Business Intelligence Security
Christopher Holden, H&H Technologies, May 2003
Slide transcript (24 pages), uploaded Jan 23, 2018
Page 1: Business Intelligence Security

Business Intelligence Security
Christopher Holden, H&H Technologies
May 2003

Page 2: Business Intelligence Security

Introduction

Who am I?
◆ Business Intelligence and Data Warehouse Architect with 10+ years experience
◆ Implemented full scale DW and BI solutions for both private and public sectors in Canada, USA and UK.

What Will I Cover?
◆ 40 minute presentation on the technical aspects of a BI Security implementation
◆ Identifies the major components
◆ Addresses principles and considerations
◆ Provides a process and some examples of implementation code/processes

Page 3: Business Intelligence Security

Vision Statement

To provide Business Intelligence with a comprehensive security facility, aligned with Corporate IM/IT directives, that will facilitate the confidentiality, integrity and availability of data.


Page 4: Business Intelligence Security

Goal and Objectives

Goal is to secure data in a consistent manner regardless of technologies

Objectives include:
◆ row and column level security
◆ Maintain security once, propagate to the many tools and subject areas
◆ Flexible solution that adapts to any corporate or system development methodology

Page 5: Business Intelligence Security

Today's Situation

Current tools
◆ RDBMS including Oracle, SQLServer, Sybase, DB2
◆ ETL products including Cognos DecisionStream, DataStage, Informatica, Microsoft DTS
◆ Business Intelligence tools such as Cognos Impromptu and PowerPlay
◆ Security directories including Active Directory Services, LDAP

Many Approaches in Use
◆ security by project implementation (narrow scope for both technology and subject matters)
◆ security by product (narrow scope for technology)
◆ Business Intelligence security is often developed in isolation of network, database, web and application teams

Page 6: Business Intelligence Security

Available Options

1. Maintain Status Quo (Little or No Security)
◆ compromises sensitive information
◆ no reuse of existing implementations

2. Create Project and/or Tool Solutions
◆ duplication of work
◆ increase maintenance efforts and costs
◆ reduction in user-friendliness and ability
◆ limited based on scope and capabilities of tools

3. Develop Comprehensive BI Security Solution
◆ requires time, design and contentious requirements
◆ provides flexibility, scalability, consistency
◆ Reduces maintenance
◆ increases ability to use best-of-breed products

Page 7: Business Intelligence Security

Principles and Considerations

Persons may be employees, contracted persons, external partners or consumers

Ability to secure data for organizations such as IM/IT where they are:
◆ service providers (deliver and maintain the systems)
◆ consumers (users) of the systems

Data access is tool independent

Data access is defined in terms of inclusion not exclusion

Page 8: Business Intelligence Security

Principles and Considerations - continued

Order of Preference for Securing Data:
◆ via database security (at the source)
◆ via application security
◆ via network security (physical separation)

Privileges are used to define permissions to Development, Quality Assurance and Production data groups as discrete entities

The security facility itself will be maintained using the System Development Lifecycle.

Page 9: Business Intelligence Security

Overview diagram of the security system components:

Framework
• PIA
• TRA
• Mission Statement
• Basic Principles

Security Model
• Identifies terminology and creates Corporate Security Glossary
• Models security matrix and depicts object relationships

Security Matrix
• Contains all: users, access groups, data groups, privileges
• is the central, common, corporate security db

Tool Mapping
• Maps tool specific terminology to Corporate Security glossary
• Adapts tool security implementation to Corporate Standards

Implementations
• Subset of Corporate Security Matrix
• Subject area specific
• May be tool specific

Page 10: Business Intelligence Security

Security Framework

Provides the raison d'être

Statements of Sensitivity describe data and provide sensitivity and its confidentiality rating

Privacy Impact Assessments state the impact to an individual or organization if security is compromised (cost, legal, trust)

Threat Risk Assessments examine the threats and assign risks to both malicious and accidental actions as they relate to data, code, integrity and dissemination

Page 11: Business Intelligence Security

Security Framework - continued

SOS, PIA and TRAs are not intended to provide the mechanisms of security

They provide requirements in order to develop a practical, scalable, cost-effective solution

SOS, PIA and TRAs are iterative, living documents

Page 12: Business Intelligence Security

Overview diagram of the security system components (Framework, Security Model, Security Matrix, Tool Mapping, Implementations), repeated from Page 9.

Page 13: Business Intelligence Security

Security Model


Page 14: Business Intelligence Security

Overview diagram of the security system components (Framework, Security Model, Security Matrix, Tool Mapping, Implementations), repeated from Page 9.

Page 15: Business Intelligence Security

Corporate Security Matrix

Composed of 3 primary matrices (associations)
◆ between Person and Access Group
◆ between Data Group and Data Element
◆ between Access Group and Data Group

Living compilation that is updated as any combination of Persons, Data, or Access change

Page 16: Business Intelligence Security

Creating the Corporate Security Matrix

Sample Data Group / Data Element matrix. The numbered columns are access groups; "a" marks access granted and "x" no access (as rendered in the source).

Access group columns:
(1) Payroll
(2) Staffing Services
(3) Pension and Benefits
(4) Labour Relations
(5) Analysis & Research
(6) Financial Services
(7) General Management
(8) Administrative Support

Data Group Name     Data Element                                   1 2 3 4 5 6 7 8
Employee_Name       Employee Number, Employee Name, Last Name,     a a a a a a a a
                    First Name, Middle Name
Employee_DOB        Birth Date, Age, Gender                        a a a x a a a a
Equity              Aboriginal, Disabled, Visible Minority, Woman  x x x x x x a x
Employee_Address    Primary Address, Home Address Line 1,          a a a x a a a a
                    Home Address Line 2, Home City, Home Postal
                    Code, Home Province, Home Telephone, Mail
                    Address Line 1, Mail Address Line 2, Mail City,
                    Mail Postal Code, Mail Province, Mail Telephone
Employee_Service    Service Date, Continuous Years of Service,     a a a a a a a a
                    Hire Date

Page 17: Business Intelligence Security

Sample Corporate Security Matrices

Access group hierarchy:

Access Group 1    Access Group 2       Access Group 3
HumanResources    Payroll
HumanResources    Staffing Services
HumanResources    PensionsBenefits     Pensions
HumanResources    PensionsBenefits     Benefits
IM/IT             ProductionSupport
IM/IT             Development
IM/IT             SecuritySupport
Finance           Payroll
Finance           AR and AP

Person to access group:

Access Group        User Name          User ID
Payroll             Smith, John        smithj
Payroll             Jones, Paula       jonesp
Payroll             Kelly, Ronald      kellyr
Staffing Services   Powell, Nathalie   Poweln
Staffing Services   Barnaby, Tara      barnat
Staffing Services   Frein, Kim         freink
Staffing Services   Perry, Frank       perryf
PensionBenefits     Smith, John        smithj
PensionBenefits     Thom, Jamie        thomja
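The three associations described on Pages 15 to 17 can be held in the corporate security database and resolved to a per-user set of data elements. The following is an added example written for this transcript, not code from the presentation or from H&H Technologies: it loads the Page 16 and Page 17 samples into an in-memory SQLite database, walks the access group hierarchy (the rule that a child group inherits its parents' grants is an assumption, as are the table names and the users doej, leek and bossb), and generates a column-restricted SELECT so the restriction is applied at the source, as the order of preference on Page 8 asks.

```python
"""Corporate Security Matrix built from the three associations the slides name
(Person-AccessGroup, DataGroup-DataElement, AccessGroup-DataGroup) and resolved
to the data elements a user may see. Access is inclusion-based: an element is
visible only if some access group the user holds is granted its data group.
Added example, not code from the presentation. Table and column names, the rule
that a child access group inherits its parents' grants, and the users doej, leek
and bossb are assumptions; the remaining rows come from slides 16 and 17."""
import sqlite3

SCHEMA = """
CREATE TABLE person (user_id TEXT PRIMARY KEY, user_name TEXT NOT NULL);
CREATE TABLE access_group (name TEXT PRIMARY KEY, parent TEXT);
-- Data Group <-> Data Element is the data_element table itself
CREATE TABLE data_element (data_group TEXT NOT NULL, element TEXT NOT NULL,
                           PRIMARY KEY (data_group, element));
CREATE TABLE person_access_group (user_id TEXT, access_group TEXT,
                                  PRIMARY KEY (user_id, access_group));
CREATE TABLE access_group_data_group (access_group TEXT, data_group TEXT,
                                      PRIMARY KEY (access_group, data_group));
"""

PERSONS = [("smithj", "Smith, John"), ("jonesp", "Jones, Paula"),
           ("poweln", "Powell, Nathalie"), ("thomja", "Thom, Jamie"),
           # the next three are constructed for the example
           ("doej", "Doe, Jane"), ("leek", "Lee, Kim"), ("bossb", "Boss, Bo")]
ACCESS_GROUPS = [("HumanResources", None), ("Payroll", "HumanResources"),
                 ("Staffing Services", "HumanResources"),
                 ("PensionsBenefits", "HumanResources"),
                 ("Pensions", "PensionsBenefits"), ("Benefits", "PensionsBenefits"),
                 ("Labour Relations", None), ("General Management", None)]
DATA_ELEMENTS = {  # Data Group -> Data Elements (Employee_Address abridged)
    "Employee_Name": ["Employee Number", "Employee Name", "Last Name",
                      "First Name", "Middle Name"],
    "Employee_DOB": ["Birth Date", "Age", "Gender"],
    "Equity": ["Aboriginal", "Disabled", "Visible Minority", "Woman"],
    "Employee_Address": ["Primary Address", "Home Address Line 1", "Home City",
                         "Home Postal Code", "Home Telephone"],
    "Employee_Service": ["Service Date", "Continuous Years of Service", "Hire Date"],
}
PERSON_ACCESS = [("smithj", "Payroll"), ("smithj", "PensionsBenefits"),
                 ("jonesp", "Payroll"), ("poweln", "Staffing Services"),
                 ("thomja", "PensionsBenefits"), ("doej", "Labour Relations"),
                 ("leek", "Pensions"), ("bossb", "General Management")]
# Grants follow the slide 16 columns: only General Management sees Equity,
# Labour Relations sees name and service data only.
NON_EQUITY = ["Employee_Name", "Employee_DOB", "Employee_Address", "Employee_Service"]
GROUP_DATA = ([(g, d) for g in ("Payroll", "Staffing Services", "PensionsBenefits")
               for d in NON_EQUITY]
              + [("Labour Relations", "Employee_Name"),
                 ("Labour Relations", "Employee_Service")]
              + [("General Management", d) for d in DATA_ELEMENTS])


def build_matrix():
    """Load the three matrices into an in-memory corporate security db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO person VALUES (?, ?)", PERSONS)
    conn.executemany("INSERT INTO access_group VALUES (?, ?)", ACCESS_GROUPS)
    conn.executemany("INSERT INTO data_element VALUES (?, ?)",
                     [(g, e) for g, els in DATA_ELEMENTS.items() for e in els])
    conn.executemany("INSERT INTO person_access_group VALUES (?, ?)", PERSON_ACCESS)
    conn.executemany("INSERT INTO access_group_data_group VALUES (?, ?)", GROUP_DATA)
    return conn


# Walk up the access-group hierarchy (assumed: children inherit parents' grants),
# then join the grants to the elements of each granted data group.
EFFECTIVE_SQL = """
WITH RECURSIVE member_of(user_id, access_group) AS (
    SELECT user_id, access_group FROM person_access_group
    UNION
    SELECT m.user_id, g.parent FROM member_of m
    JOIN access_group g ON g.name = m.access_group WHERE g.parent IS NOT NULL
)
SELECT DISTINCT de.data_group, de.element
FROM member_of m
JOIN access_group_data_group agdg ON agdg.access_group = m.access_group
JOIN data_element de ON de.data_group = agdg.data_group
WHERE m.user_id = ?
"""


def effective_elements(conn, user_id):
    """Set of (data_group, element) the user may see; empty if nothing is granted."""
    return set(conn.execute(EFFECTIVE_SQL, (user_id,)).fetchall())


def can_see(conn, user_id, data_group, element):
    # Inclusion, not exclusion: unknown users or elements are simply not granted.
    return (data_group, element) in effective_elements(conn, user_id)


def permitted_select(conn, user_id, table, columns):
    """SQL selecting only the physical columns whose data element the user is
    granted (column-level security enforced at the source). `columns` maps a
    physical column name to its (data_group, element); both table and column
    names come from the tool mapping, never from user input."""
    granted = effective_elements(conn, user_id)
    cols = [c for c, key in columns.items() if key in granted]
    return f"SELECT {', '.join(cols)} FROM {table}" if cols else None
```

Because access is inclusion-based, a user with no rows in person_access_group, or an element that appears in no granted data group, resolves to nothing; there is no deny list to keep in step with new columns. The Equity group, which only General Management holds, stays invisible to every Human Resources class even though they see all other groups.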

Page 18: Business Intelligence Security

Overview diagram of the security system components (Framework, Security Model, Security Matrix, Tool Mapping, Implementations), repeated from Page 9.

Page 19: Business Intelligence Security

Tool (Product) Mappings

Diagram: the Corp. Matrix and Security Framework & Model sit at the centre, mapped to each product. The connecting arrows are labelled "Standards are imposed" and "Synonyms and adaptations".

Products mapped:
• Cognos Access Manager
• Cognos Impromptu Web Reports (IWR)
• Cognos Transformation Services
• Cognos Upfront (Portal)
• Cognos PowerPlay Enterprise Server
• RDBMS: Oracle, Sybase, SQLServer, DB2, etc.
• ETL: DecisionStream, DataStage, Informatica, DTS, etc.
• Other BI: Hummingbird, Brio, Crystal, Business Objects, etc.

Page 20: Business Intelligence Security

Tool (Product) Mappings - continued

Essentially the "ETL" portion of the security system

The rules for:
◆ extracting persons, data and privileges from the Corporate Security Matrix
◆ transforming the data to fit the product's security schema (e.g. how to define and group persons within access groups)
◆ loading of the data into the product's specific security schema

Advantage of iterative development (one product at a time as resources become available)

Page 21: Business Intelligence Security

Tool (Product) Mappings - Example

CognosScript macro to load Cognos Access Manager from Corporate Security Matrix
◆ Add Users (full names, database logins, OS Signons)
◆ Add UserClasses (user class hierarchies)
◆ Add User to UserClasses (assign users to user classes)

Advantages?
◆ One macro to update 3 environments (DEV, QA, PRD)
◆ Matrices now have 2 purposes - documentation and data
◆ Macro can be run periodically to keep security system in-sync with Corporate Security Matrix
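The extract-transform-load rules of Page 20 and the periodic macro of Page 21 can be expressed as a diff-based sync, so one run brings DEV, QA and PRD to the state of the matrix and a second run changes nothing. This is an added example, not the presentation's CognosScript macro: ProductSecurityStore is an in-memory stand-in for a product's security store (not the Cognos Access Manager API), the glossary mapping is illustrative, and the sample rows are taken from the Page 17 matrices with one stale membership (kellyr in Staffing Services) constructed to show removal.

```python
"""Tool (product) mapping as a small ETL: extract persons and access groups from
the Corporate Security Matrix, transform them into the product's own vocabulary
(User / UserClass, as the slides use for Cognos Access Manager), and load by
diffing against the product's current state so the job is idempotent and can
run on a schedule against DEV, QA and PRD alike. Added example, not the
presentation's macro: ProductSecurityStore is an in-memory stand-in, not the
Cognos API; the glossary and sample rows are assumptions built from slide 17,
plus one stale membership (kellyr in Staffing Services) constructed for the demo."""
from dataclasses import dataclass, field

# --- Extract: rows as read from the Corporate Security Matrix (constructed) ---
MATRIX_GROUPS = [  # (access group, parent) from the Access Group 1/2/3 matrix
    ("HumanResources", None), ("Payroll", "HumanResources"),
    ("Staffing Services", "HumanResources"), ("PensionsBenefits", "HumanResources"),
    ("Pensions", "PensionsBenefits"), ("Benefits", "PensionsBenefits"),
]
MATRIX_MEMBERS = [  # (access group, user name, user id) from the user matrix
    ("Payroll", "Smith, John", "smithj"), ("Payroll", "Jones, Paula", "jonesp"),
    ("Payroll", "Kelly, Ronald", "kellyr"),
    ("Staffing Services", "Powell, Nathalie", "poweln"),
    ("PensionsBenefits", "Smith, John", "smithj"),
    ("PensionsBenefits", "Thom, Jamie", "thomja"),
]

# --- Transform: corporate glossary -> product terminology (assumed mapping) ---
GLOSSARY = {"Person": "User", "Access Group": "UserClass"}


@dataclass
class DesiredState:
    users: dict       # user id -> full name        (corporate: Person)
    classes: dict     # class name -> parent class  (corporate: Access Group)
    memberships: set  # (user id, class name)       (corporate: Person-Access Group)


def transform(groups, members):
    """Reshape matrix rows into the product's user / user class model."""
    return DesiredState(users={uid: name for _, name, uid in members},
                        classes=dict(groups),
                        memberships={(uid, grp) for grp, _, uid in members})


# --- Load target: in-memory stand-in for a product's security store ---
@dataclass
class ProductSecurityStore:
    users: dict = field(default_factory=dict)
    classes: dict = field(default_factory=dict)
    memberships: set = field(default_factory=set)


def _parents_first(classes):
    """Class names ordered so every parent precedes its children."""
    order, seen = [], set()

    def visit(name):
        if name is None or name in seen or name not in classes:
            return
        visit(classes[name])
        seen.add(name)
        order.append(name)

    for name in classes:
        visit(name)
    return order


def plan_sync(desired, store):
    """Ordered operations that bring `store` to `desired`; empty when in sync.
    Memberships the matrix no longer lists are removed: the matrix is the single
    source of truth and access is defined by inclusion."""
    ops = []
    for cls in _parents_first(desired.classes):
        if cls not in store.classes:
            ops.append(("add_class", cls, desired.classes[cls]))
    for uid, name in desired.users.items():
        if store.users.get(uid) != name:
            ops.append(("put_user", uid, name))
    for uid, cls in sorted(desired.memberships - store.memberships):
        ops.append(("add_member", uid, cls))
    for uid, cls in sorted(store.memberships - desired.memberships):
        ops.append(("remove_member", uid, cls))
    return ops


def apply_sync(store, ops):
    """Apply a plan to the store (stand-in for the product's load step)."""
    for op, a, b in ops:
        if op == "add_class":
            store.classes[a] = b
        elif op == "put_user":
            store.users[a] = b
        elif op == "add_member":
            store.memberships.add((a, b))
        elif op == "remove_member":
            store.memberships.discard((a, b))
    return store


def sync_environments(desired, stores):
    """One run updates every environment (e.g. DEV, QA, PRD) from the same matrix."""
    applied = {}
    for env, store in stores.items():
        ops = plan_sync(desired, store)
        apply_sync(store, ops)
        applied[env] = ops
    return applied


def describe_op(op):
    """Render an operation in the product's vocabulary for a change log."""
    kind, a, b = op
    user, cls = GLOSSARY["Person"], GLOSSARY["Access Group"]
    if kind == "add_class":
        return f"Add {cls} {a}" + (f" under {cls} {b}" if b else "")
    return {"put_user": f"Add {user} {a} ({b})",
            "add_member": f"Add {user} {a} to {cls} {b}",
            "remove_member": f"Remove {user} {a} from {cls} {b}"}[kind]
```

Removing memberships that the matrix no longer lists goes one step beyond the three add operations the slide names; it is what keeps a product in step with an inclusion-based matrix when someone changes roles. The plan is returned before it is applied so it can be reviewed or logged per environment, and running it again against an already-synced store yields no operations.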

Page 22: Business Intelligence Security

Implementation

Iterative
◆ one product at a time
◆ one subject area or project at a time

Extract only relevant security objects from the Corporate Security Matrix (same concept as DataMarts)

Expect each product and project implementation to differ -- the Security Model and Framework are designed to provide guidelines and templates

Page 23: Business Intelligence Security

Questions?

Christopher Holden
H&H Technologies
[email protected]

Page 24: Business Intelligence Security

Security Facility SDLC

Diagram: three instances of the security system, Security (DEV Instance), Security (QA Instance) and Security (PRD Instance), each holding:
• Corporate Security Matrix
• DEV, QA, PRD Privileges
• Tool Mappings
• Implementations (DEV, QA, PRD Privileges)

Annotations on the instances, as they appear across the slide from DEV to PRD:
• Used by IM to test changes to code, structure, processes, etc. within Security System
• Contains the PRODUCTION security measures for all environments including DEV, QA and PRD
• Contains the same code, structures and processes unless a system change is underway
• Contains sample data (i.e. content is for testing purposes)
• Contains production data