Data warehouse MaxCompute

What is MaxCompute?

MaxCompute is a cloud-native, high-performance, enterprise-level data warehouse service delivered in a SaaS model. It is widely used to build modern enterprise data platforms and to support application scenarios such as BI analysis, data operations, user profiling and recommendation, and intelligent prediction. MaxCompute is built on Alibaba Cloud's large-scale computing and storage resources, and provides a fully managed online data warehouse service with a serverless architecture. MaxCompute supports a variety of classic computing models (batch processing, machine learning, interactive analysis, etc.) and comprehensive enterprise management functions. With MaxCompute, users can easily integrate and manage enterprise data assets, simplify the data platform architecture, and accelerate value realization.

MaxCompute enterprise-level security capabilities

· Fine-grained authorization
· Data encryption (BYOK)
· Data desensitization (data umbrella)
· Continuous backup and recovery
· Cross-region disaster recovery backup
· Real-time audit logs

MaxCompute products integrate many data security capabilities, which can be divided into the following three levels:

1. Basic security and trusted platform: ensures the physical security and network security of the data center, mainly including the construction of data center security facilities, data center security management and control, and data center network security.
2. Data security of the big data platform: from the perspective of the data life cycle, mainly provides subsystems such as classification and grading, transmission encryption, storage encryption, backup and recovery, sandbox isolation, data desensitization, fine-grained permissions, and client restrictions, which provide the platform capability base for upper-layer security applications or tools.
3. Data application security: provides users with a security center, data protection umbrella, and data map, optimizes the user experience, and helps users better deal with various data risks.

In big data security management, there are mainly the following data security risks:

1. Data misuse
2. Data breach
3. Data loss

Next, we will focus on using the functions of MaxCompute to address these data risks.

How to deal with data misuse

To deal with data misuse, the most important response is to minimize the authorization of data use and strictly limit the scope of data access and use.

Best Practices for Rights Management:

• Data classification management: Classify and grade data based on MaxCompute's LabelSecurity.
• Authorization approval process: Minimize authorization based on MaxCompute's column-level permission management and control capabilities.
• Regular audit: Analyze the application, approval and usage of permissions, so that there is approval beforehand and audit afterward.
• Timely cleanup: Clean up expired permissions promptly to reduce data risks.

Relying on the fine-grained permission system of MaxCompute and using visualization tools such as Dataworks, we can implement the best practice of minimizing authorization and deal with the risk of data misuse. Currently, all users on the public cloud have enabled the data access control permission system. In particular, financial industry customers such as banks have also enabled data label classification management strategies.

MaxCompute's fine-grained permission system provides refined permission management capabilities

MaxCompute supports different authorization mechanisms to authorize users or roles, including:

• Discretionary Access Control (DAC): ACL
• Mandatory Access Control (MAC): LabelSecurity (label security policy)
• Role-Based Access Control (RBAC): role management

How to deal with data breaches

Data breaches may occur at different stages of the data life cycle, such as data transmission, data storage, data processing, and data exchange. Therefore, we cover the best practices for dealing with data breaches stage by stage across the data life cycle.

1. Dealing with the risk of data leakage during data storage - use the data encryption (storage encryption) function

MaxCompute has a storage encryption function and supports disk encryption of user data:

• MaxCompute integrates with the key management system KMS to ensure the security of keys, and supports service keys and user-selected keys (BYOK).
• Supported encryption algorithms: AES256, national cryptographic algorithms, etc.
• After the data is encrypted, encryption is transparent to the user, and the various types of tasks do not require additional changes.

For example, one of the world's largest diversified entertainment companies has enabled MaxCompute's storage encryption, as well as function modules for automatic scanning and identification of sensitive data, when data is uploaded to the cloud.

2. Dealing with the risk of data leakage during data processing - MaxCompute security isolation capability

During data processing, dealing with the risk of data leakage depends mainly on the security isolation capability of the big data platform. MaxCompute provides an independent isolation environment for executing data processing applications. It supports complete UDF types, Java and Python UDFs, and open source third-party computing engines such as Spark, Flink, and Tensorflow, providing diversified data processing capabilities.

3. Dealing with the risk of data leakage in the process of data exchange (sharing) - MaxCompute data isolation and permission system

In the process of data exchange or data sharing, a complete data isolation capability and rights management system are required to ensure data security and prevent data leakage. MaxCompute provides data isolation and permission management mechanisms at different levels and dimensions to support multi-level data protection and data sharing scenarios.

4. Sensitive data protection in the data lifecycle

An important topic in addressing data breach risk is sensitive data protection, and the risk response practices described above for storage, processing, and exchange apply equally to sensitive data protection. In addition, there are some best practices for the specific scenario of sensitive data protection. In the financial industry in particular, domestic banks, insurance, securities, fund and other companies have especially high requirements for data security and leakage prevention, and as laws and regulations improve, many Internet companies are strengthening the protection of private data.

Data desensitization: Building on desensitization implementations and applications from the security industry, sensitive data is desensitized when it is output from different clients. Desensitization can also be used in combination with data classification and grading, with different desensitization implementations applied to data of different classifications and grades.

For example, the largest Internet-focused insurance company in China uses the data desensitization function of MaxCompute to prevent data leakage.

How to deal with data loss

In addition to malicious data leakage, data misuse and other risks, various misoperations in the data development process, occasional equipment or computer room failures, and even rare disasters and accidents can all cause data loss. The best practices to deal with the risk of data loss mainly include backup and recovery, and disaster recovery capabilities.

1. MaxCompute backup and recovery

MaxCompute has continuous backup and recovery capabilities. The system automatically backs up historical versions of data (such as data before deletion or modification) and retains them for a certain period of time. You can quickly restore data within the retention period to avoid data loss due to misoperations.

2. MaxCompute remote disaster recovery

The remote disaster recovery capability of MaxCompute protects data in extreme scenarios such as equipment room failures or unexpected disasters. After a backup cluster is specified as the backup location for the MaxCompute project, MaxCompute automatically replicates the data between the main cluster and the backup cluster, so that the data in the main cluster and the backup cluster is consistent, and remote data disaster recovery is realized. When a fault occurs, the MaxCompute project is switched from the primary cluster to the backup cluster, and the computing resources of the backup cluster are then used to access the data of the backup cluster to complete service switching and recovery.

Summary

As a cloud data warehouse, MaxCompute has leading security capabilities, and has passed a number of international, European and domestic security compliance certifications, such as the international mainstream ISO series, SOC1/2/3 and PCI certifications, the European mainstream certification C5, and the domestic mainstream certification Security Level Protection 2.0. In addition to the points above for protecting your data, you can use MaxCompute's native Information Schema capability to audit each user's data processing; you can also use ActionTrail's real-time event risk management platform to monitor and alert on each user's data operations or to audit them after the event. Data security not only requires well-developed tool capabilities, but also requires a sound organizational structure to support it, so that people from different departments such as data labeling management, data usage, and data auditing can work together to prevent data security incidents.
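
The rights-management practices under "How to deal with data misuse" (ACL plus LabelSecurity, time-limited approval, timely cleanup) can be reasoned about with a small model. This is an added example, not MaxCompute code or its API: a simplified Python model that assumes a read needs an ACL permission on the table and, for every column, either a user level at or above the column's level or an unexpired explicit approval. All class, user, table and column names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class LabelGrant:
    """Explicit, time-limited approval to read columns above the user's level."""
    user: str
    table: str
    columns: frozenset
    level: int
    expires: date

@dataclass
class Policy:
    acl_select: set      # DAC: (user, table) pairs allowed to SELECT
    user_label: dict     # MAC: user -> clearance level
    column_label: dict   # MAC: (table, column) -> sensitivity, default 0
    label_grants: list = field(default_factory=list)

    def can_read(self, user, table, columns, today):
        if (user, table) not in self.acl_select:
            return False, "no ACL SELECT on table"
        clearance = self.user_label.get(user, 0)
        for col in columns:
            need = self.column_label.get((table, col), 0)
            if need <= clearance:
                continue  # column is at or below the user's level
            approved = any(
                g.user == user and g.table == table and col in g.columns
                and g.level >= need and g.expires >= today
                for g in self.label_grants)
            if not approved:
                return False, f"{col} is level {need}, user is level {clearance}"
        return True, "ok"

    def clear_expired(self, today):
        """Timely cleanup: drop expired approvals, return them for the audit."""
        expired = [g for g in self.label_grants if g.expires < today]
        self.label_grants = [g for g in self.label_grants if g.expires >= today]
        return expired

# Constructed sample policy (all names, levels and dates are made up).
POLICY = Policy(
    acl_select={("alice", "customers"), ("bob", "customers")},
    user_label={"alice": 1, "bob": 3},
    column_label={("customers", "id_number"): 3, ("customers", "city"): 1},
    label_grants=[LabelGrant("alice", "customers", frozenset({"id_number"}),
                             3, date(2024, 1, 31))],
)
```

In the sample policy, alice can read `id_number` only while her approval is valid; after it expires the same query is denied even though her ACL permission is unchanged, and `clear_expired` returns the stale approval for the audit record.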
