Category

Uncategorised

PowerBI Desktop Security Risk!

By | Uncategorised | No Comments

Who doesn’t love PowerBI Desktop? Enterprise BI capability on your desktop for free! You can connect to virtually any source, pull all the data from it and start creating powerful analytics in a matter of minutes. Brilliant! But PowerBI Desktop Security Risk is rarely considered….

PowerBI Desktop Security Risk

PowerBI Desktop Security Risk

Sorry, did you just say “Pull all the data”?

Oh yes. All of it. Everything the developer has access to. You know how business owners used to stress about sales people having their own black books or stealing the customer data? This is so much worse.

If someone (not even a PowerBI developer) has enough access to one of your systems they can pull everything they want from it into PowerBI. There may be some restrictions put in place at the application level which restrict what can be pulled, but users find them annoying and so often access to the data is often very generously granted. The risk then lies in these two factors:

  • Any application security is removed by pulling the data into PowerBI. All those logins that prevented application access now have no effect.
  • A PowerBI file is an unencrypted store of all that data and is easily shared. It can’t even be password protected.

Most of the time this is not really a big concern – people are trying to do the right thing and just want the data to do their jobs. But there are two key scenarios where this risk becomes problematic.

Scenario 1: Malicious actor

Someone within the business wants your data for their own purposes and needs a simple, portable store to take it off your systems. PowerBI is a great tool for pulling large quantities of data and making it highly portable. As PowerBI Desktop is free, once someone has a PowerBI file, they have a means of reading all that data at their convenience.

Scenario 2: Naïve actor

A user builds a piece of valuable reporting that helps someone external to the organisation. They email it to that 3rd party, forgetting that some of the working data has client personal information in it. There has now been an inadvertent data breach for your business to control.

How do you limit the PowerBI Desktop Security Risk?

As with all issues to do with governing risk, there are a mix of hard (technical) and soft (policy) tools you can bring to bear to the problem.

On the “hard” front, first is your Data Loss Prevention software which actively stops PowerBI files being distributed outside of your organisation by email, upload or whatever methods of egress you want to control. Second is controlling the spread of the software by limiting who can actually install it on their desktops. Finally, keep a better grip on your data through rigorous access control, and deploying tools such as Azure information protection to keep an eye or lock on sensitive data.

On the “soft” front, your teams need to be educated on the risks of data loss, costs of data leakage and how it can happen. It won’t deter malicious users much – but it will at least give the naïve actor pause for thought.

How does my organisation protect itself?

PowerBI presents risks but it also offers the ability to really drive data driven decision making in your organisation. It just needs to be governed and directed properly to make sure you maximise the benefits while minimising risks. We have advised many organisations on just this – please reach out to us if PowerBI is in growing your organisation and needs to be properly managed as part of an Enterprise PowerBI implementation.

 

PowerBI Governance – it grows like Mushrooms!

By | Uncategorised | No Comments

PowerBI Governance strangely coincides with one of my other hobbies. I have had a lifelong interest in hunting mushrooms, and was recently gifted a copy of an Australian Field Guide, which helps a lot as my existing knowledge is UK based and not just irrelevant but potentially deadly.

Now, first the science bit: Mushrooms themselves are actually just the most visible part of the whole fungi, which is actually a huge network of mycelium growing in the ground, or in an old tree trunk or whatever its preferred food is. A mushroom is the just the fruiting body of the fungus itself. By the time you see a mushroom, the fungus itself is well established and growing healthily.

PowerBI Governance Mushrooms

PowerBI Governance Mushrooms in the wild!

PowerBI – by the time you see it, it’s already established

From an organisational perspective, PowerBI Governance and mushrooms have a lot in common. By the time a leader becomes aware PowerBI is in the organisation by having spotted a wild dashboard – it usually means it’s got into many parts of the organisation in a wild and unmanaged state.

This isn’t a problem in itself; a few wild gems here and there are good thing to find and can add value to the business. However as with wild mushrooms, telling the good from the bad is not a simple task. Superficially one report can look very much like another – but one can contain the poison of bad data or incorrectly applied business rules – and there’s no way to tell from just looking at it.

This why we farm our mushrooms

To ensure our mushrooms on toast doesn’t end up killing us, we farm mushrooms to make sure we get a safe, edible species to eat. Similarly for PowerBI, once we start consuming it we want to be able to confident of its provenance. This means that you need to move from a business led anarchic state to something more managed.

There’s a lot of models for delivering an Enterprise PowerBI platform but they boil down to 3 approaches:

  • Business Led, bottom up
  • IT Led, top down
  • Hybrid – IT Managed, Business Developed

Which one is right for your organisation will depend on your particular structure and culture. Typically the Hybrid model delivers best results though, as IT manages the technical components – building data sources and so forth – and Business manages the consumables – reports & analysis on that data. Each area plays to its strengths.

Applying governance to your PowerBI deployment

Managing a balance of responsibilities between IT and Business is never easy and so laying some ground rules is essential. Things that need to be considered include:

  • Who is accountable for the validity of the data?
  • How is the service managed from a cost and capacity perspective?
  • What security risks are there and how are they managed?
  • How is adoption and effective usage going to be enabled?

All these things require careful thought and then enforcement through “hard” technical configuration and “soft” policies and guidance. There’s no right answer, and Microsoft’s continual updates mean the answer keeps changing – but my experience with organisations from Local Councils to Global Law Firms to Resource companies has helped me know the right questions.

If you are struggling with an emerging wild mushroom PowerBI deployment, we’d love to hear from you and see what we can do to help bring them under control as part of our Enterprise PowerBI offerings.

And a closing dad joke:

Q: Why does the mushroom always get invited to parties?

A: Because he’s a fun guy!*

The 3 faces of Enterprise PowerBI – Training Personas

By | Uncategorised | No Comments

PowerBI Training Personas! Since self service BI became an actual thing we have advised many organisations on how to roll it out successfully and give the best ROI and understanding the users is essential. A key mantra for us has always been to tune the content to the audience. After all, you book The Wiggles for your children’s party, not a heavy metal band (well, unless they are into Hevisaurus!).

Over the course of working with organisations to define these audiences, consistently there are 3 personas that come up, each with their own needs with regards to enablement in terms of data and training. These 3 personas are:

  • The Actor
  • The Creator
  • The Analyst

Lets have a quick walk through these PowerBI Training Personas!

The Actor

This user makes up the bulk of users in most organisations. Their use of data and reporting is as an input to drive or inform decision making. The individuals in these roles can range from the CEO who needs to have an at-a-glance dashboard of their organisations performance, to a field sales worker who needs to know the buying profile of their next client.

The level of interactivity with any reporting will be basic – maybe selecting a few options or filters, perhaps drilling down a preset path to get some finer detail. Consequently the degree of training and enablement they need is fairly light. Key information for them is where to find the report, what the data on the report actually means and what buttons to press.

The Creator

This type of user is actually one of the most important in terms of organisational impact. These are the people that are tasked with generating content for the Actors, and as such have a deep understanding of the data in their domain. These are the people tasked to work with the technology experts to build out the data models that drive much of the self service capability.

These users really get into the guts of the data and understand it in depth. When an Actor asks for explanation on a particular data point they are the ones that have to investigate. The technical training they need focuses on content creation and publishing. The enablement needs to cover things like business analysis skills, Master Data Management and Data Cataloguing.

The Analyst

Most people calling themselves PowerBI experts sit here, and most organisations have a handful of them – they are not a big population (though a vocal one!). They sometimes fill the role of creator but more often than not are trying to make sense of the organisations data, how it interlinks and where the hidden treasure lies. They “self-serve” from the raw data, constructing new ways to get insight into the organisations performance.

Here enablement focuses on technical capability as they need to understand how to manipulate and interrelate data that may be in less than ideal forms and certainly hasn’t been through an enterprise cleaning process. Data Catalogues support them in the discovery process.

To wrap

The key message to take from this post is that when rolling out PowerBI at scale these different communities and capabilities need to be addressed – and in different ways. There is no value in sending all of your team on advanced PowerBI training if the skills learned will never find a practical application. Similarly if you build it, they won’t come – you need to guide them there.

Good luck!

(Adapted from an original LinkedIn article by the author)