The platform security diagnostics feature of DataWorks provides security capabilities for features such as identity authentication, access control, and development mode during the interactions between the current DataWorks workspace and the associated compute engine instances, including data transmission, storage, and computing. The feature also provides best practices for security diagnostics. It helps you identify the security risks of your platform at the earliest opportunity and build a basic security system before you perform related transactions.

Background information

The Platform safety diagnosis page displays the security risks that are detected during business interactions between the current workspace and the associated compute engine instances based on the best practices for security risks. You can identify risk categories and levels based on the diagnosis, view risk details, and process the items to be optimized to ensure secure and reliable business interactions. Diagnostics items are classified into the following categories:
  • Data calculation and storage

    This category of diagnostics item diagnoses security issues for features, such as data permission control, data storage encryption, and data storage backup, and identifies potential security risks at the earliest opportunity to improve security during data storage and access.

  • Data transmission security diagnosis

    This category of diagnostics item diagnoses security issues for features, such as the access control of data sources and the isolation of data sources in the production and development environments. This category of diagnostics item also identifies security risks during data transmission so that you can manage these risks at the earliest opportunity. This ensures a secure and reliable environment for data transmission.

  • Standardized diagnosis of data production

    This category of diagnostics item diagnoses security issues that are related to production processes, such as whether the roles, the number of administrators, and the deployment personnel within the current workspace are reasonable, and allows you to identify and process security risks at the earliest opportunity. This category of diagnostics item improves the reliability and security of the data output system.

  • Platform security configuration diagnosis

    This category of diagnostics item diagnoses security issues for features, such as the auditing of DataWorks operations, to improve the overall data security.

Diagnostics items to be optimized are classified into low-risk, medium-risk, and high-risk items. Specific diagnosis and suggestions are provided for each item to be optimized to ensure secure and reliable business interactions. For more information about the diagnostics rules for all diagnostics items from different dimensions, see Appendix: Details of diagnostics items.
[Figure: Platform security diagnostics]

Go to the Platform safety diagnosis page

  1. Log on to the DataWorks console.
  2. In the left-side navigation pane, click Workspaces.
  3. In the top navigation bar, select the region in which the workspace that you want to manage resides. Find the workspace and click Data Development in the Actions column.
  4. On the DataStudio page, click the icon in the upper-left corner and choose All Products > Data governance > Security Center. The Data access control page appears.
  5. In the left-side navigation pane, click Platform safety diagnosis to go to the Platform safety diagnosis page.
    By default, the platform security diagnostics feature detects the diagnostics items to be optimized in the current region, quantifies the items, and labels the items as low-risk, medium-risk, and high-risk items.
    [Figure: Platform safety diagnosis page]

View the diagnosis

On the Platform safety diagnosis page, the diagnostics items to be optimized are quantified by category. You can view the medium-risk and high-risk items in each category. You can also click a medium-risk or high-risk item to view the risk details and optimize the item based on the suggestions provided. The following figure shows you how to view the diagnostics items to be optimized in the Data transmission security diagnosis category.
[Figure: Diagnostics items to be optimized]
View the diagnosis and suggestions for the access control of data sources, as shown in the following figure.
[Figure: Data source access control]
  • Security risks

    Access permissions are not configured for the data sources. As a result, users with lower security levels can access data with higher security levels. This leads to insecure access to the data sources.

  • Suggestions

    You can improve access security for the data sources by configuring access permissions for the data sources based on the provided suggestions.

Appendix: Details of diagnostics items

The following tables describe the diagnostics items supported by the platform security diagnostics feature.
Note: The diagnostics items displayed on the page vary based on the compute engines associated with your workspace and the existing diagnostics items to be optimized.
  • Data calculation and storage
    This category of diagnostics item improves security during data storage and access.
    Diagnostics dimension: MaxCompute fine data permission control

      Diagnostics item: MaxCompute column-level permission control
      Note: The security model of MaxCompute V2.0 provides more fine-grained data permission management capabilities, more scientific mechanisms of decentralized project management, and more powerful end-to-end identification capabilities. The security model allows you to implement security configurations that are more suitable for actual scenarios.
      Diagnostics object: MaxCompute project
      Diagnostics method: Column-level permission control relies on the MaxCompute V2.0 permission model. This diagnostics item detects the MaxCompute projects in which the MaxCompute V2.0 permission model is disabled.

      Diagnostics item: Data download control
      Note: To avoid unexpected data leaks, we recommend that irrelevant users be strictly restricted from downloading data directly to a local machine by using MaxCompute Tunnel.
      Diagnostics object: MaxCompute project
      Diagnostics method: Download permission control relies on the MaxCompute V2.0 permission model and the download permissions. This diagnostics item detects the MaxCompute projects in which the MaxCompute V2.0 permission model is disabled. In addition, this diagnostics item detects the MaxCompute projects in which the MaxCompute V2.0 permission model is enabled and download permission control is disabled. For more information about whether and how to enable download permission control, see Download control.

      Diagnostics item: Data protection mode
      Note: The data protection mechanism of MaxCompute projects allows you to manage the data outflow method.
      Diagnostics object: MaxCompute project
      Diagnostics method: This diagnostics item checks whether you have set the protection mode for some or all of the MaxCompute projects. For more information about the project data protection feature of MaxCompute, see Project data protection.

    Diagnostics dimension: MaxCompute storage security enhancement

      Diagnostics item: Data storage encryption
      Note: MaxCompute supports data storage encryption based on Key Management Service (KMS), and provides static data protection for enterprises to meet regulatory and security compliance requirements. For more information, see Data encryption.
      Diagnostics object: MaxCompute project
      Diagnostics method: This diagnostics item detects and lists the MaxCompute projects in which data storage encryption is disabled. To enable data storage encryption for an existing MaxCompute project, submit a ticket.

      Diagnostics item: Data storage backup
      Note: The system automatically backs up the historical versions of MaxCompute data and retains them for a certain period of time. During the retention period, you can quickly restore the data to prevent data loss due to accidental operations. For more information, see Backup and restoration.
      Diagnostics object: MaxCompute project
      Diagnostics method: By default, this feature is enabled for MaxCompute projects. You can adjust the retention period or restore data based on the actual situation. For more information, see Backup and restoration.

    Diagnostics dimension: EMR fine data permission control

      Diagnostics item: EMR secure access mode
      Note: If an EMR cluster is associated with a DataWorks workspace by using the Security mode, data permissions are isolated among Alibaba Cloud accounts and RAM users. For more information about the Security mode, see Security mode.
      Diagnostics object: DataWorks workspace
      Diagnostics method: This diagnostics item detects the workspaces that are associated with EMR clusters by using a mode other than the Security mode.
  • Data transmission security diagnosis
    This category of diagnostics item improves security prior to data transmission.
    Diagnostics dimension: Data source protection

      Diagnostics item: Data source access control
      Note: DataWorks allows you to set access permissions for the configured data sources to prevent users with lower security levels from accessing data with higher security levels.
      Diagnostics object: DataWorks workspace data source
      Diagnostics method: This diagnostics item detects the workspaces in which access permissions are not set for the configured data sources. For more information about how to set access permissions for data sources, see Manage connection permissions.

      Diagnostics item: Production and Development Data Source Isolation
      Note: In a workspace in standard mode, the configurations of a data source vary based on whether the data source is used in the production or development environment. This prevents data leaks from the development environment. You can evaluate and modify data sources. For more information, see Isolate connections between the development and production environments.
      Diagnostics object: DataWorks workspace data source
      Diagnostics method: This diagnostics item detects the workspaces in standard mode in which a data source has the same configurations in the production and development environments.

      Diagnostics item: Data source access mode
      Note: DataWorks supports role-based access to OSS data sources. This mode is more secure than the traditional AccessKey mode and can effectively prevent leaks of AccessKey pairs.
      Diagnostics object: DataWorks workspace data source
      Diagnostics method: This diagnostics item detects the workspaces in which OSS data sources can be accessed in AccessKey mode. You can modify the data sources. For more information, see Use the RAM authorization mode to configure connections to data stores.
  • Standardized diagnosis of data production
    This category of diagnostics item improves the stability and security of the data output system.
    Diagnostics dimension: Reasonable planning of working space

      Diagnostics item: Use the "standard mode" workspace for data production
      Note: A workspace in standard mode is more secure than a workspace in basic mode. For more information, see Basic mode and standard mode.
      Diagnostics object: DataWorks workspace mode
      Diagnostics method: This diagnostics item detects the workspaces in basic mode in the current region. You can upgrade a workspace in basic mode to a workspace in standard mode based on the actual situation. Proceed with caution when you perform this operation. For more information, see Upgrade the workspace mode.

      Diagnostics item: Computing Engine Production Development Environment Isolation
      Note: In a workspace in standard mode, the configurations of a compute engine instance vary based on whether the compute engine instance is used in the production or development environment. This prevents data leaks from the development environment.
      Diagnostics object: DataWorks workspace compute engine
      Diagnostics method: This diagnostics item detects the workspaces in which an associated compute engine instance has the same configurations in the development and production environments in the current region.

      Diagnostics item: Reasonably specify the number of workspace administrators
      Note: In a single workspace, too many administrators may cause disordered management. We recommend that you set no more than three administrators for each workspace.
      Diagnostics object: DataWorks workspace member management
      Diagnostics method: This diagnostics item detects the workspaces in which more than three workspace administrators are set.

      Diagnostics item: Reasonable allocation of workspace member roles
      Note: In a single workspace, we recommend that each member play a dedicated role to prevent unauthorized operations caused by one member playing multiple roles.
      Diagnostics object: DataWorks workspace member management
      Diagnostics method: This diagnostics item detects the workspaces in which one member plays multiple roles in the current region. We recommend that you configure roles after understanding the purpose of each role. For more information, see Permissions of built-in workspace-level roles.

      Diagnostics item: Avoid frequent logons of sub-accounts as scheduled access identities
      Note: To prevent irrelevant users from viewing key compute engine data, we recommend that you prohibit logons as RAM users that are scheduling access identities of compute engines.
      Diagnostics object: DataWorks workspace management
      Diagnostics method: This diagnostics item detects the workspaces that allowed logons to DataWorks as RAM users that are scheduling access identities in the past three months in the current region.

    Diagnostics dimension: Standardized data production

      Diagnostics item: Code review
      Note: DataWorks provides the code review feature. If you enable forcible code reviews, you must commit each node for the specified reviewer to review the code of the node. You can deploy the node only after the reviewer approves the code. For more information, see Code review.
      Diagnostics object: DataWorks workspace management
      Diagnostics method: This diagnostics item detects the workspaces in which the code review feature is disabled or the code review scope is not configured in the current region. You can configure the workspaces. For more information, see Code review.

      Diagnostics item: Reasonable Arrangement of Publish Personnel
      Note: In a workspace in standard mode, the person who deploys a task must be distinguished from the task developer.
      Diagnostics object: DataWorks workspace management
      Diagnostics method: This diagnostics item detects the tasks that were developed and deployed by the same person in the past 30 days.
  • Platform security configuration diagnosis
    This category of diagnostics item improves the overall data security.
    Diagnostics dimension: DataWorks operation behavior audit

      Diagnostics item: DataWorks operation behavior audit
      Note: DataWorks supports the operation audit feature. You can audit user operations in DataWorks by using ActionTrail with a delay of about 5 to 10 minutes. For more information, see Use ActionTrail to query behavior events.
      Diagnostics object: DataWorks workspace management
      Diagnostics method: By default, this feature is enabled for DataWorks workspaces. After you activate ActionTrail, you can record DataWorks operation logs.
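
Three of the rules listed under "Standardized diagnosis of data production" (more than three administrators, one member playing multiple roles, and tasks developed and deployed by the same person in the past 30 days) can be checked offline against an exported member and deployment list. The following Python code is an added example, not DataWorks code; the record layout, role labels, and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

MAX_ADMINS = 3            # page: no more than three administrators per workspace
DEPLOY_WINDOW_DAYS = 30   # page: developed and deployed by the same person in the past 30 days
ADMIN = "admin"           # hypothetical role label, not a DataWorks role identifier

# Constructed sample export: (workspace, member, role)
MEMBERS = [
    ("ws_sales", "alice", ADMIN), ("ws_sales", "bob", ADMIN),
    ("ws_sales", "carol", ADMIN), ("ws_sales", "dave", ADMIN),
    ("ws_sales", "dave", "developer"), ("ws_sales", "erin", "deployer"),
    ("ws_ops", "frank", ADMIN), ("ws_ops", "grace", "developer"),
]
# Constructed sample export: (workspace, task, developer, deployer, deploy date)
DEPLOYMENTS = [
    ("ws_sales", "task_a", "dave", "dave", date(2024, 5, 20)),   # same person, recent
    ("ws_sales", "task_b", "dave", "erin", date(2024, 5, 25)),   # separated duties
    ("ws_ops", "task_c", "grace", "grace", date(2024, 4, 1)),    # same person, too old
]

def too_many_admins(members):
    """Workspaces with more than MAX_ADMINS distinct administrators."""
    admins = defaultdict(set)
    for ws, user, role in members:
        if role == ADMIN:
            admins[ws].add(user)
    return {ws: sorted(u) for ws, u in admins.items() if len(u) > MAX_ADMINS}

def multi_role_members(members):
    """(workspace, member) pairs that hold more than one role."""
    roles = defaultdict(set)
    for ws, user, role in members:
        roles[(ws, user)].add(role)
    return {key: sorted(r) for key, r in roles.items() if len(r) > 1}

def self_deployed_tasks(deployments, today):
    """Tasks whose developer also deployed them within the look-back window."""
    cutoff = today - timedelta(days=DEPLOY_WINDOW_DAYS)
    return [(ws, task, dev) for ws, task, dev, dep, when in deployments
            if dev == dep and cutoff <= when <= today]

if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed date so the sample output is reproducible
    print("admins > 3:", too_many_admins(MEMBERS))
    print("multi-role:", multi_role_members(MEMBERS))
    print("self-deployed:", self_deployed_tasks(DEPLOYMENTS, today))
```
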