BlogFebruary 4, 2020
Implementing Digital Security in Any Reporting Environment
- Connor Martinuzzi, Macharia Lamar
There are many different flavors of business intelligence tools available to us today. Likewise, there are many different ways to implement digital security in our dashboards, ensuring you know who is accessing your data and when. First, in our series of security blogs, we will focus on the Process, People, and Implementation methods you as the developer can use to effectively deploy and efficiently manage a least privilege digital security policy. Followed by a deeper dive into its implementation, we will explore how to best deploy security using some of the more popular business intelligence and data visualization tools like Tableau and Power BI. This is not intended to represent a full and exhaustive list of implementation methods, but to speak to those we have most often seen in action.
Regardless of the tool used, or how and where security is implemented, we must remember the following acronym: AARP
No, we are not talking about the great interest group AARP - whose mission it is “to empower people to choose how they live as they age.” Instead, we are talking about the four-step process that must be followed to effectively implement digital security within your environment:
- A - Authenticate the currently logged in user
- A - Access the resources the authorized user should see
- R - Reduce or filter the data down based on user access
- P - Present the result
Whether implemented at the project, dashboard, or row-level, this security model must be followed to ensure you know exactly who has access to what data, at all times.
You know exactly who has a key to your house, right? Likewise, you have a responsibility to know who has access to your data, how they got it, and the ability to remove/restrict it if necessary. This should be a shared responsibility among a trusted small team that understands your business and user reporting needs. That said, permissions to entitlements are most often set and controlled by a server administrator. As a non-admin developer, this can sometimes make it unnecessarily challenging to efficiently edit, update, and maintain the content you are responsible for, but not impossible when using functionality like User Functions, Data Source Filters, and User Filters.
After your organization determines what type of security policy to implement and designates who will be doing the work, you need to establish where effective permissions will be established. Understanding your user’s role and access needs will best prepare you to design the right solution. Understanding their site role determines their effective capabilities (read, filter, publish, etc.), you can then control what entitlements (data) your users get access to using the previously mentioned user filters, data source filters, or user functions.
Things to always consider:
- Your Time and Patience - How much time do you have to manage security? How many tools or screens will you need to touch to make changes? Can you use your company’s existing access control systems (AD, LDAP, etc.) to help manage access? Do you have the time to edit each of your dashboards when a change is requested?
- Recommendation - The most centralized approach would be to use role-based AD groups in which you would add/remove users based on approved requests. These groups would then be given access within your BI tool. As such, the rule of thumb - assign access to groups, not users.
- The Cost – What is the impact of each layer of security you put in place? Does it cost you more time to manage? Will it introduce latency in your dashboards? Does it make your environment and security administratively heavy?
- Recommendation - Similar to Newton’s third law, for every checkpoint we put in place, there potentially becomes an equal and opposite pain-point for the user. Determine if the benefits outweigh the risks, time, and resources required to manage it. You should perform a cost-benefit analysis by testing and re-testing each considered method.
- Audit – Can you with confidence prove compliance? How much time can you afford to spend proving your security policy is effectively being implemented and managed?
- Recommendation – Document your security policy. Where possible, plug into your organization's existing access control processes. Periodically pen-test (try to break it). Establish a periodic access review period (60, 90, 120 days etc.) This will help prevent access sprawl and aging (gaining membership to groups that are not needed or that create conflicting effective rights or retaining access to data that is no longer needed to do your job.)
So, there you have it. We have provided a high-level overview of the Process, People and methods of Implementing a strong digital security policy within your environment. Remember this:
Access control should be second only to data quality!
Regardless of the method used or the tool employed, this one statement validates everything you have read thus far. If not already, this should become your department's new operational mantra.
Be on the lookout for our second installment, where we will dive deeper into securing your data while using one of the more popular BI tools to date, Tableau, followed by a best practice using Power BI.