Anytime you allow people access to core and sensitive corporate data you need to ensure that there is a security process in place. With users now being encouraged to use BI to mine through those corporate database treasure troves to find even the merest hint of gold, the risks to corporate data have exploded.
Under normal circumstances, controlling user access to data would be done through users rights and permissions. With the huge rise in BI, however, some of that has been weakened and as users marry BI and collaboration, anything done at the database end becomes irrelevant once the data has been extracted.
How serious this is, depends on what happens to that data. If it is leaked to a competitor or taken by a departing member of staff to their new company, the impact could be significant. If part of that data is personal information and it is left on an unsecured device that is lost or stolen, the resulting penalty from the Information Commissioners Office will be hefty.
The problem is how to marry security and accessibility in order to allow users to work with as wide a set of data as possible while maintaining control. The answer, might just lie in a technology often denigrated for its ability to restrict what you can do.
There are probably few technologies that get people as riled up as Digital Rights Management (DRM). Originally introduced by media owners to protect their rights and prevent piracy, it has often backfired on those companies using it. Yet, that same restrictive behaviour for consumers is exactly what we need for corporate data.
Let me say now, I am not normally to be found supporting DRM. In fact, I’ve fairly vociferous in arguing against it but this is a case where I personally can support it.
We already have access to DRM in a business sense. Microsoft introduced it a number of years ago to protect information being leaked out of Redmond. At the time it seemed that hardly a day went by without another leak from the desk of a senior person at Microsoft covering product plans or business issues. As a result, Microsoft decided to take DRM and integrate it into Office and Exchange in order to prevent people forwarding email outside of the company.
The way it works is that the person creating the content assigns a set of controls. That might be that those who open it cannot print, email or copy it. It may allow some to make changes but not forward it to other people. It is, effectively, a content owners equivalent of user rights.
For Microsoft, it worked. The number of leaks slowed dramatically but in doing so, highlighted how widely information needed to be spread around the company in order to get things done. This is a serious by-product of a DRM solution. Unless you really understand who does need to see something in order to get things done, placing restrictions on usage can stultify productivity.
The solution is to use a fairly wide set of access permissions internally but restrict access to only those who have access to the corporate Active Directory. At minimum, this prevents the information being opened by people outside the company if it is accidentally, or even deliberately emailed to them. At best, it can be refined to user groups and departments to prevent information getting into the wrong hands.
This is where BI vendors need to look carefully at what they are delivering to users. Microsoft believes that as most users are doing their analysis inside Excel and their reports in Word, all a customer has to do is implement DRM and that is the end of the matter. While true it ignores a critical step in the process.
That step is that allowing the user to put the controls on the data AFTER it has been extracted, is not an auditable or complete solution. There is still a disconnect from the corporate security control on the database and what now happens to the data. There needs to be a link that goes from database to application.
Another issue is unsupported platforms. Execs, like most techies, love their toys. BlackBerry’s, BlackBerry PlayBook, Apple iPhones, Apple iPads, Android tablets – there are a lot of devices starting to appear on which the execs will want to consume reports from their users. The only way of controlling access on these devices is through a web application interface which means that the files are never stored on the local device.
This is a problem and one that we need both BI vendors and the industry to resolve. There has been a lot of work done to create a generic DRM standard for media files. That work now needs to take a new direction and be applied to business content and those vendors that want to be part of the business space need to look to adopt some of these controls.