Sensitive data scan and masking - Data Transmission Service

Data Transmission Service (DTS) lets you mask high-risk sensitive data that is read from a source database before it is written to a destination database. This topic describes how to configure a sensitive data scan and masking task.

Important

This feature is in invitational preview and is available only to select users.
This feature is available only in the China (Chengdu), China (Beijing), China (Hong Kong), and Singapore regions.

Supported links

Source database type	Destination database type	Task type
MySQL	MySQL	Data synchronization (full and incremental synchronization) Note Includes bidirectional synchronization tasks and Serverless tasks.
PostgreSQL	PostgreSQL	Data synchronization (full and incremental synchronization) Note Data synchronization includes bidirectional synchronization tasks and Serverless tasks. Sensitive data can be masked only in the `public` schema.

Billing information

This feature is in public preview and is free of charge during the preview period.

Information that can be masked

Note

The sensitivity levels for sensitive information are S1, S2, and S3, in ascending order of security risk. A higher level indicates a greater security risk.
The sensitivity level of sensitive data is determined by the scan results from the Sensitive Data Scan and Desensitization module (Sensitivity Level).

Personal information
Names, genders, ages, dates of birth, marital statuses, fertility statuses, past medical histories, symptoms, and hospitalization histories.
Company information
Business license numbers, organization codes, and tax registration numbers.
Technical management
Operational log information, such as creation time, update time, start time, completion time, task ID, and remarks.
Business data
Loan types.
Marketing services
Product names and product IDs.
General management
Invoice codes.

Supported masking algorithms

Masking algorithm	Description
No masking	Keeps the original data without masking.
Replace	Randomly replaces the data while ensuring it matches the field type and range.
Mask	Replaces the characters that need to be masked (from position X to position Y, from left to right) with `#`.

Precautions

You can scan only the objects that are specified for synchronization in the sync task.
This feature scans the source data. Therefore, when you configure Databases And Tables To Scan, the database and table names displayed in the Selected Objects box are the original names before mapping.
Enable sensitive data scanning and desensitization:
- This task (the Incremental Data Collection module) does not run automatically. It can be run only after a data masking task is configured and started.
- The data transmission speed may be reduced and may not reach the theoretical maximum.
When you configure scan objects, the only supported granularity is the table level.
After the scan object is configured and the task is saved (for example, after you click Next, Save Task And Precheck or Save And Return To List), you cannot modify the scan object.
Masking for fields of the TIMESTAMP data type is not supported.
If a field of the BIGINT type is masked, the data written to the destination database may be 0, or the write operation may fail.

Procedure

Enable the sensitive data scan and masking feature.
1. Go to the Advanced Configurations step of the sync task.
2. In the Sensitive Data Scanning And Desensitization area, select Enable.
3. Optional: Select a Sensitive Data Compliance Scan Template.
  Note
  Currently, only the Internet Industry Compliance Template v1.0 is supported. You can keep the default setting.
Configure scan objects.
In the Selected Objects box, select the tables to scan and click to move them to the Selected Objects To Scan box.
Complete the subsequent configuration and purchase steps as needed.
Configure and start the masking task.
1. Configure the masking algorithm.
  1. On the sync task list page, find the destination instance and click its ID.
  2. Optional: On the Task Management page, click the Sensitive Data Scan And Desensitization module.
  3. In the Configure Desensitization Columns area, configure a data masking algorithm in the Desensitization Configuration column.
    Note
    The default data masking algorithm for fields that contain sensitive data is Replacement.
    Quick configuration
    In the Data Masking Configuration column for the target field, click the name of the current data masking algorithm and select a new one.
    Important
    If you select Mask, you must also set the Masking Range. For more information, see Standard configuration.
    Standard configuration
    In the Data Masking Configuration column for the target field, click Modify Configuration.
    In the Data Masking Configuration dialog box, modify the Masking Algorithm.
    Note
    You can also select multiple fields that require the same data masking algorithm, click Batch Configuration, and then select Data Masking Algorithm.
    If you select Masking, you also need to set the Masking Range (from the start position X to the end position Y).
    Click OK.
2. Start the masking task.
  1. Below the Sensitive Data Scan And De-identification module, click Configure And Start De-identification Task.
  2. In the dialog box that appears, click OK.