AYX Concern

Hey Fools,

So a friend of mine who works at a large bank texted to let me know the bank had begun using Alteryx. There was a great deal of initial enthusiasm about the product and all was well.

But then they let me know about a concern. Apparently some technical higher-ups became worried about the fact that Alteryx copies the entire data set to the local server and allows all AYX users to access the data which they feel presents a security concern. There is a strong feeling among the computer engineers at this bank that the product should come with greater controls as part of the core offering. I guess the bank’s tech team needs to do some legwork to get the controls they feel they need in place. I’m told the bank is “pulling back” on the product.

I don’t have any more info than that, don’t know what exactly pulling back means. This is a very busy exec who shared the info through texts and has shared all they know/wish to share. Normally I’m skeptical of gossipy, half-baked stuff, but this is someone I both like and admire, and this info seems worth sharing.

I would love to hear from techies if this seems like a legit concern and if so how fixable it actually is, meaning, is there anything about the nature of the service that requires all users have access to all information.

FWIW, I initially got a text saying there was a security issue, ruined my diaper, and sold most of my shares. But after hearing more detail bought most of those back, preferring to use some to add to my CRWD position. When this person told me about the sheer volume of never-ending waves of attacks from malicious actors it upped my enthusiasm for security.

Fool On,

Broadway Dan

15 Likes

Well… there was a minor “breach” in 2017.

“Following a report that it left data about more than 100 million households exposed on AWS, Alteryx’s CEO declared that the company has taken steps to ensure that it doesn’t happen again.”

Original story: https://www.datanami.com/2018/01/05/alteryx-takes-action-fol…

CEO Response: https://community.alteryx.com/t5/Analytics-Blog/Third-Party-…

6 Likes

And this very much on banks’ minds…

Capital One data breach
https://www.google.com/amp/s/fortune.com/2019/07/31/capital-…

It is hard to say what issues the bank has with Alteryx’s security, but there is security software built in their product.

If you go to the Alteryx website:

https://www.alteryx.com/products/alteryx-platform/alteryx-co…

and scroll down to the section “Permissioning Assets of Alteryx Connect” and click on the “Watch the Demo” link you can watch a 2.5 minute video explaining how permissions can be set up to control user access to Alteryx data.

Video description: Watch this product demo video to see how Alteryx Connect lets organizations set permissions to limit or restrict access to sensitive data.

I suspect the bank has to complete this “Permissioning Assets” step and then re-roll out Alteryx to their users.

9 Likes

“Alteryx copies the entire data set to the local server and allows all AYX users to access the data which they feel presents a security concern.”

This could be any number of concerns, such as:

  1. The copying of sensitive data to another machine (the local server) potentially puts that data at risk since that local machine may not have the security of the primary data store. This could range from authorized users of the local machine who are not permitted to see this data all the way to outside attackers getting access to the local machine.

  2. Alteryx’s permission scheme may not be granular enough to protect certain fields of data records, and so while some fields are being properly accessed to run an analytic report (for instance), the other fields are also accessible. The brief overview I saw had data being protected on a folder hierarchy type basis, which wouldn’t be granular enough for some uses - example: I want to know how much customers have spent on bank service fees, but the customer records that have that data also have the customers’ addresses.

  3. The bank wants its users to be able to see summary or analytical reports derived from the data, but not the actual data itself. For instance, maybe a report shows the average account balance by Age Bracket, but the data feeding that has the exact account balance for each and every customer. If Alteryx enables users to see the source data for a report in order to see the report, that could be a problem.

There could be other concerns as well, of course (e.g., just making a copy of sensitive data is something that has to be logged). Depending on how the bank stores its data, what field level protection it has in place, how well it controls the security of “local servers”, or any number of other data transmittal or regulatory issues (this is a bank, after all) it may be that things have to be restructured in order for Alteryx to work.

BTW, this seems like a normal situation for data analytics.

10 Likes

I think that there might be a misunderstanding by your source regarding the security concern.

While there may be a number of ways to deal with this (someone on this thread mentioned the Alteryx permissions, I apologize for not noting the name), another way to approach the problem is to avoid sourcing sensitive data that is not required for analysis. I do not know if the bank in question is using the entire Alteryx suite of tools, or if they are using some existing tools already developed at the bank for sourcing data and prepping, but if they are using the Alteryx tools there are ample opportunities to filter out sensitive data.

The other issue to keep in mind is what is the alternative? Seems to me that this is not really a problem with Alteryx at all. What other analytical capability is available that doesn’t also copy the entire analytical database to a server (be it actual or virtual)? First of all, Alteryx doesn’t have all that many competitors. But the granddaddy of analytics is SAS. I have never been a user of this tool, but I used to work with statisticians in the quality assurance organization at the company I worked for who had extensive experience with SAS. It is my recollection that this is exactly how it worked. There is a great deal of data manipulation that is precursor to execution of analytics. The data is extracted, integrated, partitioned, organized and formatted in order to support subsequent analytical operations. The massaged data is separately stored on a dedicated device.

In any case, the way I see it, there are numerous methods which can be applied to mitigate the problem and in addition, the problem is not a flaw in the Alteryx software, it comes with the territory. If you wish to perform analytics on sensitive data, it’s incumbent on you the end user to take steps to protect the database just as you would for any sensitive data.

Assumptions are always dangerous, but my guess is the “pull-back” mentioned by your acquaintance is not a rejection of Alteryx, rather a pause in implementation while they address the security issues. I have no idea why this wasn’t part of the implementation plan in the first place, but I’ve seen much bigger mistakes which should have never been made during my tenure in IT.

18 Likes
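An added example, not written by anyone in this thread and not Alteryx code: a Python sketch of the two mitigations discussed in the posts above, namely filtering sensitive fields out before the data is copied to the analytics server, and giving users a summary report instead of row-level data. The records, field names, key and `min_group` threshold are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample rows standing in for the primary customer data store.
SOURCE = [
    {"customer_id": "C001", "ssn": "000-00-0001", "address": "1 Example St", "age": 34, "balance": 1200.0},
    {"customer_id": "C002", "ssn": "000-00-0002", "address": "2 Example St", "age": 38, "balance": 800.0},
    {"customer_id": "C003", "ssn": "000-00-0003", "address": "3 Example St", "age": 45, "balance": 5000.0},
    {"customer_id": "C004", "ssn": "000-00-0004", "address": "4 Example St", "age": 47, "balance": 3000.0},
    {"customer_id": "C005", "ssn": "000-00-0005", "address": "5 Example St", "age": 62, "balance": 10000.0},
]
ALLOWED_FIELDS = {"age", "balance"}      # assumption: all this analysis needs
PSEUDONYM_KEY = b"constructed-demo-key"  # assumption: kept off the analytics server


def pseudonymize(customer_id, key=PSEUDONYM_KEY):
    """Keyed hash: a stable join key that cannot be recomputed from a guessed ID without the key."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimized_extract(rows, allowed=ALLOWED_FIELDS):
    """Build the only rows that may be copied to the analytics server."""
    extract = []
    for row in rows:
        slim = {k: v for k, v in row.items() if k in allowed}  # allow-list, not deny-list
        slim["customer_ref"] = pseudonymize(row["customer_id"])
        extract.append(slim)
    return extract


def age_bracket(age):
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def average_balance_by_bracket(rows, min_group=2):
    """Summary report. Brackets with fewer than min_group customers are
    suppressed, since a one-person average is that person's exact balance."""
    groups = defaultdict(list)
    for row in rows:
        groups[age_bracket(row["age"])].append(row["balance"])
    return {b: round(sum(v) / len(v), 2)
            for b, v in sorted(groups.items()) if len(v) >= min_group}


if __name__ == "__main__":
    extract = minimized_extract(SOURCE)
    print(sorted(extract[0]))
    print(average_balance_by_bracket(extract))
```

The allow-list means a new sensitive column added to the source later is excluded by default rather than copied by accident.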

I agree with much of what brittlerock wrote.

“It is my recollection that this is exactly how it worked. There is a great deal of data manipulation that is precursor to execution of analytics. The data is extracted, integrated, partitioned, organized and formatted in order to support subsequent analytical operations.”

This is commonly referred to as ETL - extract, transform, and load. Data is almost never stored in a manner that is easily analyzed. Various very good reasons for this, too much to go into here. But it’s one reason why tools like Alteryx exist, to easily transform data from the manner in which it is stored into a manner which is suitable to analyze. In every book I’ve read about data science this is stressed, that more work is put into massaging data into something usable than in the analysis itself. I’ve found that to be true in my own work.

As long as the bank is careful in what data it allows to leave hallowed grounds all is fine. If not, sorry, the problem is on the bank, not on Alteryx.

I’m keeping my current allocation unless more comes of this. FWIW, AYX is one of the few high growth names I’ve decided to buy back into and hold.

1 Like

They can run the data through a Mongo database that enables in-database encryption at a very granular level for sensitive information so that it is only available to authorized persons. That would solve the problem quickly. Seems to me not an Alteryx problem but a bank methodology problem. Information like social security numbers is not very useful for data analysis, but extremely valuable to hackers. It should never be left unencrypted except for very specific use cases.

I understand that there was some controversy over how useful that feature was for Mongo. Seems quite useful, but you have to use it (assuming you have Mongo as your database, or a similar product with the same feature).

Tinker

7 Likes

Thx to all for responding. The generosity, honest discourse, openness to exploring counter ideas and overall intelligence of this board is impressive and greatly appreciated. I will pass these posts along and if I hear anything useful, update all.

5 Likes

Did I read correctly that one person told you some stuff about their experience with a product after only a short period (and probably without any RTFM), and you sold your entire set of shares in the company that makes that product?

Sorry, that seems… well, I guess to each their own, but I would at least want to test the veracity of those assertions before pulling the plug on a stock that has performed extremely well for years.

Not to repeat everything already posited, but it’s almost a foregone conclusion that their original data set wasn’t filtered properly before ingest, or they just haven’t gone into the Alteryx config to restrict access to what they need to. We use Alteryx at my employer (not a bank, but we have an equivalent in terms of secure customer data), and I can assure you, we have controls over what can or can’t be seen by individuals. It’s there, they probably just haven’t turned it on or configured properly.

If I was to base all my stock decisions on single points of information… man, I would have given up and gone back to index funds long ago.

27 Likes

My investing style of no importance but since called out in public: I was up 100% and for personal reasons need to play D right now. I had a bank exec I admire tell me there could be a security flaw. I jumped out, shared w board, got comfortable again and hopped back in. If flaw was serious could have lost 30-50% fast. If fear overblown could get right back in at close to same price. No tax implications. This is big disadvantage of my not being techie and being in stocks I don’t fully get. If I had single data point that Arista was gonna lose big client before ER I would have acted on that. Anyway…

“If I was to base all my stock decisions on single points of information… man, I would have given up and gone back to index funds long ago.”

Your multi data point analysis decision making is admirable and I will try to grow as an investor through your wise counsel.

Let’s kill this thread as key point’s been made.

BD

6 Likes

Let’s kill the thread with one piece of advice. If one piece of anecdotal information, that is utterly disparate from actual real world results, is enough to cause panic, then for god’s sake invest in mutual funds or bonds.

Seriously.

Tinker

19 Likes