How a Data Security Governance Platform Secures the Full Data Lifecycle
This article explains how a data security governance platform protects data across its entire lifecycle—from warehouse construction and collection to application—by implementing fine‑grained permission controls, encryption, masking, authentication, and comprehensive auditing, while addressing scalability, high availability, and regulatory compliance challenges.
Background Introduction
The data security platform aims to protect data across the full lifecycle, covering the data‑warehouse construction, data collection, and data‑application phases, with mechanisms for permission requests, encryption, masking, and user authentication.
Challenges of Data Security
Usability across 30+ systems requiring strong generality.
Fine‑grained control at resource, operation, and account levels.
High availability for authentication and authorization links.
Scalability to meet diverse business‑line requirements.
Data Security Construction Approach
Establish virtual organizations (data committee, security committee) and define data‑classification, permission, and privacy‑labeling standards. Adopt principles of safety and efficiency, with tiered approval processes and coordination mechanisms, following legal regulations and the principle of least privilege.
Platform Architecture
The platform uses a multi‑layer architecture: an application layer for user services; a core security layer consisting of plugin, interface, service, and storage layers; and a dependency layer providing external tenant and resource systems.
Key modules include the plugin layer for engine‑specific authentication, the interface layer offering HTTP/RPC APIs, the service layer for unified resource and account access, and the storage layer for caching and acceleration.
Key Technologies
Authentication System
The authentication system is designed to be lightweight, localized, and evolvable. It is based on a three‑step token exchange (client verification, token issuance, backend validation) and supports account types, token varieties, and downgrade mechanisms.
Permission Model
Combines RBAC, PBAC, and custom PRBAC models, defining subjects, resources (UIN), actions, and conditions (e.g., row‑level SQL WHERE clauses).
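The following is an added example, not the platform's own code: a minimal default‑deny evaluator for the subject/resource/action/condition model described above, where the condition is a row‑level WHERE predicate. The policy fields, the resource‑name format, the sample data, and the rule that multiple matching grants are OR‑combined are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Policy:
    subject: str                      # "user:<name>" or "role:<name>" (assumed format)
    resource: str                     # resource identifier; naming here is constructed
    action: str                       # e.g. "select"
    row_filter: Optional[str] = None  # admin-authored WHERE predicate; None = all rows

# Constructed sample data: role membership (RBAC) and policies with conditions.
ROLES = {"alice": {"analyst"}, "bob": {"analyst", "risk_admin"}}
POLICIES = [
    Policy("role:analyst", "hive:dw.orders", "select", "region = 'EU'"),
    Policy("role:risk_admin", "hive:dw.orders", "select"),
    Policy("user:alice", "hive:dw.orders", "select", "region = 'APAC'"),
]

def authorize(user: str, resource: str, action: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, row_filter). No matching policy means deny."""
    # A user acts as themselves plus every role they hold.
    subjects = {f"user:{user}"} | {f"role:{r}" for r in ROLES.get(user, ())}
    matched = [p for p in POLICIES
               if p.subject in subjects
               and p.resource == resource
               and p.action == action]
    if not matched:
        return False, None            # default deny (least privilege)
    if any(p.row_filter is None for p in matched):
        return True, None             # an unconditional grant covers all rows
    # Assumed semantics: several conditional grants widen access (OR).
    # Filters come from policy administrators, never from the requesting user.
    filters = list(dict.fromkeys(p.row_filter for p in matched))
    return True, " OR ".join(f"({f})" for f in filters)

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, authorize(who, "hive:dw.orders", "select"))
```

The returned predicate is meant to be applied by the engine‑side enforcement point, so the requesting user never supplies or edits it.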
Unified Authorization
Supports both application‑system and big‑data‑engine scenarios, offering plugin‑based or remote authorization modes.
Full‑Link Audit Logs
Collects and normalizes logs from production, application, Hive, HDFS, etc., integrating lineage information for real‑time risk alerts.
Governance Practice
Data Classification and Grading
Classifies data into C1‑C4 (general) and P1‑P4 (privacy) levels, applying stricter approval, encryption, and masking for higher sensitivity.
Data Engine Security
Addresses missing account systems, lack of audit, and operational governance by establishing account and authentication frameworks, fine‑grained permissions, and dedicated work groups.
Sensitive Data Protection
Implements secure isolation warehouses, encryption, field‑level permissions, and automated identification, masking, and periodic scanning to safeguard sensitive information.
Results and Future Plans
Since its inception, the system has served over 30 systems, handling millions of resources and thousands of daily permission requests, and has operated stably without major incidents. Future work includes expanding coverage, enhancing situational awareness, exploring advanced privacy protection, and leveraging AI for smarter data governance.
Data Thinking Notes
Sharing insights on data architecture, governance, and middle platforms, exploring AI in data, and linking data with business scenarios.
