Microsoft, as part of an ongoing effort to elevate application security awareness, announced today that it is expanding the data security capabilities it provides within its business intelligence (BI) application environment in a way that will pass muster with the U.S. government.
A Power BI for Azure Government Secret capability is now under review by the Microsoft Third-Party Assessment Organization (3PAO). Once completed, that capability will be submitted for Provisional Authorization to Operate (P-ATO) in support of Department of Defense Impact Level 6 (IL6) workloads.
That capability will be further enhanced via a VNet capability due out later this month that provides organizations with greater control over how data is exported to other applications connected over virtual networks. Microsoft already provides support for service tags to restrict access to Power BI from external applications employing application programming interfaces (APIs) over public internet connections.
Service tags can be associated with Microsoft Information Protection (MIP) sensitivity labels to give end users a simple way to classify Power BI content as secret, which then automatically restricts who has permission to view that data.
Power BI also supports a Microsoft Azure Private Link feature that restricts access to endpoints on an Azure cloud network.
In general, there’s not enough focus on the level of data security applied to BI applications that routinely contain some of an organization's most sensitive data, says Arun Ulag, corporate vice president for Power BI at Microsoft. “This is one area where the industry is not doing enough,” he notes.
In addition to evaluating BI applications on their core capabilities, Ulag says that in the age of the cloud, cybersecurity teams should also be exercising influence over the selection of applications. In many cases, those cybersecurity teams will discover that data residing in BI applications widely employed throughout the enterprise can be readily accessed and even exported in ways that don't provide much meaningful protection.
Of course, Ulag concedes there will never be such a thing as perfect security. However, organizations should expect providers of applications to make it difficult for any malevolent actor to view or exfiltrate data.
Restricting Data Access
Very few organizations today have much insight into how much data is being lost because it’s simply too easy to access. Even if data is encrypted, anyone who has gained access to a set of legitimate credentials can access it. Organizations should have a series of processes in place that restrict access to data based on identity and role as part of a larger zero-trust approach to cybersecurity. The challenge, as always, is to implement those controls in a way that doesn’t interfere with productivity. End users should be able to classify data as they create it with a single click of a button.
It’s not clear to what degree data security within applications will become a more elevated conversation in the months ahead. However, organizations should assume that cybercriminals have already figured out how to get around usernames and passwords that are in a lot of cases easy to find on the Dark Web. As is always the case, cybercriminals are looking for the simplest method possible to achieve their aims. In more cases than anyone cares to admit, that means logging into any application they choose just as if they were any other end user.