Data security monitoring and auditing covers the data operation plane: access behaviour on databases, on data storage (OSS), and the operations involved in data processing. It helps detect risks early and supports post-event audits. For cloud-based data security monitoring and auditing, the following dimensions need to be considered:
| Dimension of Security Monitoring | Monitoring Feature | Feature Description |
| --- | --- | --- |
| Abnormal Flow | Download of sensitive data from abnormal geolocations | Data download from abnormal geolocations may indicate that an external attacker has obtained account access permissions, resulting in data leakage. |
| Abnormal Flow | Download of sensitive data from abnormal terminals | Data download from abnormal terminals may indicate that an external attacker has obtained account access permissions, or that an employee is using a non-work terminal for data download. |
| Abnormal Flow | Download of sensitive data at abnormal times | Data download at abnormal times may indicate that an external attacker has obtained account access permissions, or that an employee is downloading data during non-working hours. |
| Abnormal Flow | First-time download of sensitive data | A first-time download of sensitive data may be caused by incorrect assignment of sensitive data download permissions, resulting in sensitive data leakage. |
| Abnormal Flow | Download of non-frequently-used sensitive tables | Downloading non-frequently-used sensitive tables may be caused by incorrect assignment of sensitive data download permissions, resulting in sensitive data leakage. |
| Abnormal Flow | Abnormal file download volume | An abnormal file download volume by an account may be caused by an external attacker obtaining account access permissions or by an employee maliciously backing up data. |
| Abnormal Flow | Download of sensitive documents from non-frequently-used buckets | Downloading sensitive data from non-frequently-used buckets may be caused by incorrect assignment of sensitive data download permissions, resulting in sensitive data leakage. |
| Abnormal Flow | Abnormal data download volume | An abnormal data download volume by an account may be caused by an external attacker obtaining account access permissions or by an employee maliciously backing up data. |
| Abnormal Flow | Download of non-frequently-used sensitive libraries (IP dimension) | Accessing non-frequently-used libraries from an IP address may be caused by an external attacker obtaining account access permissions, resulting in data leakage. |
| Abnormal Flow | Too many IP addresses downloading sensitive data | Downloading data from too many IP addresses may be caused by an external attacker obtaining account access permissions, resulting in data leakage. |
| Abnormal Flow | Abnormal frequency of data download | Downloading data at an unusually high frequency may be caused by an external attacker obtaining account access permissions, resulting in data leakage. |
| Abnormal Flow | Download of sensitive data from abnormal Referrers | Downloading data from abnormal Referrers may be caused by an external attacker obtaining account access permissions, resulting in data leakage. |
| Abnormal Behavior | Abnormal login times | Authentication records at abnormal times may be caused by an external attacker obtaining account access permissions or by an employee accessing data during non-working hours. |
| Abnormal Behavior | Abnormal login terminals | Authentication records from abnormal terminals may be caused by an external attacker obtaining account access permissions or by an employee accessing data from non-office terminals. |
| Abnormal Behavior | Abnormal login locations | Authentication records from abnormal geolocations may be caused by an external attacker obtaining account access permissions, resulting in potential data leakage. |
| Abnormal Behavior | Multiple attempts to access nonexistent files | Multiple attempts to access nonexistent files may indicate external attack attempts. |
| Abnormal Behavior | Multiple attempts to access files without permissions | Multiple attempts to access files without permissions may indicate external attack attempts. |
| Abnormal Behavior | Continuous login password errors | Multiple incorrect password attempts may indicate attackers probing for weak passwords. |
| Abnormal Behavior | Download of sensitive data from malicious sources (threat intelligence data) | Downloading sensitive data from malicious sources may indicate that attackers are attempting or have succeeded in an attack. |
| Configuration Abnormality | Misconfiguration - Sensitive project in MaxCompute not set for protection | If a project containing sensitive data is not labeled with the Protection attribute, the project cannot enforce data exfiltration protection. |
| Configuration Abnormality | Misconfiguration - Sensitive project in MaxCompute not set for label security | If a project containing sensitive data is not labeled with the Label Security attribute, access to sensitive data columns cannot be controlled. |
| Configuration Abnormality | Misconfiguration - OSS sensitive bucket set to public | If a bucket containing sensitive data is set to public, external parties can access the sensitive data through the API. |
| Configuration Abnormality | Misconfiguration - RDS whitelist IP set to public access | If an RDS instance IP whitelist contains 0.0.0.0/0, anyone can connect to the instance, leaving it susceptible to brute-force cracking of login passwords. |
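As an added example (not part of this document or of any cloud provider's product), the following Python sketch evaluates several of the Abnormal Flow and Abnormal Behavior features from the table over constructed audit events, comparing each account against a per-account baseline of usual geolocations and previously downloaded sensitive objects. The event field names, the baseline format and the thresholds (working hours, IP limit, failed-login limit) are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Baseline learned from history (constructed for this example): the geolocations an
# account normally downloads from and the sensitive objects it has downloaded before.
BASELINE = {
    "alice": {"geos": {"CN-HZ"}, "objects": {"hr/salaries.csv"}},
    "bob":   {"geos": {"CN-SH"}, "objects": set()},
}
# Constructed sample audit events (not real logs). "ok" is False for a failed login.
EVENTS = [
    {"account": "alice", "time": "2024-03-04T10:02:00", "ip": "10.0.0.5", "geo": "CN-HZ", "action": "GetObject", "object": "hr/salaries.csv", "sensitive": True, "ok": True},
    {"account": "alice", "time": "2024-03-04T23:40:00", "ip": "198.51.100.7", "geo": "US-NY", "action": "GetObject", "object": "hr/salaries.csv", "sensitive": True, "ok": True},
    {"account": "bob", "time": "2024-03-04T11:00:00", "ip": "10.0.1.2", "geo": "CN-SH", "action": "GetObject", "object": "fin/ledger.csv", "sensitive": True, "ok": True},
    {"account": "bob", "time": "2024-03-04T11:01:00", "ip": "10.0.1.3", "geo": "CN-SH", "action": "GetObject", "object": "fin/ledger.csv", "sensitive": True, "ok": True},
    {"account": "bob", "time": "2024-03-04T11:02:00", "ip": "10.0.1.4", "geo": "CN-SH", "action": "GetObject", "object": "fin/ledger.csv", "sensitive": True, "ok": True},
    {"account": "bob", "time": "2024-03-04T11:03:00", "ip": "10.0.1.5", "geo": "CN-SH", "action": "GetObject", "object": "fin/ledger.csv", "sensitive": True, "ok": True},
] + [  # six consecutive failed logins for one account
    {"account": "carol", "time": f"2024-03-04T12:00:{s:02d}", "ip": "203.0.113.9", "geo": "CN-BJ", "action": "Login", "object": "", "sensitive": False, "ok": False}
    for s in range(6)
]

def detect(events, baseline, work_hours=(8, 20), ip_limit=3, fail_limit=5):
    """Return a sorted list of (rule, account) alerts for the table's monitoring features."""
    alerts = set()
    ips = defaultdict(set)    # account -> distinct IPs that downloaded sensitive data
    fails = defaultdict(int)  # account -> consecutive failed logins (reset on success)
    for e in events:
        acct = e["account"]
        if e["action"] == "Login":
            fails[acct] = 0 if e["ok"] else fails[acct] + 1
            if fails[acct] >= fail_limit:
                alerts.add(("continuous_login_failures", acct))
            continue
        if not (e["sensitive"] and e["action"] == "GetObject" and e["ok"]):
            continue  # only successful downloads of sensitive data are scored here
        hour = datetime.fromisoformat(e["time"]).hour
        base = baseline.get(acct, {"geos": set(), "objects": set()})
        if e["geo"] not in base["geos"]:
            alerts.add(("sensitive_download_abnormal_geo", acct))
        if not work_hours[0] <= hour < work_hours[1]:
            alerts.add(("sensitive_download_abnormal_time", acct))
        if e["object"] not in base["objects"]:
            alerts.add(("first_time_sensitive_download", acct))
        ips[acct].add(e["ip"])
        if len(ips[acct]) > ip_limit:
            alerts.add(("too_many_ips_downloading_sensitive", acct))
    return sorted(alerts)
```

Running `detect(EVENTS, BASELINE)` flags alice for the off-hours download from an unseen geolocation, bob for a first-time sensitive download spread over four IP addresses, and carol for repeated password failures.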
Data operation auditing requires enabling the auditing service for each way in which data is stored. Audit logs must meet the security requirements of the relevant regulations, for example the requirement to retain audit logs for 180 days at the applicable protection level.