Security Marking Auditability

Hi

When a marking is applied to a resource (dataset, data connection, project, etc.) all the child resources inherit the security marking automatically. Conversely, when the propagation of a marking is stopped downstream resources become visible.

It would be very useful if in one-click users/admins could map and identify:

  1. the parent resource(s) where the marking is applied
  2. the resource(s) where stop propagating takes place
  3. the data connections were exports of marked data for a given security marking is enabled
  4. markings that are combined and the respective projects

This information in the Access Graph App would help monitoring and improve marking auditability. The benefits are:

1- Often users protect raw datasets and not the data sources. In turn, any editor in the project can create a batch sync and bypass the marking. This would provide us a tool to quickly identify these scenarios.

2-3. Enable the different marking membership groups to keep track where the marking has been applied, removed, and marked data is being exported in data connections without having to unfold large data lineages and finding needles in a haystack. In addition, with the current setup there’s room for a scenario wherein one member of the remove marking group approves a security change in a PR without others knowing nor being able to easily spot it.

4- With the project constrains it is possible to block joining datasets with certain markings. This is typically used to prevent users from accidentally joining data that should not be joined and is relevant in situations where users might need access to multiple markings though specific combinations of marked data should not be allowed. The above hinges on the fact that the project is well-orchestrated and users know in advance that specific markings cannot be combined, and add the project constrains before any work takes place. However, a scenario where engineers unawarely join marked data and later on officers realize there’s an issue is equally likely. When amendments are needed, it would be great to trace which markings are being combined and in which projects.

This feature would also cover for the fact that it is only possible to prevent combining different marked data at a project level - not at platform level. With this feature, users can easily trace markings and understand whether a breach might be inadvertently taking place.

Hope the diagrams help and there’s enough food-for-thought.

8 Likes