Data Security Center (DSC) scans your cloud data assets to identify sensitive data, classify it by type, and apply tags — giving your security team a clear view of where sensitive data lives across your environment.
This guide walks you through four steps: activate DSC, connect a database, run an identification task, and review results.
This guide uses an ApsaraDB RDS for SQL Server instance in the China (Zhangjiakou) region as an example.
Prerequisites
Before you begin, ensure that you have:
A supported database available to connect to DSC. For supported database types and regions, see Supported data asset types and Supported regions.
(If using a RAM user) Resource Access Management (RAM) user permissions to access DSC. See Authorize a RAM user to access DSC.
Step 1: Purchase DSC and complete authorization
DSC provides a free edition with fixed monthly resources. This guide uses the free edition.
If your account does not qualify for the free edition, purchase a paid edition instead. See Purchase DSC.
Log on to the DSC console and click Activate Free Edition.
Follow the prompts to authorize DSC to access other cloud resources. See Authorize DSC to access Alibaba Cloud resources.
Step 2: Connect a database to DSC
When you connect a database, DSC creates a read-only account on that database to run identification tasks. DSC has read-only permissions on the database. After the connection, DSC immediately runs a default identification task using the built-in classification template for the Internet industry.
Tip: To use a different identification template before scanning, go to the Identification Configuration page before proceeding. See View and configure identification templates.
On the Authorization Management page, click Asset Authorization Management.
In the Asset Authorization Management panel, click RDS in the Unstructured Data section, then click Asset synchronization. Skip this step if the ApsaraDB RDS database you want to connect is already in the asset list.
On the Not authorized tab, find the database and click Authorization in the Actions column.
Return to the Authorization Management page, find the database, and click Connect in the Actions column.
In the Connect dialog box, select Scan assets and identify sensitive data now. and click OK. DSC creates a read-only account for the database and immediately runs the default data identification task.
ImportantRun scans during off-peak hours to avoid affecting production workloads.
Back on the Authorization Management page, click the
icon to refresh the data, then confirm that the connection status and feature status of the database are both normal.
Step 3: Monitor the identification task
DSC automatically creates a default identification task when you connect a database. DSC uses the main identification template and the common identification template to scan the connected database. You can view identification results only after the task completes.
On the Tasks page, go to the Identification Tasks tab and click Default Tasks.
On the Identify task monitoring page, check the scan status of the default task for your database. Scan time varies by data volume. Wait until Scan Status shows Complete before proceeding.
Step 4: Review identification results
Before reading the results, note how DSC presents sensitivity information:
| Field | Meaning |
|---|---|
| Sensitivity level | Indicated by color — darker means higher sensitivity |
| N/A | No sensitive data was identified in this asset |
Personal information  | Tag for personally identifiable data |
Personal sensitive information  | Tag for highly sensitive personal data |
Only Personal information and Personal sensitive information tags can be added manually.
On the Asset Type tab of the Asset Insight page, find the scanned database instance. DSC displays the sensitivity level and data tag for each asset.
Find the database and click Table details in the Actions column to see statistics and sensitive columns for each identified table.
What's next
Now that DSC has identified and tagged sensitive data in your database, you can expand coverage and customize scan behavior:
Connect more data assets
DSC supports a wide range of data sources: ApsaraDB RDS, PolarDB, PolarDB for Xscale (PolarDB-X), PolarDB-X 2.0, ApsaraDB for Redis, ApsaraDB for MongoDB, ApsaraDB for OceanBase, Tablestore, AnalyticDB for MySQL, AnalyticDB for PostgreSQL, Object Storage Service (OSS), MaxCompute, and self-managed databases hosted on Elastic Compute Service (ECS) instances. See Asset authorization.
Customize identification templates
DSC uses the classification template for the Internet industry as the default main template, alongside a common identification template. Switch to a different built-in template or create a custom template with your own identification models and features on the Identification Configuration page. See View and configure identification templates.
Create custom identification tasks
DSC allows you to enable the main identification template and two other identification templates to identify, classify, and add tags to sensitive data. The default task uses the main identification template. Create additional tasks on the Tasks page and assign non-main templates to scan specific data assets. See Use identification tasks to identify sensitive data.
