Security baseline check


Data Security Center (DSC) performs security baseline checks to detect configuration risks in your Alibaba Cloud data assets. These checks assess security settings for authentication, access control, encryption, data backup and recovery, and more. A collection of these policies and items is called a security baseline. This feature helps you continuously monitor your database assets for configuration risks. This topic describes the security baseline check feature and how to use it.

Prerequisites

  • You have activated a Data Security Center Free Edition instance or purchased a paid DSC instance. If you purchase value-added services only, you must enable data discovery to check for configuration risks.

    The Free Edition of Data Security Center supports a subset of check items, whereas paid editions support all features. For more information, see Activate Data Security Center Free Edition and Purchase Data Security Center.

  • You have completed asset authorization. For more information, see Asset authorization.

Security baseline checks

Based on GB/T 37988-2019, Information Security Technology - Data Security Capability Maturity Model, Data Security Center provides checks against the PIPL-based Security Baseline Check and Alibaba Cloud Data Security Best Practices baselines. For complex database environments and various data types, such as structured and unstructured data, DSC offers seven categories of check policies and their corresponding check items. The Policies tab on the Risk Governance > Configuration Risks page lists all check items. DSC provides overviews and detailed lists of risks categorized by type and level, along with remediation suggestions. We recommend that you promptly handle detected configuration risks to strengthen your data asset security and prevent exploitation by attackers.

Baselines

  • PIPL-based Security Baseline Check: Based on personal information protection regulations, this baseline provides full-lifecycle security risk detection for data assets that contain personal information.

    This baseline check is performed on database instances and OSS buckets that data discovery tasks have found to contain personal information or sensitive personal information.

  • Alibaba Cloud Data Security Best Practices: A detection baseline derived from Alibaba Cloud's data security best practices. It provides full-lifecycle security risk detection for data assets.

    This baseline check is performed on all authorized database instances and OSS buckets.

Supported policies

Policy

Description

Log auditing and monitoring

The entire data processing lifecycle must be logged and monitored to ensure all activities are auditable and traceable. Assets must have features such as log auditing or log storage enabled.

This policy checks whether features such as security log auditing and log storage are enabled for your databases.

Identity and permission management

Data access and usage must follow the principle of least privilege. The access permissions of relevant personnel should be clearly defined to prevent unauthorized access.

This policy checks whether database permissions are managed appropriately, for example, whether standard accounts are used for routine database logon operations.

Sensitive data protection

Implement strict access control for assets that store sensitive data to prevent data leaks.

This policy checks for data leakage risks such as public read/write access to databases, and whether access control is enabled for projects that contain sensitive data.

Note

This policy applies only to database instances and OSS buckets that data discovery tasks have found to contain personal information or sensitive personal information.

If data discovery is not performed on the database instances and OSS buckets, or if the scan results do not contain personal information or sensitive personal information, the check items under this policy pass by default.

Access control

Access sources for data should be restricted based on business needs to prevent public exposure of data assets.

This policy checks whether your databases are publicly exposed.

Data backup and recovery

A regular data backup and recovery mechanism must be established to manage data redundancy and protect data availability.

This policy checks whether the backup feature is enabled for your databases.

Data storage security

Security measures such as encryption must be used for data at rest to ensure confidentiality and integrity.

This policy checks whether encryption is enabled for your databases.

Data transmission encryption

Security measures such as encryption must be used for data transmission to ensure the security of data in transit.

This policy checks whether transport encryption is enabled for your databases.

Supported databases

Security baseline checks detect configuration risks in the following Alibaba Cloud databases that are connected to Data Security Center:

  • Relational database: RDS MySQL, RDS SQL Server, RDS PostgreSQL, RDS MariaDB, ApsaraDB for OceanBase in MySQL mode, ApsaraDB for OceanBase in Oracle mode, PolarDB-X 1.0, PolarDB for MySQL, PolarDB for PostgreSQL, PolarDB for Oracle

  • Non-relational database: MongoDB, Redis

  • Big data: TableStore, MaxCompute, AnalyticDB for MySQL, AnalyticDB for PostgreSQL

  • Unstructured database: OSS

Enable or disable check items

By default, Data Security Center (DSC) enables all check items in a check policy for risk detection. You can enable or disable specific check items based on your business requirements.

  1. Log on to the DSC console.

  2. In the navigation pane on the left, select Risk Governance > Configuration Risks.

  3. On the Policies tab, click the Alibaba Cloud Data Security Best Practices or PIPL-based Security Baseline Check tab to view the baseline check policies.

  4. In the policy list, toggle the switch in the Status column to enable or disable a specific check item.

    You can also enable or disable an entire check policy to manage all its check items in bulk.

Run checks

Last check time

On the Policies tab, click the Alibaba Cloud Data Security Best Practices or PIPL-based Security Baseline Check tab to view the Last Checked Time.

Automatic checks

Data Security Center (DSC) automatically performs a security baseline check on your connected data assets at approximately 01:00 (UTC+8) every day.

Manual checks

If you have connected new assets or changed database configurations, you can scan all assets immediately by using the Re-check feature. A re-check typically takes about 10 minutes to complete.

  1. In the navigation pane on the left, select Risk Governance > Configuration Risks.

  2. On the Risk Trends tab, click the Alerts tab. Find the target policy and click Details in the Actions column.

  3. On the Risk Situation or Assets tab, click Re-check to re-scan for risks on specific assets or for specific check items.

    The Risk Situation tab lists each check item with columns for Check item, Number of Risky Assets, Associated Assets, Status, and Actions. You can click Check in the Actions column to run a scan for a single check item.

Asset risk trends

Data Security Center combines results from security baseline checks and sensitive data detection to provide charts and statistics, including the security posture of data assets by sensitivity level, the security posture of personal data, risk governance progress, and sensitive data detection results, to give you a clear view of your asset security posture.

  1. In the navigation pane on the left, select Risk Governance > Configuration Risks.

  2. On the Risk Trends tab, select a security baseline type from the drop-down list on the right.

  3. On the Asset Risks tab, review the following information to understand the risk posture of your business assets:

    • Security posture of data assets by sensitivity level

      A bar chart that shows the number of assets with high, medium, and low risks, categorized by data sensitivity level.

    • Security posture of personal data

      A bar chart that shows the number of assets with high, medium, and low risks, categorized by whether they contain sensitive personal information, personal information, or general data.

    • Risk governance progress

      • The number in the Progress column shows the ratio of passed check items to the total number of applicable check items for an asset. For example, 2/3 indicates that an asset passed 2 out of 3 applicable check items. If Completed is displayed, the asset has passed all related checks.

      • The Risk Level indicates the highest risk level among the failed check items for an asset. If a failed check item corresponds to multiple risk levels, Data Security Center displays only the highest risk level.

Handle configuration risks

Data Security Center (DSC) provides multiple ways to view and handle configuration risks. The risk data is consistent across all views, allowing you to choose the most suitable method.

Important

We recommend that you promptly handle detected configuration risks to prevent data breaches or other security incidents caused by misconfigurations.

By asset

To review the check results for a specific asset, go to the Asset Risks tab, which is on the Risk Trends tab of the Risk Governance > Configuration Risks page. This view lists all supported database assets, their detailed check results, and provides options for remediation.

  1. In the navigation pane on the left, select Risk Governance > Configuration Risks.

  2. On the Risk Trends tab, click the Asset Risks tab to handle configuration risks.

    • Handle risks

      Data Security Center provides only remediation guidance. You must handle the risks yourself. Click Handle in the Actions column for a target data asset instance to view the failed check items and remediation steps.

      In the Risk Details area, you can click Handle to go to the corresponding page to resolve the risk.

      For example, the Risk Details area shows that the medium-risk item OSS-Enable hotlink protection for the bucket and the low-risk item OSS-Enable server-side encryption for the bucket have failed. The Re-check, Add to Whitelist, and Handle actions are available for each item. The remediation guidance is to go to the OSS console, select the target bucket, and click Data Security > Hotlink Protection to enable hotlink protection. Alternatively, click Data Security > Server-Side Encryption, click Settings, and select an appropriate encryption method.

  • Add an entire asset to the whitelist

    If a security engineer determines that a database asset does not require security baseline checks, you can click Add to Whitelist in the Actions column for the database instance. This action adds all check items for that asset to the whitelist. After the asset is added to the whitelist, its governance progress is updated to Completed.

  • Add a specific check item for an asset instance to the whitelist

    If a security engineer determines that a specific check item can be excluded for an asset, click Handle in the Actions column for the target database instance. In the Risk Remediation panel, click Add to Whitelist next to the target check item. The status of the check item changes to Added to Whitelist.
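The governance progress ratio and risk level described under Asset risk trends, together with the whitelist behaviour above, can be modelled to sanity-check what the Asset Risks tab shows. This is an added example, not DSC's own code or API; the check item names, their policy assignments and the rule that a whitelisted item is excluded from the applicable count are assumptions, and the sample asset is constructed.

```python
from dataclasses import dataclass, field

# Risk levels as the page uses them; a higher rank is more severe.
RISK_RANK = {"low": 1, "medium": 2, "high": 3}
SENSITIVE_POLICY = "Sensitive data protection"


@dataclass
class CheckResult:
    item: str          # check item name (assumed; some taken from the page's example)
    policy: str        # one of the seven policies (assignment is assumed)
    risk_level: str    # "low", "medium" or "high"
    passed: bool


@dataclass
class Asset:
    name: str
    contains_personal_info: bool            # result of the data discovery task
    results: list                           # one CheckResult per check item scanned
    whitelisted_items: set = field(default_factory=set)
    whitelisted: bool = False               # the whole asset was added to the whitelist


def evaluate(asset):
    """Return (progress, risk_level) as shown in the Asset Risks tab."""
    passed = applicable = 0
    worst = None
    for r in asset.results:
        # Assumption: a whitelisted item no longer counts as applicable.
        if asset.whitelisted or r.item in asset.whitelisted_items:
            continue
        applicable += 1
        # Sensitive data protection items pass by default when discovery found no personal information.
        ok = r.passed or (r.policy == SENSITIVE_POLICY and not asset.contains_personal_info)
        if ok:
            passed += 1
        elif worst is None or RISK_RANK[r.risk_level] > RISK_RANK[worst]:
            worst = r.risk_level          # keep only the highest failed level
    progress = "Completed" if passed == applicable else f"{passed}/{applicable}"
    return progress, worst


# Constructed sample: an OSS bucket that holds personal information, three check items.
BUCKET = Asset("oss-demo-bucket", True, [
    CheckResult("OSS-Enable log storage for the bucket", "Log auditing and monitoring", "medium", True),
    CheckResult("OSS-Enable hotlink protection for the bucket", "Access control", "medium", False),
    CheckResult("OSS-Enable server-side encryption for the bucket", "Data storage security", "low", False),
])

if __name__ == "__main__":
    print(evaluate(BUCKET))  # ('1/3', 'medium')
```

Whitelisting the hotlink item drops the remaining failed level to low and the ratio to 1/2; whitelisting the whole asset yields Completed, matching the behaviour described above.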

By policy

To review the check results for different policies, go to the Alerts tab, which is on the Risk Trends tab of the Risk Governance > Configuration Risks page. This view lists all policies. On a policy's details page, you can view its check items and the associated asset list.

  1. In the navigation pane on the left, select Risk Governance > Configuration Risks.

  2. On the Risk Trends tab, click the Alerts tab to view the policy list.

    • The Number of alarms indicates the number of assets that have failed check items.

    • Associate Asset refers to the total number of assets scanned by the check items. An asset is counted once for each check item that scans it.

  3. Click Details in the Actions column for the target policy.

  4. On the Details page, view the Risk Situation and Assets tabs.

    • The Risk Situation tab displays all check items within the policy and their details, including the number of at-risk assets, the number of associated assets, and the status of each check item. To re-scan a specific check item, click Check in the Actions column.

    • The Assets tab displays all assets covered by the check items in the policy. You can re-scan an asset for specific check items, add it to or remove it from the whitelist, or click Handle to go to the corresponding console to resolve the current risk.

By check item

To view the risks detected by a specific check item, go to the Policies tab under Risk Governance > Configuration Risks and perform the following steps.

  1. In the policy list, click the expand icon next to a target policy name to view the check items under it.

  2. Click Details or Configure Whitelist in the Actions column for a target check item to go to its details page. On this page, you can view the assets associated with the check item and perform corresponding actions.

    The following actions are supported:

    • If you confirm that a check result can be ignored for an asset, click Add to Whitelist in the Actions column for the target asset. This adds the asset to the whitelist for that check item.

    • Click Handle in the Actions column for the target asset to go to the corresponding console to resolve the current risk.

    • After you resolve the risk, you can click Verification in the Actions column for the target asset to verify the fix.