Are you an enterprise, CIO or IT decision maker?
Before investing your budgets in a modern BI tool for your organization, we strongly advise to evaluate your BI vendors security and architecture. Whether the tool is Power BI, Tableau, Qlik or Looker, each of these tools provide a cloud BI solution for your needs.
You have cloud and on-premise versions. Using the cloud version offers several known advantages. However, data security becomes the key. There are several questions that might be bothering you.
Is my data secure?
Where is my data stored?
What security options and best practices does the vendor implement?
How is the data movement?
Is the data encrypted? What all is encrypted?
Does this sound like you?
If you are looking for answers to above questions or evaluating Power BI as your go to modern Enterprise BI tool, I invite you to read Power BI security whitepaper which talks about Power BI security and architecture in detail.
Power BI is a SaaS platform by Microsoft hosted on Azure. It uses Azure services for its operation. There are Web Front End clusters and Back End clusters.
Front End cluster
The frontend cluster (WFE) is responsible for initiation and authentication to the Power BI service, sending static files and content.
Back End cluster
The Back-end cluster role comes into play once the authentication is done. This cluster is responsible for data, storage, visualization, connections, refresh, and other user interactions etc.
The Back End cluster is the heart. If you consider your data as your asset, then the Back End cluster is a critical asset.
You should particularly focus on items to the left of the dotted line above and items to the right of the dotted line. A request to get data, dashboards or reports goes to “Gateway Role” only. This Gateway Role decides where to route the request.
Snippet from the security paper:
The Gateway Role acts as a gateway between user requests and the Power BI service. Users do not interact directly with any roles other than the Gateway Role.
Important: It is imperative to note that only Azure API Management (APIM) and Gateway (GW) roles are accessible through the public Internet. They provide authentication, authorization, DDoS protection, Throttling, Load Balancing, Routing, and other capabilities.
The dotted line in the Back-End cluster image, above, clarifies the boundary between the only two roles that are accessible by users (left of the dotted line), and roles that are only accessible by the system. When an authenticated user connects to the Power BI Service, the connection and any request by the client is accepted and managed by the Gateway Role and Azure API Management, which then interacts on the user’s behalf with the rest of the Power BI Service. For example, when a client attempts to view a dashboard, the Gateway Role accepts that request then separately sends a request to the Presentation Role to retrieve the data needed by the browser to render the dashboard.
Top questions asked by customers
Where is my data stored?
The data that you upload along with Power BI Report (PBIX) is stored in Azure Blob Storage. The metadata – data about dashboards, reports, refresh cycles etc. is stored in Azure SQL Database.
The data is stored in the region same as the Power BI tenant’s region.
Is my data encrypted?
In the Power BI service, data is either at rest (data available to a Power BI user that is not currently being acted upon), or it is in process (for example: queries being run, data connections and models being acted upon, data and/or models being uploaded into the Power BI service, and other actions that users or the Power BI service may take on data that is actively being accessed or updated). Data that is in process is referred to as data in process. Data at rest in Power BI is encrypted. Data that is in transit, which means data being sent or received by the Power BI service, is also encrypted.The data at rest and in transit is encrypted.Source: Power BI Whitepaper
Is Power BI Pro secure?
Power BI Pro is a shared environment. The Frontend and backend clusters could be shared between customers. Azure Blob Storage and Azure SQL Database could be shared between customers.
Is Power BI Premium secure?
When you initiate a Power BI Premium subscription, behind the scenes the back-end clusters are deployed to dedicated VMs. These VMs are dedicated to you and should not be shared between customers.
What happens when I login to app.powerbi.com?
Check this section in the whitepaper to know what happens behind the scenes when you try to access app.powerbi.com
All Power BI features in one page?
Check out this blog to see all Power BI features in one page!
Planning to migrate to Power BI?
Read this first: https://bigintsolutions.com/2020/04/21/migrate-to-power-bi/
What licensing options does Power BI support?
Power BI supports Power BI Pro and Power BI Premium licensing options. It also has a free version. If you need to know more about different licensing options, check out our Power BI Licensing guide.
I have more questions on security:
Power BI is a great Modern BI tool. When evaluating Power BI for Enterprises, we walk them through the architecture and security implementations in Power BI. This boosts enterprise customer confidence to take next big step in modernizing their reporting and analytics.
Don’t hesitate to contact us today if you are looking for Power BI Enterprise deployment or want us to evaluate Power BI as your go to modern Enterprise BI tool.