MaxCompute and DataWorks Security Management Guide: Basics (2)

In this guide, we share the basics of security management for MaxCompute and DataWorks. It is intended to help the project owner or security administrator of MaxCompute with the daily security operations of projects, so that project data stays secure.

User and Permission Management

User Management

Role Management

For more information about the action and subject types, refer to the official document.

Authorization Management of ACL (Object Actions)

For more information about the action and subject types, refer to the official document.

Role Authorization Management

Package Authorization Management

For more information about the action and subject types, refer to the official document.

Label Authorization Management

Enable the Security Feature

Set ProjectProtection (Data Outflow Protection Mechanism)

Project data protection (ProjectProtection) mainly prevents users from transferring data out of the project.

Turn on Label Security (Column and Security Control)

Label-based security (LabelSecurity) is a mandatory access control (MAC) policy applied at the project level. It lets project administrators control user access to column-level sensitive data with more flexibility than object-level ACLs alone.
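To make the column-level MAC rule concrete, here is an added illustration (not MaxCompute or DataWorks code) that models how a user's access level is checked against per-column sensitivity labels. The numeric label scale and the rule "a user may read a column only if the user's level is at least the column's label" are assumptions made for this demo.

```python
# Added example: a model of column-level label security (MAC), not the
# MaxCompute implementation. Assumption: labels are integers, 0 = public,
# higher = more sensitive; a user reads a column only if level >= label.
from dataclasses import dataclass


@dataclass
class Table:
    name: str
    column_labels: dict  # column name -> sensitivity label (constructed)


@dataclass
class User:
    name: str
    access_level: int  # clearance granted by the project administrator


def table_label(table: Table) -> int:
    """Effective table label: the most sensitive column (assumption)."""
    return max(table.column_labels.values(), default=0)


def readable_columns(user: User, table: Table) -> list:
    """Columns this user may read under the label policy."""
    return [c for c, lbl in table.column_labels.items()
            if lbl <= user.access_level]


def check_select(user: User, table: Table, columns: list) -> tuple:
    """Decide a SELECT of `columns`; returns (allowed, denied_columns).

    The whole query is denied if any requested column exceeds the
    user's level, which is how a MAC check differs from a per-row filter.
    Unknown columns raise KeyError rather than being silently allowed.
    """
    denied = [c for c in columns
              if table.column_labels[c] > user.access_level]
    return (not denied, denied)


# Constructed sample data for the demo.
ORDERS = Table("orders", {"order_id": 0, "amount": 1,
                          "customer_name": 2, "id_card_no": 4})
ANALYST = User("analyst", 1)  # may see order_id, amount only
ADMIN = User("data_owner", 4)  # cleared for every column
```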

Configure the Field Label Properly

Set a Whitelist of IPs That Are Allowed to Access a Project

Disallow the Results of “Select” in DataWorks to Be Downloaded to a Local Path

Improving Security Management with RAM

Because MaxCompute is usually used together with other cloud services, we should also consider how those services can strengthen security management in MaxCompute. When MaxCompute is used with DataWorks, a Resource Access Management (RAM) user is required whenever a project member is added. This section therefore describes how to improve security management at the RAM user level.

For MaxCompute user authentication, the preceding "MaxCompute security model" section states: "Two account systems, cloud accounts and RAM accounts, are supported. For RAM accounts, any RAM user under the primary account can be added to a MaxCompute project; only the account system is recognized, not the RAM permission system. MaxCompute does not consider the permission definitions in RAM when verifying the permissions of a RAM user." Therefore, the security control we can add through RAM is limited to the RAM user's logon verification, and the settings below focus on that.

RAM User Password Strength Settings

If you allow a RAM user to change his or her logon password, require the user to set a strong logon password and rotate it regularly.

You can create password policies, such as the minimum length, whether non-letter characters are required, and the rotation cycle, for RAM users on the RAM console.

RAM User Login Mask Settings

Set a login mask (netmask) to restrict the IP addresses from which console logon is allowed. Sub-users (RAM users) can then only log on from the specified IP addresses.

Revoke Permissions That Are No Longer Needed

If the employee who owns a RAM user no longer needs the permissions originally granted because his or her duties and responsibilities have changed, revoke those permissions from the RAM user in a timely manner.

Reference: https://www.alibabacloud.com/blog/maxcompute-and-dataworks-security-management-guide-basics-2_594471?spm=a2c41.12583932.0.0
