It's no secret that in a back room in the typical enterprise, there's a team of analytical wizards running sophisticated queries that mine for gems such as data about the company's best customers -- those top 20 percent of clients that produce 80 percent of the company's profits. These jewels can be a business's most valuable intellectual property, which makes them very valuable to competitors.
What's to prevent that data set from walking out the door or falling into the wrong hands?
Sometimes, not much. Many companies lack the internal controls to prevent that information from leaking. The problem is that business-intelligence data is as hard to protect as it is important.
"Securing your business-intelligence information and systems is often an afterthought at best," says Cate Quirk, an analyst at AMR Research.
Michael Rasmussen, an analyst at Giga Information Group, agrees. "Have most IT shops really thought through the security issues around BI?" asks Rasmussen. "The answer is no."
It Can Be a Business
Owens & Minor had to think about it. Business intelligence is big business at the US medical supplies distributor. A US$4 billion company, Owens & Minor counts some of the nation's largest health care organizations among its customers. In late 1996, it started mining data internally using business-intelligence software from Business Objects.
"From the beginning, we were aware of security issues around this information," says Don Stoller, senior director of information systems at Owens & Minor. "For example, a sales executive in Dallas should only have access to analyses from his region."
Dean Abbott, principal at Abbott Consulting, adds, "Don't give access to anyone who doesn't have a definite need." It is always possible that someone who has legitimate access will abuse that trust, but analysts say you can minimize that potential by strictly limiting access to only those who need it.
To guard against such a breach, Owens & Minor used role-level security functions in the Business Objects application that clearly define who has access to which data. "This meant we had to build a separate security table in our Oracle database," says Stoller.
A few years later, when the company wanted to open its systems to suppliers and customers, security became even more important. In 1998, Owens & Minor moved quickly to take advantage of Web-intelligence software from Business Objects that's designed to Web-enable business-intelligence systems.
The result was Wisdom, a portal that lets Owens & Minor's suppliers and customers access their own transactional data and generate sophisticated analyses and reports from it.
"In [(business-to-business transactions), security is key," says Stoller. "We had to make absolutely sure that Johnson & Johnson, for example, could not see any of 3M's information. This meant we had to set up specific customer and supplier security tables, and we had to maintain new, secured universes in Business Objects."
Wisdom was such a success that Owens & Minor decided to go into the intelligence business with the launch of Wisdom2 in the spring of 2000. "We capture data out of a hospital's materials management system and load it into our data warehouse," Stoller explains. A hospital can then make full use of its business-intelligence software to mine and analyze purchasing data. Owens & Minor receives a licensing and maintenance fee for the service.
Layers of security and encryption imply a considerable amount of systems administration overhead. Both Quirk and Rasmussen say that's the main reason security concerns about business intelligence are often swept under the carpet. The issues of authentication (identifying the user) and authorization (what things the user is allowed to do) must be addressed, usually across different applications, Rasmussen says, adding, "Systems administration can be a real nightmare."
"We are going through some of this," says David Merager, director of Web services and corporate applications at Vivendi Universal Games in Los Angeles. "Our business intelligence needs more security attention."
Vivendi generates business-intelligence reports from two systems: an Oracle-based general ledger database on Unix, and a data entry application for budgets on a Microsoft SQL Server database. The heart of the business-intelligence system consists of Microsoft's OLAP application and software from Comshare, that provides the Web-based front end for the analytics. "Our budget teams use these reports to do real-time analyses," says Merager.
Rodger Sayles, manager of data warehousing at Vivendi, says one way to secure such a system would be to assign roles to all users within the Microsoft application. Roles determine precisely what a user is allowed to see and do and are usually managed within a directory. If your computing architecture is amenable to a single, centralized directory that supports roles, this may be an attractive solution.
"The problem is that once you have over 40 distinct roles, you run into performance issues, and we have identified about 70 roles," Sayles explains.
He says there's a way around this difficulty. "I think we are going to use a combination of portals and roles. A user would sign on through a particular portal, which would effectively place the user in a role category. This reduces the burden on the application," says Sayles.
Keep It Simple
Dave Stack, manager of corporate financial planning at RSA Security, employs a similar strategy using some of the same software from Comshare. RSA's business-intelligence applications produce forecasting, budgeting and product reports.
He says good planning has also helped keep systems administration headaches to a minimum. "Comshare gives you about nine types of users," says Stack, "and that is plenty for us."
What makes this small number of profiles possible, he explains, is a good design that uses a hierarchy of four security levels. "These, together with security features in our Microsoft SQL Server database, make it easy for us to create cross-functional roles," says Stack.
But Stack says things would have been a lot more difficult if he had started deploying business intelligence without having a good security plan in place first.
John Schramm, manager of strategic security architecture and engineering at FleetBoston Financial, says a good place to start planning is with a classification system that defines different levels of security for different types of information.
"In order to protect data," says Schramm, "you need to know what the rules are. Our classification system enables us to set the rules that we need to design security around information."
Schramm worked with consultants at Greenwich Technology Partners, to define four security levels: highly confidential, which defines data with trade secrets or wire-transfer information; confidential, such as transactional data and credit card numbers; confidential informational, defined as nontransactional data such as customer lists; and company-restricted data like job postings and phone directories.
Security systems, Schramm explains, can include field-level encryption, transport-level security such as Secure Sockets Layer and Secure Copy Protocol, and authentication and authorization. "Combinations of these kick in at different levels in our classification hierarchy," says Schramm.
FleetBoston is a large, distributed enterprise, which makes classification even more important. "We try to maintain these standards across our various lines of business," say Schramm. "They are all different, and one of my primary responsibilities is to integrate them in a secure manner. I need to know what data the different lines of business need."
Most companies have thought through network and software security issues, which is why they don't come up that often in discussions about business-intelligence security.
When it comes to such data, the security concerns are more about policies. "It is always possible for someone within the company to abuse security privileges," says Rasmussen. "But the best defense against this and most other breaches is to make sure you have good, strong policies in place -- things like authentication and authorization."
Schramm agrees. "The big challenge is in determining the data elements that define the user of a particular (business-intelligence) system. These profiles are a real challenge. As just one example, you may have employees who are also customers.
"You need to know who the actors are," says Schramm.
Safe and Secure
-- Build in security, such as multilevel access controls, at the outset -- not as an afterthought.
-- If you have distributed systems with no obvious central directory, consider either a homegrown or a commercial identity management system.
-- Don't include information in business-intelligence reports that isn't strictly necessary. At FleetBoston, for example, reports typically don't contain customer identifications.
-- Role-level management is a good idea, but try to devise a security hierarchy first. This can help drastically reduce the number of roles you have to deal with.
-- Don't think that business-intelligence security is about building a bigger moat or perimeter security. It requires internal policies that specify who can see what.
-- Mark Leon