Published: 10 Oct 2021 | Author: James Beresford
Who doesn’t love PowerBI Desktop? Enterprise BI capability on your desktop for free! You can connect to virtually any source, pull all the data from it and start creating powerful analytics in a matter of minutes. Brilliant! But the PowerBI Desktop security risk is rarely considered…
Oh yes. All of it. Everything the developer has access to. You know how business owners used to stress about sales people having their own black books or stealing the customer data? This is so much worse.
If someone (not even a PowerBI developer) has enough access to one of your systems, they can pull everything they want from it into PowerBI. There may be some restrictions put in place at the application level which limit what can be pulled, but users find them annoying, and so access to the data is often very generously granted. The risk then lies in these two factors:
Most of the time this is not really a big concern – people are trying to do the right thing and just want the data to do their jobs. But there are two key scenarios where this risk becomes problematic.
Scenario 1: Malicious actor
Someone within the business wants your data for their own purposes and needs a simple, portable store to take it off your systems. PowerBI is a great tool for pulling large quantities of data and making it highly portable. As PowerBI Desktop is free, once someone has a PowerBI file, they have a means of reading all that data at their convenience.
Scenario 2: Naïve actor
A user builds a piece of valuable reporting that helps someone external to the organisation. They email it to that 3rd party, forgetting that some of the working data has client personal information in it. There has now been an inadvertent data breach for your business to control.
How do you limit the PowerBI Desktop Security Risk?
As with all issues to do with governing risk, there is a mix of hard (technical) and soft (policy) tools you can bring to bear on the problem.
On the “hard” front, first is your Data Loss Prevention software, which actively stops PowerBI files being distributed outside of your organisation by email, upload or whatever methods of egress you want to control. Second is controlling the spread of the software by limiting who can actually install it on their desktops. Finally, keep a better grip on your data through rigorous access control and by deploying tools such as Azure Information Protection to keep an eye or lock on sensitive data.
On the “soft” front, your teams need to be educated on the risks of data loss, costs of data leakage and how it can happen. It won’t deter malicious users much – but it will at least give the naïve actor pause for thought.
PowerBI presents risks, but it also offers the ability to really drive data-driven decision making in your organisation. It just needs to be governed and directed properly to make sure you maximise the benefits while minimising risks. We have advised many organisations on just this – please reach out to us if PowerBI is growing in your organisation and needs to be properly managed as part of an Enterprise PowerBI implementation.