[ISN] Securing Business Intelligence Data

From: InfoSec News (isnat_private)
Date: Tue Apr 15 2003 - 02:06:50 PDT

    Forwarded from: William Knowles <wkat_private>
    By Mark Leon
    APRIL 14, 2003

    It's no secret that in a back room in the typical Fortune 500 company,
    there's a team of analytical wizards running sophisticated queries
    that mine for gems such as data about the company's best customers --
    those top 20% of clients that produce 80% of the company's profits.  
    These jewels can be a business's most valuable intellectual property,
    which makes them very valuable to competitors.
    What's to prevent that data set from walking out the door or falling
    into the wrong hands?
    Sometimes, not much. Many companies lack the internal controls to
    prevent that information from leaking. The problem is that
    business-intelligence data is as hard to protect as it is important.
    "Securing your business-intelligence information and systems is often
    an afterthought at best," says Cate Quirk, an analyst at AMR Research
    Inc. in Boston.
    Michael Rasmussen, an analyst at Giga Information Group Inc. in
    Cambridge, Mass., agrees. "Have most IT shops really thought through
    the security issues around BI?" asks Rasmussen. "The answer is no."

    It Can Be a Business

    Owens & Minor Inc. had to think about it. Business intelligence is big
    business at the Reston, Va.-based medical supplies distributor. A $4
    billion company, Owens & Minor counts some of the nation's largest
    health care organizations among its customers. In late 1996, it
    started mining data internally using business-intelligence software
    from Business Objects SA, whose U.S. headquarters is in San Jose.
    "From the beginning, we were aware of security issues around this
    information," says Don Stoller, senior director of information systems
    at Owens & Minor. "For example, a sales executive in Dallas should
    only have access to analyses from his region."
    Dean Abbott, principal at Abbott Consulting in San Diego, adds, "Don't
    give access to anyone who doesn't have a definite need." It is always
    possible that someone who has legitimate access will abuse that trust,
    but analysts say you can minimize that potential by strictly limiting
    access to only those who need it.
    To guard against such a breach, Owens & Minor used role-level security
    functions in the Business Objects application that clearly define who
    has access to which data. "This meant we had to build a separate
    security table in our Oracle database," says Stoller.
    A few years later, when the company wanted to open its systems to
    suppliers and customers, security became even more important. In 1998,
    Owens & Minor moved quickly to take advantage of Web-intelligence
    software from Business Objects that's designed to Web-enable
    business-intelligence systems.
    The result was Wisdom, a portal that lets Owens & Minor's suppliers
    and customers access their own transactional data and generate
    sophisticated analyses and reports from it.
    "In [business-to-business transactions], security is key," says
    Stoller. "We had to make absolutely sure that Johnson & Johnson, for
    example, could not see any of 3M's information. This meant we had to
    set up specific customer and supplier security tables, and we had to
    maintain new, secured universes in Business Objects."
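
The security-table approach Stoller describes, sketched as an added example (not code from the article, Owens & Minor or Business Objects). It uses SQLite in place of Oracle; the table names, column names, user ids and the '*' wildcard grant are assumptions, and all rows are constructed.

```python
import sqlite3

def build_demo_db():
    """In-memory warehouse with constructed rows and a separate security table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sales (supplier TEXT, region TEXT, amount INTEGER);
        -- One row per grant: which user may see which supplier's rows, in which region.
        CREATE TABLE security (user_id TEXT, supplier TEXT, region TEXT);
    """)
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?)", [
        ("SUPPLIER_A", "Dallas", 100), ("SUPPLIER_A", "Boston", 250),
        ("SUPPLIER_B", "Dallas", 400), ("SUPPLIER_B", "Boston", 50),
    ])
    conn.executemany("INSERT INTO security VALUES (?, ?, ?)", [
        ("analyst_a", "SUPPLIER_A", "*"),   # supplier user: own rows, every region
        ("analyst_b", "SUPPLIER_B", "*"),
        ("dallas_exec", "*", "Dallas"),     # internal sales exec: one region only
    ])
    return conn

def visible_sales(conn, user_id):
    """Return only the rows the security table grants to user_id.

    The user id is a bound parameter, and the EXISTS filter means a user
    with no grant rows gets an empty result (deny by default).
    """
    cur = conn.execute("""
        SELECT s.supplier, s.region, s.amount
        FROM sales s
        WHERE EXISTS (
            SELECT 1 FROM security g
            WHERE g.user_id = ?
              AND (g.supplier = '*' OR g.supplier = s.supplier)
              AND (g.region = '*' OR g.region = s.region))
        ORDER BY s.supplier, s.region
    """, (user_id,))
    return cur.fetchall()

def total_for(conn, user_id):
    """Aggregate over the filtered rows, never over the base table."""
    return sum(amount for _, _, amount in visible_sales(conn, user_id))

if __name__ == "__main__":
    db = build_demo_db()
    for user in ("analyst_a", "analyst_b", "dallas_exec", "unknown_user"):
        print(user, visible_sales(db, user), total_for(db, user))
```

Reports and aggregates are built on the filtered query, so one supplier's totals can never include another supplier's rows.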
    Wisdom was such a success that Owens & Minor decided to go into the
    intelligence business with the launch of Wisdom2 in the spring of
    2000. "We capture data out of a hospital's materials management system
    and load it into our data warehouse," Stoller explains. A hospital can
    then make full use of its business-intelligence software to mine and
    analyze purchasing data. Owens & Minor receives a licensing and
    maintenance fee for the service.

    Administration Nightmare

    Layers of security and encryption imply a considerable amount of
    systems administration overhead. Both Quirk and Rasmussen say that's
    the main reason security concerns about business intelligence are
    often swept under the carpet. The issues of authentication
    (identifying the user) and authorization (what things the user is
    allowed to do) must be addressed, usually across different
    applications, Rasmussen says, adding, "Systems administration can be a
    real nightmare."
    "We are going through some of this," says David Merager, director of
    Web services and corporate applications at Vivendi Universal Games
    Inc. in Los Angeles. "Our business intelligence needs more security
    Vivendi generates business-intelligence reports from two systems: an
    Oracle-based general ledger database on Unix, and a data entry
    application for budgets on a Microsoft SQL Server database. The heart
    of the business-intelligence system consists of Microsoft's OLAP
    application and software from Comshare Inc. in Ann Arbor, Mich., that
    provides the Web-based front end for the analytics. "Our budget teams
    use these reports to do real-time analyses," says Merager.
    Rodger Sayles, manager of data warehousing at Vivendi, says one way to
    secure such a system would be to assign roles to all users within the
    Microsoft application. Roles determine precisely what a user is
    allowed to see and do and are usually managed within a directory. If
    your computing architecture is amenable to a single, centralized
    directory that supports roles, this may be an attractive solution.
    "The problem is that once you have over 40 distinct roles, you run
    into performance issues, and we have identified about 70 roles,"  
    Sayles explains.
    He says there's a way around this difficulty. "I think we are going to
    use a combination of portals and roles. A user would sign on through a
    particular portal, which would effectively place the user in a role
    category. This reduces the burden on the application," says Sayles.

    Keep It Simple

    Dave Stack, manager of corporate financial planning at RSA Security
    Inc. in Bedford, Mass., employs a similar strategy using some of the
    same software from Comshare. RSA's business-intelligence applications
    produce forecasting, budgeting and product reports.
    He says good planning has also helped keep systems administration
    headaches to a minimum. "Comshare gives you about nine types of
    users," says Stack, "and that is plenty for us."
    What makes this small number of profiles possible, he explains, is a
    good design that uses a hierarchy of four security levels. "These,
    together with security features in our Microsoft SQL Server database,
    make it easy for us to create cross-functional roles," says Stack.
    But Stack says things would have been a lot more difficult if he had
    started deploying business intelligence without having a good security
    plan in place first.
    John Schramm, manager of strategic security architecture and
    engineering at FleetBoston Financial Corp., says a good place to start
    planning is with a classification system that defines different levels
    of security for different types of information.
    "In order to protect data," says Schramm, "you need to know what the
    rules are. Our classification system enables us to set the rules that
    we need to design security around information."
    Schramm worked with consultants at Greenwich Technology Partners Inc.  
    in White Plains, N.Y., to define four security levels: highly
    confidential, which defines data with trade secrets or wire-transfer
    information; confidential, such as transactional data and credit card
    numbers; confidential informational, defined as nontransactional data
    such as customer lists; and company-restricted data like job postings
    and phone directories.
    Security systems, Schramm explains, can include field-level
    encryption, transport-level security such as Secure Sockets Layer and
    Secure Copy Protocol, and authentication and authorization.  
    "Combinations of these kick in at different levels in our
    classification hierarchy," says Schramm.
    FleetBoston is a large, distributed enterprise, which makes
    classification even more important. "We try to maintain these
    standards across our various lines of business," says Schramm. "They
    are all different, and one of my primary responsibilities is to
    integrate them in a secure manner. I need to know what data the
    different lines of business need."

    Complex Profiling

    Most companies have thought through network and software security
    issues, which is why they don't come up that often in discussions
    about business-intelligence security.
    When it comes to such data, the security concerns are more about
    policies. "It is always possible for someone within the company to
    abuse security privileges," says Rasmussen. "But the best defense
    against this and most other breaches is to make sure you have good,
    strong policies in place -- things like authentication and
    Schramm agrees. "The big challenge is in determining the data elements
    that define the user of a particular [business-intelligence] system.  
    These profiles are a real challenge. As just one example, you may have
    employees who are also customers.
    "You need to know who the actors are," says Schramm.
    Leon is a freelance writer in San Francisco. Contact him at
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org