
Object Storage Service:Sensitive data protection

Last Updated: Feb 20, 2024

This topic describes how to combine Object Storage Service (OSS) and Data Security Center (DSC) to identify, classify, and protect sensitive data.

Prerequisites

Background information

Sensitive data is stored in various formats across different storage systems and can include high-value data, such as personal data, passwords, keys, and sensitive images. Identification, location, and protection of sensitive data are important. OSS provides multiple security measures to keep your data safe and secure. These security measures include data protection options such as fine-grained access control and data encryption, data protection mechanisms such as zone-redundant storage, cross-region replication and versioning, and monitoring and audit capabilities such as logging and real-time log query. You can use OSS together with DSC to better identify, classify, and protect sensitive data.

After you authorize DSC to scan your OSS buckets, DSC identifies sensitive data in the buckets, classifies sensitive data by sensitivity level, and tracks how sensitive data is used. In addition, DSC protects and audits sensitive data based on predefined security rules. This way, you can monitor the security status of your sensitive data assets at any time. For more information, see What is Data Security Center?

Note

After you authorize DSC to scan your OSS buckets, DSC performs an initial full scan to detect objects in the buckets and charges you for the full scan. After the initial full scan, DSC scans only new objects or modified objects in your buckets to minimize charges. For more information, see Billing.

Scenarios

This section describes common application scenarios in which OSS and DSC are combined.

  • Sensitive data discovery

    Enterprises that have large volumes of data may find it challenging to accurately identify and locate sensitive data. You can use OSS together with DSC to efficiently identify and protect your sensitive data. DSC identifies and classifies sensitive data stored in OSS based on built-in DSC rules or industry-specific custom rules. This helps you take further measures to protect your sensitive data. For example, you can use access control and encryption features of OSS to protect data.

  • Data masking

    Using unmasked data for analysis or processing can cause leaks of sensitive information. DSC supports built-in and custom masking algorithms. You can use these algorithms to mask sensitive production data in OSS and use masked data in non-production environments such as development and testing environments. This ensures that the sensitive data remains safe and maintains its essential characteristics and functionality.

  • Anomaly detection and audit

    DSC uses intelligent detection models to detect and audit access to sensitive data in OSS. If a risk is detected, DSC sends an alert to your data security team. This helps you improve risk prediction and prevention capabilities.

Benefits

  • Visualized

    • DSC displays sensitive data identification results on a graphical user interface (GUI), which allows you to view the security status of your data in a visualized manner.

    • DSC monitors data access and provides audit logs for you to trace anomalous activities, which reduces security risks to your data.

    • DSC increases the overall security and transparency of your data assets and improves data governance.

    • DSC reduces the cost of maintaining data security and provides fundamental data for you to configure security rules that are suitable for your enterprise.

  • Intelligent

    • Intelligent big data and machine learning capabilities are used to detect and monitor sensitive data and high-risk activities such as anomalous data access and potential data leaks. Additionally, security suggestions are provided to help you protect your data with ease.

    • DSC allows you to configure custom rules to detect sensitive data. This way, you can ensure that sensitive data is detected and protected more accurately and efficiently.

    • DSC integrates complex data formats and content into a unified data risk model and displays data in a standard manner for you to protect your key data assets.

  • Cloud native

    • The solution uses cloud services and supports multiple cloud data sources.

    • Compared with the traditional software deployment method, the OSS + DSC solution has a more robust service architecture, higher availability, and lower costs, and provides better system security.

Procedure

  1. Log on to the DSC console.

  2. In the left-side navigation pane, click Asset Center > Authorization Management.

  3. On the Authorization Management tab, click OSS in the left-side navigation tree and then click Asset Authorization Management.

  4. In the Asset Authorization Management panel, select the OSS buckets that you want to authorize DSC to scan and click Batch Authorize.

    To authorize DSC to scan a single bucket, find the bucket and click Authorization in the Actions column on the right side of the bucket.

    After the authorization is complete, DSC scans the authorized OSS buckets for sensitive data. When DSC accesses an OSS bucket for the first time, DSC automatically scans all data in the bucket, and you are charged for the full scan. For more information, see Sensitive data scanning and detection.

    You can edit or revoke access to a bucket. If you revoke access to a bucket, DSC stops scanning the bucket.

    Note

    DSC scans only buckets that DSC is authorized to access to identify sensitive data and analyze risks.

  5. Configure a security policy.

    After sensitive data is identified, use security features, such as server-side encryption and access control, to protect the sensitive data.
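The following is an added example, not code from this topic or from Alibaba Cloud, that shows what "configure a security policy" can look like for a bucket that DSC has flagged: it builds a least-privilege bucket policy for one RAM user, audits an existing policy for grants that expose sensitive data (anonymous principals, wildcard actions), and generates the PutBucketEncryption body that makes OSS encrypt new objects with a KMS key by default. The UIDs, bucket name, and KMS key ID are constructed placeholders; the policy and XML formats follow the public OSS API documentation.

```python
"""Added example (not Alibaba Cloud's code): helpers to build and audit OSS
bucket policies and a default server-side encryption (SSE-KMS) rule."""
import json
import xml.etree.ElementTree as ET


def read_only_policy(owner_uid: str, bucket: str, principal_uid: str) -> dict:
    """Least-privilege OSS bucket policy: one RAM user may only list and read."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:ListObjects"],
            "Principal": [principal_uid],
            "Resource": [f"acs:oss:*:{owner_uid}:{bucket}",
                         f"acs:oss:*:{owner_uid}:{bucket}/*"],
        }],
    }


def policy_findings(policy: dict) -> list:
    """Flag Allow statements that undo sensitive-data protection:
    anonymous principals ("*") and wildcard actions."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "*" in st.get("Principal", []):
            findings.append(f"statement {i}: grants access to anonymous users")
        if any(a in ("oss:*", "*") for a in st.get("Action", [])):
            findings.append(f"statement {i}: grants wildcard actions")
    return findings


def sse_kms_rule_xml(kms_key_id: str) -> str:
    """PutBucketEncryption request body: encrypt new objects with KMS by default."""
    root = ET.Element("ServerSideEncryptionRule")
    default = ET.SubElement(root, "ApplyServerSideEncryptionByDefault")
    ET.SubElement(default, "SSEAlgorithm").text = "KMS"
    ET.SubElement(default, "KMSMasterKeyID").text = kms_key_id
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a policy that exposes every object to everyone.
PUBLIC_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["oss:*"], "Principal": ["*"],
    "Resource": ["acs:oss:*:123456789012:example-bucket/*"]}]}

if __name__ == "__main__":
    print(json.dumps(read_only_policy("123456789012", "example-bucket", "987654321098"), indent=2))
    print(policy_findings(PUBLIC_POLICY))
    print(sse_kms_rule_xml("placeholder-kms-key-id"))
```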