business intelligence security
Business Intelligence Security
Christopher Holden, H&H Technologies
May 2003
Introduction
Who am I?
◆ Business Intelligence and Data Warehouse Architect with 10+ years experience
◆ Implemented full scale DW and BI solutions for both private and public sectors in Canada, USA and UK.
What Will I Cover?
◆ 40 minute presentation on the technical aspects of a BI Security implementation
◆ Identifies the major components
◆ Addresses principles and considerations
◆ Provides a process and some examples of implementation code/processes
Vision Statement
To provide Business Intelligence with a comprehensive security facility, aligned with Corporate IM/IT directives, that will facilitate the confidentiality, integrity and availability of data.
Goal and Objectives
Goal is to secure data in a consistent manner regardless of technologies
Objectives include:
◆ row and column level security
◆ Maintain security once, propagate to the many tools and subject areas
◆ Flexible solution that adapts to any corporate or system development methodology
Today’s Situation
Current tools
◆ RDBMS including Oracle, SQLServer, Sybase, DB2
◆ ETL products including Cognos DecisionStream, DataStage, Informatica, Microsoft DTS
◆ Business Intelligence tools such as Cognos Impromptu and PowerPlay
◆ Security directories including Active Directory Services, LDAP
Many Approaches in Use
◆ security by project implementation (narrow scope for both technology and subject matters)
◆ security by product (narrow scope for technology)
◆ Business Intelligence security is often developed in isolation from network, database, web and application teams
Available Options
1. Maintain Status Quo (Little or No Security)
◆ compromises sensitive information
◆ no reuse of existing implementations
2. Create Project and/or Tool Solutions
◆ duplication of work
◆ increase maintenance efforts and costs
◆ reduction in user-friendliness and ability
◆ limited based on scope and capabilities of tools
3. Develop Comprehensive BI Security Solution
◆ requires time, design and contentious requirements
◆ provides flexibility, scalability, consistency
◆ Reduces maintenance
◆ increases ability to use best-of-breed products
Principles and Considerations
Persons may be employees, contracted persons, external partners or consumers
Ability to secure data for organizations such as IM/IT where they are:
◆ service providers (deliver and maintain the systems)
◆ consumers (users) of the systems
Data access is tool independent
Data access is defined in terms of inclusion not exclusion
Principles and Considerations - continued
Order of Preference for Securing Data:
◆ via database security (at the source)
◆ via application security
◆ via network security (physical separation)
Privileges are used to define permissions to Development, Quality Assurance and Production data groups as discrete entities
The security facility itself will be maintained using the System Development Lifecycle.
Framework
• PIA
• TRA
• Mission Statement
• Basic Principles
Security Model
• Identifies terminology and creates Corporate Security Glossary
• Models security matrix and depicts object relationships
Security Matrix
• Contains all: users, access groups, data groups, privileges
• is the central, common, corporate security db
Tool Mapping
• Maps tool specific terminology to Corporate Security glossary
• Adapts tool security implementation to Corporate Standards
Implementations
• Subset of Corporate Security Matrix
• Subject area specific
• May be tool specific
Security Framework
Provides the raison d'être
Statements of Sensitivity describe the data and provide its sensitivity and confidentiality rating
Privacy Impact Assessments state the impact to an individual or organization if security is compromised (cost, legal, trust)
Threat Risk Assessments examine the threats and assign risks to both malicious and accidental actions as they relate to data, code, integrity and dissemination
Security Framework - continued
SOS, PIA and TRAs are not intended to provide the mechanisms of security
They provide requirements in order to develop a practical, scalable, cost-effective solution
SOS, PIA and TRAs are iterative, living documents
Security Model
Corporate Security Matrix
Composed of 3 primary matrices (associations)
◆ between Person and Access Group
◆ between Data Group and Data Element
◆ between Access Group and Data Group
Living compilation that is updated as any combination of Persons, Data, or Access change
Creating the Corporate Security Matrix
Sample Corporate Security Matrices

Data Group Name | Data Element
Employee_Name | Employee Number, Employee Name, Last Name, First Name, Middle Name
Employee_DOB | Birth Date, Age, Gender
Equity | Aboriginal, Disabled, Visible Minority, Woman
Employee_Address | Primary Address, Home Address Line 1, Home Address Line 2, Home City, Home Postal Code, Home Province, Home Telephone, Mail Address Line 1, Mail Address Line 2, Mail City, Mail Postal Code, Mail Province, Mail Telephone
Employee_Service | Service Date, Continuous Years of Service, Hire Date

Data Group Name | Payroll | Staffing Services | Pension and Benefits | Labour Relations | Analysis & Research | Financial Services | General Management | Administrative Support
Employee_Name | a | a | a | a | a | a | a | a
Employee_DOB | a | a | a | x | a | a | a | a
Equity | x | x | x | x | x | x | a | x
Employee_Address | a | a | a | x | a | a | a | a
Employee_Service | a | a | a | a | a | a | a | a

Access Group 1 | Access Group 2 | Access Group 3
HumanResources | Payroll |
HumanResources | Staffing Services |
HumanResources | PensionsBenefits | Pensions
HumanResources | PensionsBenefits | Benefits
IM/IT | ProductionSupport |
IM/IT | Development |
IM/IT | SecuritySupport |
Finance | Payroll |
Finance | AR and AP |

Access Group | User Name | User ID
Payroll | Smith, John | smithj
Payroll | Jones, Paula | jonesp
Payroll | Kelly, Ronald | kellyr
Staffing Services | Powell, Nathalie | Poweln
Staffing Services | Barnaby, Tara | barnat
Staffing Services | Frein, Kim | freink
Staffing Services | Perry, Frank | perryf
PensionBenefits | Smith, John | smithj
PensionBenefits | Thom, Jamie | thomja
Tool (Product) Mappings
Diagram labels: Corp. Matrix; Security Framework & Model; "Standards are imposed"; "Synonyms and adaptations"
Products shown:
◆ Cognos Access Manager
◆ Cognos Impromptu Web Reports (IWR)
◆ Cognos Transformation Services
◆ Cognos Upfront (Portal)
◆ Cognos PowerPlay Enterprise Server
◆ RDBMS: Oracle, Sybase, SQLServer, DB2, etc.
◆ ETL: DecisionStream, DataStage, Informatica, DTS, etc.
◆ Other BI: Hummingbird, Brio, Crystal, Business Objects, etc.
Tool (Product) Mappings - continued
Essentially the “ETL” portion of the security system
The rules for:
◆ extracting persons, data and privileges from the Corporate Security Matrix
◆ transforming the data to fit the product’s security schema (e.g. how to define and group persons within access groups)
◆ loading of the data into the product’s specific security schema
Advantage of iterative development (one product at a time as resources become available)
Tool (Product) Mappings - Example
CognosScript macro to load Cognos AccessManager from Corporate Security Matrix
◆ Add Users (full names, database logins, OS Signons)
◆ Add UserClasses (user class hierarchies)
◆ Add User to UserClasses (assign users to user classes)
Advantages?
◆ One macro to update 3 environments (DEV, QA, PRD)
◆ Matrices now have 2 purposes - documentation and data
◆ Macro can be run periodically to keep security system in-sync with Corporate Security Matrix
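The three associations of the Corporate Security Matrix and the extract and transform steps of a tool mapping, as an added example that is not code from the presentation. The table names, the env column, the user lr_user and the reading of "a" as granted and "x" as not granted are assumptions; the sample rows are constructed from the sample matrices.

```python
import sqlite3

# Constructed sample rows based on the page's sample matrices. Assumption: "a" means
# granted and "x" not granted; only grants are stored, so a missing row denies.
PERSON_GROUP = [("smithj", "Payroll"), ("barnat", "Staffing Services"),
                ("lr_user", "Labour Relations")]  # lr_user is hypothetical
GROUP_ELEMENT = [("Employee_Name", "Last Name"), ("Employee_Name", "First Name"),
                 ("Employee_DOB", "Birth Date"), ("Equity", "Aboriginal")]
# (access group, data group, environment). The env column is an assumption that
# models DEV, QA and PRD privileges as discrete entities.
ACCESS_DATA = [("Payroll", "Employee_Name", "PRD"), ("Payroll", "Employee_DOB", "PRD"),
               ("Staffing Services", "Employee_Name", "PRD"),
               ("Staffing Services", "Employee_DOB", "PRD"),
               ("Labour Relations", "Employee_Name", "PRD"),
               ("Payroll", "Employee_Name", "DEV")]

def build_matrix():
    """Load the three associations into an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE person_access_group (user_id TEXT, access_group TEXT);
        CREATE TABLE data_group_element (data_group TEXT, data_element TEXT);
        CREATE TABLE access_group_data_group (access_group TEXT, data_group TEXT, env TEXT);
    """)
    db.executemany("INSERT INTO person_access_group VALUES (?, ?)", PERSON_GROUP)
    db.executemany("INSERT INTO data_group_element VALUES (?, ?)", GROUP_ELEMENT)
    db.executemany("INSERT INTO access_group_data_group VALUES (?, ?, ?)", ACCESS_DATA)
    return db

def allowed_elements(db, user_id, env):
    """Data elements a person may read in one environment (column level)."""
    rows = db.execute("""
        SELECT DISTINCT e.data_element
        FROM person_access_group p
        JOIN access_group_data_group a ON a.access_group = p.access_group
        JOIN data_group_element e ON e.data_group = a.data_group
        WHERE p.user_id = ? AND a.env = ?
        ORDER BY e.data_element""", (user_id, env))
    return [r[0] for r in rows]

def tool_load_plan(db, env):
    """Extract and transform for one product: user classes and their members."""
    plan = {}
    for group, user in db.execute("""
            SELECT DISTINCT p.access_group, p.user_id FROM person_access_group p
            JOIN access_group_data_group a ON a.access_group = p.access_group
            WHERE a.env = ? ORDER BY 1, 2""", (env,)):
        plan.setdefault(group, []).append(user)
    return plan
```

The load step would write each plan entry into the product's own security schema; running the same plan per environment is what lets one job keep DEV, QA and PRD in sync with the matrix.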
Implementation
Iterative
◆ one product at a time
◆ one subject area or project at a time
Extract only relevant security objects from the Corporate Security Matrix (same concept as DataMarts)
Expect each product and project implementation to differ -- the Security Model and Framework are designed to provide guidelines and templates
Security Facility SDLC
Instances: Security (DEV Instance), Security (QA Instance), Security (PRD Instance)
Each instance contains:
◆ Corporate Security Matrix (DEV, QA, PRD Privileges)
◆ Tool Mappings
◆ Implementations (DEV, QA, PRD Privileges)
Diagram annotations:
◆ Used by IM to test changes to code, structure, processes, etc. within Security System
◆ Contains the PRODUCTION security measures for all environments including DEV, QA and PRD
◆ Contains the same code, structures and processes unless a system change is underway
◆ Contains sample data (i.e. content is for testing purposes)
◆ Contains production data