Power BI has evolved into an indispensable tool to accelerate decision-making and gain enterprise-wide visibility, all on a single platform. The downside of this technological wonder is that as more individuals gain access to data, some of it highly sensitive for an enterprise, the risk of that data being exposed to unauthorized users grows.
Consider an HR manager who wants to share the details of all the recruits for a quarter by publishing a report on the Power BI dashboard. Keeping organizational protocols in mind, the manager is not keen on sharing the salary details of the recruits with HR executives. Separating the salary details from the list and sharing them individually across the HR department hierarchy is an extremely time-consuming and cumbersome job. The Power BI security stack allows the HR manager to enable access for specific users for specific rows. An HR executive can view the contact details of recruits but will not have view access to their salary details, while the HR director can have a comprehensive view of all the details of a recruit.
With an increase in data leaks and stricter data-related regulations, Microsoft has worked to add more layers of security and access control to reports and dashboards on Power BI. One such layer allows IT administrators to enable or disable publish access of content to websites.
Did you know that the initial version of the Power BI data visualization tool enabled publishing of data visualizations to website contents without much control of the IT administrators on the publish access?
As organizations embrace cloud-enabled operations, they will have to contend with two burning questions:
- Is my data secure in the cloud?
- How do I prevent my data from being leaked?
These questions bear more relevance for the Power BI platform as it handles extremely sensitive data of an organization. To respond to this concern, Microsoft deployed over 3500 engineers and tools to build a robust security stack that makes the tool ready to counter any sort of data security threat.
How Does the Power BI Security Safeguard Data?
- Microsoft Information Protection sensitivity labels classify sensitive Power BI data and label it accordingly.
According to the session policy, the “protect” capability works only on data that is not labelled. An existing label cannot be overridden in the Power BI tool.
- Governance policies ensure end-to-end data protection even after the content is exported from the tool to PowerPoint, PDF, Excel, and other export formats.
- Users’ handling of sensitive data is constantly tracked and protected by Cloud App Security, which issues real-time alerts, monitors user sessions, and conducts risk remediation.
- Microsoft Cloud App Security boosts the organizational oversight of IT administrators by providing augmented security investigation capabilities and creating data protection reports.
Did you know that Cloud App Security is functional only on PowerPoint, Excel, and PDF files?
For an in-depth understanding of the Power BI security framework, let’s look at the tool architecture.
Power BI Tool Architecture
The Power BI tool architecture is composed of two clusters: the Web Front End (WFE) cluster and the Back-End cluster. The Power BI tool uses Azure Active Directory (AAD) to manage and store user credentials in Azure Blob. Data and metadata are stored and managed in Azure SQL Database.
Web front-end cluster – The WFE cluster serves the initial HTML page contents when the site loads in the user’s browser, to support the initial connection and authentication process for the Power BI tool. Azure Active Directory (Azure AD) is used to verify the user authentication and allow subsequent user access to the Power BI back-end service. This user authentication is done by the Azure Traffic Manager, which communicates with the client’s DNS service as soon as a user attempts to connect to the Power BI service.
Back-end cluster – Back-end clusters are made of several virtual machines that are combined into multiple resizable scale sets. These sets are built to execute specific tasks and manage resources including service buses, SQL databases, caches, and other critical cloud components. All the back-end clusters are used to host tenant data, and each is referred to as the tenant’s home cluster. Global Service provides the information about an authenticated user’s home cluster, which the WFE cluster uses to send requests to the tenant’s home cluster. The tenant data and metadata are stored within cluster limits, with the exception of data replication to another back-end cluster in a paired Azure region. The other back-end cluster works as a failsafe cluster to brace for a regional outage.
Power BI Mobile Architecture
Power BI Mobile is a collection of apps built primarily for Windows, Android, and iOS. The Power BI mobile apps can be broadly classified into two categories:
Device communication – All the Power BI Mobile applications use the same connection and authentication sequences of users while communicating with the Power BI service. The Power BI mobile applications for Android and iOS create a browser session within the application itself, while the application meant for Windows mediates via a broker to communicate with Power BI.
The application and device data – Telemetry gathers mobile app usage statistics and other similar data apart from customer data. The data is then conveyed to services to monitor user activities with sensitive data. The Power BI mobile application stores data on the device pertaining to the usage of the app:
- Azure AD and refresh tokens, backed by standard security measures, are stored in a secure mechanism on the device.
- Data and settings are cached while being stored on the device and are encrypted by the OS. On iOS, this is done automatically as soon as a user sets a passcode, while on Android it is configured in the settings. On Windows, it is performed using BitLocker.
- For iOS and Android-enabled apps, the data and settings are cached in the device storage in a sandbox and internal storage that is accessible only to the app. For Windows-enabled apps, the data and settings can be accessed only by the user and admin.
- Users can enable or disable the geolocation feature at will. When geolocation is enabled, geolocation data is not saved on the device, nor is it shared with Microsoft.
- Users are free to enable or disable notifications. When notifications are enabled, iOS or Android-enabled devices will not support geographic data residency needs for notifications.
What are the Steps Taken to Ensure a Robust Power BI Security?
Implementation of the Azure AD Conditional Access feature – Clients can activate a premium subscription to leverage Azure AD Conditional Access. This feature boosts security by setting the following measures:
- The device must be domain-joined.
- Access is only enabled from trusted locations.
- Access is not allowed from certain Operating Systems.
- Requirement for a multi-factor authentication (MFA).
- Access is not allowed for individual clients through desktops or mobiles.
Power BI security for workspace and app creation – After exporting data from Power BI Desktop in the form of workbooks, reports, data dashboards, dataflows, and datasets, clients can add security user groups, Office 365 groups, and individuals as admins, contributors, and viewers. These members are then allocated roles that control their actions with the exported data. The content can also be rolled into a single package, designed as an app, and circulated or published across the entire organization or to specific groups of people. However, this package can include only workbooks, reports, and dashboards, and clients can make use of the “included in app” option to publish specific datasets among the exported data. Clients can use the “build permission” option to allow users secure access to an app’s datasets. Users can then spot these datasets when they search for shared datasets. Apps are created within workspaces, where teams collaborate on the Power BI content before the finished app is displayed across the organization. These apps are known to simplify the process of managing permissions.
Row-level security – The back-end cluster of the Power BI tool uses row-level security (RLS) as a security technique to avert any unwanted access to data. This security technique allows restriction on an individual level and enables controlling what a user can view and access while working with Power BI reports, datasets, dashboards, and others.
Did you know that the dynamic RLS enables you to exclude a particular data value in some scenarios and then include the same in other scenarios as per your needs?
RLS is activated by following the steps stated below:
- Setting up user-specific roles in Power BI.
- Including a Data Analysis Expression (DAX) to filter out data for all the roles created in the step above.
- Validating all the roles in the Power BI Desktop to ensure their functionality.
- Testing and validation of all the roles in Power BI Service.
Tracking tenant activity – All-round visibility into the actions taken and the components accessed in a Power BI tenant is critical for adhering to regulatory compliance and managing records. This tracking is enabled by two Power BI features: the Power BI activity log and the unified Office 365 audit log. Both of these logs maintain a complete record of the tenant activity data, which can be viewed to gain complete visibility into the tenant’s activity with data. Since data in the audit logs is kept for no more than 90 days, it is advised that clients create a report from the audit logs and store it in Azure Blob Storage.
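One way to carry out the archiving advised above, run once a day as a scheduled job. This is an added example, not code from the original article; the storage account and container names are placeholders, and the two activity names in the watch list are assumptions to adjust for the tenant.

```powershell
# Added example: archive one UTC day of Power BI activity events to Azure Blob Storage.
# Needs the MicrosoftPowerBIMgmt and Az.Storage modules, an account permitted to read
# tenant activity, and blob write rights (for example Storage Blob Data Contributor).
param(
    [datetime]$Day          = [datetime]::UtcNow.Date.AddDays(-1),  # yesterday (UTC)
    [string]$StorageAccount = 'examplepbiaudit',                    # placeholder
    [string]$Container      = 'powerbi-activity'                    # placeholder
)

Connect-PowerBIServiceAccount | Out-Null
Connect-AzAccount | Out-Null

# Get-PowerBIActivityEvent requires start and end to fall within the same UTC day.
$stamp = $Day.ToString('yyyy-MM-dd')
$json  = Get-PowerBIActivityEvent -StartDateTime "${stamp}T00:00:00.000" `
                                  -EndDateTime   "${stamp}T23:59:59.999" `
                                  -ResultType JsonString
if (-not $json) { $json = '[]' }   # a day with no events still gets an archive file

# Keep the raw JSON so the archive can be re-analysed after the log has aged out.
$name = "powerbi-activity-$stamp.json"
$file = Join-Path ([IO.Path]::GetTempPath()) $name
$json | Out-File -FilePath $file -Encoding utf8

# Upload under a year/month prefix, authenticating with the signed-in Azure AD account.
$ctx  = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount
$blob = ('{0:yyyy}/{0:MM}/' -f $Day) + $name
Set-AzStorageBlobContent -File $file -Container $Container -Blob $blob `
    -Context $ctx -Force | Out-Null
Remove-Item $file

# Daily review: who exported reports or published them to the web, and how often.
# The activity names below are assumptions; extend the list to suit the tenant.
$watch  = 'ExportReport', 'PublishToWebReport'
$events = $json | ConvertFrom-Json
$events |
    Where-Object { $_.Activity -in $watch } |
    Group-Object UserId, Activity |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Setting an immutability or retention policy on the container keeps the archived days from being altered by the same accounts whose activity they record.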
Importing data – After data is imported in Power BI Desktop, the Power BI tool connects to the data source using either the current user’s authentication credentials from the desktop or the credentials defined as part of configuring scheduled refresh in the Power BI service. Restraint and utmost care are advised while publishing and distributing such reports. Clients should set row-level security as part of the datasets. Users should not be able to view or access anything beyond the shared data.
Exporting data – Authors can classify reports and use Microsoft Information Protection sensitivity labels to distinguish reports based on their sensitivity. If the sensitivity labeling is done with protection settings, the Power BI tool will apply these settings when it exports report data to Excel, PowerPoint, and PDF file formats. The data files with activated protection settings can be opened only by authorized users. IT administrators can use the Microsoft Cloud App Security feature to track user activity and access to data files. They can perform risk analysis in real time and establish label-specific controls.
Data sources – DirectQuery is an ideal option to set any level of security to data as it queries all the underlying data sources. Power BI does not use different credentials between importing and exporting of data to connect to the underlying data source after a DirectQuery report is published to the Power BI service. Therefore, it is essential to configure all the credentials of the users immediately after publishing a DirectQuery report. The credentials, once provided, are used for any user who opens the report, much like importing data. Any user accessing the report will see the same data unless row-level security is implemented on the report or a part of it. Sharing the report demands the same amount of attention if there are security rules defined in the underlying data source. It is to be noted that DirectQuery will be of no benefit in terms of data source security until the Power BI tool allows the identity of the report consumer to pass through to the underlying data source.
The Crux of the Above Information
It is extremely critical to keep business data confidential, particularly in view of the rising instances of high-level data breaches. By taking advantage of the multiple security options in the Power BI tool, such as dynamic row-level security, users can not only secure a whole data file but also choose to hide a part of the file. The roles assigned to users can be fine-tuned at a granular level to control the access and activity of team members on the information. It should be noted that to enable this security structure, it is essential to properly activate all the features in the desktop as well as the cloud-based components of the Power BI tool.
Who are We and Why are We Considered as an Industry Authority?
FlatworldEDGE is a frontrunner in the IT solutions arena and has extensive expertise in software testing services, infrastructure management solutions, business intelligence solutions, and custom software design. We leverage data analytics capabilities in our solutions to bring transformational business changes for our clients. Our Power BI solutions have helped our clients bring efficiency and acceleration to their day-to-day operations.