DataArts Studio Security Best Practices
Security is a responsibility shared between you and Huawei Cloud. Huawei Cloud ensures the security of cloud services for a secure cloud. As a tenant, you should utilize the security capabilities provided by cloud services to protect data and use the cloud securely. For details, see Shared Responsibilities.
This section provides actionable best practices for enhancing DataArts Studio security. It helps you evaluate the security status of DataArts Studio, use the security capabilities DataArts Studio provides to strengthen its protection, and prevent engine data from being disclosed or tampered with during data integration, data development, and data governance.
The suggestions cover the following dimensions. Evaluate how you use DataArts Studio and configure the security capabilities you need.
- Minimizing Permissions of IAM and Workspace Roles
- Controlling the Excessive Permissions of the Default Agency
- Enabling All-Round Data Security Protection
- Enabling Security Capabilities for Engines
Minimizing Permissions of IAM and Workspace Roles
Figure 1 shows the permission system of DataArts Studio. The IAM system roles of DataArts Studio include DAYU Administrator, DataArts Studio User, and DAYU User. The workspace roles are assigned based on the IAM role DAYU User or DataArts Studio User.
- The IAM user has more permissions on dependent services than required.
The DAYU Administrator and DAYU User system roles have the administrator permissions of dependent services, such as MRS and GaussDB(DWS). If either of the two system roles is assigned to a user, the user has the administrator permissions of dependent services.
- Permissions of other components in a workspace are not controlled.
Preset workspace roles (such as admin, developer, and operator) have operation permissions on all components in the workspace by default. If the developer role of the workspace is assigned to a user, the user can also operate components that the role does not need.
To prevent IAM users from having excessive permissions, you need to grant them the minimum permissions. For details, see Minimizing User Permissions.
Controlling the Excessive Permissions of the Default Agency
Cloud service agencies allow DataArts Studio to perform operations such as task scheduling and resource O&M on cloud services on behalf of tenants. In earlier versions, the dlg_agency automatically created by DataArts Studio has the administrator permissions of the following services by default: DLI, GaussDB(DWS), MRS, RDS, OBS, SMN, and KMS.
To prevent the dlg_agency from having excessive permissions, you need to grant it the minimum permissions. For details, see Minimizing Agency Permissions.
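The two least-privilege recommendations above (minimizing IAM user permissions and minimizing agency permissions) both come down to the same check: find grants that are administrator-level or that target services the workspace never uses. The following audit helper is an added example and is not Huawei Cloud or DataArts Studio code. It assumes the policy document shape used by Huawei Cloud IAM custom policies (a "Version": "1.1" document with a "Statement" list carrying "Effect" and "Action"), and the sample policy, the service names and the "services in use" list are constructed for illustration.

```python
"""Audit an agency policy for excess grants and narrow it to the services in use.

Added example, not Huawei Cloud code. Assumes the Huawei Cloud IAM custom
policy shape ("Version": "1.1", "Statement" with "Effect"/"Action"); the
policy content and the service list below are constructed sample data.
"""
import json
from typing import Iterable

# Services the page lists as having administrator grants on dlg_agency in
# earlier versions (service prefixes as used in action strings are assumed).
DEFAULT_AGENCY_ADMIN_SERVICES = {"dli", "dws", "mrs", "rds", "obs", "smn", "kms"}

# Constructed sample: an agency policy that still carries wide grants.
SAMPLE_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["obs:*:*", "dli:*:*", "kms:*:*", "smn:*:*"]},
        {"Effect": "Allow", "Action": ["dws:cluster:list", "mrs:cluster:list"]},
    ],
})


def service_of(action: str) -> str:
    """'obs:object:GetObject' -> 'obs'."""
    return action.split(":", 1)[0].lower()


def is_admin_grant(action: str) -> bool:
    """Treat a wildcard over both resource type and operation as administrator-level."""
    parts = action.split(":")
    return len(parts) >= 2 and all(p == "*" for p in parts[1:])


def _actions(stmt: dict) -> list:
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def audit_agency_policy(policy_json: str, services_in_use: Iterable[str]) -> dict:
    """Report admin-level grants and grants on services the workspace does not use."""
    policy = json.loads(policy_json)
    in_use = {s.lower() for s in services_in_use}
    admin_grants, unused_services = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _actions(stmt):
            if is_admin_grant(action):
                admin_grants.append(action)
            if service_of(action) not in in_use:
                unused_services.add(service_of(action))
    return {"admin_grants": sorted(admin_grants),
            "unused_services": sorted(unused_services)}


def narrow_policy(policy_json: str, services_in_use: Iterable[str]) -> str:
    """Return a policy with every action on an unused service removed.

    Admin wildcards on services that are in use are kept here; they are
    surfaced by audit_agency_policy so they can be replaced with the
    specific actions the workspace actually needs.
    """
    policy = json.loads(policy_json)
    in_use = {s.lower() for s in services_in_use}
    kept = []
    for stmt in policy.get("Statement", []):
        actions = [a for a in _actions(stmt) if service_of(a) in in_use]
        if actions:
            kept.append({**stmt, "Action": actions})
    return json.dumps({**policy, "Statement": kept})


if __name__ == "__main__":
    # A workspace that only integrates OBS files into DLI (constructed).
    findings = audit_agency_policy(SAMPLE_POLICY, ["obs", "dli"])
    print("admin-level grants:", findings["admin_grants"])
    print("grants on unused services:", findings["unused_services"])
    print("narrowed policy:", narrow_policy(SAMPLE_POLICY, ["obs", "dli"]))
```

Run the audit against the policy actually attached to the agency (or an IAM user) and the list of engines the workspace really connects to; every entry in `admin_grants` is a candidate for replacement with specific actions, and every entry in `unused_services` is a grant that can be dropped outright.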
Enabling All-Round Data Security Protection
The DataArts Security module of DataArts Studio helps you build an end-to-end data lake security solution and manage service resources to keep the data lake secure. For security purposes, you are advised to configure the following data security capabilities:
- Configure data access permissions based on roles, users, and user groups to ensure secure access to data. For details, see Controlling Data Access Using Permissions.
- Configure service resource access control. You can manage resources, such as queue permissions, data connections, and agencies, and control the permissions for accessing directories and downloading data of each module to prevent resources from being abused. For details, see Controlling Service Resource Access.
- Configure sensitive data identification policies. Sensitive data can be automatically discovered based on built-in or customized rules. Data security levels, classifications, and tags are supported. For details, see Sensitive Data Governance.
- Configure privacy data protection policies. Data masking, data watermarking, and file watermarking can be used to prevent sensitive data from being abused, leaked, or stolen intentionally or unintentionally. For details, see Sensitive Data Protection.
After configuring data security capabilities, you are advised to diagnose data security risks to ensure data security and reliability.
Enabling Security Capabilities for Engines
As a one-stop platform for data governance and data-AI convergence, DataArts Studio can ensure end-to-end data flow security based on its own security configuration together with the related security configuration of the engines it uses.
For details about how to perform security configurations on engines, see the corresponding engine documentation. The following are some common engines:
- DLI: DLI Security Best Practices
- GaussDB(DWS): GaussDB(DWS) Security Best Practices
- RDS for MySQL: RDS for MySQL Security Best Practices