This topic describes how to use Sensitive Data Discovery and Protection (SDDP) to detect, classify, and protect sensitive data stored in Object Storage Service (OSS).
Sensitive data includes personal privacy information, passwords and keys, and images that contain sensitive content. Such data is of high value and is stored in your OSS buckets in different formats. A leak of sensitive data can cause serious economic and brand damage to your enterprise.
After you authorize SDDP to scan your OSS buckets, SDDP detects sensitive data in your OSS buckets, classifies and displays sensitive data by risk level, and tracks the use of sensitive data. In addition, SDDP protects and audits sensitive data based on predefined security rules, so that you can obtain the security status of your data assets in OSS buckets at any time.
SDDP is applicable to the following scenarios:
- Sensitive data detection
  You store a large amount of data in OSS. You cannot determine whether objects stored in your OSS buckets contain sensitive data or where that sensitive data is stored.
  SDDP scans objects stored in your OSS buckets for sensitive data and classifies the sensitive data based on built-in or custom rules. Then, you can use OSS features such as access control and encryption to protect the sensitive data.
- Data de-identification
  You share data with another person without de-identifying the sensitive data it contains, which may expose that sensitive data.
  SDDP supports built-in and custom de-identification algorithms. You can use these algorithms to de-identify sensitive data in the production environment before transferring it to other environments, such as development and testing environments. This keeps the data usable in those environments while protecting the sensitive data.
- Anomaly detection and audit
  When your OSS buckets store a large amount of data, you do not know who has used the sensitive data stored in your OSS buckets or whether anomalous activities or data leaks occurred during that use.
  SDDP uses an intelligent model to detect and audit anomalous activities when users access the sensitive data stored in your OSS buckets. If an anomalous activity is detected, SDDP triggers an alert to notify the data security management team. SDDP also improves its risk prediction and prevention capabilities based on the detection results.
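As an added illustration of the detection and de-identification scenarios above (example code, not SDDP's implementation or API; the rules, risk levels, HMAC key and sample object content are all constructed), the following Python model shows how built-in style rules find sensitive values in an object, how an object's risk level follows from its highest-risk hit, and how deterministic tokenization keeps the data joinable in a development environment without exposing the originals.

```python
import hashlib
import hmac
import re

# Constructed detection rules (name -> pattern, risk level). SDDP's own
# built-in and custom rules are not shown on the page, so these stand in.
RULES = {
    "email": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "medium"),
    "card_number": (re.compile(r"(?<!\d)\d{16}(?!\d)"), "high"),
}
RISK_ORDER = {"none": 0, "medium": 1, "high": 2}
TOKEN_KEY = b"constructed-demo-key"  # in practice, a managed secret


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects random 16-digit strings such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def detect(text: str) -> list:
    """Return (rule, value, risk) for each sensitive value in an object's text."""
    hits = []
    for name, (pattern, risk) in RULES.items():
        for m in pattern.finditer(text):
            if name == "card_number" and not luhn_ok(m.group()):
                continue  # shaped like a card number but fails the checksum
            hits.append((name, m.group(), risk))
    return hits


def classify(text: str) -> str:
    """An object's risk level is the highest risk among its hits."""
    return max((h[2] for h in detect(text)), key=RISK_ORDER.__getitem__, default="none")


def tokenize(value: str) -> str:
    """Deterministic HMAC token: equal inputs give equal tokens, so test data
    still joins across tables, but the original value is not recoverable."""
    digest = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def deidentify(text: str) -> str:
    """Replace every detected value before the object leaves production."""
    for _name, value, _risk in detect(text):
        text = text.replace(value, tokenize(value))
    return text

# Constructed sample object content; a real scan reads objects from the bucket.
SAMPLE = "user=alice@example.com card=4111111111111111 order=1234567890123456"
```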
- Visual: SDDP displays sensitive data detection results on a graphical user interface (GUI), allowing you to clearly view the security status of your data.
  - Monitors data access and provides audit logs for you to trace anomalous activities, reducing the security risks of your data.
  - Increases the overall security transparency of your data assets and enhances data governance.
  - Reduces the cost of maintaining data security and provides fundamental data for you to formulate security rules suitable for your enterprise.
- Intelligent: SDDP uses big data and machine learning technologies as well as intelligent algorithms to detect and monitor sensitive data and high-risk activities such as anomalous data access and potential data leaks. In addition, SDDP provides suggestions on resolving
  - Allows you to customize sensitive data detection rules. In this way, you can define your own detection standards to detect and protect sensitive data more accurately and efficiently.
  - Integrates complex data formats and content into a unified data risk model and presents data in a standard manner for you to protect your key data assets.
- Cloud-native: SDDP takes advantage of cloud services and supports multiple cloud data sources.
  Compared with traditional sensitive data protection software, SDDP provides a more robust service architecture and higher availability at lower costs, and features higher system security.
You can activate SDDP in pay-as-you-go mode for free. After you authorize SDDP to scan your OSS buckets, SDDP charges you at a price of RMB 0.6 per GB for scanning objects stored in your OSS buckets.
SDDP scans all objects stored in your OSS buckets during the first scan and charges you for a full scan. After the first scan, if you add new objects to or modify objects in your OSS buckets, SDDP charges you only for scanning the new or modified objects, which significantly reduces the cost.
- Log on to the SDDP console and activate SDDP.
- In the SDDP console, specify the OSS buckets that you authorize SDDP to scan. For more information, see Authorize SDDP to access an OSS bucket.
  SDDP starts to scan objects stored in your OSS buckets within 2 hours after it is authorized to do so. The time taken to scan objects stored in your OSS buckets depends on the total size of the objects. For more information, see How long does it take to scan data in my data source after I authorize SDDP to scan the data source?
  During a scan, the scan results are progressively updated on the Overview page in the SDDP console. For more information, see Use the Overview page.
- In the left-side navigation pane, choose OSS Sensitive Data and view statistics on sensitive objects on the OSS Sensitive Data page. For more information, see View statistics on sensitive data identified in OSS and query the sensitive data.
- Optional: Process anomalous activities or de-identify sensitive data based on the sensitive data detection results.