Microsoft Ignite 2019: Power BI gets new data protection features

Power BI adds new data protection features, that extend all the way to documents containing Power BI exports. Combined with new data lineage and recently-added dataset endorsement features, this feature puts Power BI onto the data governance on-ramp.

At its Ignite technology conference in Orlando today, Microsoft is announcing new data protection features for its Power BI business intelligence platform. Along with data lineage and impact analysis features announced just last week, and its recently-added dataset endorsement features, Power BI is starting to get serious about data governance. Power BI doesn't offer a beefy data catalog facility, nor is it trying to. It is, however, weaving governance into common BI use cases and workflows, which may amplify and support more formal governance initiatives.

For your own protection

Power BI data protection is based on the same Microsoft Information Protection technology built into Office. Here's how data protection works:

  • Sensitivity labels are first defined by security administrators in the Microsoft Security and Compliance center (shown in the animated GIF below), and they apply to both Power BI and all Office 365 apps across the organization
  • Data owners can then assign sensitivity labels for Power BI dashboards, reports, datasets, and dataflows.
  • With that policy in place, any Power BI data exported to Excel, PowerPoint or PDF file will carry that sensitivity label with it, and only authorized, authenticated users will be able to access the exported data
setsensitivitylevel.gif

Setting Sensitivity Level on a Power BI report

Credit: Microsoft

Also read: Power BI delivers AI power

Power BI data protection is different from data security facilities on other BI platforms. Those offerings tend to focus on role-based access to the data itself, something already covered by Power BI's row-level security feature. Power BI data protection on the other hand, acknowledges, and indeed embraces, the fact that BI insights are often shared in spreadsheets, slide decks and PDF documents, often sent as email attachments. For many platforms, such dissemination of BI assets goes outside their contemplated security boundaries, and is effectively treated as a rogue scenario. But Power BI can now tolerate and, for that matter, encourage such sharing, allowing it to take place in a governed framework. 

Oh, no you don't

And, because Power BI data protection is also integrated with Microsoft Cloud App Security, downloads of protected documents will be blocked altogether for users on un-managed devices (shown below). Furthermore, administrators can leverage Microsoft Cloud App Security to closely monitor and control risky sessions in Power BI, including access from an uncommon location, or a suspicious sharing of a Power BI report.

unmanageddevice.gif

Downloads of Power BI protected data is blocked on un-managed devices

Credit: Microsoft

Artifact lineage and endorsed datasets

Power BI offers other newly-added data governance features. For example, Microsoft announced just last week a new Lineage View that visualizes the relationships between the dashboards, reports, datasets, dataflows and connections in a Power BI workspace. Lineage View is available simply as an toggled alternative to the separate list-style views of datasets, dashboards, reports and data flows. Artifacts in the lineage view offers contextual options, like metadata display and dataset refresh. And Microsoft says it plans to implement a cross-workspace dataset impact analysis feature as well.

Another recently added feature, dataset endorsement, allows individual datasets to be tagged as "Promoted" or Certified" by the dataset owner or administrator, respectively. Later, when users select the Get Data option in Power BI Desktop, then connect to Power BI datasets, they'll see a listing of all datasets in the workspace, with Certified, then Promoted ones listed first.

What does it all mean?

Much data governance technology has required a detour: in order to govern data, analysts have had to put aside analysis work, move over to a security or data catalog platform, and dedicate a bunch of time to inventorying, organizing and securing data. This can add friction, effectively discouraging good governance practices among those in analyst (as opposed to data steward) roles. The sort of embedded governance features that have been added to the Power BI platform reduce that friction. These features aren't meant to replace more formal governance platforms or the initiatives to implement them, but rather to support those platforms and initiatives, and perhaps influence rank-and-file buy-in to them.

Whether it works out that way is another question. Regardless, a move to imbue the analytics workflow with good data governance practices, and the features to support them, is a positive development, in and of itself.

Brust is a Microsoft Data Platform MVP and has done work for the Power BI product team.