Information Protection in Power BI
This article was originally published on LinkedIn Pulse by our Data and AI Practice Lead, Tarun Agarwal.
How should organizations protect sensitive business data? BI tools have always been an area of concern for security teams and the CISO. They worry about whether any confidential or PII/PHI information is being shown in reports. Another area of concern is how to protect the data outside the BI environment. I have spent countless hours working with security teams before getting approval for a BI implementation. There is always a risk of data leakage from the organization.
Data is always protected when used in Power BI. We can govern who has access to a report or BI application, and apply row-level security to control who can see what data. However, when data leaves Power BI, for example when it is exported to Excel, how can we protect it? Unfortunately, there is no easy way to protect the data once it is outside the boundaries of the BI environment. This is true for all BI products on the market today.
Organizations try to address this differently. Some try to address data security by disabling export. Some address the concern by restricting export to limited data. Some organizations define data guidelines and expect everyone to follow them. Some also accept the risk that the data could be exposed. None of these is a great option when we are trying to empower users and cultivate a data culture.
Microsoft has been thinking about this issue and trying to solve it. Power BI has recently implemented a solution to address this challenge. Microsoft has implemented the Microsoft Information Protection (MIP) framework, which is available in Office 365 and other products. MIP allows us to tag Power BI data using sensitivity labels that are carried with the data everywhere it goes.
It means Power BI reports or dashboards can now be marked with various MIP labels that are already defined in the organization (general, public, confidential, highly confidential, encrypted, internal, etc.)
MIP labels are persistent:
- Whenever the data leaves Power BI, for example when it is exported to Excel, PowerPoint or PDF, the data inherits the MIP labels.
- If a report is marked as highly confidential, the exported data in the Excel file will also be marked as highly confidential.
- If the MIP label is encrypted, the Excel file will be encrypted too. This means that even when the Excel file reaches someone who should not have access, they cannot open it.
- If the file accidentally gets emailed outside the organization, it cannot be opened.
- If the file is saved on a USB drive, it is still protected.
- Once an employee is terminated and their AD credentials are disabled, the employee cannot open the file even if they have the file with them.
- The MIP labels are also applied to the Power BI reports on mobile devices.
This is a powerful feature that is introduced in Power BI. I am not aware of any other tool that has solved this issue.
Microsoft has also integrated Power BI with Cloud App Security. Power BI data policies can now be set based on the type of device. On a managed device, users can be allowed to export highly confidential data. When they access Power BI from an unmanaged device, such as a home computer or a public computer, the export can be blocked.
Power BI has also introduced some features that empower administrators to better govern the environment. Admins have visibility into all certified data, all protected data, and user activities on data with sensitivity labels. Admins can also receive alerts regarding suspicious activities on data with sensitivity labels.
This new addition allows data protection to travel with the data even after it leaves Power BI. For security and data protection, it is a step in the right direction, and it differentiates Power BI from the competition. In the future, if the feature can be extended and integrated with Azure Data Catalog and source systems, the labels can be set once at the system of record and then inherited and carried to all downstream systems and applications.