Our client provides financial services throughout northern Europe and is responsible for safeguarding large amounts of data. Since they deal with highly sensitive information daily, they must be careful to adhere to the strict regulations in their industry.
As compliance and data security are crucial for organizations in this field, the company is committed to implementing strong security measures to protect its reputation and avoid data leaks or other incidents which may compromise its customers’ information.
To that end, the organization looked to create a central IT unit responsible for managing and setting up Power BI reports and protecting against unauthorized access and potential data breaches.
The application also needed to meet all industry regulations and be convenient for end-users who would use the reports to analyze the company’s performance and manage customer finances.
The client previously used Power BI Report Server but felt its capabilities were insufficient for their needs and for their desire to operate fully in the cloud.
As a result, they decided to switch to the Power BI service, which offers a wider range of features, and develop a unified service architecture, strategy, and service delivery model for use across the company.
Setting up governance around the Power BI service would allow them to:
The central IT would then be capable of onboarding BI applications from other business units while staying confident that all prerequisites, best practices, the scope of the services, and limitations are respected within the platform.
Despite having experience with the technology, the client’s teams anticipated that the upcoming project would be challenging due to strict security compliance requirements and high business expectations.
They turned to Predica to help them with the project and to ensure that all regulations and security measures were accounted for.
Designing the new architecture and capabilities required a deep understanding of the challenges and the teams’ previous operations, leading to a model that included the 4 elements below:
To avoid regulatory issues, we had to customize some features available in the Power BI service by default.
For example, we blocked the use of My Workspace for creating and sharing reports. My Workspace was problematic for the organization because of the risk of sharing data with an inappropriate audience, which would be hard to govern centrally.
Also, sensitive data at rest that is stored in the cloud must be encrypted with a key managed by the bank. However, in Power BI, it is normally the cloud service provider who generates and manages the key.
To address this, we enabled the Bring Your Own Key (BYOK) security method to make the data unreadable to the service provider.
With security being a priority in a regulated industry, we had to approach identity and access management with utmost care.
To reduce the risk of uncontrolled and ad-hoc access granting and sharing, we developed the Workspaces, Roles & Permissions reference model as a best practice configuration. This model helps to propagate security and maintenance standards to departments that onboard their solutions to the Power BI service.
By establishing a data gateway, we enabled connections to on-premises sources, providing access to data that is not stored in the cloud. We also included the data gateway-related roles in the Workspaces, Roles & Permissions reference model.
The final part was designing an onboarding process for business units and application owners who intend to host BI solutions in the Power BI online service.
Our model guides them through organizational requirements, gathers necessary documentation, and provides a reference structure for setting up the reports.
By introducing the Power BI service model, the company obtained a platform organized according to best practices and policies and developed a clear application onboarding process with one approved structure.
Whereas the previous solution did not ensure full compliance, the encryption methods used in the current cloud solution can successfully address concerns over meeting industry regulations.
The ultimate goal is to simplify the collaboration and sharing of information between different teams in a secure manner, so the company is determined to promote the adoption across all business units.
Once the model has been properly evangelized, users will know what to expect when requesting a new report and what is expected of them, resulting in a more efficient and user-friendly experience.
Ideally, the process will then lead to building one source of truth, ensuring data trustworthiness for company analyses and promoting good data sources.
Having a unified platform will eventually lower costs for the company, as otherwise, each business unit would need to spend money on separate solutions.
Finally, the governance model will help the company with access and identity management, leading to a clear understanding of who can process sensitive information and who is allowed to use the reports, minimizing the risk of unauthorized changes.
The company has taken an important step towards protecting sensitive information and addressing compliance concerns by implementing a new model for governing Power BI reports.
As long as the company follows the established guidelines and procedures, all business units will soon be able to successfully utilize the new features and rely on a trustworthy and dependable source of knowledge.