Our MaxCompute integration offers critical security benefits by ensuring that sensitive data remains protected even if credentials are compromised. By encrypting data individually, we provide an additional layer of security that goes beyond MaxCompute's generic storage-layer encryption. This approach prevents unauthorized access and reduces the risk of data breaches, offering enhanced protection for your sensitive data.

The integration enables you to individually encrypt, tokenize, or mask your data with granular access controls natively in MaxCompute without changing how your users work with their data. This overview focuses specifically on how the MaxCompute library works and how to use it.

How does Ubiq Work on MaxCompute?

For some background on Ubiq and our approach to securing sensitive data, check out our whitepaper.

MaxCompute does not require any additional components (unlike Snowflake and BigQuery), so the only thing you need to do to empower your data users to encrypt and decrypt data directly from their MaxCompute SQL or jobs is to install the Ubiq libraries to MaxCompute.

Integration instructions are available in our public docs as you’d expect here, and once you’re ready you use it, you use the same, simple code just like our other libraries:

MaxCompute Integration vs. Other Ubiq Libraries

It’s all the same - the MaxCompute integration and its encrypt/decrypt is completely cross-compatible with all of the other libraries and languages.

All of the same features and values still hold true for using Ubiq on MaxCompute:

• Data never leaves your environment to encrypt or decrypt data
• No changes needed to your MaxCompute schema to store data encrypted vs. plaintext
• Data is encrypted before it gets persisted - so access from anyone else to your data will only see the ciphertext unless they have access to decrypt
• No key management required - just like our application library usage, keys “follow the data” and are managed in the Ubiq SaaS UI for seamless key rotation and revocation
• Flexible access controls; Ubiq API keys are used to authenticate the MaxCompute user to Ubiq, and that gives them access (or not) to encrypt or decrypt various sets of data
• Flexible key association - your key and dataset design in the Ubiq SaaS UI can enable granular key usage (like a unique key per table, per column or per MaxCompute database) without any implementation complexity - the SQL queries don’t need to change or even know about the keys
• Cross-library compatibility - our MaxCompute integration uses the same NIST-approved structured (format-preserving) encryption algorithm, so you can encrypt/decrypt with MaxCompute and then encrypt/decrypt with any other Ubiq library

Summary

The MaxCompute library works the same way as our datawarehouse integrations and application-language-specific libraries:

• Completely self-contained - no external dependencies or customizations in MaxCompute
• No change to your data flow (data never leaves MaxCompute to encrypt/decrypt)
• No encryption knowledge required to implement … simple exposure of an ubiq_encrypt() and ubiq_decrypt() function (UDF) that is directly callable from SQL
• Similar performance profile to application-language libraries and similar performance design considerations for authenticating to our backend and key caching
• Cross-compatible encryption/decryption with every other Ubiq library
• Total feature parity - including key management and key rotation features delivered and managed through the Ubiq UI