Crystal Reports Administration: Security Issues

The Crystal Reports you are responsible for fall under a category called "Business Intelligence." In the United States, The Senate Intelligence Committee is responsible for various spy operations. That is not an idle connection. Your Crystal Reports can have the potential to damage your company, if they fall into the wrong hands.

In other articles, we cover "need to know." The basic concept is a person should not be on the report distribution list unless that person needs the information for doing his/her job. The exception to this is general company information that is part of the public record anyhow and any information the senior management wants released to select department heads or to employees in general. Absent specific instructions from senior management, you will need to apply some rules.

Let's see what those are:

• Define the report distribution parameters, as laid out in our article on that subject.
  
• Control passwords strictly, and educate end-users on the password policy. Stress to them that writing passwords on the bottom of coffee cups, making passwords all alpha, and taking other careless measures with them can cost the company some jobs. Some experts suggest it is a good idea to set passwords to expire every X days. End-users really hate this, and the practice results in their writing passwords down where they can find them rather than have to remember a new one every week or so. Consider the actual consequences of such a policy, rather than its intentions.
  
• Educate end-users to log out of their reporting sessions if they leave their workstations. This is a security measure, and it is also a way of conserving license seats when a licensing arrangement calls for a limited number of seats. You can get around this licensing issue by purchasing an unlimited license of cView.
  
• Educate end-users to clear out their caches and temporary folders after viewing sensitive files. If this step seems a bit like spitting into the wind, your network admin can set up the system so those folders reside on a central, controlled server or are deleted at logout. It is also possible to have those folders checked and purged at boot-up.
  
• Educate end-users not to print out their reports unless doing so is absolutely necessary. Paper reports are a huge security risk.
  
• Educate end-users to shred any and all paper reports they are done with, and to lock up any paper reports they leave unattended.
  
• Put a security disclaimer on reports that have especially sensitive information. Ask your operations manager for instructions on what text is appropriate.
  
• Develop a concise written security policy, get it approved by your operations manager, and distribute it to all end-users.
  
• Do random security checks. The idea isn't to "bust" violators, but to identify and correct problems. Submit a detailed report of these checks to your operations manager, including both absolute and relative data (number and kinds of violations, and the trends), plus a short assessment of the severity and specific risks. Your operations manager may ask you to step up training or to "turn in" violators. 

See our tech tips on report security at: Crystal Reports Administration: Security Tips

This article is copyrighted by Crystalkeen, Mindconnection, and Chelsea Technologies Ltd. It may be freely copied and distributed as long as the original copyright is displayed and no modifications are made to this material. Extracts are permitted. The names Crystal Reports and Seagate Info are trademarks owned by Business Objects.