
Download controls

Foundry provides many ways to limit a user’s ability to download data. These controls should be used in conjunction with other security and data protection strategies.

Understand download controls

Foundry enables you to control user ability to download data in order to limit the unauthorized transfer or re-purposing of data. Since customers maintain responsibility over their data, who can access it, and how it is used as part of the shared security responsibility model, it is important to understand the benefits and limitations of download controls.

What is a download?

A download is an action a user can take in a platform to transfer data to their local machine. Typically, this involves selecting an Export or Download button within Foundry. For example, you can right-click on a dataset in a folder and choose Download as CSV in the Actions menu, download data with the Export board in Contour, and export objects to Excel or CSV in a Workshop application.

When is it helpful to restrict downloads?

Depending on your organization’s data governance requirements and policies, it might be helpful to limit which users can download certain data from Foundry. If users do not need to download data, limiting their ability to perform download actions can better uphold principles of least privilege and further guard against inadvertent data spills.

Why isn’t restricting downloads comprehensive?

Downloads are just one type of action a user can take to transfer data from the platform. Automated exports, calls to external systems, and webhooks are all methods of exporting data directly to another system, and they each have their own controls. It is worthwhile to note that copying to clipboard, taking a screenshot, or printing a browser page are other actions that could also be understood as data transfers out of the platform.

As such, restricting downloads alone will not protect against all forms of data transfer and repurposing. Download controls should always be coupled with other strategies, like implementing least-privilege access controls, ensuring data governance oversight, and monitoring audit logs.

Implement download controls

Foundry offers several capabilities to control and improve awareness around when downloads occur in the platform. While each feature has its limitations, when used in combination they provide a defense-in-depth approach that enables better control over download actions in Foundry.

  • Roles: Access controls are the first line of defense against unauthorized download actions. Users can be assigned the Discoverer role, which does not include the ability to perform download operations on a resource. Where users need more than Discoverer allows, you can create custom roles that remove download-related workflows while preserving other, more privileged operations on that resource. Learn more in the section below.
  • Checkpoints: When an authorized user performs a download, a checkpoint can remind them of organizational policies or restrictions on transferring data out of Foundry. Checkpoints can require an acknowledgement or a justification from the user before the download proceeds, which makes each download a deliberate action and reduces accidental downloads. Learn more in the section below.
  • Cipher: Obfuscating sensitive data is yet another method to improve data protection, as it can limit the data’s usefulness if inadvertently downloaded while in its encrypted form. Cipher enables users to perform this obfuscation at a granular level on entire datasets or dataset columns. This ensures that the data remains obfuscated by default throughout the pipelines and in the Ontology, unless decrypted by authorized users. Learn more in the section below.
  • Audit logs: Audit logs are a resource that enables organizations to retrospectively analyze when downloads may have occurred and whether they were properly authorized and justified. Learn more in the section below.

Grant users roles that limit download operations

Roles are collections of permissions that define specific workflows that users can perform in the platform. Of the default roles in Foundry, users with the Viewer, Editor, or Owner role on a resource are authorized to perform download actions on that resource. Only the Discoverer role lacks download operations; it is generally granted when a user should not be able to view or download the data.

In more advanced use cases, if users require additional privileges beyond the scope of the Discoverer role but are not authorized to download data, you can create a custom role based on an existing role to restrict specific operations that allow downloading data.

Limitation: Not all download actions in Foundry are governed by roles. For example, downloading SAML metadata is managed in Control Panel.

Use Checkpoints to remind users downloads are sensitive actions

Checkpoints require users to acknowledge or justify sensitive actions within Foundry and may be used to remind users of organizational policies before they take an action in the platform. To enable checkpoints for downloads, create a checkpoint configuration for all checkpoint types in the Download category. These checkpoint types typically include the word “Export” in their name (for example, Notepad Export).

Checkpoints can be set up to remind users of any organizational or governance policies regarding downloads. You can explicitly require users to acknowledge this policy or provide a justification for why a data download might be required. Enabling checkpoints for downloads helps ensure that downloads are intentional actions; it further lessens the risk of users inadvertently triggering a download action in the platform.

In addition, the Checkpoints application enables you to review submitted checkpoint records for download actions. This gives data governance users real-time information about download actions triggered across the platform.

Limitation: Not all download actions in Foundry are covered by a checkpoint.

Use Cipher to obfuscate data by default

Cipher enables you to obfuscate sensitive information by default, while still enabling its use in analytical or operational applications in Foundry. Obfuscating sensitive data by default can limit the repurposing of that data if accidentally downloaded, as downloaded Cipher-encrypted data will be saved in its encrypted form. Only users with the appropriate permissions on the algorithm keys are able to reveal Cipher-encrypted information within Foundry. Cipher uses standard encryption algorithms for obfuscation. Review the Cipher documentation for more information on algorithm selection to understand the benefits and limitations of each available algorithm.

Limitation: Not all downloadable information can be encrypted with Cipher. Only values in datasets and objects can be encrypted.

Review audit logs to understand where downloads occurred

Audit logs enable auditors to retrospectively understand what actions users have taken in Foundry. The dataExport audit category encompasses download actions in the platform. Review the monitoring audit logs documentation for more information on how to leverage these logs to monitor downloads and other related events from the platform.
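As an added example (not Foundry's own code, and not a real audit log or Checkpoints schema), the following Python filters constructed audit log lines to the dataExport category, counts downloads per user, and correlates each download with constructed checkpoint records to flag downloads that have no non-empty justification from the same user on the same resource shortly beforehand. The field names `timestamp`, `eventType`, `categories`, `userId`, `resourceRid` and `justification`, the event type names, and the five-minute correlation window are assumptions for illustration; verify them against the audit log export and Checkpoints record formats in your own enrollment before adapting this to real data.

```python
"""Correlate constructed dataExport audit events with constructed checkpoint
records to find downloads that were not justified.

All field names (timestamp, eventType, categories, userId, resourceRid,
justification) and event type names are ASSUMPTIONS made for this example;
check the real audit log and Checkpoints schemas before adapting it.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit log lines (newline-delimited JSON). Not real logs.
AUDIT_LINES = """\
{"timestamp": "2024-05-01T09:00:05Z", "eventType": "DatasetExport", "categories": ["dataExport"], "userId": "alice", "resourceRid": "ri.foundry.main.dataset.aaa"}
{"timestamp": "2024-05-01T09:15:00Z", "eventType": "ContourExport", "categories": ["dataExport"], "userId": "bob", "resourceRid": "ri.foundry.main.dataset.bbb"}
{"timestamp": "2024-05-01T09:20:00Z", "eventType": "DatasetRead", "categories": ["dataAccess"], "userId": "bob", "resourceRid": "ri.foundry.main.dataset.bbb"}
{"timestamp": "2024-05-01T10:00:00Z", "eventType": "WorkshopExport", "categories": ["dataExport"], "userId": "carol", "resourceRid": "ri.foundry.main.object.ccc"}
"""

# Constructed checkpoint records for the same period. Not real records.
# alice justified her download; carol acknowledged but left the justification empty;
# bob submitted nothing.
CHECKPOINT_RECORDS = [
    {"timestamp": "2024-05-01T09:00:00Z", "userId": "alice",
     "resourceRid": "ri.foundry.main.dataset.aaa", "justification": "Quarterly report"},
    {"timestamp": "2024-05-01T09:59:30Z", "userId": "carol",
     "resourceRid": "ri.foundry.main.object.ccc", "justification": ""},
]


def _parse_ts(value: str) -> datetime:
    # Timestamps are assumed ISO-8601 UTC; fromisoformat needs +00:00 rather than Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def download_events(audit_lines: str) -> list[dict]:
    """Return only the events whose categories include dataExport."""
    events = []
    for line in audit_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if "dataExport" in event.get("categories", []):
            events.append(event)
    return events


def downloads_by_user(audit_lines: str) -> dict[str, int]:
    """Count dataExport events per user, a quick view of who downloads most."""
    counts: dict[str, int] = {}
    for event in download_events(audit_lines):
        counts[event["userId"]] = counts.get(event["userId"], 0) + 1
    return counts


def unjustified_downloads(audit_lines: str, checkpoint_records: list[dict],
                          window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Flag dataExport events with no non-empty checkpoint justification from the
    same user on the same resource within `window` before the download."""
    flagged = []
    for event in download_events(audit_lines):
        when = _parse_ts(event["timestamp"])
        justified = any(
            rec["userId"] == event["userId"]
            and rec["resourceRid"] == event["resourceRid"]
            and rec["justification"].strip()
            and timedelta(0) <= when - _parse_ts(rec["timestamp"]) <= window
            for rec in checkpoint_records
        )
        if not justified:
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    print("downloads per user:", downloads_by_user(AUDIT_LINES))
    for event in unjustified_downloads(AUDIT_LINES, CHECKPOINT_RECORDS):
        print(f"{event['timestamp']} {event['userId']} {event['eventType']} "
              f"{event['resourceRid']} -> no justification found")
```

On the constructed input, the read event is ignored because it is not in the dataExport category, alice's download is matched to her justification, and bob's and carol's downloads are flagged: bob has no checkpoint record at all, and carol's record carries an empty justification, which is the case a review process most easily overlooks.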
