Unlocking MaxCompute: How Alibaba’s Big Data Platform Secures Your Data

MaxCompute is a multifunctional, low‑cost, high‑performance, highly reliable data‑warehouse and big‑data platform that supports massive scale, serverless operation, multi‑tenant capabilities, enterprise‑grade security, data protection, and secure sharing, meeting the needs of data‑warehouse/BI, data‑lake processing, federated computing, and machine‑learning scenarios.

Alibaba Cloud MaxCompute offers a fully managed PaaS service that is cloud‑native, enabling users to focus on business while the platform handles resource provisioning, multi‑engine support, elastic scaling, and cost‑effective TCO.

Product Architecture and Ecosystem

MaxCompute is built on a self‑developed distributed storage engine (Pangu), a resource scheduler (Fuxi), and a high‑performance SQL engine, surpassing open‑source equivalents such as HDFS, Yarn, Hive, and Spark. It supports both schema‑on‑write tables and the newer volume unstructured storage, and adopts a compute‑storage separation architecture for cost efficiency.

Data ingress is handled via a tunnel service that validates formats and collects metadata for optimization, providing performance advantages over Hive. Users can access MaxCompute through a web console, IDE Studio, command line, SDK, and tools like MMA migration and Lemming edge computing.

MaxCompute integrates with OSS object storage via DLF for lake‑warehouse federation, and can map external Hadoop metadata to internal projects, enabling seamless cross‑system queries.

Its ecosystem includes DataWorks for data integration and governance, Flink, Kafka, DataHub for real‑time ingestion, Hologres for interactive analytics, and third‑party tools such as Tableau and PowerBI.

Data Security Concerns

Four key questions are addressed: what data exists, where it resides, who can use it, and whether it can be misused. MaxCompute’s security system tackles data misuse, leakage, and loss.

Security System Overview

Security features include fine‑grained permission management (ACL/Policy/Role), label‑based security, authentication, tenant isolation, project‑space protection, and network isolation.

Authentication Process

Each Alibaba Cloud account must create an AccessKey (ID and Secret) for inter‑service authentication.

Requests are signed with the AccessKeySecret; MaxCompute verifies the signature using the stored secret.

Authentication includes identity verification, IP whitelist checks, project‑space status, and label/policy/ACL enforcement.

RAM Sub‑Accounts and Roles

RAM provides resource access management; main accounts can create sub‑accounts and assign permissions.

Both primary and sub‑accounts can be granted project access, with the platform verifying ownership and delegated rights.

Roles

Roles are collections of permissions that can be assigned to users, simplifying authorization management.

Tenants and Project Spaces

Each account represents a tenant; tenants are logically isolated and serve as billing entities.

Tenants can own multiple projects, and projects can be shared only with explicit authorization.

Project‑Space User Management

Project owners can add users, assign roles, and revoke access; permissions persist until explicitly removed.

IP Whitelist

MaxCompute supports project‑level IP whitelist configuration, allowing fixed IPs, CIDR ranges, or IP intervals to restrict access.

VPC Access

MaxCompute can be accessed from classic network, VPC, or internet, with endpoint restrictions based on VPC ID and whitelist settings.

Public Cloud External Network Access

Service mapping solutions (external, VPC, dedicated network, direct connection) enable secure access to external resources such as OSS, OTS, RDS, or Hadoop clusters.

Project Protection

Enabling ProjectProtection prevents data egress; exceptions or trusted projects can be defined to allow controlled flow.

Data Access Control Mechanisms

Permission Check Order

LabelSecurity → Policy (DENY) → ACL (bound to role) → cross‑project package checks.

Authorization Types

ACL (whitelist), Policy (condition‑based), and LabelSecurity (mandatory access control) provide layered control.

ACL

Defines which subjects (users/roles) can perform specific actions on objects (projects, tables, columns, functions, resources).

Policy

Uses an access‑policy language to express complex conditions (time windows, IP ranges, operation types) for fine‑grained control.

LabelSecurity

Imposes mandatory access control based on sensitivity levels (0‑9) for data and users, enforcing No‑ReadUp and No‑WriteDown rules.

Package (Cross‑Project Sharing)

Allows data and resource sharing across projects and organizations, with package permissions taking precedence over project protection.

System Security – Sandbox Defense

All compute runs in isolated sandboxes (KVM to kernel level) to prevent resource abuse, unauthorized file access, and data leakage.

Security Auditing

MaxCompute records fine‑grained data access logs from table/column level down to the distributed file system, integrating with ActionTrail for real‑time audit and alerting.

Encryption

Transport encryption uses HTTPS; storage encryption supports TDE with managed keys, BYOK via KMS, AES‑256, and SM4 for dedicated clouds.

Backup and Disaster Recovery

Continuous backup captures DDL/DML changes, retaining data for a configurable period (default 24 hours) with free storage; extended retention incurs usage‑based fees. Disaster recovery includes cross‑region replication and automatic failover for both public and dedicated clouds.

DataWorks Security Capabilities

DataWorks adds application‑level security: a security center for permission management, data classification, sensitive data detection, audit, and best‑practice diagnostics, as well as a data map for metadata navigation and a data protection umbrella offering discovery, masking, watermarking, and access control.

Q&A Summary

Answers to the four security questions are provided, linking data types, users, permissions, location, access paths, download destinations, authorized users, usage logs, misuse prevention, leakage mitigation, and loss prevention to the described MaxCompute features.