To get value from data, people have to access and use them. In some cases, this means you need to share specific data with a group of external stakeholders. But how do you do this without compromising data security, while providing a great user experience? We found Microsoft Embedded BI to be an effective and secure way to share management information with the Board of Directors.With a state-of-the-art cloud data platform in place and data distribution and access taken care of by Microsoft Power BI dashboards, your internal users’ data needs are all catered for. But how about external users, that are not in the corporate security ring? Take the Board of Directors, for example. They are external to your organization, but they do have a need for daily corporate performance data. This data is highly competition-sensitive and should under no circumstances fall in the wrong hands.
When we were confronted with this challenge by a client, we set three core objectives:
- Build a web app that can be accessed by users that do not have an organization email address;
- Secure this app, so that it can only be accessed by specific, authorized users;
- Find a solution that does not require the end-user to own a Power BI license.
Power BI Embedded, a Microsoft Azure service, provides a functionality called ‘app owns data’. Using this, we gave an Azure app access right to the data the users needed and then embedded that Azure app in a web page using Azure App Service. Because the app owns the rights, the external users don’t have to.
There are many ways to secure a web app and Azure App Services offers 5 choices out of the box. We opted for the Microsoft Identity Platform, based on Azure AD, because this allowed us to tightly integrate web app security with the existing cloud security and use Azure Key Vault to further improve security. Combining these powerful components, we built a proof of concept that presented a prebuild Power BI dashboard in a React web app with a .NET back-end.
waking up to reality
Yet, this necessity is not always felt by IT departments. Quite often, I talk to IT managers who are shocked to see how much of their infrastructure is visible to outsiders and therefore vulnerable to attack. They also tend to assume that their web properties are protected because their cloud providers have an impressive list of security certifications. While these are not without value, they do not keep malicious traffic off your websites. That will take a lot more effort. Waking up to this new reality, we need to start looking for solutions. One of the most important solutions is using a cloud-native Web Application Firewall.
your solution is probably different
But this is not a be-all, end-all solution. There are many challenges of this type in all larger organizations. And there are also many ways of securely sharing information. Which technology and architecture you choose, depends on the type of data, the type of user and the business objective you are trying to achieve. The simplest way would be to build a single Power BI dashboard, give all stakeholders access and let them figure out for themselves which data is relevant to them. At the other end of the spectrum, it is completely possible to build a web-based self-service environment that allows any user, internal or external, to build their own dashboard. The ideal solution is probably somewhere in between and depends on your requirements and the number of users you need to serve.
user experience as a security factor
You cannot, without proper onboarding and some training, give an inexperienced, non-tech-savvy user a Power BI dashboard and expect them to know what to do. In this project, we wanted to present data in an easy-to-use format and in an environment that all users know how to use: the web browser. The lesson here is that user experience should always be a huge factor in the choice of architecture and, consequently, in the way data security is implemented.
build your platform first
This project was only possible because the client already has a good central data platform. In most organizations, data is in different systems and in different formats. To make the data usable and accessible, we automated data retrieval and transformation with Robotic Process Automation (RPA). This resulted in high-quality data that is refreshed every 24 hours. All connections, operations and transfers on the data platform are secured by Azure’s built-in point-to-point encryption.
security starts with selection
Another important aspect to cloud data security is data selection. Before you start building anything, you need to know which user should see which data. IoT sensor data, for example, can be made available at many different levels. As an equipment vendor, you will be able to see every individual piece of data from every one of your machines. A client, however, should only be able to access data on the machines that they use or own. For benchmarking purposes, they could be allowed to see anonymous aggregate data from other clients in their vertical or region.
Data selection, like dashboard implementation, can be implemented in many different ways. Of course, you could just show everyone the same dashboard, but restrict data access. This is a secure solution but may show some users empty graphs, hurting the user experience. A web app like the one we described above is a much more user-friendly solution but has to be custom-built for the specific data set shown.
not every external user is external
An ‘external user’ can mean many different things in many different contexts. From a BI perspective, front-line workers without Power BI accounts are also ‘external’ users. Using embedded dashboards, you could enable any worker, be it an employee or a contractor, to use a mobile web browser or an existing data visualization app to see relevant data about their own performance or anything else that may be relevant to their job.
beyond dashboards: sharing data with partners and clients
Also, data use cases don’t stop at dashboards. Many of your external data users, like partners and clients, will want to use your data in their own environments, as this will allow them to combine data and make them more useful in their own processes. Are you in logistics? Then your e-commerce partners may see value in your process data, as it will allow them to more accurately predict delivery times and improve conversions and customer satisfaction.
When you arrive at this point, you will be happy that you have already put some serious thought into data security and external stakeholder access. Simply put: if you can use your cloud infrastructure to securely get data to an external user’s dashboard, you can probably do the same for an API.
Want to know more? See our pages on data and analytics.