Cognos, Google Sound Off on Information Security

The challenge is to simultaneously ensure both the integrity and the appropriateness of BI data for the users who consume it.

It’s not as if business intelligence (BI) vendors have only just discovered the importance of air-tight security—not, at least, in the sense that they’ve heretofore neglected the security feature sets of their respective BI tools.

Most BI vendors actually have very good out-of-the-box security stories to tell, complete with support for features such as over-the-wire encryption, integration with enterprise directory services and other authentication mechanisms, and increasingly, support for role-based access to data. (

Nevertheless, a confluence of drivers has pushed concerns about BI security to the fore, especially the Coming of Compliance and all of its attendant concerns. If compliance requirements such as the Sarbanes-Oxley Act (SOX) Act of 2002 helped put the onus on all software vendors to improve the out-of-the-box security and (just as important) accountability of their products, it especially upped the ante for BI and data management players. These are the vendors whose software typically consumes the highly sensitive data which measures like SOX are designed to protect in the first place.

“Compliance is definitely a big driver, but that’s been so for a while now. This is obviously [an area in which] Information Builders—and most of our competitors—have had to improve the overall security of our products,” agreed Michael Corcoran, vice-president and chief communications officer with Information Builders Inc. (IBI), during a May interview coincidental with IBI’s enterprise search-related announcements.

Corcoran says he sees a future in which security becomes an even greater concern, especially as more and more BI (or BI-like) capabilities are embedded—often transparently—in more and more applications. “We already have situations where a lot of our [WebFocus] users aren’t even aware that they’re using WebFocus, because we’re behind the scenes, [embedded] in the application itself. But it’s WebFocus which provides the query and the reporting and the connectivity to everything in the background.”

The challenge, says Corcoran, is to simultaneously ensure both the integrity and—increasingly—the appropriateness of this data for the users who are accessing it. Or—to put it another way—there are certain and identifiable cases in which an organization’s financial left hand shouldn’t be able to see what its HR right hand is doing, and vice-versa. As organizations seek to connect once-siloed information sources—either by means of data federation technologies, just-in-time operational data stores, full-fledged data warehouses, or other information-centric strategies—opportunities for conflicts of interest, and the potential for regulatory imbroglios, increase exponentially.

Nowhere is the potential for disaster more evident than in the enterprise search segment. Indeed, if the Coming of Compliance upped the ante on the security front for the great mass of BI vendors, says TDWI director of education Wayne Eckerson, the growth of enterprise search—and, more to the point, the manner in which enterprise search is fast emerging as a key enabling technology for BI information delivery—has increased the stakes even more.

“Security is a key issue with [enterprise search],” Eckerson argues. “If you think about it, this stuff [search technology] works too well. It can literally return any data that’s relevant to any query, including data that certain users [or users in certain classes or groups] shouldn’t have access to. So the problem becomes getting the right data to the right users—and doing so for the most part dynamically—and this is something the search vendors have really focused on.”

That’s one reason BI vendors and their enterprise search partners have gone on the offensive, in some cases emphasizing the robust security underpinnings of their bread-and-butter products. Consider Cognos Inc., which last week trumpeted the results of a recent security audit by Symantec Corp. According to Cognos officials, Symantec researchers determined that Cognos 8 is based on a “robust architecture” which is conducive to secure reporting and analysis. Symantec researchers also concluded that Cognos “understands sound security practices and has surpassed industry best practices by designing a secure architecture and framework for reporting and analysis applications.”

There’s another reason Cognos has kicked its security-focused messaging up a few notches, however. Earlier this year, that vendor announced two significant partnerships in the enterprise search arena, first in conjunction with IBM Corp.—whose WebSphere OmniFind search tool is supported by Cognos 8—and then in tandem with Google Inc., whose Google Search Appliance and Google OneBox API program are both supported by Cognos 8. Cognos officials position enterprise search as a key enabling technology for BI, but they also concede that search in its most ubiquitous form—i.e., Web search—simply isn’t “safe” for enterprise BI. (

That makes enterprise search the next frontier—or the central front, if you will—in the struggle to make pervasive information delivery safe for the enterprise, argues Cognos senior director of product marketing Harriet Fryman.

“If you think about it, the goal [of enterprise search] is to make it easier for users to access this [information] in the format that’s most intelligible to them, to present [data] in a context they can understand. But not all users should have access to the same data, and not all users should have the same view [of that data], even when they can access it. An HR department shouldn’t be able to see financial data, for example, while a financial department shouldn’t have access to HR data. Different users within [either department] need to see different kinds [views] of the same data,” she explains. “The key [with BI and enterprise search] is to only show [the data] if the users have sufficient privileges to see it, so to provide role-based views of this [BI] information.”

This is one area in which enterprise search players—spurred in part by stinging claims about the un-enterprise-worthiness of their solutions—have long been out in front. It’s an issue, for example, to which Google has devoted considerable attention, claims Matthew Galzbach, product manager for Google Enterprise.

“To be honest, we wouldn’t be offering this [Google Search Appliance] if we weren’t able to provide these kinds of [security filtering] capabilities,” said Galzbach in an interview earlier this year. “So our goal is to protect the security of [a customer’s environment], but do it in a fast, simple, easy-to-use and straightforward manner. So underneath that thin simple HTML [search] interface sit a host of technological mechanisms concerning security and access control. For example, as we index the information, we can also understand how the information is secured, such that when a user conducts a search, we actually go and check in real time to see if the user has access to those same results. We also integrate with a variety of different types of security systems, including single sign-on, HTTP [SSL], [NT LAN Manager], and SAML.”

Nor is Google the only player that’s hip to the importance of search security. When it announced its own foray into enterprise search earlier this year, Oracle Corp. made search security—and, specifically, role-based access to information—one of its key talking points.

“[When] people are browsing the Web on their own, they just go to one of these Internet search sites and they get results. And they go back to their office and say, why can’t I have the same sort of experience?” commented Greg Crider, senior director of product marketing with Oracle, at the time of the announcement. “On the other hand, if you look at the point of view of what big organizations are going through today, they have all of these concerns about securing their information, about meeting compliance requirements, about dealing with privacy laws, about dealing with intellectual property.”

Fryman, for her part, says pervasive information access—a dashboard (or its equivalent) on every desktop—is the future of BI. She outlines a quasi-Utopian future-scape in which users at every level of an organization have the ability to access the information that’s most intelligible to—and appropriate for—them, either by means of straight-up reports or dashboards, or in the form of BI capabilities embedded in conventional applications.

In this respect, she and other Cognos officials argue, enterprise search will play a key role. “We feel that this is truly the way to bring BI to the masses. We—all of us—have been talking about this [idea] for years now, but this is the paradigm shift. It uses an interface and an experience that users feel completely at home in [the Web browser search engine] and it lets them access BI content without knowing anything about [BI]. This means companies can expose this [BI] technology to entirely new user groups, to users who have never had access before,” said senior product marketing manager Paul Hulford.

At the same time, Fryman stresses, it doesn’t fall entirely to the search vendors to safeguard the integrity and dissemination of enterprise data. “Our goal is to make it possible for them to have a single BI environment [Cognos 8], but to tightly control what data they have the ability to see. That way, if everybody [the search vendors and the BI vendors] does their part, it helps increase the overall security [of enterprise information],” she comments. There’s an added benefit, too, says Fryman: reduced costs. By providing support for features such as highly granular role-based security, she says, BI vendors can reduce the development and support burden for IT: “From our perspective, we make it possible for IT to develop a single report that may include gross margin and any number of other metrics, but each user gets a view that’s based on their data rights. So IT maintains one report for every different class of user.”