Data Transmission Service (DTS) lets you mask sensitive fields read from a source database before they are written to a destination database. Configure a sensitive data scan and masking task as part of a data synchronization task to prevent sensitive data from flowing downstream in plaintext.
This feature is in invitational preview and is available only to select users in the China (Chengdu), China (Beijing), China (Hong Kong), and Singapore regions.
Prerequisites
Before you begin, make sure you have:
A DTS data synchronization task using a supported database combination (see Supported links)
Access to the Advanced Configurations step of the synchronization task
Supported links
| Source database | Destination database | Task type |
|---|---|---|
| MySQL | MySQL | Data synchronization (full and incremental synchronization), including bidirectional synchronization and Serverless tasks |
| PostgreSQL | PostgreSQL | Data synchronization (full and incremental synchronization), including bidirectional synchronization and Serverless tasks. Sensitive data can be masked only in the public schema. |
Information that can be masked
DTS scans source data and classifies sensitive fields into sensitivity levels S1, S2, and S3 in ascending order of security risk. The sensitivity level is determined by the scan results from the Sensitive Data Scan and Desensitization module (Sensitivity Level).
The following categories of information can be masked:
| Category | Examples |
|---|---|
| Personal information | Names, genders, ages, dates of birth, marital statuses, fertility statuses, past medical histories, symptoms, and hospitalization histories |
| Company information | Business license numbers, organization codes, and tax registration numbers |
| Technical management | Operational log fields such as creation time, update time, start time, completion time, task ID, and remarks |
| Business data | Loan types |
| Marketing services | Product names and product IDs |
| General management | Invoice codes |
Masking algorithms
DTS supports the following masking algorithms. The default algorithm applied to detected sensitive fields is Replacement.
| Algorithm | Behavior |
|---|---|
| No masking | Keeps the original data without masking. |
| Replace | Randomly replaces the data while ensuring it matches the field type and range. |
| Mask | Replaces characters from position X to position Y (left to right) with #. |
Algorithm constraints
| Field type | Constraint |
|---|---|
| TIMESTAMP | Masking is not supported. |
| BIGINT | Masking may produce unexpected results. Masked BIGINT data written to the destination may be 0, or the write operation may fail. |
Configure sensitive data scan and masking
The overall flow is:
Enable the feature and configure scan objects during the synchronization task setup.
After the synchronization task is created, DTS scans the selected tables and identifies sensitive fields automatically.
Configure the masking algorithm for each detected field, then start the masking task.
Step 1: Enable the feature
In the synchronization task wizard, go to the Advanced Configurations step.
In the Sensitive Data Scanning And Desensitization area, select Enable.
(Optional) Select a Sensitive Data Compliance Scan Template.
Currently, only the Internet Industry Compliance Template v1.0 is available. Keep the default setting.
Step 2: Configure scan objects
In the Selected Objects box, select the tables to scan and click 
to move them to the Selected Objects To Scan box.
After the scan object is saved (for example, by clicking Next, Save Task And Precheck or Save And Return To List), the scan object cannot be modified.
Step 3: Complete the synchronization task setup
Complete the remaining configuration and purchase steps for the synchronization task.
Step 4: Configure and start the masking task
After the synchronization task is created, DTS scans the selected tables and automatically identifies sensitive fields. Fields detected as sensitive are listed in the Configure Desensitization Columns area with Replacement as the default masking algorithm. Review the detected fields and adjust the algorithm as needed before starting the masking task.
Configure the masking algorithm
Quick configuration
In the Data Masking Configuration column for the target field, click the current algorithm name and select a new one from the list.
If you select Mask, also set the Masking Range (start position X to end position Y). See the standard configuration procedure below.
Standard configuration
On the sync task list page, find the destination instance and click its ID.
(Optional) On the Task Management page, click the Sensitive Data Scan And Desensitization module.
In the Configure Desensitization Columns area, do one of the following:
To configure a single field: click Modify Configuration in the Data Masking Configuration column.
To configure multiple fields with the same algorithm: select the fields, click Batch Configuration, and select a Data Masking Algorithm.
In the Data Masking Configuration dialog box, set the Masking Algorithm. If you select Masking, also set the Masking Range (start position X to end position Y).
Click OK.
Start the masking task
Below the Sensitive Data Scan And De-identification module, click Configure And Start De-identification Task.
In the dialog box, click OK.
Limits
DTS scans only the tables specified for synchronization in the synchronization task.
The scan operates on source data. Table and database names displayed in the Selected Objects box use the original names before any object name mapping is applied.
The Incremental Data Collection module does not start automatically. It starts only after a data masking task is configured and started.
Enabling sensitive data scanning may reduce data transmission speed below the theoretical maximum.
Scan object granularity is at the table level only. Column-level granularity is not supported.
Billing
This feature is free of charge during the public preview period.