Table of Contents Table of Contents
Previous Page  75 / 96 Next Page
Information
Show Menu
Previous Page 75 / 96 Next Page
Page Background

W H I T E P A P E R

© 2017 Persistent Systems Ltd. All rights reserved. 75

www.persistent.com

Design approach to secure the data coming out of the DWeither in the formof exported reports, or DB backups

or log files or tools that DBA use to browse the data. Have an audit log mechanism in place to log all data

access events. Data going out of DW system periphery should either be encrypted or masked using a suitable

algorithm.

Network and Hardware security -

Restrict login access such that only BI system administrators log in to the servers running the DW/BI

components and other network services.

Restrict network (TCP/IP) access by ensuring the proper network components and protecting the contents

of the envelope via encryption, not tinkering with the IP addresses posted on the outer side of the

envelope.

Deploy packet filtering router to reject connection attempts from unknown hosts or spoofed as insiders or

sniffing

Ensure that the data repositories, code, build system, backup files are secure

Keep up to date with security patches of all software components including OS

Use a directory server using LDAP standard for communicating, authenticating, and authorizing all users of

the DW. This also provides single point of administration for enterprise policies and DBAs do not have to set up

low-level SQLGRANTs/REVOKEs to implement security, thus defeating the flexibility

Secure contents (not the addressing scheme) of distributed communicating systems like message queues,

enterprise bus, distributed grid systems like Hadoop. The following elements that encrypt communications at

some level are:

Private and Public key encryption

Trusted certificate authorities

Secure sockets layer (SSN)

Virtual private networks (VPN)

Kerberos authentication

7.2.8 Security at Implementation, physical design stage

Secure the development environment

(

page 210), as the data on development and QA servers is typically

[1]

drawn from production sites and is sensitive, thus create an access control policy on dev/QA servers. Ideally,

these servers should have similar security enforced as that of production servers but we may not want to lock

down the system so tightly that developers cannot function at ease.

Design and create metadata tables related to application security, scripts to create users/groups and relevant

GRANT/REVOKE permissions on objects to groups

(

page 211-220). Authenticate the users at BI system

[1]

layer as well as DW layer. Implement row-level and column-level security, by utilizing these metadata tables

and DB roles to controls what is being displayed in a DWviews.

Build a data sensitivity matrix like who can see raw data vs. aggregated data or who can see certain columns.

Also think of inferred values aspects e.g. the column may be secured but the users are able to infer the values,

for example, either fromother columns or by taking count of values

Never provide access to BI system to query base tables, instead all access to be granted through DWviews

1 70 71 72 73 74 75 76 77 78 79 80 81 96  FlippingBook