Spreadsheets seen as security hole

Security efforts increase as more workers gain access to BI tools and spreadsheets

In the wake of multiple high-profile laptop thefts and data breaches, some IT shops are launching new initiatives to ensure that sensitive corporate data stored in spreadsheets and business intelligence tools remains secure.

The security efforts are taking on a new urgency as more workers gain access to BI tools and spreadsheets used for BI functions.

Several recent incidents -- including the inadvertent exposure of sensitive data for about 5,000 customers by Verizon Wireless that was disclosed last week, and the theft of a laptop from the U.S. Department of Veterans Affairs that contained personal information from some 26 million veterans -- involved unsecured spreadsheets.

Users and analysts said that spreadsheets are often the most common method used to analyze corporate data and are increasingly used as a front-end to more advanced BI systems. However, in most cases the ubiquitous application and the more traditional BI tools have not yet received the same security scrutiny as transactional systems and Web applications, they said.

Mayur Raichura, director of information services at Long & Foster, met last week with various executives, including the company's chief financial officer and controller, to kick off an IT security initiative that will place a heavy emphasis on securing BI data.

"There is a tremendous amount of BI data that seems to be in the hands of a lot more employees than [there was] five years ago," Raichura said. "The average user outside of IT doesn't have a clear understanding of the implications of what they do in terms of downloading data."

In addition, the real estate company has historically had "no policies on how this data is given to [employees] and what they do with it once they are given it," he added.

At the meeting, Raichura and his fellow executives decided to hire a corporate chief security officer, assess the security of each internally developed and packaged application at the company, and create a set of corporate security standards during this year and into 2007, Raichura said.

Six weeks ago, Long & Foster began implementing a system to warn users about downloading salary and financial-incentive information to spreadsheets on desktops and laptops, he added. The new system issues a pop-up warning to users each time they attempt to download sensitive data into an unsecured spreadsheet on desktop and laptop systems, Raichura said.

He acknowledged that the new policy does not prevent any of the company's 2,500 employees from inputting data from paper-based BI reports into an Excel spreadsheet.

"We are just beginning to bring control over [data from printed reports]," he said. "That is the one area I know we need to be very good at."

The new emphasis on security by Long & Foster IT and financial officials has been supported by a "fantastic awareness" of the issue by executives outside of IT, which was brought about mostly by recent high-profile data breaches, Raichura added.

A year ago, Long & Foster itself was the victim of the theft of a laptop from inside one of its buildings. Although the data on the machine -- requirements for a new BI system, written in Microsoft Word -- does not appear to have been misused, the theft prompted the company to establish a policy requiring all employees to take their laptops home every day.

The policy, which Raichura acknowledges may seem counterintuitive, aims to promote a sense of responsibility among users, prompting them to "guard the laptop like it is personal property."

Few are vigilant

Bill Hostmann, an analyst at Gartner, said that while many organizations go to great lengths to secure transactional systems and Web applications, many more "do almost nothing, or a very limited amount," to protect data housed in BI applications and spreadsheets.

"[Users] may have [sensitive] data on their PC in a spreadsheet, Access database or on an unprotected/shared workgroup server," Hostmann said. "It's often the company's most sensitive data, too."

Michael Hader, director of IT at Odom's Tennessee Pride Sausage, said his company is tackling BI security at the desktop log-in function and with a tool that limits the changes that users can make to spreadsheets.

The company uses Microsoft's Active Directory to ensure the security of its BI reports and spreadsheets. It is building portals, customized for partners and customers, that use directory services to determine which reports or spreadsheets can be accessed by specific external users. The portal was built using BI tools from Actuate.

"Unless the report exists in their Actuate portal, they won't even know it exists, period," Hader said. "We even deploy spreadsheets in that manner -- that can be our first line of defense on a spreadsheet."

Preventing access

In addition, Odom's Tennessee Pride uses the Actuate Spreadsheet Application Platform development tool to prevent users from changing cells within a spreadsheet, he said. The tool also lets the company prevent users from directly accessing the database to try to build reports, he said.

The company plans to create an additional layer of security in a few months by using Actuate's new Actuate 9 enterprise reporting suite, which is scheduled to ship later this year, Hader added. The tool will allow the company to fine-tune spreadsheet security so that users will be limited to which portions of a spreadsheet they can see, based upon their roles in the company.

Mark Lack, planning and financial analysis manager at Mueller, said his company in May expanded its BI security efforts by integrating its Cognos 8 tools from Ottawa-based Cognos with its Active Directory services, using a link included in the Cognos tool set. Lack said Active Directory is used to maintain corporate security policies.

Join the newsletter!

Error: Please check your email address.

More about ActuateBillCognosCognosExposureGartnerHISMicrosoftVerizonVerizon Wireless

Show Comments

Market Place