Solved: Secure or not secure ? That is the question

Garrett100 · ‎08-24-2017

It's back to that old question again.........how to share/ how to control the cost of sharing/recipients needing a Pro Licence

So here is my question: Time and time again I have read that one should avoid going down the "Publish to Web" route as that is not secure, and I realise that embedded links in a website/blog etc can clearly be accessed by the public. But if I choose the Publish to Web option, and simply send that embedded code link in an email to one person in my (small) organisation (say for example the CEO), am I thereby "publishing" secure information to the web ? Surely if only my single recipient opens their email and accesses the dashboard or report by clicking on the embedded link, the "public" as such cannot do the same unless they can access my email account?

I have no intention of pasting embedded links to websites or blogs etc.

Appreciate any words of wisdom on this.

Burningsuit · ‎08-27-2017

I agree with both responses, but for me it is not the security (or otherwise) of the URL generated that stops me using Publish to Web for all but the most trivial reports. It's the icon at the bottom right of a published report, the little "share" icon, that causes the problem.

I can manage who sees the Report by managing who I send the URL to, and the generated URL complexity gives a certain level of "security by obscurity". BUT I cannot control the recipients! It doesn't matter where the report is published, website, blog, SharePoint, Intranet, whatever. One click by them on the sharing icon and the report is all over Twitter, Facebook, Linkedin or gosh knows where else. If that data was confidential, I am relying on the recipient to treat it as such, but I have no way of stopping them clicking on that button, either in error, on purpose or maliciously. Effectively I have no control over the report once published, my recipient could easily put it on Facebook, Linkedin, Twitter et. al. and if they can, at some point they will.

For me, that is why Publish to Web is so insecure.

Stuart

View solution in original post

Seth_C_Bauer · ‎08-24-2017

@Garrett100 I'm passionate about this topic, as you've probably read in my previous posts related to it because it deals with data security.

When you generate the URL you instantly make your data publically discoverable. At that point, it doesn't matter where you embed, send, email, etc. The URL can now be found, so "no" this is not a super secret way to bypass sharing.

The URL itself is what can be found, and if it is, your private company information could be used by those malicious enough to be searching for these links.

For you and anyone else that may be reading this. Think of your company policies. Would you be able to generate an Excel report with the data in your Power BI report and send it to your competitor? Do you think there would be consequences? Even within your company you probably go to great lengths to make sure only the correct people have visibility into their particular area, would it be ok if you started sharing every report to every person? Or might you get into trouble for doing that? Please, stop and think before you use this feature, there is no method of using it that is considered "safe" for private data.

Looking for more Power BI tips, tricks & tools? Check out PowerBI.tips the site I co-own with Mike Carlo. Also, if you are near SE WI? Join our PUG Milwaukee Brew City PUG

CahabaData · ‎08-25-2017

@Seth_C_Baueris 100% right. One must assume some hackers have set up a system that is constantly scanning all url variations looking to consume all published info. What they do with it - who knows - sell to tabloid, sell to your competitors, trade on stockmarket,....

Having said that - I use it judiciously and it is a great feature. I recently put up a map for a client of their assets at risk for the hurricane approaching along the gulf. I did not put the company name, because the viewers know their own company. And their site IDs are sufficiently obscure as to be unintellible to outsiders. Plus they are not a publicly traded company.

I did some pro bono work for a school system that had statistics - and it was a great way to distribute to the ad hoc committee. I definitely did impress that it would be public - but they didn't view it as any different than a powerpoint attachment.....once it was out it was out.... of no interest to hackers but the general public would all see it of course

One simply must apply sound professional standards when approaching this feature. It has its use and benefits under the appropriate circumstances but one should assume the hackers will take a look at it.

www.CahabaData.com

Burningsuit · ‎08-27-2017

I agree with both responses, but for me it is not the security (or otherwise) of the URL generated that stops me using Publish to Web for all but the most trivial reports. It's the icon at the bottom right of a published report, the little "share" icon, that causes the problem.

I can manage who sees the Report by managing who I send the URL to, and the generated URL complexity gives a certain level of "security by obscurity". BUT I cannot control the recipients! It doesn't matter where the report is published, website, blog, SharePoint, Intranet, whatever. One click by them on the sharing icon and the report is all over Twitter, Facebook, Linkedin or gosh knows where else. If that data was confidential, I am relying on the recipient to treat it as such, but I have no way of stopping them clicking on that button, either in error, on purpose or maliciously. Effectively I have no control over the report once published, my recipient could easily put it on Facebook, Linkedin, Twitter et. al. and if they can, at some point they will.

For me, that is why Publish to Web is so insecure.

Stuart

Secure or not secure ? That is the question

Helpful resources

Microsoft Fabric Learn Together

Power BI Monthly Update - April 2024

Fabric Community Update - April 2024