05-15-2014 03:05 PM
What type of access to the data do your users have?
If they are responsible to have that data available, how would you prevent data-leaks by preventing some usage?
There are two mitigations:
- Define your security controls in a way that only
  a/ personal keys are used by your users and
  b/ those personal keys are limited to access just the data they need.
  This is part of the RBAC process. It includes the whole path of the used stack (OS layer, external DBM, SAS metadata).
- Make the activities of the users traceable and auditable by using logging.
  This is SIEM (Security Information and Event Management), part of the "standard of good practice" included with ISO27k, HIPAA, SOX-404 and many more.
05-15-2014 03:49 PM
I see little point in trying to block SAS's export capabilities as anyone with reasonable SAS knowledge can bypass them, for example using a DATA step with PUT statements to write external files.
If this is a data security issue, then it could be approached more from the who has access to what point of view - if you trust users to access the data, why can't you trust them to not export inappropriately?
05-15-2014 04:52 PM
Good points by all -- it can be a struggle to give users the tools they need to do their jobs, and then still try to lock down the capabilities that could potentially be abused.
SAS does have some options for this:
Even with these options, I wouldn't consider this a substitute for clear policies, diligent monitoring, and OS-level permissions that reflect who should be able to do what...
05-16-2014 02:55 AM
If you want additional info see: SIEM or Security information management - Wikipedia, the free encyclopedia. You need a BI tool for log analyses. SAS is not mentioned in this world although they could do or. The name popping up is Splunk.
05-16-2014 03:20 AM
Any user who can see data can simply copy/paste it. Trust your users or not. If not, don't let them work with the data at all.
The only reasonable thing you can do is set logging to a level that lets you see all requests that were handled by the SAS system, so you can at least make a valid attempt to find out who accessed the relevant data at a given time, if something was leaked.