that the person is who he or she claims to be.

  • Authorization is the process of granting or denying a person access to a resource, such as an application or a Web page. In security software, authentication is distinct from authorization, and most security packages implement a two-step authentication and authorization process.

  • Encryption is the "translation" of data into a secret code. It is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is usually referred to as plain text, while encrypted data is usually referred to as cipher text.



Business Intelligence Roadmap
Business Intelligence Roadmap: The Complete Project Lifecycle for Decision-Support Applications
ISBN: 0201784203
EAN: 2147483647
Year: 2003
Pages: 202

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net