This topic describes how to integrate Alibaba Cloud Object Storage Service (OSS) with Sensitive Data Discovery and Protection (SDDP) to identify, classify, and protect sensitive data.

Prerequisites

  • SDDP is activated.

    For more information, see Quick start.

  • OSS is activated.

    For more information, see Activate OSS.

Background information

Sensitive data is stored in a variety of forms across different storage systems, and can include high-value data such as personal data, passwords, keys, and sensitive images. How an enterprise chooses to store, locate, and protect sensitive data is essential. OSS provides a number of options to secure data, such as fine-grained access control and data encryption. OSS also provides data protection mechanisms such as zone-redundant storage, cross-region replication, and versioning, as well as monitoring and audit capabilities such as Logging and Real-time log query. You can also integrate OSS with SDDP to better identify, classify, and protect sensitive data.

After you authorize SDDP to scan your OSS buckets, SDDP identifies sensitive data from your large amounts of data, classifies and displays sensitive data by risk level, and tracks how sensitive data is used. In addition, SDDP protects and audits sensitive data based on predefined security rules so that you can obtain the security status of your data assets in OSS buckets at any time. For more information, see What is Sensitive Data Discovery and Protection?.
Note: After you authorize SDDP to scan your OSS buckets, SDDP scans all objects stored in your OSS buckets during the first scan and charges you for a full scan. If you add new objects to or modify objects in your OSS buckets after the first scan, SDDP scans only the new or modified objects to minimize charges. For details about billing methods, see Pay-as-you-go.

Scenarios

  • Sensitive data identification

    Enterprises have large amounts of data, but they cannot accurately identify whether their data contains sensitive information or where the sensitive data is located. You can integrate OSS with SDDP to scan and classify data stored in OSS by using the built-in algorithm rules of SDDP or by using custom rules that meet your industry requirements. You can also make further protection arrangements based on scan results. For example, OSS provides access control and encryption features to protect data.

  • Data masking

    If you share data for analysis or use without first masking it, sensitive data may be leaked. Built-in and custom masking algorithms are available when OSS is integrated with SDDP. You can use these algorithms to mask sensitive data in the production environment before transferring the data to other environments such as the development and testing environments. This ensures that the sensitive data remains secure while being usable in other environments.

  • Anomaly detection and audit

    SDDP uses an intelligent model to analyze and audit access to sensitive data in OSS. If a risk is detected, SDDP sends an alert to your data security team. This helps you improve risk prediction and prevention capabilities.

Benefits

  • Visual
    • SDDP displays sensitive data detection results on a graphical user interface (GUI), allowing you to clearly view the security status of your data.
    • SDDP monitors data access and provides audit logs for you to trace anomalous activities, reducing security risks to your data.
    • SDDP increases the overall security transparency of your data assets and enhances data governance.
    • SDDP reduces the cost of maintaining data security and provides fundamental data for you to formulate security rules that are suitable for your enterprise.
  • Intelligent
    • SDDP uses big data and machine learning technologies as well as intelligent algorithms to detect and monitor sensitive data and high-risk activities such as anomalous data access and potential data leaks. Additionally, SDDP provides suggestions to resolve detected issues.
    • SDDP allows you to customize the rules to detect sensitive data so that you can ensure that sensitive data is detected and protected more accurately and efficiently.
    • SDDP integrates complex data formats and content into a unified data risk model and presents data in a standard manner for you to protect your key data assets.
  • Cloud-native
    • SDDP takes advantage of cloud services and supports multiple cloud data sources.
    • Compared with traditional sensitive data protection software, SDDP provides a more robust service architecture and higher availability at lower costs and features higher system security.

Procedure

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Security Configuration > Authorization Configuration.
  3. On the Asset Authorization and Status page that appears, click Configure Asset Authorization.
  4. In the Configure Asset Authorization dialog box, click the OSS bucket Access Authorization tab and authorize SDDP to access your OSS buckets in one of the following ways:
    • Click One-click batch authorization to authorize SDDP to access all OSS buckets in the OSS bucket list.
    • Select one or more OSS buckets and click Batch authorization at the bottom of the bucket list to authorize SDDP to access the selected OSS buckets. If SDDP has already been authorized to access the selected OSS buckets, clicking this button cancels the authorization.
    • Find the target OSS bucket and turn on or off the switch in the Enable authorization column to authorize SDDP to access the OSS bucket or cancel the authorization.
    In the Configure Asset Authorization dialog box, you can also perform the following operations on OSS buckets:
    • Enable or disable the audit feature for multiple OSS buckets at a time
      Select one or more OSS buckets and click Batch audit at the bottom of the bucket list to enable or disable the audit feature for these OSS buckets at a time.
    • Set the log retention period for multiple OSS buckets at a time
      Select one or more OSS buckets and click Batch setting log storage time at the bottom of the bucket list to set the log retention period for these OSS buckets at a time. You can set the log retention period to 30, 90, 180, or 365 days.
  5. Click Complete Authorization.
    After the authorization is complete, the OSS buckets appear in the list of authorized projects in the SDDP console, and SDDP scans data in these OSS buckets for sensitive data.
    Note
    • SDDP only scans data in authorized OSS buckets and analyzes risks of sensitive data detected in these OSS buckets.
    • You can edit or delete OSS buckets in the list. After you click Edit in the Actions column corresponding to an OSS bucket, the Edit Connection Authorization dialog box appears. In this dialog box, you can manage the OSS buckets that SDDP is authorized to access. After you delete an OSS bucket from the list, SDDP no longer scans data in this bucket.
    • SDDP starts to scan objects in your OSS buckets within two hours of being authorized. The amount of time required to scan objects in your OSS buckets depends on the total size of the objects. Scans take longer if a data source contains a large number of tables (over 10,000) or if the total size of objects in your OSS bucket is large (over 1 PB).
    • During a scan, the scan results are progressively updated on the Overview page in the SDDP console. For more information, see Use the Overview page.
    • In the left-side navigation pane of the SDDP console, choose Sensitive Data Identification > OSS to view the scan results for sensitive data in OSS buckets. For more information, see View statistics on sensitive data detected in OSS and query the sensitive data.
  6. Add a security policy.
    • After sensitive data is scanned, you can start to take measures to harden security based on the scan results, such as configuring data encryption and adding access control.
    • You can also enable the OSS security audit feature in the SDDP console based on your requirements to detect anomalous activities and perform an intelligent security audit on sensitive objects stored in your OSS buckets. For more information, see Create an anomalous activity rule.