In the previous installment, I described the need to clearly understand the purpose of a Business Intelligence (BI) platform used for management information and to manage the expectations placed on the system. It is important to remember that your BI system should be providing targeted, business-led reporting and not simply used as a data-dump tool. In this continuation of the series, I would like to talk about the options we have to secure the stored data for targeted reporting which can bring the business requirements and compliance together.
The first principle is: do not import sensitive data unless absolutely required.
It may seem obvious, but many organisations miss this key opportunity to ensure that sensitive data cannot be accessed in the BI platforms; it really can be as simple as ensuring the data is not there in the first place. As discussed last time, with a clear understanding of the report requirements it may be possible to include only a level of information which is not considered sensitive and therefore does not require the same level of control as that of the source system.
By working closely with the extraction and transformation specialists from the BW build team, it is possible to ensure that these sensitive characteristics are then stored in a format which presents minimal risk of access to the data, such as aggregated information. Logical separation of the data, such as storing in dedicated info providers can further help to ensure that even users with the ability to create reports cannot access the sensitive data. This is particularly relevant in systems where you must consider Data Privacy and commercially sensitive or confidential data.
Challenging the need to import data is one of the most straightforward ways in which we can assist users at all levels of the business in thinking about the need to include information in the BW systems. ETL (extraction and transformation) layers of the data model encompass not only the direct extraction of data from source systems, but also have the capability to transform data. Transformation provides an up-front mechanism to identify sensitive data that may be required and to manipulate it into formats which do not present the same degree of risk to an organisation, for example aggregation, which allows data to be displayed for a team, rather than identifiably linked to individuals.
Many organisations have used BI systems merely as a replacement for table queries from their SAP systems; importing all data and providing it in a format which is difficult to secure and which does not intelligently present the data in a manner which supports business processes. Ensuring that reports are process-driven will permit authorisation teams to work with management information functions and provide compliant, business-led reporting.
Once your data is extracted from source and transformed into a form which is delivering the needs of the reports, in a more compliant format, you can think about the next principles for securing reporting data, which I will cover in the next session.
If you have any comments or questions, please feel free to use the comment submission below.