How to maximise compliance and data security in a financial services organisation

Protecting access to customer data

The organisation wanted to create a central IT unit responsible for managing and deploying Microsoft Power BI reports and protecting against unauthorised access and potential data breaches.

The application also needed to comply with all industry regulations and be user-friendly for end users who would use the reports to analyse the company’s performance and manage customer finances.

The client had previously been using Microsoft Power BI Report Server but felt that its capabilities were insufficient for their needs and their desire to operate fully in the cloud.

As a result, they decided to switch to Microsoft’s Power BI Service, which offers a wider range of features, and to develop a unified service architecture, strategy, and service delivery model for use across the company.

Setting up governance around the Power BI service would allow them to:

• identify data sources for end-users
• manage how users can access and utilise the reports
• decide which type of authentication will be allowed
• integrate on-premises data
• monitor and manage solution performance
• maintain consistent standards for data access across the organisation

The central IT department would then be able to onboard BI applications from other business units ,with the confidence that all prerequisites, best practices, service scopes and constraints are met within the platform.

Despite their experience with the technology, the client’s teams anticipated that the upcoming project would be challenging due to strict security compliance requirements and high business expectations.

They turned to SoftwareOne to help them with the project and to ensure that all regulations and security measures were taken into account.

Building a new approach to utilising Power BI reports

Designing the new architecture and capabilities required a deep understanding of the challenges and the teams’ previous operations, leading to a model that included 4 elements:

1. Making the service compliant
2. Setting security and functionality baselines
3. Enabling connectivity to data sources
4. Establishing the application onboarding process

Compliance

Due to regulatory issues, SoftwareOne had to customise some features available in the Power BI Service by default.

For example, the use of My Workspace to create and share reports needed to be blocked. My Workspace was problematic for the organisation because of the potential risk of sharing data with an inappropriate audience which would be difficult to manage centrally.

In addition, sensitive data at rest that is stored in the cloud must be encrypted with a key managed by the bank. In Power BI, however, it is usually the cloud service provider that generates and manages the key. To address this, the Bring Your Own Key (BYOK) security method has been enabled to make the data unreadable to the service provider.

Security

With security a priority in a regulated industry, SoftwareOne had to approach identity and access management with the utmost care.

To reduce the risk of uncontrolled and ad-hoc access granting and sharing, the Workspaces, Roles & Permissions reference model was developed as a best practice configuration. This model helps to propagate security and maintenance standards to departments that onboard their solutions to the Power BI service.

Connectivity

By establishing a data gateway, connections to on-premises sources were enabled, providing access to data that is not stored in the cloud. Also, data gateway-related roles were included in the Workspaces, Roles & Permissions reference model.

Application onboarding

The final part was to design an onboarding process for business units and application owners who wanted to host BI solutions in the Power BI online service.

The model developed by SoftwareOne guides them through the organisational requirements, collects the necessary documentation, and provides a reference structure for setting up the reports.