Post: Security for IBM Cognos - How Much is Too Much?

Security is often misunderstood. Many think security means that your system can’t be hacked and your personal files are not accessible. Security means that nobody can get your great aunt’s secret banana bread recipe. You can never be too secure, right?


Well, actually you can. There IS such a thing as too secure.

The only way to keep a secret is to not tell anyone. The equivalent in our data world might be to not store the data, or unplug the server altogether. How practical is that?

Data Access

Security is more than just keeping the bad guys out. There is no one-size-fits-all, but the right security approach within an organization is always about balance. Ironclad security can actually be a hindrance to business users. Many Cognos users fall in this category. When capabilities and permissions are restricted too tightly, Cognos users may not have access to needed tools, reports, or data.

Unintended Consequences

There are many ways that companies try to optimize the protection of their Cognos environment, for example by forcing password changes every few weeks or by providing limited access to critical data. The weakest link in a security system is almost always the user. If password changes are required so frequently, how is a user going to remember the latest one? Most likely by writing it down on a post-it note, which completely negates the purpose of this security practice. In other words, unnecessarily restrictive policies can often, perhaps by accident, prove ineffective.

Just as a flowing stream will find the least restricted path, users will find ways around policies that are overly restrictive.


Similarly, if a user has to answer more questions to access his/her Cognos environment than to open a bank account, valuable time is being wasted.


Of course, it is necessary to protect the assets in your Cognos environment. But, the key is to find a balance between vulnerability and usability. Just as in personal relationships, anything short of total lock-down requires some trust. Giving Cognos users more control over their content proves that you trust them. An employer’s ability to trust their employees goes a long way.

For example, think of the few recent social media mistakes that have been floating around. When the Houston Rockets eliminated the Dallas Mavericks in the NBA post-season, somebody from the Rockets’ organization posted emojis that Dallas deemed “not very classy.”

Houston then issued an apology statement. We’ve all seen the PR expert begging forgiveness after an employee sends an unintentionally inappropriate tweet. Companies that lock down their employees’ Internet access are hit harder. Companies that admit to being human and having faults have less far to fall.

Of course, in addition to weighing vulnerability and access, organizations must also evaluate the potential risk of compromising access to confidential data. We recognize that in some industries there are laws (thankfully!) regulating the protection and safeguarding of personal, financial and health care data.

Too often security planners consider only half of the equation. A solution, instead, is to give users the information they need to do their job. Here is a security matrix table, with which you can estimate the proper amount of security required by everyone to do their job.

Interested in learning more about security best practices in IBM Cognos? See this recorded webinar.


As the BI space evolves, organizations must take into account the bottom line of amassing analytics assets.
The more assets you have, the greater the cost to your business. There are the hard costs of keeping redundant assets, i.e., cloud or server capacity. Accumulating multiple versions of the same visualization takes up space, and BI vendors are moving to capacity pricing: companies now pay more if they have more dashboards, apps, and reports. Earlier, we spoke about dependencies. Keeping redundant assets increases the number of dependencies and therefore the complexity. This comes with a price tag.
The implications of asset failures differ, and the business’s repercussions can be minimal or drastic.
Different industries have distinct regulatory requirements to meet. The impact may be minimal if a report for an end-of-year close has a mislabeled column that the sales or marketing department uses. On the other hand, if a healthcare or financial report does not meet the needs of a HIPAA or SOX compliance report, the company and its C-level suite may face severe penalties and reputational damage. Another example is a report that is shared externally. During an update of the report specs, the low-level security was incorrectly applied, which caused people to have access to personal information.
The complexity of assets influences their likelihood of encountering issues.
The last thing a business wants is for a report or app to fail at a crucial moment. If you know the report is complex and has a lot of dependencies, then the probability of failure caused by IT changes is high. That means a change request should be taken into account. Dependency graphs become important. If it is a straightforward sales report that tells notes by salesperson by account, any changes made do not have the same impact on the report, even if it fails. BI operations should treat these reports differently during change.
Not all reports and dashboards fail the same way; some reports may lag, definitions might change, or data accuracy and relevance could wane. Understanding these variations aids in better risk anticipation.

Marketing uses several reports for its campaigns – standard analytic assets often delivered through marketing tools. Finance has very complex reports converted from Excel to BI tools while incorporating different consolidation rules. The marketing reports have a different failure mode than the financial reports. They, therefore, need to be managed differently.

It’s time for the company’s monthly business review. The marketing department proceeds to report on leads acquired per salesperson. Unfortunately, half the team has left the organization, and the data fails to load accurately. While this is an inconvenience for the marketing group, it isn’t detrimental to the business. However, a failure in financial reporting for a human resource consulting firm with 1000s of contractors, where the reports contain critical and complex calculations about sickness, fees, hours, etc., has major implications and needs to be managed differently.

Acknowledging that assets transition through distinct phases allows for effective management decisions at each stage. As new visualizations are released, the information leads to broad use and adoption.
Think back to the start of the pandemic. COVID dashboards were quickly put together and released to the business, showing pertinent information: how the virus spreads, demographics affected the business and risks, etc. At the time, it was relevant and served its purpose. As we moved past the pandemic, COVID-specific information became obsolete, and reporting is integrated into regular HR reporting.
Reports and dashboards are crafted to deliver valuable insights for stakeholders. Over time, though, the worth of assets changes.
When a company opens its first store in a certain area, there are many elements it needs to understand – other stores in the area, traffic patterns, pricing of products, what products to sell, etc. Once the store is operational for some time, specifics are not as important, and it can adopt the standard reporting. The tailor-made analytic assets become irrelevant and no longer add value to the store manager.