Computerworld

Mashups may make BI applications less secure

The new technology has implicaitons, says Mark Hall
  • Mark Hall (Unknown Publication)
  • 26 October, 2008 22:00

I hate to be the teetotaler at the mashup party, but someone has to take a sober look at the security implications of this emerging approach to business intelligence.

Mashups let you take data from an outside source and combine it with your own data to yield new information or insight.

Think about that for a minute. Data from somewhere else running on your network? Even if the person who initiates the mashup believes the data comes from a trusted source, do you know if the originating systems meet your security standards? Are those systems at current patch levels? If your business works in a regulated environment, will such a mashup put you out of compliance?

Do you have people on staff who are up to date on mashup security issues? Here's one to consider: For mashups to work, you have to suspend the security feature in browsers called same-origin policy. Same-origin was designed to stop one website from dropping malicious code onto another.

Oh, and then there's JavaScript. Does the mashup your company is creating include JavaScript from outside your company?

Think about that one. Your data. Someone else's script processing it. Is it proprietary data of special value to your enterprise? Do you know exactly what the script does with your data?

You should also ask yourself whether you would treat the data in a traditional BI app as cavalierly as some people use data in a mashup. As Chris Rafter, vice president of consulting services at Logicalis, a technology services company with a BI practice, explained to me, "Mashups violate some of the unwritten rules of business intelligence".

For example, he says, BI apps are generally built around a data warehouse, which is highly secured and certainly unreachable by outsiders. He also notes that good governance for BI precludes generating reports laden with unaudited external data.

This isn't to say you shouldn't explore mashup technology behind your firewall and with your own data sources, or with data from established and vetted partners whose scripts you have scrutinised and tested. Mashups can be a quick way for business analysts to get insight from the knowledge locked in different silos inside your organisation, where most of the illuminating information about and for your business resides.

But be wary of business units that want to contrast internal data with outsiders -- say, a boutique market research house that can stream information to your network. The data may be golden, but it could turn into fool's gold if that firm's data-streaming application doesn't conform to WS-Security standards and its program gets compromised.

The bald fact is that mashups open another door for malware.

Earlier this year, IBM contributed code called Smash (a play on the term "secure mashups") to the OpenAjax Alliance, an open-source consortium that promotes IT's use of AJAX, the technical foundation of mashups. Smash permits two sources to supply content for a mashup but keeps the source material separate, opening a secure communications channel between the sources so the mashup can occur. If you're not using Smash or tools like it to secure your mashups, you're taking a gamble with your company's reputation and its information.

But, hey, don't let me spoil the party.

Mark Hallis a former Computerworld editor at large. Contact him at mark.everett.hall@comcast.net