Security Features Overview
Singdata Lakehouse provides security capabilities across five layers — identity authentication, access control, network isolation, data protection, and backup & recovery — covering mainstream compliance scenarios from enterprise security baselines to Classified Protection Level 3 and industry-specific regulations.
Security Capability Landscape
| Security Layer | Core Capabilities | Problems Addressed |
|---|---|---|
| Identity Authentication | Multi-factor authentication (MFA), single sign-on (SSO) | Account takeover, password leaks |
| Access Control | RBAC role system, fine-grained GRANT/REVOKE | Excessive privileges, unauthorized access |
| Network Isolation | IP allowlist, Private Link, private storage BYOS | Public internet exposure, traffic egress |
| Data Protection | Dynamic data masking, AES-256 storage encryption | Sensitive column leaks, exposure of data at rest |
| Backup & Recovery | Time Travel, RESTORE TABLE, UNDROP | Accidental deletion or modification |
Typical Compliance Scenarios and Feature Combinations
Enterprise Internal Security Baseline
For teams just starting to build a data platform, prioritize the following three items:
- Establish a role system and use RBAC instead of direct grants for centralized permission management → Access Control
- Enable MFA on administrator accounts to prevent account compromise due to password leaks → Identity Authentication
- Configure an IP allowlist (network policy) to restrict access to corporate network segments → Network Policy
Classified Protection Level 3
Level 3 has explicit technical requirements across five control domains: identity verification, access control, security auditing, data confidentiality, and communication network security. The corresponding Lakehouse features are:
| Control Domain | Lakehouse Feature | Reference |
|---|---|---|
| Identity Verification (two-factor authentication) | MFA / SSO | Identity Authentication |
| Access Control (least privilege) | RBAC + GRANT/REVOKE | Access Control |
| Security Audit (operation records) | Job history query, operation logs | Security Compliance Audit Guide |
| Data Transmission Confidentiality | SSL/TLS (enabled by default) | — |
| Data Storage Confidentiality | AES-256 storage encryption | Storage Encryption |
| Communication Network Security | Private network connection (Private Link) | Private Network Connection Overview |
Finance, Healthcare, and Other Sensitive Industries
Scenarios handling personal information and transaction data require additional data protection measures on top of the baseline:
- Dynamic Data Masking: Controls the visibility of sensitive columns such as phone numbers, ID numbers, and amounts by role, without touching the original data → Dynamic Data Masking
- Storage Encryption (Custom KMS): Uses your own KMS key (ARN) so that key lifecycle is under your control; currently supports Alibaba Cloud and AWS → Storage Encryption
- Private Network Connection: All data traffic stays on the internal network, never traversing the public internet → Private Network Connection Overview
- Private Storage BYOS: Data is written to your own object storage bucket; Singdata Lakehouse holds no data copies → Private Storage BYOS
Data Disaster Recovery and Business Continuity
Scenarios that must meet RPO/RTO targets or guard against accidental operations:
- Time Travel: Retains 1 day of historical versions by default, configurable up to 90 days per table; supports querying historical snapshots at any point in time → Backup and Recovery
- RESTORE TABLE: Rolls back table data to a specified point in time to recover from accidental overwrites
- UNDROP TABLE: Recovers a table after an accidental DROP TABLE
Security Module Overview
Access Control
Supports both ACL (direct grants to users) and RBAC (grants to roles); RBAC is recommended. Assign privileges to roles, then grant roles to users; a permission change then means editing one role definition instead of every affected user. There is no superuser in the system; every operation requires an explicit grant, so anything that has not been granted is denied.
- Access Control Overview
- Configure Access Control
- Roles · Metadata Objects and Privilege Points
- Explanation of Permissions for Built-in Workspace-Level Roles
- User Authorization Getting Started Guide
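The following is an added illustration of the access-control model just described; it is a small Python model written for this page, not Singdata Lakehouse's own code or SQL (the product's GRANT/REVOKE syntax is in the references above). It makes two points concrete: a privilege granted to a role reaches every holder of the role, so one revocation on the role revokes it everywhere, whereas direct grants drift because each user must be edited separately; and resolution is deny-by-default, so an account that was never granted anything (even one named `admin`) can do nothing. The users, roles and object names are constructed for the example.

```python
"""Deny-by-default authorization: direct grants (ACL) versus RBAC.

Added example for the access-control overview; a conceptual model,
not Singdata Lakehouse code. Users, roles and objects are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

Privilege = tuple[str, str]  # (action, object), e.g. ("SELECT", "sales.orders")


@dataclass
class AuthzStore:
    direct: dict[str, set[Privilege]] = field(default_factory=dict)      # ACL: user -> privileges
    role_privs: dict[str, set[Privilege]] = field(default_factory=dict)  # RBAC: role -> privileges
    user_roles: dict[str, set[str]] = field(default_factory=dict)        # RBAC: user -> roles

    # --- direct (ACL-style) grants ---
    def grant_to_user(self, user: str, action: str, obj: str) -> None:
        self.direct.setdefault(user, set()).add((action, obj))

    def revoke_from_user(self, user: str, action: str, obj: str) -> None:
        self.direct.get(user, set()).discard((action, obj))

    # --- role-based grants ---
    def grant_to_role(self, role: str, action: str, obj: str) -> None:
        self.role_privs.setdefault(role, set()).add((action, obj))

    def revoke_from_role(self, role: str, action: str, obj: str) -> None:
        self.role_privs.get(role, set()).discard((action, obj))

    def grant_role(self, role: str, user: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, role: str, user: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    # --- resolution ---
    def effective(self, user: str) -> set[Privilege]:
        """Union of the user's direct grants and every held role's privileges."""
        privs = set(self.direct.get(user, ()))
        for role in self.user_roles.get(user, ()):
            privs |= self.role_privs.get(role, set())
        return privs

    def check(self, user: str, action: str, obj: str) -> bool:
        """Deny by default: unknown users and ungranted actions are refused."""
        return (action, obj) in self.effective(user)

    def who_can(self, action: str, obj: str) -> set[str]:
        """Inverse query for permission inventories: every user able to do this."""
        users = set(self.direct) | set(self.user_roles)
        return {u for u in users if self.check(u, action, obj)}


def acl_drift() -> tuple[bool, bool]:
    """Direct grants: revoking from one analyst leaves the other with a stale right."""
    s = AuthzStore()
    for u in ("alice", "bob"):
        s.grant_to_user(u, "SELECT", "sales.orders")
    s.revoke_from_user("alice", "SELECT", "sales.orders")  # bob was forgotten
    return s.check("alice", "SELECT", "sales.orders"), s.check("bob", "SELECT", "sales.orders")


def rbac_revocation() -> tuple[bool, bool]:
    """RBAC: one change to the role revokes the right for every holder."""
    s = AuthzStore()
    s.grant_to_role("analyst", "SELECT", "sales.orders")
    for u in ("alice", "bob"):
        s.grant_role("analyst", u)
    s.revoke_from_role("analyst", "SELECT", "sales.orders")
    return s.check("alice", "SELECT", "sales.orders"), s.check("bob", "SELECT", "sales.orders")


def no_superuser() -> bool:
    """An account that was never granted anything gets nothing, whatever it is called."""
    s = AuthzStore()
    s.grant_to_role("analyst", "SELECT", "sales.orders")
    return s.check("admin", "SELECT", "sales.orders")


if __name__ == "__main__":
    print("ACL after partial revoke  (alice, bob):", acl_drift())        # (False, True)
    print("RBAC after role revoke    (alice, bob):", rbac_revocation())  # (False, False)
    print("Unprovisioned 'admin' can read:", no_superuser())             # False
```

`who_can` is the query a permission inventory needs: given an object and an action, list every account that can perform it, whether through a role or a leftover direct grant.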
Identity Authentication
- MFA: Bind a virtual MFA device (any TOTP-compatible authenticator app); a one-time code is required at login in addition to the password, so a leaked password alone is not enough to sign in
- SSO: Integrate with enterprise IdPs (such as Okta, Azure AD) so the enterprise manages account creation, deactivation, and permission lifecycle centrally
Reference: Identity Authentication · Bind a Virtual MFA Device · SSO Configuration
Network Isolation
Three methods can be layered as needed, with increasing protection depth:
| Method | Protection Scope | Applicable Scenario |
|---|---|---|
| Network Policy (IP allowlist) | Blocks access requests from unauthorized IPs | Restricting connections to corporate network segments |
| Private Network Connection (Private Link) | Access via cloud provider internal network; traffic stays within the VPC | Production environments that prohibit public internet access |
| Private Storage (BYOS) | Data written to your own object storage bucket | Data sovereignty requirements; data must not reside on third-party infrastructure |
- Private Network Connection Overview · Alibaba Cloud Private Network Connection Configuration
- Private Storage BYOS · Alibaba Cloud BYOS Configuration · Tencent Cloud BYOS Configuration
Dynamic Data Masking
A masking function is bound to a column. At query time the system dynamically rewrites the returned values based on the current user's identity or role, while the original data is always stored in full. Applicable to sensitive columns such as phone numbers, ID numbers, bank card numbers, and salary amounts. Masking policies can be bound at table creation time or added to or removed from existing table columns.
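The mechanism above, as an added Python model written for this page (not Singdata Lakehouse's masking implementation or its SQL syntax): a masking function is bound to a column, the bound function rewrites each returned value on the read path unless the caller holds an exempt role, policies can be attached to and detached from existing columns, and the stored rows are never touched. Policy names, roles and the customer rows are constructed for the example; the masking functions show typical shapes for phone numbers, ID numbers and amounts.

```python
"""Role-aware dynamic data masking applied at read time.

Added example for the dynamic data masking overview; a conceptual
model, not Singdata Lakehouse code. Policies, roles and rows are
constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any, Callable, Iterable

Masker = Callable[[Any], Any]


def mask_phone(v: Any) -> str:
    """Keep the first 3 and last 4 digits: 13812345678 -> 138****5678."""
    s = str(v)
    return s[:3] + "*" * (len(s) - 7) + s[-4:] if len(s) > 7 else "*" * len(s)


def mask_id_number(v: Any) -> str:
    """Reveal only the last 4 characters of an identity or card number."""
    s = str(v)
    return "*" * (len(s) - 4) + s[-4:] if len(s) > 4 else "*" * len(s)


def mask_amount(v: Any) -> str:
    """Replace an exact amount with a 10,000-wide bucket: 23500 -> '20000-29999'."""
    low = int(float(v) // 10_000) * 10_000
    return f"{low}-{low + 9_999}"


@dataclass(frozen=True)
class MaskingPolicy:
    name: str
    masker: Masker
    exempt_roles: frozenset[str]  # roles that see the original value

    def apply(self, value: Any, caller_roles: frozenset[str]) -> Any:
        if value is None or caller_roles & self.exempt_roles:
            return value
        return self.masker(value)


@dataclass
class Table:
    columns: list[str]
    rows: list[tuple]  # stored data; the read path never rewrites it
    policies: dict[str, MaskingPolicy] = field(default_factory=dict)

    def set_masking_policy(self, column: str, policy: MaskingPolicy) -> None:
        if column not in self.columns:
            raise KeyError(f"no such column: {column}")
        self.policies[column] = policy

    def unset_masking_policy(self, column: str) -> None:
        self.policies.pop(column, None)

    def select(self, caller_roles: Iterable[str], columns: list[str] | None = None) -> list[tuple]:
        """Read path: the bound policy is applied to each column as rows are returned."""
        cols = columns or self.columns
        roles = frozenset(caller_roles)
        out = []
        for row in self.rows:
            rec = dict(zip(self.columns, row))
            out.append(tuple(
                self.policies[c].apply(rec[c], roles) if c in self.policies else rec[c]
                for c in cols))
        return out


def build_sample_table() -> Table:
    """Constructed customer table with policies bound to its sensitive columns."""
    t = Table(
        columns=["name", "phone", "id_number", "salary"],
        rows=[("Alice", "13812345678", "110101199001011234", 23500.0),
              ("Bob", "13987654321", "310101198512120987", None)],
    )
    pii_exempt = frozenset({"compliance_officer"})
    t.set_masking_policy("phone", MaskingPolicy("phone_partial", mask_phone, pii_exempt))
    t.set_masking_policy("id_number", MaskingPolicy("id_last4", mask_id_number, pii_exempt))
    t.set_masking_policy("salary", MaskingPolicy("amount_bucket", mask_amount, pii_exempt | {"hr"}))
    return t


if __name__ == "__main__":
    t = build_sample_table()
    for role in ("analyst", "hr", "compliance_officer"):
        print(role, t.select({role}))
```

Note that NULLs pass through unmasked and that exemption is decided per policy, so HR sees exact salaries but still gets masked phone and ID numbers; only the compliance role sees every column in full.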
Storage Encryption
Enables AES-256 server-side encryption for the data of tables created in a workspace after the feature is enabled. Two key modes are supported:
- Managed Encryption: Uses managed keys from the cloud provider's object storage service; no additional configuration required
- Custom KMS Encryption: Uses your own KMS key (ARN); the key lifecycle is under your control. Currently supports Alibaba Cloud and AWS
Backup and Recovery
Data protection is provided through the Time Travel mechanism:
- Retains 1 day of historical versions by default; configurable up to 90 days per table
- Historical data snapshots at any point in time within the retention window can be queried
- RESTORE TABLE: rolls the table back to a specified point in time, overwriting the current data
- UNDROP TABLE: recovers a table after an accidental DROP TABLE
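The point-in-time semantics behind the three features above, as an added Python model written for this page (not Singdata Lakehouse's implementation or SQL syntax, which is in the Backup and Recovery reference): every write commits a new immutable version; reading "as of T" returns the newest version committed at or before T, and only for T inside the retention window; RESTORE overwrites the current data with that snapshot by committing it as a new version; a dropped table can be undropped until its retention window has passed. The timeline, retention and rows are constructed for the example.

```python
"""Point-in-time semantics behind Time Travel, RESTORE TABLE and UNDROP.

Added example for the backup and recovery overview; a conceptual model,
not Singdata Lakehouse code. Timestamps and rows are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Version:
    committed_at: datetime
    rows: tuple


@dataclass
class VersionedTable:
    retention: timedelta = timedelta(days=1)  # 1 day by default, configurable per table
    versions: list[Version] = field(default_factory=list)

    def write(self, rows, now: datetime) -> None:
        self.versions.append(Version(now, tuple(rows)))

    def current(self) -> tuple:
        return self.versions[-1].rows

    def as_of(self, ts: datetime, now: datetime) -> tuple:
        """Snapshot at ts: the newest version committed at or before ts."""
        if ts < now - self.retention:
            raise LookupError("point in time is outside the retention window")
        candidates = [v for v in self.versions if v.committed_at <= ts]
        if not candidates:
            raise LookupError("table did not exist at that point in time")
        return candidates[-1].rows

    def restore_to(self, ts: datetime, now: datetime) -> tuple:
        """RESTORE TABLE: the snapshot as of ts replaces the current data."""
        rows = self.as_of(ts, now)
        self.write(rows, now)
        return rows


@dataclass
class Catalog:
    tables: dict[str, VersionedTable] = field(default_factory=dict)
    dropped: dict[str, tuple[VersionedTable, datetime]] = field(default_factory=dict)

    def drop(self, name: str, now: datetime) -> None:
        self.dropped[name] = (self.tables.pop(name), now)

    def undrop(self, name: str, now: datetime) -> VersionedTable:
        """UNDROP TABLE: only while the dropped table's retention has not expired."""
        table, dropped_at = self.dropped[name]
        if now - dropped_at > table.retention:
            raise LookupError("retention expired; the table can no longer be recovered")
        del self.dropped[name]
        self.tables[name] = table
        return table


T0 = datetime(2024, 6, 1, 9, 0)  # constructed timeline start


def recovery_demo() -> dict:
    """Overwrite at 10:00, noticed at 11:00, rolled back to 09:30; DROP at 12:00, UNDROP at 13:00."""
    cat = Catalog()
    orders = VersionedTable()
    cat.tables["orders"] = orders
    orders.write([("o1", 100), ("o2", 250)], T0)
    orders.write([("o1", 0), ("o2", 0)], T0 + timedelta(hours=1))  # accidental overwrite
    now = T0 + timedelta(hours=2)
    snapshot = orders.as_of(T0 + timedelta(minutes=30), now)        # resolves to the 09:00 version
    orders.restore_to(T0 + timedelta(minutes=30), now)
    cat.drop("orders", now + timedelta(hours=1))
    cat.undrop("orders", now + timedelta(hours=2))
    return {"snapshot": snapshot, "current": cat.tables["orders"].current(),
            "versions": len(orders.versions)}


def expiry_demo() -> dict:
    """Two days on, the 1-day window has moved past 09:30 and past the drop."""
    t = VersionedTable()
    t.write([("o1", 100)], T0)
    t.write([("o1", 0)], T0 + timedelta(hours=1))
    later = T0 + timedelta(days=2)
    try:
        t.as_of(T0 + timedelta(minutes=30), later)
        readable = True
    except LookupError:
        readable = False
    cat = Catalog(tables={"orders": t})
    cat.drop("orders", later)
    try:
        cat.undrop("orders", later + timedelta(days=2))
        undropped = True
    except LookupError:
        undropped = False
    return {"old_point_readable": readable, "undropped": undropped}


if __name__ == "__main__":
    print(recovery_demo())
    print(expiry_demo())
```

Two consequences matter for RPO planning: a point in time resolves to the last version committed before it, not to an exact match, and once the retention window moves past a point, neither querying nor restoring to it is possible, so the window must be longer than the time it takes to notice an accidental operation.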
Related Documentation
- Security and Compliance — Navigate all security features by scenario
- Security Compliance Audit Guide
- Permission System Inventory Best Practices
