Power BI Security
Protect your Customer Data and reports with a secure cloud solution for Customer Data visualization
Power BI operated by 21Vianet is a cloud-based suite of business analytics tools that you can trust to help you analyze Customer Data, publish reports, and share insights.
The Power BI service is built on Azure, which means that it benefits from the Azure platform’s robust security technologies. Power BI uses separate front-end and back-end clusters, the Gateway role, and a secure Customer Data storage architecture to help protect your information. The authentication process keeps unauthorized users out. And encryption of Customer Data, at rest and in transit, preserves confidentiality. Power BI can unify all your organization’s data, in the cloud or on premises.
The Power BI service is governed by the 21Vianet Online Standard Agreement for Office 365 and the Privacy Statement for Office 365 and Power BI Operated by 21Vianet.
Power BI operated by 21Vianet is built on Azure, and uses the Microsoft Entra ID identity and access management mechanisms to help ensure that only authorized users can access the environment, data, and reports.
Power BI uses Microsoft Entra ID as an identity repository for authentication and authorization. Users sign in to the Power BI service via a secure (HTTPS) website, and all communications between the user’s web browser and Power BI service are encrypted. The Azure Traffic Manager receives the request, checks the user’s DNS record, determines the location of the nearest Power BI deployment, and responds with the IP address of that web front end (WFE) cluster.
The user is redirected to the 21Vianet Online Services to sign in, is authenticated, and is redirected to the nearest WFE cluster, which inspects the cookie obtained when the user signed in, checks with Microsoft Entra ID to authenticate the Power BI service subscription, and returns an Microsoft Entra security token. The WFE cluster returns the token, session information, and the web address of the appropriate back-end cluster. The user’s browser downloads files necessary to interact with the Power BI service. Subsequent interactions are through the back-end cluster, and include the user’s Microsoft Entra token.
- To learn more about how the Azure Traffic Manager performs traffic routing, read the Azure documentation on Traffic Manager traffic-routing methods.
- To learn more about the Azure Content Delivery Network (CDN), from which necessary files are downloaded, watch the Azure documentation CDN videos.
Because Power BI operated by 21Vianet is built on Azure, it employs Azure infrastructure security, which relies on best security practices and technologies to protect Customer Data as it travels within datacenters located exclusively in mainland China and across the Internet.
Architecture
The Power BI architecture is designed to help protect your data. Power BI is deployed in datacenters around the world, and each deployment consists of two clusters:
- WFE cluster. All users connect to the WFE before accessing any information in Power BI. Servers in the WFE cluster authenticate users, using Microsoft Entra ID to store user identities and authorize access to data. The Azure Traffic Manager finds the nearest Power BI deployment, and that WFE cluster manages login and authentication.
- Back-end cluster. All subsequent activity and access to data is handled through the back-end cluster. It manages dashboards, visualizations, datasets, reports, data storage, data connections, and data refresh activities. The back-end cluster hosts many roles, including Azure API Management, Gateway, Presentation, Customer Data, Background Job Processing, and Data Movement.
Users directly interact only with the Gateway role and Azure API Management, which are accessible through the Internet. These roles perform authentication, authorization, distributed denial-of-service (DDoS) protection, bandwidth throttling, load balancing, routing, and other security, performance, and availability functions. There is a distinct boundary between the roles that users can access and the roles that are accessible only by the system.
Threat management
The Azure multipronged threat management approach protects Power BI operated by 21Vianet by using intrusion detection, DDoS attack prevention, penetration testing, data analytics, and machine learning to constantly strengthen its defense and reduce risks.
Physical security
Power BI operated by 21Vianet is physically and logically entirely isolated from Microsoft Cloud services in other regions of the world, which datacenter located in mainland China are protected by layers of defense-in-depth security that include perimeter fencing, video cameras, security personnel, secure entrances, and real-time communications networks, continuing from every area of the facility to each physical server unit.
Customer Data transferred through the Power BI operated by 21Vianet Enterprise Gateway is encrypted. Uploaded Customer Data is typically sent to Azure Blob storage, and all metadata and artifacts for the system itself are stored in an Azure SQL database.
The Power BI service handles Customer Data at rest (not currently being acted upon) and Customer Data in process (being actively accessed or updated by users or the service). Customer Data is divided into two categories:
- Customer Data accessed by direct query
- Customer Data not accessed by direct query
Direct queries are directly translated to the native language of an underlying data source. Non-direct queries do not include credentials for the underlying data. The distinction between a direct query and other queries determines how the Power BI service handles the data at rest, and whether the query itself is encrypted.
Power BI uses Azure Storage for Blob storage and Azure SQL Database for metadata that the system generates and uses. The user never connects directly to these storage repositories—all user connections are made to the Gateway role, which then forwards requests for data to other roles, such as the Presentation role, which is used to render the dashboard.
Only authorized users can access Customer Data, with authorization decisions based on the user’s identity. However, when users access Customer Data, it becomes their responsibility to secure any Customer Data they share (particularly in the case of static reports).
- Static reports. When a static report is created, the Customer Data is fixed in the report—similarly to a PDF. (There is no “callback” to the Power BI system to view the data visualized in the report.)
- Dynamic reports. With a dynamic report, the Customer Data doesn’t actually reside in the report; instead, the report is generated by pulling Customer Data from SQL Server Analysis Services, using the Power BI Analysis Service Connector Power BI Analysis Service Connector to connect to SQL Server.
With static reports, authorized users can share reports with unauthorized users. With dynamic reports, users can see reports only if they are authenticated and authorized.All Customer Data requested and transmitted by Power BI is encrypted in transit by using HTTPS to connect from the data source to the Power BI service.