
DataWorks:Platform security diagnostics

Last Updated:Aug 16, 2023

The platform security diagnostics feature of DataWorks checks the security configuration that governs the interactions between the current DataWorks workspace and its associated compute engine instances, such as identity authentication, access control, and the development mode used for data transmission, storage, and computing, and it provides best-practice suggestions for each finding. The feature helps you identify the security risks of your platform at the earliest opportunity and establish a baseline security setup before you run business workloads on the platform.

Background information

The Platform safety diagnosis page displays the security risks that are detected in business interactions between the current workspace and its associated compute engine instances, evaluated against a set of security best practices. You can identify the category and risk level of each item, view the risk details, and fix the items to be optimized so that business interactions stay secure and reliable. Diagnostics items are classified into the following categories:

  • Data calculation and storage

    Diagnostics items that belong to this category are used to check the security of features such as data permission control, data encryption, and data backups and identify potential risks at the earliest opportunity. This ensures the security of data storage and data access.

  • Data transmission security diagnosis

    This category of diagnostics item diagnoses security issues for features, such as the access control of data sources and the isolation of data sources in the production and development environments. This category of diagnostics item also identifies security risks during data transmission so that you can manage these risks at the earliest opportunity. This ensures a secure and reliable environment for data transmission.

  • Standardized diagnosis of data production

    Diagnostics items that belong to this category check security issues in the production process, such as whether workspace roles are assigned appropriately, whether the number of administrators is reasonable, and whether the person who deploys a task is separated from the person who developed it. These diagnostics items allow you to identify and handle security risks at the earliest opportunity, which improves the reliability and security of the data output system.

  • Platform security configuration diagnosis

    This category of diagnostics item diagnoses security issues for features, such as the auditing of DataWorks operations, to improve the overall data security.

Diagnostics items to be optimized are classified into low-risk, medium-risk, and high-risk items. A specific diagnosis and suggestions are provided for each item to be optimized so that you can keep business interactions secure and reliable. For more information about the diagnostics rules for all diagnostics items from different dimensions, see Appendix: Details of diagnostics items.

Go to the Platform safety diagnosis page

  1. Log on to the DataWorks console. In the left-side navigation pane, choose Data Governance > Security Center. On the page that appears, click Go to Security Center.

  2. In the left-side navigation pane, click Platform safety diagnosis to go to the Platform safety diagnosis page.

    By default, the platform security diagnostics feature displays the diagnostics items to be optimized in the current region, counts the items in each category, and labels each item as low, medium, or high risk.

View the diagnosis

On the Platform safety diagnosis page, the diagnostics items to be optimized are counted by category. You can view the medium-risk and high-risk items in each category, and you can click an item to view the risk details and optimize it based on the suggestions provided. The following example shows the diagnostics items to be optimized in the Data transmission security diagnosis category.

The diagnosis and suggestions for the Data source access control item are as follows:

  • Security risks

    Access control is not configured for the data sources, so users with lower security levels can access data with higher security levels. Access to the data sources is therefore insecure.

  • Suggestions

    You can improve access security for the data sources by configuring access permissions for the data sources based on the provided suggestions.

Appendix: Details of diagnostics items

The following tables describe the diagnostics items supported by the platform security diagnostics feature.

Note

The diagnostics items displayed on the page vary based on the compute engines associated with your workspace and the existing diagnostics items to be optimized.

  • Data calculation and storage

    This category of diagnostics item improves security during data storage and access. Each entry below lists the diagnostics dimension, the diagnostics item, the diagnostics object, and the diagnostics method.

    Diagnostics dimension: MaxCompute fine data permission control

    Diagnostics item: MaxCompute column-level permission control
    Diagnostics object: MaxCompute project
    Diagnostics method: Column-level permission control relies on the MaxCompute V2.0 permission model. This diagnostics item detects the MaxCompute projects in which the MaxCompute V2.0 permission model is disabled.
    Note: The security model of MaxCompute V2.0 provides finer-grained data permission management, a better-structured mechanism for decentralized project management, and stronger end-to-end identification of users. It allows you to implement security configurations that better fit actual scenarios.

    Diagnostics item: Data download control
    Diagnostics object: MaxCompute project
    Diagnostics method: Download permission control relies on the MaxCompute V2.0 permission model together with the download permissions. This diagnostics item detects the MaxCompute projects in which the MaxCompute V2.0 permission model is disabled, and also the MaxCompute projects in which the V2.0 permission model is enabled but download permission control is disabled. For more information about whether and how to enable download permission control, see Download control.
    Note: To avoid unexpected data leaks, we recommend that you strictly restrict unrelated users from downloading data directly to their local machines by using MaxCompute Tunnel.

    Diagnostics item: Data protection mode
    Diagnostics object: MaxCompute project
    Diagnostics method: This diagnostics item checks whether protection mode is set for some or all of the MaxCompute projects. For more information about the project data protection feature of MaxCompute, see Project data protection.
    Note: The data protection mechanism of MaxCompute projects allows you to control how data is allowed to flow out of a project.

    Diagnostics dimension: MaxCompute storage security enhancement

    Diagnostics item: Data storage encryption
    Diagnostics object: MaxCompute project
    Diagnostics method: This diagnostics item detects and lists the MaxCompute projects in which data storage encryption is disabled. To enable data storage encryption for an existing MaxCompute project, submit a ticket.
    Note: MaxCompute supports data storage encryption based on Key Management Service (KMS) and protects data at rest, which helps enterprises meet regulatory and security compliance requirements. For more information, see Data encryption.

    Diagnostics item: Data storage backup
    Diagnostics object: MaxCompute project
    Diagnostics method: This feature is enabled by default for MaxCompute projects. You can adjust the retention period or restore data as needed. For more information, see Backup and restoration.
    Note: The system automatically backs up historical versions of MaxCompute data and retains them for a period of time. During the retention period, you can quickly restore data to prevent data loss caused by accidental operations. For more information, see Backup and restoration.

    Diagnostics dimension: EMR fine data permission control

    Diagnostics item: EMR secure access mode
    Diagnostics object: DataWorks workspace
    Diagnostics method: This diagnostics item detects the workspaces that are associated with EMR clusters by using a mode other than the Security mode.
    Note: If an EMR cluster is associated with a DataWorks workspace by using the Security mode, data permissions are isolated among Alibaba Cloud accounts and RAM users. For more information about the Security mode, see Security mode.

  • Data transmission security diagnosis

    This category of diagnostics item improves the security of data transmission.

    Diagnostics dimension: Data source protection

    Diagnostics item: Data source access control
    Diagnostics object: DataWorks workspace data source
    Diagnostics method: This diagnostics item detects the workspaces in which access permissions are not set for the configured data sources. For more information about how to set access permissions for data sources, see Manage permissions on data sources.
    Note: DataWorks allows you to set access permissions on the configured data sources to prevent users with lower security levels from accessing data with higher security levels.

    Diagnostics item: Production and Development Data Source Isolation
    Diagnostics object: DataWorks workspace data source
    Diagnostics method: This diagnostics item detects the workspaces in standard mode in which a data source has the same configuration in the production and development environments.
    Note: In a workspace in standard mode, a data source can be configured differently for the production and development environments, which prevents production data from being exposed through the development environment. You can evaluate and modify the data sources. For more information, see Isolate a data source in the development and production environments.

    Diagnostics item: Data source access mode
    Diagnostics object: DataWorks workspace data source
    Diagnostics method: This diagnostics item detects the workspaces in which OSS data sources are accessed in AccessKey mode. You can modify these data sources. For more information, see Use the RAM role-based authorization mode to add a data source.
    Note: DataWorks supports RAM role-based access to OSS data sources. This mode is more secure than the traditional AccessKey mode because the data source configuration does not need to store a long-lived AccessKey pair, which prevents leaks of AccessKey pairs.

  • Standardized diagnosis of data production

    This category of diagnostics item improves the stability and security of the data output system.

    Diagnostics dimension: Reasonable planning of working space

    Diagnostics item: Use the "standard mode" workspace for data production
    Diagnostics object: DataWorks workspace mode
    Diagnostics method: This diagnostics item detects the workspaces in basic mode in the current region. You can upgrade a workspace from basic mode to standard mode as needed. Proceed with caution when you perform this operation. For more information, see Scenario: Upgrade a workspace from the basic mode to the standard mode.
    Note: A workspace in standard mode is more secure than a workspace in basic mode. For more information, see Differences between workspaces in basic mode and workspaces in standard mode.

    Diagnostics item: Computing Engine Production Development Environment Isolation
    Diagnostics object: DataWorks workspace compute engine
    Diagnostics method: This diagnostics item detects the workspaces in the current region in which an associated compute engine instance has the same configuration in the development and production environments.
    Note: In a workspace in standard mode, a compute engine instance can be configured differently for the production and development environments, which prevents production data from being exposed through the development environment.

    Diagnostics item: Reasonably specify the number of workspace administrators
    Diagnostics object: DataWorks workspace member management
    Diagnostics method: This diagnostics item detects the workspaces in which more than three workspace administrators are configured.
    Note: Too many administrators in a single workspace makes management disorderly. We recommend that you configure no more than three administrators for each workspace.

    Diagnostics item: Reasonable allocation of workspace member roles
    Diagnostics object: DataWorks workspace member management
    Diagnostics method: This diagnostics item detects the workspaces in the current region in which one member is assigned multiple roles. We recommend that you assign roles only after you understand the purpose of each role. For more information, see Permissions of built-in workspace-level roles.
    Note: In a single workspace, we recommend that each member be assigned a single, dedicated role, to prevent the unauthorized operations that become possible when one member holds multiple roles.

    Diagnostics item: Avoid frequent logons of sub-accounts as scheduled access identities
    Diagnostics object: DataWorks workspace management
    Diagnostics method: This diagnostics item detects the workspaces in the current region in which RAM users that serve as scheduling access identities logged on to DataWorks in the past three months.
    Note: To prevent unrelated users from viewing key compute engine data, we recommend that you prohibit logons by the RAM users that serve as the scheduling access identities of compute engines.

    Diagnostics dimension: Standardized data production

    Diagnostics item: Code review
    Diagnostics object: DataWorks workspace management
    Diagnostics method: This diagnostics item detects the workspaces in the current region in which the code review feature is disabled or the code review scope is not configured. You can configure these workspaces. For more information, see Code review.
    Note: DataWorks provides the code review feature. If you enable forcible code review, each committed node must be reviewed by the specified reviewer, and the node can be deployed only after the reviewer approves its code. For more information, see Code review.

    Diagnostics item: Reasonable Arrangement of Publish Personnel
    Diagnostics object: DataWorks workspace management
    Diagnostics method: This diagnostics item detects the tasks that were developed and deployed by the same person in the past 30 days.
    Note: In a workspace in standard mode, the person who deploys a task must be different from the person who developed it.

  • Platform security configuration diagnosis

    This category of diagnostics item improves overall data security.

    Diagnostics dimension: DataWorks operation behavior audit

    Diagnostics item: DataWorks operation behavior audit
    Diagnostics object: DataWorks workspace management
    Diagnostics method: This feature is enabled by default for DataWorks workspaces. After you activate ActionTrail, DataWorks operation logs are recorded and can be queried.
    Note: DataWorks supports operation auditing. You can audit user operations in DataWorks by using ActionTrail, with a delay of about 5 to 10 minutes before an operation becomes queryable. For more information, see Use ActionTrail to query behavior events.
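The following Python script is an added example and is not DataWorks code or part of the DataWorks documentation. It re-implements several of the workspace-level rules from the Data transmission security diagnosis and Standardized diagnosis of data production tables above as checks over a constructed workspace inventory, so that you can reproduce the same diagnosis offline against metadata exported from your own workspaces (for example, in a policy check that runs before a release). The data model, the role label "Workspace Administrator", the auth-mode labels "accesskey" and "ram_role", and the approximation of "three months" as 90 days are assumptions of the example; it calls no Alibaba Cloud API, and the sample workspace is constructed data.

```python
"""Added example (not DataWorks code): re-implements several workspace-level diagnostics
rules from the appendix as checks over exported metadata. The data model, role names and
auth-mode labels are assumptions of the example; the sample inventory is constructed."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import date, timedelta

ADMIN_ROLE = "Workspace Administrator"  # assumed label for the workspace administrator role
MAX_ADMINS = 3                          # "no more than three administrators"

Deployment = namedtuple("Deployment", "task developer deployer when")

@dataclass
class DataSource:
    name: str
    kind: str               # "oss", "mysql", ...
    auth_mode: str          # "accesskey" or "ram_role" (assumed labels)
    dev_config: dict        # connection settings used in the development environment
    prod_config: dict       # connection settings used in the production environment
    access_control: bool    # True if access permissions were set for this data source

@dataclass
class Workspace:
    name: str
    mode: str                                    # "basic" or "standard"
    members: dict = field(default_factory=dict)  # user -> set of role names
    scheduling_identities: set = field(default_factory=set)  # RAM users used as scheduling identities
    code_review_enabled: bool = False
    code_review_scope_configured: bool = False
    data_sources: list = field(default_factory=list)
    deployments: list = field(default_factory=list)
    logons: list = field(default_factory=list)   # (user, date) pairs of DataWorks console logons

def diagnose(ws: Workspace, today: date) -> list:
    """Return (diagnostics item, detail) pairs for every rule the workspace violates."""
    findings = []
    # Standardized diagnosis of data production
    if ws.mode != "standard":
        findings.append(("Use the standard mode workspace for data production",
                         f"{ws.name} is in {ws.mode} mode"))
    admins = sorted(u for u, roles in ws.members.items() if ADMIN_ROLE in roles)
    if len(admins) > MAX_ADMINS:
        findings.append(("Reasonably specify the number of workspace administrators",
                         f"{len(admins)} administrators: {', '.join(admins)}"))
    for user, roles in sorted(ws.members.items()):
        if len(roles) > 1:
            findings.append(("Reasonable allocation of workspace member roles",
                             f"{user} holds roles {sorted(roles)}"))
    since = today - timedelta(days=90)  # "past three months", approximated as 90 days
    for user, when in ws.logons:
        if user in ws.scheduling_identities and when >= since:
            findings.append(("Avoid frequent logons of sub-accounts as scheduled access identities",
                             f"scheduling identity {user} logged on {when}"))
    if not (ws.code_review_enabled and ws.code_review_scope_configured):
        findings.append(("Code review", "code review disabled or review scope not configured"))
    since = today - timedelta(days=30)
    for d in ws.deployments:
        if d.developer == d.deployer and d.when >= since:
            findings.append(("Reasonable Arrangement of Publish Personnel",
                             f"task {d.task} developed and deployed by {d.developer} on {d.when}"))
    # Data transmission security diagnosis
    for ds in ws.data_sources:
        if not ds.access_control:
            findings.append(("Data source access control", f"{ds.name} has no access permissions set"))
        if ws.mode == "standard" and ds.dev_config == ds.prod_config:  # rule applies to standard mode only
            findings.append(("Production and Development Data Source Isolation",
                             f"{ds.name} uses the same configuration in development and production"))
        if ds.kind == "oss" and ds.auth_mode == "accesskey":
            findings.append(("Data source access mode", f"OSS data source {ds.name} uses AccessKey mode"))
    return findings

DEMO_DATE = date(2023, 8, 16)  # fixed "today" so the example is reproducible

def sample_workspace() -> Workspace:
    """Constructed inventory for the demonstration; not real DataWorks data."""
    d = DEMO_DATE
    return Workspace(
        name="demo_ws", mode="standard",
        members={"alice": {ADMIN_ROLE, "Developer"},  # one member, two roles
                 "bob": {ADMIN_ROLE}, "carol": {ADMIN_ROLE},
                 "dave": {ADMIN_ROLE},                # fourth administrator
                 "eve": {"Deployer"}},
        scheduling_identities={"ram_sched"},
        code_review_enabled=True, code_review_scope_configured=False,
        data_sources=[
            DataSource("oss_logs", "oss", "accesskey", {"bucket": "logs"}, {"bucket": "logs"}, False),
            DataSource("mysql_orders", "mysql", "accesskey", {"host": "db-dev"}, {"host": "db-prod"}, True)],
        deployments=[Deployment("etl_daily", "alice", "alice", d - timedelta(days=5)),
                     Deployment("etl_old", "alice", "alice", d - timedelta(days=60)),  # outside 30-day window
                     Deployment("etl_weekly", "bob", "eve", d - timedelta(days=2))],
        logons=[("ram_sched", d - timedelta(days=10)), ("alice", d - timedelta(days=1))])

if __name__ == "__main__":
    for item, detail in diagnose(sample_workspace(), DEMO_DATE):
        print(f"{item}: {detail}")
```

Running the script against the constructed workspace reports eight findings: four administrators, one member with two roles, a scheduling identity that logged on within the window, a code review scope that is not configured, a task developed and deployed by the same person within 30 days, and three findings for the OSS data source (no access control, identical development and production configuration, AccessKey mode). The deployment from 60 days ago is outside the 30-day window and is not reported, and the isolation rule is skipped when the workspace is in basic mode, matching the scope stated in the table. Risk levels are deliberately not assigned, because the page does not state which level each item carries.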