Information Security News mailing list archives

Securing Business Intelligence Data


From: InfoSec News <isn () c4i org>
Date: Tue, 15 Apr 2003 04:06:50 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.computerworld.com/securitytopics/security/story/0,10801,80226,00.html

By Mark Leon
APRIL 14, 2003
Computerworld 

It's no secret that in a back room in the typical Fortune 500 company,
there's a team of analytical wizards running sophisticated queries
that mine for gems such as data about the company's best customers --
those top 20% of clients that produce 80% of the company's profits.  
These jewels can be a business's most valuable intellectual property,
which makes them very valuable to competitors.

What's to prevent that data set from walking out the door or falling
into the wrong hands?

Sometimes, not much. Many companies lack the internal controls to
prevent that information from leaking. The problem is that
business-intelligence data is as hard to protect as it is important.

"Securing your business-intelligence information and systems is often
an afterthought at best," says Cate Quirk, an analyst at AMR Research
Inc. in Boston.

Michael Rasmussen, an analyst at Giga Information Group Inc. in
Cambridge, Mass., agrees. "Have most IT shops really thought through
the security issues around BI?" asks Rasmussen. "The answer is no."


It Can Be a Business

Owens & Minor Inc. had to think about it. Business intelligence is big
business at the Reston, Va.-based medical supplies distributor. A $4
billion company, Owens & Minor counts some of the nation's largest
health care organizations among its customers. In late 1996, it
started mining data internally using business-intelligence software
from Business Objects SA, whose U.S. headquarters is in San Jose.

"From the beginning, we were aware of security issues around this
information," says Don Stoller, senior director of information systems
at Owens & Minor. "For example, a sales executive in Dallas should
only have access to analyses from his region."

Dean Abbott, principal at Abbott Consulting in San Diego, adds, "Don't
give access to anyone who doesn't have a definite need." It is always
possible that someone who has legitimate access will abuse that trust,
but analysts say you can minimize that potential by strictly limiting
access to only those who need it.

To guard against such a breach, Owens & Minor used role-level security
functions in the Business Objects application that clearly define who
has access to which data. "This meant we had to build a separate
security table in our Oracle database," says Stoller.

A few years later, when the company wanted to open its systems to
suppliers and customers, security became even more important. In 1998,
Owens & Minor moved quickly to take advantage of Web-intelligence
software from Business Objects that's designed to Web-enable
business-intelligence systems.

The result was Wisdom, a portal that lets Owens & Minor's suppliers
and customers access their own transactional data and generate
sophisticated analyses and reports from it.

"In [business-to-business transactions], security is key," says
Stoller. "We had to make absolutely sure that Johnson & Johnson, for
example, could not see any of 3M's information. This meant we had to
set up specific customer and supplier security tables, and we had to
maintain new, secured universes in Business Objects."
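The two controls Stoller describes, a separate security table in the database and a "secured universe" that every report query passes through, can be shown end to end with a small row-level-security model. This is an added example, not the article's text or Owens & Minor's or Business Objects' own code; the table and column names, the sample rows, the user names and the grant semantics (NULL meaning "any") are constructed here for illustration.

```python
"""Row-level security for a BI warehouse driven by a separate security table.

Added example, not code from the article or from Owens & Minor / Business
Objects. Table names, columns, sample rows and user names are constructed.
"""
import sqlite3

# Constructed schema: a sales fact table plus a security table that maps
# each BI user to the regions and trading partners they are allowed to see.
SCHEMA = """
CREATE TABLE sales (
    sale_id INTEGER PRIMARY KEY,
    region  TEXT NOT NULL,
    partner TEXT NOT NULL,   -- supplier or customer that owns the row
    amount  REAL NOT NULL
);
CREATE TABLE user_security (
    username TEXT NOT NULL,
    region   TEXT,           -- NULL means any region
    partner  TEXT,           -- NULL means any partner
    PRIMARY KEY (username, region, partner)
);
"""

# Constructed sample rows.
SALES = [
    (1, "Dallas",  "Johnson & Johnson", 1200.0),
    (2, "Dallas",  "3M",                 800.0),
    (3, "Chicago", "Johnson & Johnson",  950.0),
    (4, "Chicago", "3M",                 430.0),
]

# Constructed grants: the Dallas sales exec sees only Dallas; a J&J analyst
# sees only J&J rows in every region; a corporate analyst sees everything.
GRANTS = [
    ("dallas_exec",  "Dallas", None),
    ("jnj_analyst",  None,     "Johnson & Johnson"),
    ("corp_analyst", None,     None),
]

# The "secured universe": every report query goes through this statement,
# so a user only receives rows that at least one of their grants covers.
# EXISTS (rather than a JOIN) keeps overlapping grants from duplicating rows.
SECURED_SALES = """
SELECT s.sale_id, s.region, s.partner, s.amount
FROM sales AS s
WHERE EXISTS (
    SELECT 1 FROM user_security AS u
    WHERE u.username = :user
      AND (u.region  IS NULL OR u.region  = s.region)
      AND (u.partner IS NULL OR u.partner = s.partner)
)
ORDER BY s.sale_id
"""


def build_db():
    """Create the in-memory warehouse with the constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sales VALUES (?,?,?,?)", SALES)
    conn.executemany("INSERT INTO user_security VALUES (?,?,?)", GRANTS)
    return conn


def visible_sales(conn, user):
    """Rows `user` may see. A user with no grant matches nothing, so the
    default is to see no rows rather than every row (fail closed)."""
    return conn.execute(SECURED_SALES, {"user": user}).fetchall()


def visible_partners(conn, user):
    """Trading partners whose data `user` can reach through the secured view."""
    return sorted({row[2] for row in visible_sales(conn, user)})


def isolation_holds(conn, user, forbidden_partner):
    """The B2B check from the article: can this user see a competitor's rows?"""
    return forbidden_partner not in visible_partners(conn, user)


if __name__ == "__main__":
    db = build_db()
    for u in ("dallas_exec", "jnj_analyst", "corp_analyst", "nobody"):
        print(u, visible_sales(db, u))
    print("J&J analyst isolated from 3M:", isolation_holds(db, "jnj_analyst", "3M"))
```

The important design choice is that the filter lives in the query every report is built on, not in the report definitions themselves; a new report, or a new user, cannot widen access without a new row in the security table.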

Wisdom was such a success that Owens & Minor decided to go into the
intelligence business with the launch of Wisdom2 in the spring of
2000. "We capture data out of a hospital's materials management system
and load it into our data warehouse," Stoller explains. A hospital can
then make full use of its business-intelligence software to mine and
analyze purchasing data. Owens & Minor receives a licensing and
maintenance fee for the service.


Administration Nightmare

Layers of security and encryption imply a considerable amount of
systems administration overhead. Both Quirk and Rasmussen say that's
the main reason security concerns about business intelligence are
often swept under the carpet. The issues of authentication
(identifying the user) and authorization (what things the user is
allowed to do) must be addressed, usually across different
applications, Rasmussen says, adding, "Systems administration can be a
real nightmare."

"We are going through some of this," says David Merager, director of
Web services and corporate applications at Vivendi Universal Games
Inc. in Los Angeles. "Our business intelligence needs more security
attention."

Vivendi generates business-intelligence reports from two systems: an
Oracle-based general ledger database on Unix, and a data entry
application for budgets on a Microsoft SQL Server database. The heart
of the business-intelligence system consists of Microsoft's OLAP
application and software from Comshare Inc. in Ann Arbor, Mich., that
provides the Web-based front end for the analytics. "Our budget teams
use these reports to do real-time analyses," says Merager.

Rodger Sayles, manager of data warehousing at Vivendi, says one way to
secure such a system would be to assign roles to all users within the
Microsoft application. Roles determine precisely what a user is
allowed to see and do and are usually managed within a directory. If
your computing architecture is amenable to a single, centralized
directory that supports roles, this may be an attractive solution.

"The problem is that once you have over 40 distinct roles, you run
into performance issues, and we have identified about 70 roles,"  
Sayles explains.

He says there's a way around this difficulty. "I think we are going to
use a combination of portals and roles. A user would sign on through a
particular portal, which would effectively place the user in a role
category. This reduces the burden on the application," says Sayles.


Keep It Simple

Dave Stack, manager of corporate financial planning at RSA Security
Inc. in Bedford, Mass., employs a similar strategy using some of the
same software from Comshare. RSA's business-intelligence applications
produce forecasting, budgeting and product reports.

He says good planning has also helped keep systems administration
headaches to a minimum. "Comshare gives you about nine types of
users," says Stack, "and that is plenty for us."

What makes this small number of profiles possible, he explains, is a
good design that uses a hierarchy of four security levels. "These,
together with security features in our Microsoft SQL Server database,
make it easy for us to create cross-functional roles," says Stack.

But Stack says things would have been a lot more difficult if he had
started deploying business intelligence without having a good security
plan in place first.

John Schramm, manager of strategic security architecture and
engineering at FleetBoston Financial Corp., says a good place to start
planning is with a classification system that defines different levels
of security for different types of information.

"In order to protect data," says Schramm, "you need to know what the
rules are. Our classification system enables us to set the rules that
we need to design security around information."

Schramm worked with consultants at Greenwich Technology Partners Inc.  
in White Plains, N.Y., to define four security levels: highly
confidential, which defines data with trade secrets or wire-transfer
information; confidential, such as transactional data and credit card
numbers; confidential informational, defined as nontransactional data
such as customer lists; and company-restricted data like job postings
and phone directories.

Security systems, Schramm explains, can include field-level
encryption, transport-level security such as Secure Sockets Layer and
Secure Copy Protocol, and authentication and authorization.  
"Combinations of these kick in at different levels in our
classification hierarchy," says Schramm.
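The way a classification scheme like Schramm's turns into concrete controls can be made explicit. The following is an added example, not FleetBoston's or the article's own code: the four levels are the ones the article lists, but the field-to-level assignments, the control names, the mapping of controls to levels, and the rule that a report inherits the highest classification among its fields are assumptions made here for illustration.

```python
"""Deriving the controls a BI report needs from the classification of the
data it carries.

Added example, not FleetBoston's or the article's own code. The four levels
follow the article; the field classifications, control names, per-level
requirements and the "highest field wins" rule are assumptions.
"""
from enum import IntEnum


class Level(IntEnum):
    COMPANY_RESTRICTED = 1    # job postings, phone directories
    CONFIDENTIAL_INFO = 2     # nontransactional data such as customer lists
    CONFIDENTIAL = 3          # transactional data, credit card numbers
    HIGHLY_CONFIDENTIAL = 4   # trade secrets, wire-transfer information


# Assumed classification of warehouse fields.
FIELD_LEVELS = {
    "phone_ext":         Level.COMPANY_RESTRICTED,
    "customer_name":     Level.CONFIDENTIAL_INFO,
    "card_number":       Level.CONFIDENTIAL,
    "wire_instructions": Level.HIGHLY_CONFIDENTIAL,
}

# Assumed controls that "kick in" at each level: authn = user identified,
# authz = access checked against the user's role, tls = transport security
# (the article's SSL/SCP), field_encryption = element encrypted in storage.
REQUIRED = {
    Level.COMPANY_RESTRICTED:  {"authn"},
    Level.CONFIDENTIAL_INFO:   {"authn", "authz"},
    Level.CONFIDENTIAL:        {"authn", "authz", "tls"},
    Level.HIGHLY_CONFIDENTIAL: {"authn", "authz", "tls", "field_encryption"},
}


def report_level(fields):
    """A report is as sensitive as its most sensitive field: joining a
    customer list to card numbers yields a CONFIDENTIAL report. A field
    with no classification stops the report rather than defaulting low."""
    unknown = sorted(f for f in fields if f not in FIELD_LEVELS)
    if unknown:
        raise ValueError(f"unclassified fields: {unknown}")
    return max(FIELD_LEVELS[f] for f in fields)


def missing_controls(fields, controls):
    """Controls the delivery channel still lacks for this report's level."""
    return sorted(REQUIRED[report_level(fields)] - set(controls))


def can_publish(fields, controls):
    """True only when every control the report's level demands is present."""
    return not missing_controls(fields, controls)


if __name__ == "__main__":
    fields = ["customer_name", "card_number"]
    channel = ["authn", "authz"]            # portal without TLS
    print(report_level(fields).name, "missing:", missing_controls(fields, channel))
```

The two behaviours worth carrying into a real deployment are the high-water-mark rule (a derived report never ends up less protected than its inputs) and the refusal to classify an unknown field, since "unclassified" silently becoming "company-restricted" is how a customer list ends up in an unauthenticated report.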

FleetBoston is a large, distributed enterprise, which makes
classification even more important. "We try to maintain these
standards across our various lines of business," says Schramm. "They
are all different, and one of my primary responsibilities is to
integrate them in a secure manner. I need to know what data the
different lines of business need."

Complex Profiling

Most companies have thought through network and software security
issues, which is why they don't come up that often in discussions
about business-intelligence security.

When it comes to such data, the security concerns are more about
policies. "It is always possible for someone within the company to
abuse security privileges," says Rasmussen. "But the best defense
against this and most other breaches is to make sure you have good,
strong policies in place -- things like authentication and
authorization."

Schramm agrees. "The big challenge is in determining the data elements
that define the user of a particular [business-intelligence] system.  
These profiles are a real challenge. As just one example, you may have
employees who are also customers.

"You need to know who the actors are," says Schramm.


Leon is a freelance writer in San Francisco. Contact him at
mrleon () usfca edu.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

