1 MicroStrategy Analytics: Delivering Secure Enterprise Analytics
2 Copyright Information All Contents Copyright 2015 MicroStrategy Incorporated. All Rights Reserved. Trademark Information MicroStrategy, MicroStrategy 6, MicroStrategy 7, MicroStrategy 7i, MicroStrategy 7i Evaluation Edition, MicroStrategy 7i Olap Services, MicroStrategy 8, MicroStrategy 9, MicroStrategy Distribution Services, MicroStrategy MultiSource Option, MicroStrategy Command Manager, MicroStrategy Enterprise Manager, MicroStrategy Object Manager, MicroStrategy Reporting Suite, MicroStrategy Power User, MicroStrategy Analyst, MicroStrategy Consumer, MicroStrategy Delivery, MicroStrategy BI Author, MicroStrategy BI Modeler, MicroStrategy Evaluation Edition, MicroStrategy Administrator, MicroStrategy Agent, MicroStrategy Architect, MicroStrategy BI Developer Kit, MicroStrategy Broadcast Server, MicroStrategy Broadcaster, MicroStrategy Broadcaster Server, MicroStrategy Business Intelligence Platform, MicroStrategy Consulting, MicroStrategy CRM Applications, MicroStrategy Customer Analyzer, MicroStrategy Desktop, MicroStrategy Desktop Analyst, MicroStrategy Desktop Designer, MicroStrategy ecrm 7, MicroStrategy Education, MicroStrategy etrainer, MicroStrategy Executive, MicroStrategy Infocenter, MicroStrategy Intelligence Server, MicroStrategy Intelligence Server Universal Edition, MicroStrategy MDX Adapter, MicroStrategy Narrowcast Server, MicroStrategy Objects, MicroStrategy OLAP Provider, MicroStrategy SDK, MicroStrategy Support, MicroStrategy Telecaster, MicroStrategy Transactor, MicroStrategy Web, MicroStrategy Web Business Analyzer, MicroStrategy World, Application Development and Sophisticated Analysis, Best In Business Intelligence, Centralized Application Management, Information Like Water, Intelligence Through Every Phone, Intelligence To Every Decision Maker, Intelligent E-Business, Personalized Intelligence Portal, Query Tone, Rapid Application Development, MicroStrategy Intelligent Cubes, The Foundation For Intelligent E-Business, The Integrated Business Intelligence Platform Built For The Enterprise, The Platform For Intelligent E-Business, The Scalable Business Intelligence Platform Built For The Internet, Office Intelligence, MicroStrategy Office, MicroStrategy Report Services, MicroStrategy Web MMT, MicroStrategy Web Services, Pixel Perfect, Pixel-Perfect, MicroStrategy Mobile, MicroStrategy Integrity Manager and MicroStrategy Data Mining Services are all registered trademarks or trademarks of MicroStrategy Incorporated. All other company and product names may be trademarks of the respective companies with which they are associated. Specifications subject to change without notice. MicroStrategy is not responsible for errors or omissions. MicroStrategy makes no warranties or commitments concerning the availability of future products or versions that may be planned or under development. Patent Information This product is patented. One or more of the following patents may apply to the product sold herein: U.S. Patent Nos. 6,154,766, 6,173,310, 6,260,050, 6,263,051, 6,269,393, 6,279,033, 6,567,796, 6,587,547, 6,606,596, 6,658,093, 6,658,432, 6,662,195, 6,671,715, 6,691,100, 6,694,316, 6,697,808, 6,704,723, 6,741,980, 6,765,997, 6,768,788, 6,772,137, 6,788,768, 6,798,867, 6,801,910, 6,820,073, 6,829,334, 6,836,537, 6,850,603, 6,859,798, 6,873,693, 6,885,734, 6,940,953, 6,964,012, 6,977,992, 6,996,568, 6,996,569, 7,003,512, 7,010,518, 7,016,480, 7,020,251, 7,039,165, 7,082,422, 7,113,993, 7,127,403, 7,174,349, 7,181,417, 7,194,457, 7,197,461, 7,228,303, 7,260,577, 7,266,181, 7,272,212, 7,302,639, 7,324,942, 7,330,847, 7,340,040, 7,356,758, 7,356,840, 7,415,438, 7,428,302, 7,430,562, 7,440,898, 7,486,780, 7,509,671, 7,516,181, 7,559,048, 7,574,376, 7,617,201, 7,725,811, 7,801,967, 7,836,178, 7,861,161, 7,861,253, 7,881,443, 7,925,616, 7,945,584, 7,970,782, 8,005,870, 8,051,168, 8,051,369, 8,094,788, 8,130,918 and 8,296,287. Other patent applications are pending.
3 Introduction An organization s most precious asset is information. The past, present, and future of a company is captured and stored in its data, holding both lessons learned and the path forward. Information has truly become the fuel that drives business, and ensuring its accuracy and integrity must be a top priority for all organizations. Yet many organizations try to protect their systems with antiquated, 20th century technology. As the rate of cyber-attacks continues to rise, reaching one every 18 seconds, companies are losing time, money, and peace of mind. Cybercrime costs up to $114B per year globally, and no organization is immune. In fact, an estimated 21% of companies are affected by information theft, and 60% of US companies are affected by fraud at least once per year. Information security is a vital concern that every major corporation must take seriously and seek to fully understand. In an effort to capitalize on ballooning amounts of data, organizations are placing it in the hands of more users through more channels than ever before. While this enables data-driven decision making and provides better insight into enterprise activity, it also can make sensitive data more vulnerable. Given recent data breaches across multiple organizations, it s clear that reports, dashboards, and applications containing sensitive information need to be proactively and adequately safeguarded. And with the proliferation of mobile devices in the enterprise, it is critical to ensure the security of these applications, as an unlocked tablet or laptop can expose vital sales pipeline reports or financial statements. In the space of business intelligence (BI) and analytics, the term security is applied broadly to characterize many different features, functions, and practices. This paper will address critical capabilities needed to secure BI and analytics applications and how these are addressed by the MicroStrategy Analytics Platform. It will also describe the need for security via digital authentication and verification, and how MicroStrategy Usher delivers these benefits. The integration of the MicroStrategy Analytics Platform with MicroStrategy Usher, a sophisticated enterprise security platform, offers a real solution to information security threats by adding a layer of identity management to the robust security capabilities already present in MicroStrategy. MicroStrategy Usher replaces traditional physical badges, tokens, and passwords with secure mobile badges. These digital identity badges are stored on a smartphone and allow users to securely access sensitive corporate information and systems at the touch of a button while preventing security breaches commonly associated with password theft. MicroStrategy Analytics Platform Security Designed to ensure the security of valuable enterprise information, MicroStrategy builds on its already-robust security model by adding a layer of identity management. Uniquely positioned at the nexus of analytics, security, and mobility, it addresses a wide variety of security concerns and vulnerabilities that exist in many existing enterprise systems, such as weak authentication capabilities and static access restrictions. MicroStrategy is a comprehensive platform that combines the power of the MicroStrategy Analytics Platform with the security and convenience of MicroStrategy Usher. Figure 1: An Usher Mobile identity badge The MicroStrategy Analytics Platform security model enables the creation of users and groups, giving administrators granular control over the data they can see, the objects they can use, and more. Like most security architectures, the MicroStrategy security model is built around the concept of the user, requiring unique user credentials to access, analyze, and manipulate information. Once logged in, users can perform tasks such as creating objects or executing reports and microstrategy.com 3
4 documents, and can take advantage of all the features they have permission to access. All users created in the MicroStrategy environment are assigned a customizable set of privileges, determining the ability to access and work with various features present in the software. These are they key security features in the MicroStrategy Analytics Platform: Privileges and Permissions. Administrators need to have the ability to specify object-level permissions and privileges. Privileges define the degree of control users have over individual objects in the system, ranging from read-only to full editing control. In the case of a business report containing five columns, Region, City, Revenue, Profit, Cost, a regional analyst may have permission to view only the overview data presented at Region and Revenue level, while the national director can view and modify all five fields in the report, on the basis of their individual permissions. While privileges are assigned to users, permissions are assigned to objects. More precisely, each object has an Access Control List (ACL) that specifies the permissions for different sets of users in relation to that object. This allows organizations to create a single dashboard or report that will present a different view of the data depending on the permissions assigned to the group to which the user accessing it belongs. This is also reflected in capabilities such as drilling across pre-determined paths, sharing content, accessing a data source, and modifying a report. Data View Restrictions. Security filters enable control over the specific subset of rows within a column (such as United States within Country) that users are able to view whenever that column is used. A security filter can be assigned to a user or group, narrowing down the set of results displayed when they execute reports or browse the available objects. The security filter applies to all reports and dashboards, including when filtering on specific attributes. For example, two national brand managers of an international corporation can have different security filters assigned to them: one has a security filter that only shows the data regarding France when the Country column is displayed, while the other only sees data for Germany. If these two national managers run the same report, they will see the same analysis, but display different results based on the subset of Country data to which they have access. Key Benefits of Privileges, Permissions, and Data Views in MicroStrategy: Reusability. All the privileges and permissions created for a user or an ACL are reusable across the analytics environment, significantly cutting down the setup time for each dashboard, document, or report that is developed. Global Application. The security permissions and privileges are global in the MicroStrategy environment, regardless of the access point. This means that any time an administrator makes a change to the permissions and privileges, that change will be immediately reflected in every dashboard, document, or report where those permissions have previously been applied. Database Security. Databases have their own security architectures that provide authentication, access control, and auditing. Users may choose to use these native features to manage access to data, use mechanisms in the MicroStrategy application to manage access to data, or a combination of the two. In addition to the security features that different database management systems offer, MicroStrategy is designed to work with general database security techniques, such as security views and splitting fact tables by rows and columns. Key Benefits of Database Security in MicroStrategy: Reducing Redundancy. The optimization of settings in the database allows administrators to reduce redundancies in how users view data. Restricting access to certain tables or columns in the database means users won t ever have them as an available option, thus preventing the need to create other permissions and privileges in the analytics environment at a later stage. Seamless Integration. MicroStrategy enables administrators to successfully implement general database security techniques, without having to learn and implement a whole new array of methods. Mobile Security. Advancing mobile technology has made mobile device security a vital concern for every organization. Today, companies leverage mobile apps to distribute relevant, critical data to their workforce, partners, and customers. In order to provide an industry-leading, secure mobile app platform, an additional set of capabilities are necessary, including: microstrategy.com 4
5 The encryption of data in transit and at rest. Remote access revocation. Support for certificate server, single sign-on, and credential management. User-level security controls across data and objects. MicroStrategy has invested heavily in developing those features, also extending to native applications and device capabilities including MicroStrategy-designed app-level protection code for Android, Touch ID integration for ios, and several layers of authentication control, providing enterprises with a flexible security architecture strong enough to protect even the most confidential business information. Authentication security User authentication is the gateway to your information and, as such, is often targeted by security threats. As cybersecurity threats become more advanced, traditional authentication tools like usernames and passwords have become increasingly vulnerable. Recently, many of the most publicized data breaches at leading organizations involved the theft of large quantities of user identities, which effectively compromised the integrity of valuable information systems. Key Benefits of Mobile Security in MicroStrategy: Security Continuity. The seamless development of MicroStrategy Analytics and MicroStrategy Mobile means that all the security settings enabled for web access in the analytics environment will also be reflected when users access content on their mobile devices. Device Capabilities. Native device features allow organizations to further enhance the security of their mobile analytics. For example, Touch ID functionality on ios devices allows for biometric-grade access to documents and reports. For more information on MicroStrategy Mobile security, please read the dedicated white paper: MicroStrategy Usher - authentication and access restrictions By integrating tightly with MicroStrategy Usher, the MicroStrategy Analytics Platform introduces a new set of enterprise security features to further protect information and data. Built to address the wide range of vulnerabilities and challenges that have developed in the cybersecurity space, Usher offers features aimed at optimizing the security of user authentication, access restrictions, and information transfer. The user authentication capabilities introduced include: password-free user validation, multi-factor authentication, and Touch ID access. Additionally, MicroStrategy Usher enables administrators to create geographic and time-based restrictions to user access, as well as robust AES-128 GCM Encryption. Usernames and passwords are an antiquated way of securing information in today s rapidly evolving age of information and technology. In an effort to strike a balance between security and user convenience, many organizations only require their employees to change passwords at monthly or quarterly intervals, leaving these credentials as a standing target for long periods of time. Static usernames and passwords represent security vulnerabilities for a number of other reasons too, including users tendency to write down their credentials or share them via . Implementing Usher authentication in a MicroStrategy Analytics environment allows enterprises to remove or reduce the use of static usernames and passwords. MicroStrategy Usher allows administrators to manage user credentials seamlessly across enterprise systems, while eliminating the static element of traditional authentication. A user s identity is stored in their mobile Usher badge, protecting it from the exchange of keys normally experienced in login methods that require users to type out credentials. An alternative factor of authentication, or identity verification method, is used to either substitute or complement the use of usernames and passwords, adding layers of security to information access. microstrategy.com 5
6 The following authentication factors are supported by MicroStrategy: Primary Factor of authentication - QR Code. The primary factor of authentication utilized with the Usher integration is the QR, or Quick Response, code. This type of barcode is a machine-readable optical label, which contains encoded information that can be easily scanned with a mobile device. When attempting to gain access to the MicroStrategy Analytics environment through a web browser, users are presented with a dynamically generated QR code that, when scanned by the Usher Mobile app, will verify a user s identity. The digital Usher badge is used to authenticate access permissions on the Usher Server and will either grant access to the system or deny it. The QR codes are set to expire at 60-second intervals and are subsequently replaced by new ones, protecting the access point from cyber threats. Secondary Factor of Authentication - Dynamic Code. An additional factor of authentication, dynamic codes, can be implemented with MicroStrategy Usher. In order to authenticate their identity, users are prompted to enter a code. These Usher Codes are time-bound, valid only for a preset, configurable time period, with a default setting of 30 seconds, providing unique credentials for any point in time that are associated individually with that badge. After the preset time period expires, each code is refreshed and replaced with a newly generated code. The previous code is rendered invalid and can no longer be used. All Usher Codes are linked to a specific device, enabling the Usher Server to precisely identify the device being used. This architectural design ensures that the security risk associated with stolen Usher Codes is minimal, preventing replay attacks. Biometric Authentication. Biometric capabilities built into Usher Mobile App ensure that only the true owner can use a mobile badge. Various biometric factors are used for identity verification, while sophisticated algorithms are integrated into the security architecture to precisely detect fraudulent techniques, ensuring that mobile identity is always secure. The different authentication factors can be combined to create a multi-factor authentication process for your MicroStrategy Analytics environment. This allows for more checkpoints or verification systems, increasing the overall security and integrity of the MicroStrategy Analytics environment and all the information assets it contains. Mobile Authentication. The benefits of the enhanced user authentication features introduced in the MicroStrategy Analytics Platform via the MicroStrategy Usher integration are also reflected in MicroStrategy Mobile. The authentication methods in mobile access differ slightly from web access of the analytics environment. For example, instead of scanning a QR code, mobile authentication is achieved with the app-switching capability. When a user is presented with an Usher QR code on their mobile device, the smartphone will automatically switch to and then back from the microstrategy.com 6
7 am pm Figure 2: Geographic and time-based access restrictions using Usher with MicroStrategy Analytics Usher app that holds the digital badge once the user identity is verified. Touch ID can also be deployed at the application level and document level with MicroStrategy Mobile. Users are able to authenticate their identity using their verified and stored fingerprint. For example, confidential reports on an executive s MicroStrategy application could be secured by requiring Touch ID verification. Access restrictions Authentication activities that fall outside of predefined and observed patterns can be a sign of occurring or impending fraudulent access to your MicroStrategy environment. Integration with MicroStrategy Usher allows organizations to increase the security of their assets by adding access restrictions that prevent activity outside of expected usage patterns. Access restrictions can be geographic or time-based, only granting access to authorized users attempting to verify their identity if it falls within the accepted time or geographic range. Geo-fencing and time-fencing. Using the MicroStrategy Usher integration, organizations are able to geo-fence assets in the MicroStrategy Analytics Platform, effectively creating a virtual access boundary around a defined real-world geographic area. By setting geographic parameters defining locations in which an asset can be accessed, anomalies and other abnormal authentication requests can be identified and blocked. For example, sensitive sales reports may only be available to senior management while working at headquarters and should not be made available to them on the road. Using the geo-fencing capabilities allows for the creation of a virtual perimeter, set as a radius around the headquarters GPS location, thus limiting access to users that have the correct permissions and are requesting access from within that area. In addition to setting a geographic limit to user access for assets and systems, time-based restrictions are also supported. Much like creating a geographic radius around a specific GPS point, administrators can add a specific time frame for authorized access. For example, a given report might be confidential in nature and should only need to be accessed during official work hours. Timefencing allows the addition of a 9am to 6pm restriction for that specific report, automatically denying any attempts to access it after work hours. The two restriction types, geographic and time-based, can also be combined to limit access to both specific times and locations, establishing an additional security condition that has to be met to gain authorized access. microstrategy.com 7
8 For more information on the security capabilities of the MicroStrategy Usher platform, read the Usher security white paper: microstrategy.com/us/go/usher-security-white-paper. More information on the cybercrime statistics provided in this paper can be found here: More information on the cybercrime statistics provided in this paper can be found here: Frequency of Cyber Attacks: nh.gov/doit/cybersecurity/resources/documents/nl1210-stayingsafe-online.pdf Cost of Global Cybercrime: symantec.com/about/news/release/article.jsp?prid= _02 Percentage of US companies affected by information theft: krolladvisory.com/library/ _global_fraud_report_ Executive_Summary_FINAL.pdf Percentage of US companies hit by at least one fraud a year: krolladvisory.com/library/ _global_fraud_report_ Executive_Summary_FINAL.pdf 1850 Towers Crescent Plaza Tysons Corner, VA Copyright All Rights Reserved. microstrategy.com COLL