topic Blocking file export in SAS Enterprise Guide

Blocking file export

JoaoM — Thu, 15 May 2014 18:32:42 GMT

Can i block the export file feature to avoid data leak?

Re: Blocking file export

Reeza — Thu, 15 May 2014 18:51:46 GMT

I think we need more details.

What type of export? PDF, Excel, SAS datasets?

Re: Blocking file export

jakarman — Thu, 15 May 2014 19:05:35 GMT

What type of access to the data your users are having?
If they are responsible to have that data available, how would you prevent data-leaks by preventing some usage?

There are two mitigations:

- define your security controls in way that only

a/ personal keys are used by your users and

b/ those personal keys are limited to access just the data they are needing.

This is part of the RBAC process. It includes the whole path of the used stack. (OS layer . external DBM, SAS metadata)
- Make the activities of the users traceable and auditable by using logging

This is SIEM Security Information and Event Management.

part of the "standard of good practice" included with ISO27k hipaa sox-404 and many more.

Re: Blocking file export

SASKiwi — Thu, 15 May 2014 19:49:46 GMT

I see little point in trying to block SAS's export capabilities as anyone with reasonable SAS knowledge can bypass them, for example using a DATA step with PUT statements to write external files.

If this is a data security issue, then it could be approached more from the who has access to what point of view - if you trust users to access the data, why can't you trust them to not export inappropriately?

Re: Blocking file export

ChrisHemedinger — Thu, 15 May 2014 20:52:52 GMT

Good points by all -- it can be a struggle to give users the tools they need to do their jobs, and then still try to lock down the capabilities that could potentially be abused.

SAS does have some options for this:

New superpowers for SAS administrators - SAS Users Groups

Even with these options, I wouldn't consider this a substitute for clear policies, diligent monitoring, and OS-level permissions that reflect who should be able to do what...

Chris

Re: Blocking file export

jakarman — Fri, 16 May 2014 06:55:16 GMT

If you want additional info see: SIEM or Security information management - Wikipedia, the free encyclopedia . You need a BI tool for log - analyses. SAS is not mentioned in this world although they could do or. The name popping up is Splunk.

Re: Blocking file export

Kurt_Bremser — Fri, 16 May 2014 07:20:17 GMT

Any user who can see data can simply copy/paste it. Trust your users or not. If not, don't let them work with the data at all.

The only reasonable thing you can do is set logging to a level that lets you see all requests that were handled by the SAS system, so you can at least make a valid attempt to find out who accessed the relevant data at a given time, if something was leaked.