Do you see a lot of security holes in the BI projects that are currently under way?
We talk to clients all the time who show us a BI architecture plan, and they have no plans for security. It's like an afterthought. The same rigor that they apply to OLTP they do not think to apply to the BI world.
Security tends to make its way into any IT discussion these days. Where does it factor into BI?
It's a substantial concern. One of our intentions in releasing that report is to alert people that [security] is to some extent being overlooked. In the whole scheme of things, enterprises do a good job these days with security in general but almost entirely in the OLTP [online transaction processing] world. People are worried about [the] security and availability of their operational systems, and we haven't seen that same level of diligence and focus carried over into BI and data warehousing.
But the risks are the same, if not even worse. You build a data warehouse, and it can be a complete view of the enterprise. That's a huge security issue. At least in the operational world, stuff is fragmented, so it would be hard for someone to steal a complete view. Our intent is to get the world thinking about security beyond OLTP and recognizing the risks in BI and data warehousing.
Do you feel that there is a growing awareness of this need for BI security and that this could slow BI projects?
I don't think we would expect people to stop what they're doing and go back to shore things up, nor do I think this necessarily needs to be done. What we're saying is, as you go down this path toward BI, have a parallel track going where you're worrying about security. And follow this plan as you deploy more BI, whether it is new data warehouses or anything else. You have to have security baked into those efforts.
What advice do you give people in building their BI framework?
It's not rocket science. You think about the same things that you do in a security policy in the OLTP world, such as who has access to the data, what are they doing to it, where is the data, and is it secure. I think all those things apply equally in the BI world; it's just harder to get your head around it. A lot of BI stuff that goes on tends to fly below the radar screen. You've got people downloading data and massaging it on the desktop where security is questionable. So the same principles apply, you just have to dig a bit deeper on the BI side to see exactly what the locations and usage of the data are.
What's the most important element of an effective BI security strategy?
I think that it's a combination of things -- understanding where the data is, who is using it and how they are using it. The hardest part is really being sure that you understand who is touching the data and what they're doing with it, and getting some control of that. It's an environment where people are downloading things and altering things, and as you can imagine, this can all get out of control quickly. The 'who is doing what with the data' is the hardest portion of all that.
Have BI software vendors recognized the need for increased security and are they offering solutions to the problem?
I think minimally at best. In the BI tools that you can buy on the market today, certainly there are security mechanisms built in, but there is little there that really allows an enterprise to most tightly control what is being done with the data. You're talking about a very dynamic environment that is much more soft and fuzzy than the OLTP world. Overall, the BI vendors have done a decent job of introducing security functionality, but it is not comprehensive enough yet. And that's only one piece of the puzzle. Controlling who has access to the tools and security in the tools is very useful, but there are holes that need to get filled. These holes are in the data acquisition process, in moving data to the warehouse, in the warehouse DBMS itself and where the data can be accessed and compromised.
I think the big challenge is this: BI and data warehousing are architectures. You're putting multiple tools together. ETL tools, DBMS, BI tools. None of those today play well together from a security perspective. There is no over-arching security mechanism.