Power BI has evolved into an indispensable tool for accelerating decision-making and gaining enterprise-wide visibility on a single platform. The downside is that as more individuals gain access to data, some of it highly sensitive for an enterprise, the risk of exposing that data to unauthorized users grows.
Consider an HR manager who wants to share the list of all the recruits for a quarter by publishing a report on the Power BI dashboard. In keeping with organizational protocols, the manager does not want to share the salary details of the recruits with HR executives. It is extremely time-consuming and cumbersome to separate the row of the salary details from the list and share it individually across the HR department hierarchies. The Power BI security stack allows the HR manager to enable access for specific users for specific rows. An HR executive can view the contact details of recruits but will not have access to their salary details, while the HR director can have a comprehensive view of all the recruit details.
With an increase in data leakages and stringency in data-related regulations, Microsoft has added more layers of security and access control to reports and dashboards on Power BI. One such layer is to allow IT administrators to enable/disable publish access of content to websites.
Did you know that the initial version of the Power BI data visualization tool enabled publishing of data visualizations to website contents without much control of the IT administrators on the publish access?
As organizations embrace cloud-enabled operations, they will have to contend with two burning questions:
- Is my data secure in the cloud?
- How do I prevent my data from being leaked?
These questions bear more relevance for the Power BI platform as it handles extremely sensitive data of an organization. To respond to this concern, Microsoft deployed over 3500 engineers and tools to build a robust security stack to make the tool ready to counter any data security threat.
How Does the Power BI Security Safeguard Data?
- Microsoft Information Protection sensitivity labels classify sensitive Power BI data and label it accordingly.
According to the session policy, the “protect” capability works only on data that is not labelled. An existing label cannot be overridden in the Power BI tool.
- Governance policies ensure end-to-end data protection even after the content is exported from the tool to PowerPoint, PDF, Excel, and other export formats.
- Users' handling of sensitive data is constantly tracked and protected by Cloud App Security, which issues real-time alerts, monitors user sessions, and conducts risk remediation.
- Microsoft Cloud App Security boosts the organizational oversight of IT administrators by providing augmented security investigation capabilities and creating data protection reports.
Did you know that the Cloud app security is functional only on PowerPoint, Excel, and PDF files?
For an in-depth understanding of the Power BI security framework, let's look at the tool architecture.
Power BI Tool Architecture
The Power BI tool architecture is composed of two clusters: the Web Front End (WFE) and the Back-End cluster. The Power BI tool uses Azure Active Directory (AAD) to manage and store user credentials in Azure Blob. Data and metadata are stored and managed in Azure SQL Database.
Web front-end cluster – The WFE cluster serves the initial HTML page contents when the site loads in users’ browsers, supporting the Power BI tool’s initial connection and authentication process. Azure Active Directory (Azure AD) is used to verify the user authentication and allow the subsequent user access to the Power BI back-end service. The Azure Traffic Manager does this user authentication, which communicates with the client’s DNS service as soon as a user attempts to connect to the Power BI service.
Back-end clusters are made of several virtual machines that are combined into multiple resizable-scale sets. These sets are built to execute specific tasks and manage resources, including service buses, SQL databases, caches, and other critical cloud components. All the back-end clusters are used to host tenant data and are individually referred to as the tenant’s home cluster. Global Service provides the information of an authenticated user’s home cluster, which is used by the WFE cluster to send requests to the tenant’s home cluster. The tenant data and metadata are stored within-cluster limits, which does not include data replication to another back-end cluster in a paired Azure region. The other back-end cluster works as a failsafe cluster to brace for a regional outage.
Power BI Mobile Architecture
It is a collection of apps that were built primarily for Windows, Android, and iOS. The Power BI mobile apps can be broadly classified into two categories:
All the Power BI Mobile applications use the same connection and authentication sequences of users while communicating with the Power BI service. The Power BI mobile applications for Android and iOS create a browser session within the application itself, while the application meant for Windows mediates via a broker to communicate with Power BI.
The application and device data – Telemetry gathers mobile app usage statistics and other similar data apart from customer data. The data is then conveyed to services to monitor user activities with sensitive data. The Power BI mobile application stores data on the device pertaining to the usage of the app:
- Azure AD and refresh tokens backed by standard security measures are stored in a safety mechanism on the device.
- Data and settings are cached while being stored on the device and are encrypted by the OS. This action is automatically done in iOS as soon as a user sets a passcode, while in Android, the action is configured in the settings. In Windows, this action is performed using BitLocker.
- For iOS and Android-enabled apps, the data and settings are cached in the device storage in a sandbox and internal storage that is accessible only to the app. For Windows-enabled apps, the data and settings can be accessed only by the user and admin.
- Users can enable or disable the geolocation feature at their own will. Upon enabling the geolocation, data will not be saved on the device, and neither will it be shared with Microsoft.
- Users have the liberty to enable or disable notifications. Upon enabling, iOS or Android-enabled devices will not support geographic data residency needs for notifications.
What are the Steps Taken to Ensure a Robust Power BI Security?
Implementation of the Azure AD Conditional Access feature – Clients can activate a premium subscription to leverage Azure AD Conditional Access. This feature boosts security by setting the following measures:
- The device must be domain-joined.
- Access is only enabled from trusted locations.
- Access is not allowed from certain Operating Systems.
- Requirement for a multi-factor authentication (MFA).
- Access is not allowed for individual clients through desktops or mobiles.
Power BI data security for workspaces and app creation – After exporting data from Power BI Desktop in the form of workbooks, reports, data dashboards, dataflows, and datasets, clients can add user groups for security, Office 365 groups, and individuals as admins, contributors, and viewers. These members are then allocated roles that control their actions with the exported data. This option can be rolled into a single package designed as an app and circulated or published across the entire organization or across specific groups of people. However, this package can include only workbooks, reports, and dashboards, and clients can make use of the “included in-app” option to publish specific datasets among the exported data. Clients can use the “build permission” option through Power BI permission levels to allow users secure access to the app’s datasets. Users can spot these datasets when they search for shared datasets. The procedure of creating apps is initiated within workspaces by collaborating on the Power BI content and then displaying the finished app across the organization. These apps are known to simplify the process of managing permissions.
Implement Row-level security in Power BI
The back-end cluster of the Power BI tool uses row-level security (RLS) as a security technique to avert any unwanted access to data. This security technique allows restriction on an individual level and enables controlling what a user can view and access while working with Power BI reports, datasets, dashboards, and others.
Did you know that the dynamic RLS enables you to exclude a particular data value in some scenarios and then include the same in other scenarios as per your needs?
RLS is activated by following the steps stated below:
- Setting up user-specific roles in Power BI.
- Including a Data Analysis Expression (DAX) to filter out data for all the roles created in the step above.
- Validating all the roles in the Power BI Desktop to ensure their functionality.
- Testing and validation of all the roles in Power BI Service.
Tracking tenant activity – It is critical to have all-around visibility on the actions and on the components accessed by a Power BI access control user to fulfill the requirement to adhere to regulatory compliance and manage records. This process of tracking is enabled by Power BI features termed as the Power BI activity log and the unified Office 365 audit log. Both of these Power BI logs maintain a complete record of the tenant activity data that can be viewed to gain complete visibility on the tenant’s activity with data. Since the lifecycle of data in the audit logs is not more than 90 days, it is advised that clients create a report from the audit logs and store it via Azure Blob Storage.
Importing data – After a data import in Power BI Desktop, the Power BI tool establishes a connection with the data source using either the current user’s authentication credentials from the desktop or the credentials identified when scheduled refresh was configured in the Power BI service. Restraint and utmost care are advised while publishing and distributing such reports. Clients should set row-level security as part of the datasets. Users should not be able to view or access anything beyond the shared data.
Exporting data – Authors can classify reports and use Microsoft Information Protection sensitivity labels to distinguish reports based on their sensitivity. If the sensitivity labeling is done with protection settings, the Power BI tool will apply these settings when data is exported from Power BI to Excel, PowerPoint, and PDF file formats. The data files with activated protection settings can be opened only by authorized users. IT administrators can use the Microsoft Cloud App Security feature to track user activity and access data files. They can perform risk analysis in real-time and establish label-specific controls.
Data Sources – DirectQuery is an ideal option to set any level of security to data as it queries all the underlying data sources. Power BI does not use different credentials between importing and exporting of data to connect to the underlying data source after a DirectQuery report is published to the Power BI service. Therefore, it is essential to configure all the credentials of the users immediately following the publishing of a DirectQuery report. The credentials, once provided, can be used by any user who wants to open the report, much like importing data. Any user accessing the report will get to see the same data unless row-level security is implemented on a report or a part of it. Sharing of the report demands the same amount of attention if there are security rules defining the underlying data source. It is to be noted that DirectQuery will be of no benefit in terms of the security of the data source until the Power BI tool allows the identity of the report consumer to cross through to the underlying data source.
Example of Role Usage in Power BI Row-level security
Sample customer profiles from a specific nation can be used to demonstrate the working of the said security mechanism. Most reports display comprehensive data about all customers. Assume the intrinsic level of detail of the data in the report is for management eyes only. The accessibility factor to relevant stakeholders is an essential point of security wherein the full range of information might not be meant for guardians. Statistics related to finite activity spaces could be useful for guardians. Protecting critical information from prying eyes is extremely important.
To ensure the pertinent limit of data display for users responsible for specific regions, the roles need to be configured for access of individual data sets through Power BI. Not every row will be displayed, and the said filters will restrict the data after authentication for the particular role only. Rules can be drafted for multiple objects at the same point in time to limit access to critical data by category attributes through tables and even hide information.
Assign diverse expressions to filter tables for specific roles that include the guardian to be able to view reports for a specific province. To assign users to common groups, you can publish the given set to the Power BI workspace by enabling the relevant row management security section. Test the correct security operation by logging in to the selected role. The reports will be available for display without the need to change rights for the same account. Test settings locally before deployment through the Power BI.
Users assigned to row-level security roles cannot manage the configuration or edit content in the workspace, and restrictions of selected data sets will be changed too.
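The DAX step of the RLS procedure and the province scenario above, written out as a dynamic filter. This is an added example, not code from the original article; the role name ProvinceViewer and the tables and columns (Customers, UserProvince, UserEmail, Province) are assumptions.

```dax
// Added example; role, table and column names are assumptions.
// Assumed model:
//   Customers(CustomerID, Name, Province, ...)
//   UserProvince(UserEmail, Province)   one row per user/province pair

// --- Role "ProvinceViewer": table filter on Customers ---
// Keeps a customer row only if its province is mapped to the signed-in user.
// IN over a one-column table handles users mapped to several provinces;
// a user with no mapping row gets an empty set and therefore sees no rows.
Customers[Province]
    IN SELECTCOLUMNS (
        FILTER (
            UserProvince,
            UserProvince[UserEmail] = USERPRINCIPALNAME ()
        ),
        "Province", UserProvince[Province]
    )

// --- Role "ProvinceViewer": table filter on UserProvince ---
// Stops a viewer from reading other users' assignments in the mapping table.
UserProvince[UserEmail] = USERPRINCIPALNAME ()

// --- Validation query (run while viewing as the role) ---
// Every province returned must be one that is mapped to the test user.
EVALUATE
SUMMARIZECOLUMNS (
    Customers[Province],
    "Customer rows", COUNTROWS ( Customers )
)
```

The two filter expressions go into the role definition for their respective tables; the query is only for checking the result while impersonating a test user with the role applied.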
The Crux of the Above Information
It is extremely critical to keep business data confidential, particularly in view of the rising instances of high-level data breaches. For Power BI security, users can take advantage of multiple security options such as dynamic row-level security. This security detail can help users secure a whole data file and also gives them the choice to obfuscate a part of the file. The roles assigned to users can be fine-tuned at a granular level to control the access and activity of team members on the information. It should be noted that to enable this security structure, it is essential to properly activate all the features in the desktop as well as the cloud-based components of the Power BI tool.
Who are We and Why are We Considered as an Industry Authority?
Flatworld EDGE is a frontrunner in the IT solutions arena and has extensive expertise in software testing services, providing infrastructure management solutions, business intelligence solutions, and designing custom software. We leverage data analytics capabilities in our solutions to bring transformational business changes for our clients. Our Power BI solutions have aided our clients in bringing efficiency and acceleration in their day-to-day operations.