This topic describes how to use Sensitive Data Discovery and Protection (SDDP) to detect, classify, and protect sensitive data stored in Object Storage Service (OSS).

Background information

Sensitive data includes personal privacy information, passwords and keys, and images that contain sensitive content. Such data is of high value and is stored in your OSS buckets in different formats. The leaks of sensitive data can incur serious economic and brand losses to your enterprise.

After you authorize SDDP to scan your OSS buckets, SDDP identifies sensitive data in your OSS buckets, classifies and displays sensitive data by risk level, and tracks the use of sensitive data. In addition, SDDP protects and audits sensitive data based on built-in security rules, so that you can obtain the security status of your data assets in OSS buckets at any time.


SDDP is applicable to the following scenarios:

  • Sensitive data detection

    You store a large amount of data in OSS. You cannot determine whether objects stored in your OSS buckets contain sensitive data and where sensitive data is stored.

    SDDP scans objects stored in your OSS buckets for sensitive data and classifies sensitive data based on built-in or custom rules. Then, you can use OSS features such as access control and encryption to protect sensitive data.

  • Data de-identification

    You share data with another person without de-identifying sensitive data, which may compromise the sensitive data.

    SDDP supports built-in and custom de-identification algorithms. You can use these algorithms to de-identify sensitive data in the production environment before transferring the sensitive data to other environments such as the development and testing environments. This guarantees that the sensitive data is usable in other environments and protects the security of the sensitive data.

  • Anomaly detection and audit

    When your OSS buckets store a large amount of data, you do not know who have used the sensitive data stored in your OSS buckets and whether anomalous activities or data leaks occur during the use.

    SDDP uses an intelligent model to detect and audit anomalous activities when users access the sensitive data stored in your OSS buckets. If an anomalous activity is detected, SDDP triggers an alert to notify the data security management team of the anomalous activity. SDDP also improves its risk prediction and aversion capabilities based on the detection results.


  • Visual: SDDP displays sensitive data detection results on a graphical user interface (GUI), allowing you to clearly view the security status of your data.
    • Monitors data access and provides audit logs for you to trace anomalous activities, reducing security risks to your data.
    • Increases the overall security transparency of your data assets and enhances data governance.
    • Reduces the cost of maintaining data security and provides fundamental data for you to formulate security rules suitable for your enterprise.
  • Intelligent: SDDP uses big data and machine learning technologies as well as intelligent algorithms to detect and monitor sensitive data and high-risk activities such as anomalous data access and potential data leaks. In addition, SDDP provides suggestions on resolving detected issues.
    • Allows you to customize the rules to detect sensitive data so that you can ensure that sensitive data is detected and protected more accurately and efficiently.
    • Integrates complex data formats and content to a unified data risk model and presents data in a standard manner for you to protect your key data assets.
  • Cloud-native: SDDP takes the advantages of cloud services and supports multiple cloud data sources.

    Compared with traditional sensitive data protection software, SDDP provides a more robust service architecture and higher availability in a cost-effective way, and features higher system security.


You can activate SDDP in the pay-as-you-go mode for free. After you authorize SDDP to scan your OSS buckets, SDDP charges you at a price of USD 0.6 per GB for scanning objects stored in your OSS buckets.

SDDP scans all objects stored in your OSS buckets at the first scan and charges you for a full scan. After the first scan, if you add new objects to or modify objects in your OSS buckets, SDDP only charges you for scanning the new or modified objects, reducing the expense to a large extent.

  1. Log on to the SDDP console and activate SDDP.
  2. In the SDDP console, authorize SDDP to access your OSS buckets. For more information, see Authorize SDDP to access OSS buckets.
    SDDP starts to scan objects stored in your OSS buckets within 2 hours after it is authorized to do so. The amount of time required to scan objects in your OSS buckets depends on the total size of the objects. For more information, see How long does it take to scan data in my data asset after I authorize SDDP to access the data asset?.

    During a scan, the scan results are progressively updated on the Overview page in the SDDP console. For more information, see View summary information.

  3. In the left-side navigation pane, choose Sensitive Data Identification > Sensitive Data Assets. On the OSS tab, view statistics on the sensitive data detected in your OSS buckets. For more information, see View statistics on sensitive data.
  4. Optional: Query or de-identify sensitive data based on the sensitive data detection results.