IEBISec: Immersion Event on Securing Your BI Platform

In 2016, 4.2 billion accounts were exposed in data breaches. This number represents a four-fold increase over the previous record high established in 2013. Most data breaches result from inadequate data security. Have you considered how well your BI development practices protect your data? That job is not limited to the DBA. Everyone who works with data needs to understand the risks and take the appropriate steps to ensure your organization’s data is adequately protected at all times.

The Microsoft BI stack contains multiple tools which each have different security configuration options and inter-dependencies. In this 2-day Level 300 training class, you see specifically how data can be compromised in this stack, learn where the potential risks of a data breach are lurking in your BI solutions, and leave with specific steps you can take to mitigate those risks.

This class starts with an overview of security principles. As the class progresses, we explore the anatomy of an attack on your data component by component. We review the security architecture of each component in the BI stack and highlight vulnerabilities in the architecture that must be addressed to properly secure your BI environment. Furthermore, we explore security by using a multi-tier, multi-layered approach, leaving no stone unturned.

By the end of this class, you’ll understand the relationship across the security settings not only in the BI tools, but also the back-end databases and the Windows operating system. As we examine potential security issues, we show you how to build a security action plan for Integration Services, Analysis Services, and Reporting Services. Is Azure in your environment? We also cover important aspects of cloud security for a BI solution. Come learn how to preserve and protect your data effectively from the inside out.

Target audience:

  • DBAs who need to understand and mitigate the security risks of the BI components in the data platform
  • BI architects and developers who need to confidently design and build secure BI solutions

Instructor: Stacia Varga

Need Help Justifying Training? Here’s a letter to your boss explaining why SQLskills training is worthwhile and a list of community blog posts about our classes.

Ready to register? Please see our Immersion Events Schedule for class dates and our comprehensive Immersion Events F.A.Q. for class costs and other frequently asked questions.


Curriculum

Module 1: Introducing Security Principles

We start this class with an introduction to data security principles and threat modeling. Topics covered include:

  • Types of threats to consider
  • Terminology
  • Anatomy of an attack
  • Security principles and objectives
  • STRIDE threat modeling
  • Common causes of vulnerabilities

Module 2: Reviewing Integration Services Security

Integration Services (SSIS) allows you to read, write, and transform data. Access to packages potentially provides access to data, and that is not the only risk: even if data permissions prevent a malicious user from accessing data directly, the ability to view package design can provide very useful information about your technical infrastructure that can be used in an attack. In this module, we examine Integration Services from all angles to discover all the different ways that packages can be compromised and steps you can take to protect your packages. Topics covered include:

  • Integration Services architecture review
  • Server-side versus client-side considerations
  • STRIDE modeling for SSIS
  • Package protection
  • Package versus project mode considerations: deployment, execution, security
  • Digital signatures
  • Data taps and logging
  • SQL Server Agent security for package execution

Module 3: Reviewing Analysis Services Security

Although Analysis Services (SSAS) is primarily a read-only platform for end users, there are some potential risks to understand. In this module, we explore the specific vulnerabilities that should be addressed by your security plan. Topics covered include:

  • Analysis Services architecture review for multidimensional and tabular models
  • Client-side development architecture
  • STRIDE modeling for SSAS
  • Model development considerations
  • User and administrator security
  • Writeback
  • Service account configuration

Module 4: Reviewing Reporting Services Security

Reporting Services (SSRS) is another platform that is predominantly read-only, yet there are vulnerabilities that can be exploited unless you take action. In this module, we review these vulnerabilities and discuss how to address them. Topics covered include:

  • Reporting Services architecture review
  • Client-side development architecture
  • STRIDE modeling for SSRS
  • Report design standards to protect data
  • Deployment considerations
  • Item-level security on the report server
  • Linked reports
  • System roles
  • Encryption keys
  • Surface area reduction options

Module 5: Azure BI Security

Azure services are highly secure, but you still need to limit your exposure to security problems by understanding where the risks lie. In this module, we review the key points about Azure services commonly used in BI and the security steps to take. Topics covered include:

  • Hybrid cloud architecture
  • STRIDE modeling
  • Azure BI security best practices

Module 6: Building a Security Action Plan

Now that we have reviewed the key components and vulnerabilities in your BI architecture, we’ll take a multi-tiered approach to building out an action plan that you can personalize and use to safeguard your environment. We’ll review components affected, the top threats to those components, and specific steps to protect these components from attack. Topics covered include:

  • General security best practices
  • Network
  • Server and client computers
  • Web servers, if applicable
  • Database servers
  • Applications: SSIS, SSAS, SSRS


Questions?

If you have any questions not answered by our F.A.Q., please contact us.