Platform security diagnostics - Data Governance| Alibaba Cloud Documentation Center

Background information

The Platform safety diagnosis page displays the security risks that are detected during business interactions between the current workspace and the associated compute engine instances based on the best practices for security risks. You can identify risk categories and levels based on the diagnosis, view risk details, and process the items to be optimized to ensure secure and reliable business interactions. Diagnostics items are classified into the following categories:

Data calculation and storage
This category of diagnostics item diagnoses security issues for features, such as data permission control, data storage encryption, and data storage backup, and identifies potential security risks at the earliest opportunity to improve security during data storage and access.
Data transmission security diagnosis
This category of diagnostics item diagnoses security issues for features, such as the access control of data sources and the isolation of data sources in the production and development environments. This category of diagnostics item also identifies security risks during data transmission so that you can manage these risks at the earliest opportunity. This ensures a secure and reliable environment for data transmission.
Standardized diagnosis of data production
This category of diagnostics item diagnoses security issues that are related to production processes, such as the rationality of the roles, number of administrators, and deployment persons within the current workspace, and allows you to identify and process security risks at the earliest opportunity. This category of diagnostics item improves the reliability and security of the data output system.
Platform security configuration diagnosis
This category of diagnostics item diagnoses security issues for features, such as the auditing of DataWorks operations, to improve the overall data security.

Diagnostics items to be optimized are classified into low-risk, medium-risk, and high-risk items. Specific diagnosis and suggestions are provided for each item to be optimized to ensure secure and reliable business interactions. For more information about the diagnostics rules for all diagnostics items from different dimensions, see Appendix: Details of diagnostics items. Platform security diagnostics

Go to the Platform safety diagnosis page

Log on to the DataWorks console.
In the left-side navigation pane, click Workspaces.
In the top navigation bar, select the region in which the workspace that you want to manage resides. Find the workspace and click Data Development in the Actions column.
On the DataStudio page, click the icon in the upper-left corner and choose All Products > Data governance > Security Center. The Data access control page appears.
In the left-side navigation pane, click Platform safety diagnosis to go to the Platform safety diagnosis page.
By default, the platform security diagnostics feature detects the diagnostics items to be optimized in the current region, quantifies the items, and labels the items as low-risk, medium-risk, and high-risk items.

View the diagnosis

On the Platform safety diagnosis page, the diagnostics items to be optimized are quantified by category. You can view the medium-risk and high-risk items in each category. You can also click a medium-risk or high-risk item to view the risk details and optimize the item based on the suggestions provided. The following figure shows you how to view the diagnostics items to be optimized in the Data transmission security diagnosis category.

View the diagnosis and suggestions for the access control of data sources, as shown in the following figure. Data source access control

Security risks
Access permissions are not configured for the data sources. This way, users with lower security levels can access data with higher security levels. This leads to insecure access to the data sources.
Suggestions
You can improve access security for the data sources by configuring access permissions for the data sources based on the provided suggestions.

Appendix: Details of diagnostics items

The following tables describe the diagnostics items supported by the platform security diagnostics feature.

Note The diagnostics items displayed on the page vary based on the compute engines associated with your workspace and the existing diagnostics items to be optimized.

Data calculation and storage

This category of diagnostics item improves security during data storage and access.


Diagnostics dimension	Diagnostics item	Diagnostics object	Diagnostics method
MaxCompute fine data permission control	MaxCompute column-level permission control Note The security model of MaxCompute V2.0 provides more fine-grained data permission management capabilities, more scientific mechanisms of decentralized project management, and more powerful end-to-end identification capabilities. The security model allows you to implement security configurations that are more suitable for actual scenarios.	MaxCompute project	Column-level permission control relies on the MaxCompute V2.0 permission model. This diagnostics item detects the MaxCompute projects in which the MaxCompute V2.0 permission model is disabled.
	Data download control Note To avoid unexpected data leaks, we recommend that irrelevant users be strictly restricted from downloading data directly to the local by using MaxCompute Tunnel.	MaxCompute project	Download permission control relies on the MaxCompute V2.0 permission model and the download permissions. This diagnostics item detects the MaxCompute projects in which the MaxCompute V2.0 permission model is disabled. In addition, this diagnostics item detects the MaxCompute projects in which the MaxCompute V2.0 permission model is enabled and download permission control is disabled. For more information about whether and how to enable download permission control, see Download control.
	Data protection mode Note The data protection mechanism of MaxCompute projects allows you to manage the data outflow method.	MaxCompute project	This diagnostics item checks whether you have set the protection mode for some or all of the MaxCompute projects. For more information about the project data protection feature of MaxCompute, see Project data protection.
MaxCompute storage security enhancement	Data storage encryption Note MaxCompute supports data storage encryption based on Key Management Service (KMS), and provides static data protection for enterprises to meet the regulation and security compliance requirements. For more information, see Data encryption.	MaxCompute project	This diagnostics item detects and lists the MaxCompute projects in which data storage encryption is disabled. To enable data storage encryption for an existing MaxCompute project, submit a ticket.
MaxCompute storage security enhancement	Data storage backup Note The system automatically backs up the historical versions of MaxCompute data and retains them for a certain period of time. During the retention period, you can quickly restore the data to prevent data loss due to accidental operations. For more information, see Backup and restoration.	MaxCompute project	By default, this feature is enabled for MaxCompute projects. You can adjust the retention period or restore data based on the actual situation. For more information, see Backup and restoration.
EMR fine data permission control	EMR secure access mode Note If an EMR cluster is associated with a DataWorks workspace by using the Security mode, data permissions are isolated among Alibaba Cloud accounts and RAM users. For more information about the Security mode, see Security mode.	DataWorks workspace	This diagnostics item detects the workspaces that are associated with EMR clusters by using a mode other than the Security mode.

Data transmission security diagnosis

This category of diagnostics item improves security prior to data transmission.


Diagnostics dimension	Diagnostics item	Diagnostics object	Diagnostics method
Data source protection	Data source access control Note DataWorks allows you to set access permissions for the configured data sources to prevent users with lower security levels from accessing data with higher security levels.	DataWorks workspace data source	This diagnostics item detects the workspaces in which access permissions are not set for the configured data sources. For more information about how to set access permissions for data sources, see Manage connection permissions.
	Production and Development Data Source Isolation Note In a workspace in standard mode, the configurations of a data source vary based on whether the data source is used in the production or development environment. This prevents data leaks from the development environment. You can evaluate and modify data sources. For more information, see Isolate connections between the development and production environments.	DataWorks workspace data source	This diagnostics item detects the workspaces in standard mode in which a data source has the same configurations in the production and development environments.
	Data source access mode Note DataWorks supports role-based access to OSS data sources. This mode is more secure than the traditional AccessKey mode and can effectively prevent leaks of AccessKey pairs.	DataWorks workspace data source	This diagnostics item detects the workspaces in which OSS data sources can be accessed in AccessKey mode. You can modify the data sources. For more information, see Use the RAM authorization mode to configure connections to data stores.

Standardized diagnosis of data production

This category of diagnostics item improves the stability and security of the data output system.


Diagnostics dimension	Diagnostics item	Diagnostics object	Diagnostics method
Reasonable planning of working space	Use the "standard mode" workspace for data production Note A workspace in standard mode is more secure than a workspace in basic mode. For more information, see Basic mode and standard mode.	DataWorks workspace mode	This diagnostics item detects the workspaces in basic mode in the current region. You can upgrade a workspace in basic mode to a workspace in standard mode based on the actual situation. Proceed with caution when you perform this operation. For more information, see Upgrade the workspace mode.
	Computing Engine Production Development Environment Isolation Note In a workspace in standard mode, the configurations of a compute engine instance vary based on whether the compute engine instance is used in the production or development environment. This prevents data leaks from the development environment.	DataWorks workspace compute engine	This diagnostics item detects the workspaces in which an associated compute engine instance has the same configurations in the development and production environments in the current region.
	Reasonably specify the number of workspace administrators Note In a single workspace, too many administrators may cause disordered management. We recommend that you set no more than three administrators for each workspace.	DataWorks workspace member management	This diagnostics item detects the workspaces in which more than three workspace administrators are set.
	Reasonable allocation of workspace member roles Note In a single workspace, we recommend that each member play a dedicated role to prevent unauthorized operations caused by one member playing multiple roles.	DataWorks workspace member management	This diagnostics item detects the workspaces in which one member plays multiple roles in the current region. We recommend that you configure roles after understanding the purpose of each role. For more information, see Permissions of built-in workspace-level roles .
	Avoid frequent logons of sub-accounts as scheduled access identities Note To prevent irrelevant users from viewing key compute engine data, we recommend that you prohibit logons as RAM users that are scheduling access identities of compute engines.	DataWorks workspace management	This diagnostics item detects the workspaces that allowed logons to DataWorks as RAM users that are scheduling access identities in the past three months in the current region.
Standardized data production	Code review Note DataWorks provides the code review feature. If you enable forcible code reviews, you must commit each node for the specified reviewer to review the code of the node. You can deploy the node only after the reviewer approves the code. For more information, see Code review.	DataWorks workspace management	This diagnostics item detects the workspaces in which the code review feature is disabled or the code review scope is not configured in the current region. You can configure the workspaces. For more information, see Code review.
Standardized data production	Reasonable Arrangement of Publish Personnel Note In a workspace in standard mode, the person who deploys a task must be distinguished from the task developer.	DataWorks workspace management	This diagnostics item detects the tasks that were developed and deployed by the same person in the past 30 days.

Platform security configuration diagnosis

This category of diagnostics item improves the overall data security.


Diagnostics dimension	Diagnostics item	Diagnostics object	Diagnostics method
DataWorks operation behavior audit	DataWorks operation behavior audit Note DataWorks supports the operation audit feature. You can audit user operations in DataWorks by using ActionTrail with a delay of about 5 to 10 minutes. For more information, see Use ActionTrail to query behavior events.	DataWorks workspace management	By default, this feature is enabled for DataWorks workspaces. After you activate ActionTrail, you can record DataWorks operation logs.