Desktop productivity for business analysts and programmers

Blocking file export

Reply
Occasional Contributor
Posts: 5

Blocking file export

Can i block the export file feature to avoid data leak?

Super User
Posts: 19,057

Re: Blocking file export

I think we need more details.

What type of export? PDF, Excel, SAS datasets?

Valued Guide
Posts: 3,208

Re: Blocking file export

What type of access to the data your users are having?
If they are responsible to have that data available, how would you prevent data-leaks by preventing some usage?

There are two mitigations:

- define your security controls in way that only

    a/ personal keys are used by your users and

    b/ those personal keys are limited to access just the data they are needing.

   This is part of the RBAC process. It includes the whole path of the used stack. (OS layer . external DBM, SAS metadata)
- Make the activities of the users traceable and auditable by using logging

This is SIEM Security Information and Event Management.

part of the "standard of good practice" included with ISO27k hipaa sox-404 and many more. 

---->-- ja karman --<-----
Super User
Posts: 3,233

Re: Blocking file export

I see little point in trying to block SAS's export capabilities as anyone with reasonable SAS knowledge can bypass them, for example using a DATA step with PUT statements to write external files.

If this is a data security issue, then it could be approached more from the who has access to what point of view - if you trust users to access the data, why can't you trust them to not export inappropriately?

Community Manager
Posts: 2,887

Re: Blocking file export

Good points by all -- it can be a struggle to give users the tools they need to do their jobs, and then still try to lock down the capabilities that could potentially be abused.

SAS does have some options for this:

New superpowers for SAS administrators - SAS Users Groups

Even with these options, I wouldn't consider this a substitute for clear policies, diligent monitoring, and OS-level permissions that reflect who should be able to do what...

Chris

Valued Guide
Posts: 3,208

Re: Blocking file export

If you want additional info see: SIEM  or Security information management - Wikipedia, the free encyclopedia . You need a BI tool for log - analyses. SAS is not mentioned in this world although they could do or. The name popping up is Splunk.     

---->-- ja karman --<-----
Super User
Posts: 7,405

Re: Blocking file export

Any user who can see data can simply copy/paste it. Trust your users or not. If not, don't let them work with the data at all.

The only reasonable thing you can do is set logging to a level that lets you see all requests that were handled by the SAS system, so you can at least make a valid attempt to find out who accessed the relevant data at a given time, if something was leaked.

---------------------------------------------------------------------------------------------
Maxims of Maximally Efficient SAS Programmers
Ask a Question
Discussion stats
  • 6 replies
  • 321 views
  • 0 likes
  • 6 in conversation