Security and Compliance for Software as a Service Business Intelligence
What impact does BI have on compliance?
by Dyke Hensen
Software-as-a-Service (SaaS) business intelligence solutions have fueled an evolution from complex collections of spreadsheets, data silos, and static reports to collaborative dashboards and on-demand reports that leverage financial data across business-driven categories. The shift addresses a key 2009 priority for IT executives and security professionals by reducing the reliance on spreadsheets and disconnected data marts and automating processes to shore up compliance efforts.
As on-demand analytics becomes pervasive across large user communities and data sets on both sides of the firewall, the focus on data security is intensifying. Companies impacted by standards such as SOX, GAAP, and IFRS or by mandates such as HIPAA are discovering that next-generation SaaS BI offers compelling capabilities to bolster compliance efforts.
The Weakest Link
The Sarbanes-Oxley Act introduced controls, arguably, to eliminate vulnerabilities that compromise the accuracy of financial reporting processes. When financial reporting is generated from BI implementations, SOX requires organizations to show proof of a process that secures and “locks down” financial data in source systems, data warehouses, and data marts. Unfortunately, many traditional departmental BI solutions rely on unsecured spreadsheets to produce the finalized financial statements, leaving a Titanic-sized hole in the financial reporting process.
Modern SaaS architectures don’t rely on tools such as spreadsheets or word processors in their formal reporting process. This removes the weakest link in the SOX reporting chain by design, but modern SaaS BI systems offer far more than just a secure final link in the financial reporting chain.
Beyond Financial Statements
Although the major emphasis of SOX is financial performance reporting, it is imperative to assure the same level of system control is in place when financial data is used in critical decision-making processes. I recommend focusing on three areas to secure the entire BI process.
Centralize data and audit security, backup, and system controls:
Mature SaaS BI vendors that support thousands of users have had to prove their security and system controls many times over. SOX requirements challenge the effectiveness of these controls as they relate to financial reporting. SaaS companies that have achieved audited end-to-end SAS 70 Type II certification have demonstrated that they have implemented a system of security and controls that support the SOX audit process. Of course, working with a vendor that has a SAS 70 Type II certification does not guarantee a successful SOX audit, but auditors will appreciate the controls in SAS 70 Type II certification on a centralized set of data.
Look beyond data center certification because SOX looks at the entire end-to-end process, not just the physical security of the data center itself. SaaS companies have spent considerable time, effort, and money to secure their services, and you should reap the benefits. However, be aware that if only the data center is SAS 70 certified, you may not meet the requirements for full-service certification.
Data access: Mature SaaS vendors also offer a synchronized identity management and single sign-on capability. This includes the ability to log all access to their system and immediately remove access to the system.
Backup and restore: Established SaaS vendors provide backup, restore, and recovery mechanisms that go beyond what is typically associated with departmental data marts and that also exceed what most end users have at their desktops.
Here are some tips to make audits and compliance easier to manage:
- Tip #1: To ensure adequate controls and safeguards are in place to protect your data in today’s complex regulatory environment, ask if your SaaS vendor has passed a full, end-to-end Type II audit. In addition, I recommend checking with your auditors to see what additional measures may be needed beyond SAS 70 certification of the data center.
- Tip #2: Look for a vendor that allows you to incorporate your existing identity management frameworks. With the evolution to SaaS 2.0, enterprises are adopting multi-tier security frameworks that synchronize and federate identity and access management across the cloud and their existing internal access management frameworks that can be extended to a single sign-on model.
- Tip #3: Look for SaaS vendors that allow you to extend your internal data security beyond simple application access. Robust BI solutions must be able to restrict data access by groups and individuals at the database level. It is critical to secure not only the application itself but also the individual data elements in the application that contain sensitive data. Look for security down to the row and field level in your SaaS BI solution.
- Tip #4: A thorough audit should evaluate all existing data governance measures to mitigate financial risk. An organization that deals with patient or employee data knows there are compliance implications to safeguarding that data. What is not as widely known is that the SOX process will also measure an organization’s risk on a broader level. Employee and patient data is not specifically related to financial reporting, but when left unsecured in a BI system, it may represent a financial risk that could have significant financial ramifications for an organization -- which is a SOX concern.
- Tip #5: The more centralized control, logs, and audit trails your SaaS BI vendor can provide, the fewer SOX compliance steps you need to build and maintain internally. Established SaaS vendors create and maintain detailed system access logs and the best SaaS vendors offer this type of reporting to their customers.
Dyke Hensen has spent over 25 years at the forefront of business intelligence with software providers such as SPSS, Hyperion Solutions, and Arbor Software. He currently serves as CMO at PivotLink, a leading provider of SaaS-based BI solutions. You can contact the author at firstname.lastname@example.org.