Business Intelligence Security

  1. Business Intelligence Security - Christopher Holden, H&H Technologies, May 2003
  2. Introduction
     • Who am I?
       • Business Intelligence and Data Warehouse Architect with 10+ years experience
       • Implemented full scale DW and BI solutions for both private and public sectors in Canada, USA and UK.
     • What Will I Cover?
       • 40 minute presentation on the technical aspects of a BI Security implementation
       • Identifies the major components
       • Addresses principles and considerations
       • Provides a process and some examples of implementation code/processes
  3. Vision Statement
     • To provide Business Intelligence with a comprehensive security facility, aligned with Corporate IM/IT directives, that will facilitate the confidentiality, integrity and availability of data.
  4. Goal and Objectives
     • Goal is to secure data in a consistent manner regardless of technologies
     • Objectives include:
       • Row and column level security
       • Maintain security once, propagate to the many tools and subject areas
       • Flexible solution that adapts to any corporate or system development methodology
  5. Today's Situation
     • Current tools
       • RDBMS including Oracle, SQL Server, Sybase, DB2
       • ETL products including Cognos DecisionStream, DataStage, Informatica, Microsoft DTS
       • Business Intelligence tools such as Cognos Impromptu and PowerPlay
       • Security directories including Active Directory Services, LDAP
     • Many Approaches in Use
       • Security by project implementation (narrow scope for both technology and subject matters)
       • Security by product (narrow scope for technology)
       • Business Intelligence security is often developed in isolation from network, database, web and application teams
  6. Available Options
     • 1. Maintain Status Quo (Little or No Security)
       • Compromises sensitive information
       • No reuse of existing implementations
     • 2. Create Project and/or Tool Solutions
       • Duplication of work
       • Increased maintenance efforts and costs
       • Reduction in user-friendliness and ability
       • Limited based on scope and capabilities of tools
     • 3. Develop Comprehensive BI Security Solution
       • Requires time, design and contentious requirements
       • Provides flexibility, scalability, consistency
       • Reduces maintenance
       • Increases ability to use best-of-breed products
  7. Principles and Considerations
     • Persons may be employees, contracted persons, external partners or consumers
     • Ability to secure data for organizations such as IM/IT where they are:
       • Service providers (deliver and maintain the systems)
       • Consumers (users) of the systems
     • Data access is tool independent
     • Data access is defined in terms of inclusion, not exclusion
  8. Principles and Considerations - continued
     • Order of Preference for Securing Data:
       • Via database security (at the source)
       • Via application security
       • Via network security (physical separation)
     • Privileges are used to define permissions to Development, Quality Assurance and Production data groups as discrete entities
     • The security facility itself will be maintained using the System Development Lifecycle.
  9. [Diagram labels: Why, What, When, Who, How (General), How (Specific), How Much, How Often]
  10. Security Framework
      • Provides the raison d'être
      • Statements of Sensitivity describe data and provide its sensitivity and confidentiality rating
      • Privacy Impact Assessments state the impact to an individual or organization if security is compromised (cost, legal, trust)
      • Threat Risk Assessments examine the threats and assign risks to both malicious and accidental actions as they relate to data, code, integrity and dissemination
  11. Security Framework - continued
      • SOS, PIA and TRAs are not intended to provide the mechanisms of security
      • They provide requirements in order to develop a practical, scalable, cost-effective solution
      • SOS, PIA and TRAs are iterative, living documents
  13. Security Model
  15. Corporate Security Matrix
      • Composed of 3 primary matrices (associations)
        • Between Person and Access Group
        • Between Data Group and Data Element
        • Between Access Group and Data Group
      • Living compilation that is updated as any combination of Persons, Data, or Access change
  16. Creating the Corporate Security Matrix
  17. Sample Corporate Security Matrices
  19. Tool (Product) Mappings
  20. Tool (Product) Mappings - continued
      • Essentially the "ETL" portion of the security system
      • The rules for:
        • Extracting persons, data and privileges from the Corporate Security Matrix
        • Transforming the data to fit the product's security schema (e.g. how to define and group persons within access groups)
        • Loading of the data into the product's specific security schema
      • Advantage of iterative development (one product at a time as resources become available)
  21. Tool (Product) Mappings - Example
      • CognosScript macro to load Cognos AccessManager from Corporate Security Matrix
        • Add Users (full names, database logins, OS Signons)
        • Add UserClasses (user class hierarchies)
        • Add User to UserClasses (assign users to user classes)
      • Advantages?
        • One macro to update 3 environments (DEV, QA, PRD)
        • Matrices now have 2 purposes - documentation and data
        • Macro can be run periodically to keep security system in-sync with Corporate Security Matrix
  22. Implementation
      • Iterative
        • One product at a time
        • One subject area or project at a time
      • Extract only relevant security objects from the Corporate Security Matrix (same concept as DataMarts)
      • Expect each product and project implementation to differ -- the Security Model and Framework is designed to provide guidelines and templates
  23. Questions? Christopher Holden, H&H Technologies, [email_address]
  24. Security Facility SDLC
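
The three associations of the Corporate Security Matrix (slide 15) and the extract/transform/load tool mapping (slides 20-22) can be sketched in Python as below. This is an added example, not the presenter's CognosScript macro or any code from the slides; the person, group and element names, the environment tag on each data group, and the function names are all assumptions made for illustration.

```python
# Added example: the three Corporate Security Matrix associations as sets of pairs.
# All names below are constructed sample data, not taken from the slides.
PERSON_GROUP = {("alice", "HR_ANALYSTS"), ("bob", "HR_ANALYSTS"),
                ("bob", "FIN_ANALYSTS"), ("carol", "FIN_TESTERS")}
GROUP_DATAGROUP = {("HR_ANALYSTS", "HR_PRD"), ("FIN_ANALYSTS", "FIN_PRD"),
                   ("FIN_TESTERS", "FIN_QA")}
DATAGROUP_ELEMENT = {("HR_PRD", "employee.name"), ("HR_PRD", "employee.salary"),
                     ("FIN_PRD", "ledger.amount"), ("FIN_QA", "ledger.amount")}
# Hypothetical tagging of each data group with its environment (DEV/QA/PRD).
DATAGROUP_ENV = {"HR_PRD": "PRD", "FIN_PRD": "PRD", "FIN_QA": "QA"}


def permitted_elements(person, env):
    """Join Person -> Access Group -> Data Group -> Data Element for one environment.

    Access is defined by inclusion: an element is returned only if an explicit
    chain of associations reaches it; everything else is denied by default.
    """
    groups = {g for p, g in PERSON_GROUP if p == person}
    data_groups = {d for g, d in GROUP_DATAGROUP
                   if g in groups and DATAGROUP_ENV.get(d) == env}
    return {e for d, e in DATAGROUP_ELEMENT if d in data_groups}


def extract_memberships(env):
    """Extract/transform step: (user, user class) pairs a product needs for env.

    Only access groups that reach a data group in env are extracted, so a
    product instance never receives security objects it has no use for.
    """
    relevant = {g for g, d in GROUP_DATAGROUP if DATAGROUP_ENV.get(d) == env}
    return {(p, g) for p, g in PERSON_GROUP if g in relevant}


def sync_plan(current, env):
    """Load step: compare the product's current memberships with the matrix.

    Returns (to_add, to_remove); removals matter as much as additions, because
    a membership left behind after the matrix changes is stale access.
    """
    desired = extract_memberships(env)
    return sorted(desired - current), sorted(current - desired)
```

Running `sync_plan` on a schedule against each environment is the periodic re-sync the slides describe; the `to_remove` list is where revoked access shows up.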
