The past year has confirmed that a digital-first strategy is not just a trend, but the new standard for business moving forward. What business calls “digital life” is just life for most people, as is the expectation that organizations will keep up with the accelerating volume of data and pace of change while protecting sensitive information. As data becomes more accessible for analysis, risk of accidental oversharing or misuse of business-critical information increases. It is more important than ever to answer the questions: “How secure is my data in the cloud? What end-to-end protection is available to prevent my sensitive data from leaking?”
Today we are announcing new and enhanced security capabilities for Microsoft Power BI to ensure the highest levels of data security while bringing data insights to everyone across the organization. As detailed in a new Microsoft Power BI security whitepaper, our point of view is that data security should no longer be about BI and its data permissions. Rather, it should be part of an integrated data security strategy that promotes the free flow of analytics in support of the creation of a sustainable data culture, while at the same time ensuring secure usage everywhere.
Power BI delivers security using a multi-layer, integrated model that leverages the same security stack in Microsoft Azure that government agencies and institutions around the world now depend on. Additionally, Power BI also integrates with existing data protection tools in Microsoft 365. The combination of this strategy allows Power BI to:
- Ensure your data is secure in the Microsoft Cloud
- Help you secure your data when it is being used
- Help you govern your data
Your data is secure in the Microsoft Cloud
As enterprises seek to protect their data environment from unauthorized and unwanted access, many businesses are turning to network isolation. Network isolation allows only specific clients or computers to connect to a particular endpoint based on a list of allowed IP addresses. Network security features in Power BI include:- Service tags: You can use service tags to achieve network isolation and restrict your network to the general Internet while accessing Power BI service using public APIs. Additionally, you can use Power BI Service Tag range IPs in firewall rules of to protect your resources and data sources accessed from the Power BI service.
- Private links: Azure networking provides the Microsoft Azure Private Link feature that enables Power BI to provide secure access through Azure networking private endpoints. With Private Link and private endpoints, data traffic is sent privately using Microsoft's backbone network infrastructure, and thus the data does not traverse the Internet.
- VNet (coming by the end of February 2021): While the Private Link integration feature provides secure inbound connections to Power BI, this VNet connectivity feature enables secure outbound connectivity from Power BI to data sources within a VNet. VNet gateways (Microsoft-managed) will eliminate the overhead of installing and monitoring on-premises data gateways for connecting to data sources associated with a VNet. They would, however, still follow the familiar process of managing security and data sources as with an on-premises data gateway.
Tetra Pak, a Swedish-Swiss multinational food packaging and processing company, demands very high levels of protection for data—especially true for cloud-based solutions. Sergei Lechinsky, Director, Business Information Management, explains how Power BI security capabilities have impacted his team. “We are very pleased with what Microsoft has delivered in the areas of information protection and access control,” said Lechinsky. “The combination of Power BI Premium with BYOK, multi-factor authentication and now information protection sensitivity labels (IPSL) for Power BI artefacts opens Power BI platform for the analysis of confidential data in Tetra Pak. Additionally, cooperation between Microsoft and Tetra Pak is another very positive aspect. Microsoft worked with us to incorporate our feedback regarding IPSL and built some of them into the product.”
In addition to security capabilities that protect Tetra Pak and thousands of organizations across industries, Power BI is optimized to meet the unique needs of government customers that must meet state and federal compliance and security standards.
Today, we are announcing that Power BI for Azure Government Secret is under review by our Third-Party Assessment Organization (3PAO) and will be submitted for Provisional Authorization to Operate (P-ATO) to support Department of Defense Impact Level 6 (IL6) workloads.
Power BI US Government Secret is designed for the unique requirements of critical national security workloads that cannot be served out of a single geographic location. To provide the geo-diversity required, Power BI US Government Secret delivers across three dedicated regions for US Federal Civilian, Department of Defense (DoD), Intelligence Community (IC), and US government partners working within Secret enclaves. These dedicated Azure regions are located over 500 miles apart to enable applications to stay running in the face of a disaster without a break in continuity of operations.
Secure your data wherever it is accessed and analyzed
As part of empowering organizations to work securely with their business data, we have worked hard to ensure that Power BI is part of an end-to-end security platform that is easy to use, integrated with productivity solutions, and enables remote work. Power BI integrates Microsoft's leading security products, providing unparalleled data protection capabilities to help people securely uncover insights, collaborate, and share appropriately, no matter where data goes—even outside the organizational network or on unmanaged devices.Power BI sensitivity labels in Power BI service
Last year we announced the general availability of Power BI data protection capabilities, being the only BI product leveraging Microsoft Information Protection sensitivity labels (MIP) and providing users a simple way to classify critical content in Power BI without compromising productivity or the ability to collaborate. Sensitivity labels can be applied on datasets, reports, dashboards, and dataflows, and those labels are persisted along with relevant protection when data is exported from Power BI to Excel, PowerPoint, or PDF files.Moreover, we extended data label inheritance to Excel when connecting a Power BI dataset to a PivotTable. Once again, the dataset’s sensitivity label will be inherited and applied to your Excel file along with its associated protection and will stay up to date upon refresh.
Imagine a user exporting sensitive BI data to Excel and sharing further within the company or externally, or alternatively a former worker accessing an old local Excel file: once the Excel includes respective sensitivity label and protection, only authorized users are able to access that content.
Organizations can now rest assure that their sensitive data remains protected throughout its journey, according to company policies, no matter where the data lands or when it is being accessed.
Preview of support for sensitivity labels in Power BI Desktop
Announced for preview in December, sensitivity labels are now supported in Power BI Desktop. One of the most requested features from our community, this is the natural extension of our existing support for sensitivity labels, which is now supported both in the consumption as well as creation of Power BI assets.
Integration with Microsoft Azure Purview to show sensitivity labels in scanned Power BI assets
Governance of data is critical, as is the ability to discover the right, high-quality data assets you can trust and reuse to make critical business decisions. Power BI has partnered with Azure Purview to make it simple to discover, understand, and govern your data assets. Leveraging this partnership, your Power BI assets metadata and connections can now be scanned into the Azure Purview data catalog. Once scanned, key features are enabled for users including effective data governance, deriving end-to-end data lineage and impact analysis, and ensuring data protection leveraging visibility of MIP sensitivity labels on the various assets.
Securing the full data journey from Azure to Office
To ensure your data remains classified and secured across its data journey, we are adding support for label inheritance. By August 2021, Power BI datasets connecting to classified data in source systems—such as SQL, Microsoft Azure Synapse Analytics, or Excel—will inherit those labels such that data remains classified and secure when brought into Power BI, inherited downstream onto connected artifacts (such as reports or dashboards), and onwards when exported to Office. The result is secure, end-to-end inheritance and protection of your business data, from source to point of consumption.Helping you govern your data
Finally, the third pillar of our security point of view focuses on the management of content sharing, monitoring, and auditing. In June 2020, we announced the ability for admins to extend Data Loss Prevention policies as well as monitor in real time Power BI session and user activities within the Microsoft Cloud App Security (MCAS) portal.MCAS can now analyze suspicious Power BI activities like the impossible travel scenario or unusual sharing behaviors and raise a security alert. Combined with the ability for admins to configure content sharing with external guest users through integration with Microsoft Azure Active Directory (Azure AD) B2B and tracking of user and system events in Office 365 audit log, organizations have both depth of capabilities and breadth of organizational reach to govern a Power BI deployment with unparalleled confidence. To go more in depth on our recommendation for governance, please review the Governance and Deployment whitepaper.
