Microsoft’s PowerBI product is a robust data visualization tool for end users. It is easy to get started with the tool and produce output that really shines. Some of PowerBI’s strong points include the flexibility of being simply a desktop reporting tool and being able to scale to an online dashboard destination. However, its strengths can be its weaknesses in terms of SOX or HIPAA compliance. This article describes the PowerBI architecture configurations and highlights their impact on compliance policies.
PowerBI is available in multiple product variations, each having various deployment configurations:
- Desktop-only, free edition
- Hosted Professional edition
- Hosted Premium edition
- On-premise Premium edition
Each configuration uses basically the same authoring technique, but they vary in how the workbooks are shared and where they are hosted. These differences greatly affect security exposure and risk/privacy compliance.
Desktop-Only, Free Edition
The desktop-only, free version installs directly on users’ workstations or laptops. Users author workbooks that connect to whatever data sources they can access from their desks, including on-premise and online sources. Workbooks are saved to either local drives or internal network locations.
Authors share reports or workbooks by either making the workbooks available to other users via a shared network drive or by converting to a common file format and emailing or saving to an intranet location.
Security risks arise mainly from the sharing of the reports. If users can email reports in a common file format, then they can be emailed outside the organization or copied to a portable drive.
Best practice is to create standard locations for workbooks and output files. Workbooks should be stored on network drives managed by Active Directory groups. Similarly, users should be trained to store output files on either shared network locations or intranet locations. Email policies should be created that limit or discourage users from sending attachments outside the organization.
PowerBI Professional Edition
The ability to publish to powerbi.com is built into the desktop application. PowerBI Professional uses the PowerBI desktop application to publish reports and dashboards to powerbi.com. Microsoft encourages users to sign up via a free trial using their business email address and to create a workspace. Data for the reports is embedded in the workbooks. Users publish workbooks to their workspace on powerbi.com.
Authors share reports by inviting others to join the same workspace. Invited users can then access the shared reports via browsers or mobile devices. The invitation process works via the honor system. It puts all the access responsibility on the person publishing the report.
In this scenario, security risks abound, at least from a compliance standpoint. There is no control on what data is published to powerbi.com, nor is there central control of who can see the data once it’s published. Since this is freeware, there are no special network security features such as a VPN or Azure ExpressRoute to keep the data secure in transit.
If your organization must adhere to SOX, HIPAA, or other regulation, best practice is to avoid using the free trial/professional version. The IT infrastructure team should lock down the service and prevent users within the organization from using it. Again, this is not a criticism of Microsoft, but the free powerbi.com service is designed to get you acquainted with the platform. The free hosted version does not fit as a corporate reporting solution.
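One way to inventory who is already using powerbi.com before the service is locked down, as an added example that is not part of the original article: it reads web-proxy log lines and separates likely publishers (large uploads, since report data is embedded in the workbooks) from viewers. The log format, the sample lines, and the 1 MB upload threshold are assumptions.

```python
"""Inventory powerbi.com usage from web-proxy logs (added example)."""
from collections import defaultdict

# Constructed sample log. Assumed format: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice@example.com POST app.powerbi.com 18234511
2024-03-04T09:13:40Z bob@example.com GET app.powerbi.com 812
2024-03-04T09:14:02Z carol@example.com GET intranet.example.com 455
2024-03-04T09:20:17Z bob@example.com GET api.powerbi.com 640
2024-03-04T09:31:55Z dave@example.com PUT api.powerbi.com 5242880
2024-03-04T09:40:00Z erin@example.com GET notpowerbi.com 300
malformed line
"""

SERVICE_DOMAIN = "powerbi.com"
UPLOAD_METHODS = {"POST", "PUT"}
PUBLISH_BYTES = 1_000_000  # assumed threshold for "this upload carried a workbook"


def is_service_host(host):
    """Match the domain itself or any subdomain, but not look-alike suffixes."""
    host = host.lower().rstrip(".")
    return host == SERVICE_DOMAIN or host.endswith("." + SERVICE_DOMAIN)


def summarize(log_text):
    """Return {user: 'publisher' | 'viewer'} for users who reached the service."""
    usage = defaultdict(lambda: {"requests": 0, "bytes_up": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not fit the assumed format
        _ts, user, method, host, sent = parts
        if not is_service_host(host):
            continue
        entry = usage[user]
        entry["requests"] += 1
        if method.upper() in UPLOAD_METHODS:
            entry["bytes_up"] += int(sent)
    return {
        user: ("publisher" if e["bytes_up"] >= PUBLISH_BYTES else "viewer")
        for user, e in usage.items()
    }


if __name__ == "__main__":
    for user, role in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{user}\t{role}")
```

The publisher list is the set of people whose workspaces may already hold regulated data and should be reviewed before access is cut off.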
Hosted Premium Edition
The Premium edition adds a great deal more infrastructure to the solution – but for a price. For about $5K/month, Microsoft will allocate dedicated Azure storage and compute resources to host a PowerBI report destination. In addition, on-premise data sources can upload to cloud-based storage using the On-Premise Gateway. PowerBI workbooks can also access Azure-based data sources, including Azure SQL and CosmosDB.
Authors share their reports in the same way as in the Professional edition. Reports are available to browser-based and mobile devices. In contrast to the Professional edition, the Premium edition includes tight integration with on-premise Active Directory or Azure AD. Report access is controlled via the Report Admin Portal.
The Premium edition employs much tighter security than the Professional edition thanks to Active Directory integration. The On-Premise Gateway securely transfers data to Azure-based storage. However, you still bear the responsibility of securing data at rest within the cloud storage.
Premium Edition with On-Premise Report Server
Premium subscribers also have the option of using an on-premise Report Server. Users who have SQL Server with Software Assurance can deploy Report Server on-premise and connect to local data sources. This allows authors to publish to a local destination, allowing Report consumers to connect their browsers to the same local servers.
The on-premise solution gets around many security and management concerns associated with a Premium cloud-based deployment. However, there’s no way at this time to decouple the license for the on-premise Report Server and the dedicated Azure resources. For users who only want the on-premise solution, the Azure resources will go to waste.
Best practice is to weigh your costs and benefits carefully. An on-premise Report Server solution may be the way to go despite the hefty price tag. If your company has not yet made use of cloud as infrastructure, an on-premise solution may be wise. If your company is already using cloud infrastructure (in particular, Azure), then hosted PowerBI premium may make the most sense.
Conclusion
Microsoft PowerBI is a powerful tool that builds on the familiarity of Excel and goes way beyond to support myriad data sources and allow limitless visualizations. The associated infrastructure can present a challenge, in particular the ease with which users can create a Professional edition trial subscription. Business users are eager to adopt tools like PowerBI. It’s important to get in front of the ask and start thinking of the best deployment option for your organization.
More Information
Deployment options and other PowerBI topics are discussed in the book
Microsoft has several whitepapers that describe Power BI deployments in detail. You can find them at
https://docs.microsoft.com/en-us/power-bi/whitepapers