Rising concerns about privacy mean that the security of sensitive information, such as medical and financial data and information about children, is coming under tighter scrutiny these days. And this is forcing IT managers to turn their attention to the richest repositories of such data: their data warehouses.
But for many businesses, just defining the roles and purposes of those staffers accessing such data can be daunting. Consider that a single hospital admittance could result in a patient’s records being viewed by more than 150 people, both inside and outside the hospital, according to a study by Predictive Systems Inc., a New York-based technology consulting firm.
Fortunately, data warehouse software and the applications that serve such warehouses are relatively mature. Database software can define access down to the object level. And tools to automate user account management are particularly helpful in large user environments.
The first step in data warehouse security is defining what data needs protecting, which can be more difficult than it sounds, according to IT managers.
“[Legislation] talks in general terms about what data needs protecting and provides little of what kind of data and what kind of protection that data needs,” says Mike Hager, vice-president of network security and disaster recovery at New York-based Oppenheimer Funds Inc., a wholly owned subsidiary of Massachusetts Mutual Insurance Corp. in Springfield, Mass.
The key to passing all forms of regulatory muster is defining “personally identifiable information” and then limiting access to that information to only those with a need to know.
For example, you don’t want a statistician mining for demographics on sexually transmitted diseases to also have access to the names and addresses of individual patients with such diseases. Access rights to this type of data must be fine-grained enough that a statistician can only gather broader demographics like age, sex or region.
And that means defining user roles, says Hager. “The real key here is being able to define who has access to what. Without a role-based security model, there is no way of accomplishing this,” he says.
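The statistician scenario above, sketched in PostgreSQL as an added example (not code from the article or from any organization it names). The schema, table, column and role names are assumptions made for illustration, as is the minimum group size of 5, a safeguard the article does not mention.

```sql
-- Constructed warehouse table; all names here are hypothetical.
CREATE SCHEMA warehouse;

CREATE TABLE warehouse.patient_diagnosis (
    patient_id  bigint  PRIMARY KEY,
    full_name   text    NOT NULL,   -- personally identifiable
    street_addr text    NOT NULL,   -- personally identifiable
    birth_date  date    NOT NULL,
    sex         char(1) NOT NULL,
    region      text    NOT NULL,
    diagnosis   text    NOT NULL
);

-- Roles describe job functions; individual logins are made members of a role.
CREATE ROLE statistician  NOLOGIN;
CREATE ROLE records_clerk NOLOGIN;  -- hypothetical role with a need to see identities

-- Defensive: make sure nothing is reachable through PUBLIC.
REVOKE ALL ON SCHEMA warehouse FROM PUBLIC;
REVOKE ALL ON warehouse.patient_diagnosis FROM PUBLIC;

-- Demographics only: no name, no address, no exact birth date.
-- Groups smaller than 5 are suppressed so that a rare combination of
-- region, sex and age band cannot single out one patient.
CREATE VIEW warehouse.diagnosis_demographics AS
SELECT diagnosis,
       region,
       sex,
       (date_part('year', age(birth_date))::int / 10) * 10 AS age_band,
       count(*) AS patients
FROM warehouse.patient_diagnosis
GROUP BY diagnosis, region, sex, age_band
HAVING count(*) >= 5;

-- The view runs with its owner's rights, so the statistician role needs
-- SELECT on the view only and never on the base table.
GRANT USAGE  ON SCHEMA warehouse TO statistician, records_clerk;
GRANT SELECT ON warehouse.diagnosis_demographics TO statistician;
GRANT SELECT ON warehouse.patient_diagnosis      TO records_clerk;

-- Audit check for the periodic access review: does the role hold a
-- direct SELECT on the identifying table?
SELECT has_table_privilege('statistician',
                           'warehouse.patient_diagnosis',
                           'SELECT') AS statistician_reads_pii;
```

Granting to roles rather than to named users is what makes the annual review tractable: the review becomes a check of role membership plus a short list of grants per role.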
It took Hager’s team six months to define the roles of Oppenheimer’s 2,500 users, 400 of whom require access to the data warehouse.
“There’s a business process that must take place before you can automate this,” Hager explains. “You need to identify group and individual user rights, which we did by going over [human resources] accounting codes and then going to business units and asking everyone to justify their access needs. And now they must also fill out an annual review form.”
Once you know who requires access to the warehouse, it’s time to measure the technical controls around those users. That means asking some tough questions: