New Generation BI Requires 'Holistic' Security

by Lora Bentley, IT Business Edge
Jun 18, 2008 12:00:00 AM

Lora Bentley spoke with Clive Longbottom, service director, business process analysis, Quocirca.

 

Bentley: As the business intelligence software market has evolved and the solutions offered have matured, how is security affected?
Longbottom: The new generation of BI tools is aimed at greater use across an organization, and this brings in the need for a greater level of granular security in the way data is dealt with. For example, whereas a senior manager may be able to look at, say, all salaries for employees in his/her department, someone further down the line may only be able to see aggregated details or maybe only relative data. A security expert may be able to run a report against a whole organization, whereas a department head could only see information against their department.

 

Bentley: What is it, specifically, about current BI tools that requires such granular security?
Longbottom: As BI becomes more inclusive, covering more data sources, the need for granular security increases - and this has to be a mix of native security held in applications and databases, as well as built-in security within the BI tool itself, overlaid where necessary with specific security tools to ensure that a "holistic" — I hate that word — solution is gained.

 

Bentley: Can you give an example of what a "holistic" BI solution might look like?
Longbottom: By "holistic," I mean one that covers all the bases in a manner leaving no gaps. So, an application may have its own security, but the underlying database has either a different security model, or none at all. Therefore, someone can bypass the application and attack the database instead — and any event monitoring in the application will miss what's happening. A new security model can be built for the database so that this is now secure. Now, the blackhat can attack the data in motion instead of trying to get at it while at rest in the database. So, another security solution needs to be brought in to ensure that data in motion is encrypted, and so on.

 

Bentley: But just adding security solutions at each level is not the answer?
Longbottom: You then end up with a set of disconnected security approaches with no means of tracking any real patterns. An attack on the application fails, an event is created, but as the security threat was seen off, nothing needs to be done. The database is attacked, and the same happens. The data in motion is attacked, and this time the attack succeeds. If the security model was "holistic," the initial attack would have been noted, and the second attack would have been picked up as part of a pattern. Steps can then be taken to further protect the data in motion, proactively stopping the third attack.

 

Within the purview of BI, this again is reflected in ensuring that no matter what a BI user tries to do (accidentally or on purpose), the underlying single security model ensures that nothing untoward can be seen, and that anything that matches a specific pattern will trigger alarms that enable security staff to escort a user off the premises....
