This week, I was reading an excellent piece here
about the cyclical nature of the Business Intelligence/Analytics industry (BI).
The assertion here is that priority tends to swing between periods of high
business-driven enablement and IT-driven governance. The former tends to be brought on by advances
in technology, and the latter by external events, regulation, and
necessity. We are currently at the apex
of an enablement cycle at the expense of governance. One casualty of lax
governance is often cyber security.
Recently, we have seen a rash of high-profile data breaches.
One of these was the large-scale theft of data from the health insurer Anthem. This
one was notable as it was the result of a vulnerable data warehouse where
sensitive data was left unencrypted.
Those of us who practice BI and Data Warehousing
professionally have a paradox to deal with. We have always been evaluated on
our ability to make more data available to more users on more devices with the
least effort to support business decisions. In the process, we tend to create
‘one-stop shopping’ and a slew of potential vulnerabilities for those who would
access proprietary data with criminal intent.
The software vendors in our space have been all too
complicit in this. After all, what sounds better to the business
decision-makers they market to: “multi-factor authentication” or “dashboards
across all your mobile devices”? “advanced animated visualizations” or
“intrusion detection”? “data blending” or “end-to-end data encryption”?
How about “self-service business analytics” or “help
yourself to our data”? Consider how easy we make it for the users in an enterprise
to export just the useful parts of a customer database, along with summaries of
transaction history to a USB stick and walk out the door with it.
This idea that BI and data warehousing require more
attention to security is starting to gain traction, however. A quick web search
reveals that the academics are starting to study it and the leading established
vendors in the space are starting to feature it in their marketing in ways I
have not seen before. See the current headline on the MicroStrategy website for one
example.
The main takeaway here is that BI and data warehousing
practitioners need to consider cyber security in architectures and applications
the same way it is done in transaction processing:
- Get a complete BI vulnerability assessment from a cyber-security professional
- Calculate the expected value of an incident (probability of an event times the cost to recover) and allocate budgets accordingly
- Demand proven security technology from your vendors and integrators around features such as authentication, end-to-end encryption, and selective access controls by organizational role
- Don’t be afraid of the cloud. The leading vendors of cloud services employ state-of-the-art security technology out of market necessity and are often the most cost-effective solution available.