Database Autonomy Service (DAS) provides a Sensitive Data Identification feature to help you identify and classify sensitive information across various industries. You can use built-in templates for finance, energy, and more, or create custom templates to meet your specific compliance needs. This topic covers the core concepts and explains how to use the feature.
Models and templates
What is an identification template?
An identification template is the basis for classifying and grading sensitive data according to the specifications of different industries. You can use identification templates to check whether sensitive data meets security compliance requirements.
What are identification models and features?
Concept | Description |
Identification model | An identification model is defined based on one or more identification features. The model is directly associated with the final result and can be configured. DAS provides built-in models for typical sensitive data and lets you create custom identification models. |
Identification feature | An identification feature supports content-based, metadata-based, and dictionary-based identification. It combines regular expressions (regex) and operators, such as contains and does not contain, to detect sensitive data features and form identification rules. You can associate multiple rules using the AND or OR logical operators to form complex identification rules, which gives you more flexibility for data feature detection. DAS provides built-in features for common sensitive data types and lets you create custom identification features. |
Template classification and task rules
An identification task scans the data in the connected database to find sensitive data, generates scan results, and then classifies and grades the sensitive data.
An identification task must have an enabled template. Enabled templates are classified as primary, active, or general-purpose.
When you add a custom identification task, you can select only one primary template and up to two active templates.
Template type | Description |
Built-in templates | You can select a built-in template based on your business scenario. DAS provides classification and grading templates for the finance industry, built-in templates for internal cloud security assurance, classification and grading templates for the power industry, classification and grading templates for the Internet of vehicles (IoV), and classification and grading templates for the Internet industry. |
Custom templates | If the built-in templates cannot meet your requirements, you can add a maximum of 10 custom templates. You can create templates that meet your requirements by configuring identification features and models. |
Template role | Description |
Primary templates | The template that is used by the system default task. The default primary identification template in DAS is the classification and grading template for the Internet industry. The primary identification template cannot be disabled. You can have only one primary template. You can change an active template to the primary template. The results in the DAS console are all based on the primary template. |
Active templates | You can enable a built-in template or a custom template as an active template. You can enable a maximum of two active templates. |
General-purpose templates | A template that is formulated based on the Personal Information Security Specification. This template is used by default only when a built-in template is used in an identification task. |
Sensitivity levels
DAS Sensitive Data Identification supports up to 10 sensitivity levels, from S1 to S10. A higher number indicates a higher sensitivity level.
You cannot add or delete sensitivity levels in a built-in template. You can only edit the description.
In a custom template, you can add, edit, and delete sensitivity levels.
Manage templates and models
Manage templates
Built-in templates
Log on to the DAS console.
In the navigation pane on the left, choose .

On the Template Management tab of the Identification Configuration page, find the identification templates where the Type is Built-in in the template list at the bottom of the page.
Click the switch icon in the Status column to enable or disable the template. For an enabled template, click the Main Template or Disable switch to change the primary template or disable an active template.
Note: If you have not configured a template, the default primary template is the Classification And Grading Template For The Internet Industry.
Custom templates
Create a new template
Log on to the DAS console.
In the navigation pane on the left, choose .
On the Template Management tab of the Identification Configuration page, click Create Template.

On the Create Template page, set the Basic Information parameters, such as Template Name and Template Description, and then click Next.

Under Template Node Configuration, click Add Category. In the dialog box that appears, enter a Category Name for the sensitive data and click OK.
Click the manage icon to the right of the category you added, and then click Add Sibling Category or Add Subcategory to add the corresponding sensitive data category.
Note: You can repeat this operation to add multiple categories.
Repeat the following steps to add the corresponding identification model under the sensitive data category that you added.
Click the manage icon to the right of the added category and click Add Model. In the Add Model dialog box, select the check box next to the target identification model, set the status icon to enabled, and then click OK.
Important: After a model is enabled in a template, the model takes effect in identification tasks that use this template.

Copy a template
Log on to the DAS console.
In the navigation pane on the left, choose .
On the Template Management tab of the Identification Configuration page, find the built-in or custom identification template that you want to copy and click Copy in the Actions column.

In the dialog box that appears, modify the Template Name and Remarks, and then click Confirm.
Note: You can click Edit in the Actions column of the template to modify the template name, model category, and identification model.
Manage models
Log on to the DAS console.
In the navigation pane on the left, choose .
Click the Identification Model tab and then click Add Model.
In the Add Model panel, configure the model parameters and click OK.
Configuration Item Type | Configuration Item | Description |
Basic Information | Model Name | The name of the model. The name must be unique. |
Basic Information | Model Description | The description of the model. |
Basic Information | Data Label | Select a data label for the model. Valid values: Sensitive Personal Information, Personal Information, and General Information. |
Basic Information | Data Classification | In the drop-down list, associate the new model with an identification template, a sensitive information category, and a risk level in sequence. You can associate the model only with custom identification templates. |
Model Rule Configuration | Identification Feature | In the drop-down list, select the identification features to be used by the model. You can select built-in and custom identification features. You can select multiple identification features. The identification features have an OR relationship. |
Model Rule Configuration | Identification Scope | In the drop-down list, select the asset types to which the model applies. By default, the model applies to assets that are authorized to DAS and can be connected. You can select multiple asset types. The asset types have an OR relationship. |
Model Rule Configuration | Advanced Settings | Optional. The steps are as follows: 1. In the drop-down list, select the asset type that you want to configure. 2. Select the relationship between different conditions. Valid values: AND and OR. If you want to set multiple condition groups, you can click Add Group. The added condition group is a subset of the first condition group. 3. Configure identification conditions. If you want to add multiple conditions, you can click Add Condition. |
Identification Threshold Configuration | Minimum Hits (Unstructured Data) | The minimum threshold for the number of times an identification feature is hit in a single file of unstructured data such as NoSQL. If the number of times an identification feature is hit in a single file reaches the minimum number of hits, the file is identified as sensitive data defined by this model. |
Identification Threshold Configuration | Hit Rate (Structured Data) | The hit rate for structured data such as RDS. If the proportion of data that hits the model in 200 sample data entries reaches the specified hit rate, the corresponding data is identified as sensitive data defined by this model. |
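The following sketch models the rule and threshold semantics described above: regex rules with contains / does not contain operators, AND/OR within a feature, OR across the features of a model, a hit rate over 200 sampled entries, and a minimum hit count per file. It is an added example, not DAS code. All function names, the sample feature, and the data are constructed, and it assumes that a NULL entry counts as a miss and that each line of a file counts as at most one hit.

```python
import re

def rule_hit(value, op, pattern):
    """One rule: a regex plus the 'contains' / 'does not contain' operator."""
    found = re.search(pattern, value) is not None
    return found if op == "contains" else not found

def feature_hit(value, feature):
    """A feature joins its rules with AND or OR."""
    results = [rule_hit(value, op, pat) for op, pat in feature["rules"]]
    return all(results) if feature["logic"] == "AND" else any(results)

def model_hit(value, features):
    """Features selected for one model have an OR relationship."""
    return any(feature_hit(value, f) for f in features)

def classify_column(values, features, hit_rate, sample_size=200):
    """Structured data: hit proportion over the sampled entries vs. the hit rate."""
    # Assumption: a NULL entry is treated as an empty string, i.e. a miss.
    sample = ["" if v is None else str(v) for v in values[:sample_size]]
    if not sample:
        return False, 0.0
    rate = sum(model_hit(v, features) for v in sample) / len(sample)
    return rate >= hit_rate, rate

def classify_file(lines, features, min_hits):
    """Unstructured data: hits in one file vs. minimum hits (assumption: one hit per line)."""
    hits = sum(model_hit(line, features) for line in lines)
    return hits >= min_hits, hits

# Constructed feature: an e-mail address that is not a test address.
EMAIL = {"logic": "AND", "rules": [
    ("contains", r"[\w.+-]+@[\w-]+\.\w+"),
    ("does not contain", r"@example\.com$"),
]}

# Constructed column: 150 real-looking addresses, 30 test addresses, 20 NULLs,
# then 50 more rows that fall outside the 200-entry sample.
COLUMN = ([f"user{i}@corp.test" for i in range(150)]
          + [f"qa{i}@example.com" for i in range(30)]
          + [None] * 20
          + [f"late{i}@corp.test" for i in range(50)])

# Constructed unstructured file content.
FILE_LINES = ["contact: alice@corp.test", "no address here",
              "cc bob@corp.test", "owner=carol@corp.test"]

if __name__ == "__main__":
    print(classify_column(COLUMN, [EMAIL], hit_rate=0.7))   # (True, 0.75)
    print(classify_file(FILE_LINES, [EMAIL], min_hits=3))   # (True, 3)
```

Raising the hit rate to 0.8 leaves the same column unclassified, which is the trade-off to check when a model under-reports columns that mix real and placeholder values.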
Other operations
View template details: Click Details in the Actions column for a template in the list to view the rule configuration and identification threshold.
Delete an identification template: You can delete only custom templates. You cannot delete built-in templates. In the Actions column of the target template, click the management icon and then click Delete.
Manage model categories: You can set model categories only for custom templates. You cannot modify the model categories of built-in templates. Click Edit in the Actions column of the target template.
Switch the enabled model: An identification task that is being executed is not affected. The change takes effect from the next execution.
Manage Sensitive Data Identification
Before you begin
Make sure the target asset is authorized in the Instances.

What is an identification task?
System default task
When you grant permissions on a database, you can select the default Sensitive Data Identification scan task. DAS then creates a default scan task for the incremental database using the primary identification template.
Task Configuration Item | Description |
Identification template | The system default task uses the primary identification template. This cannot be modified. Note If the Primary identification template is a Built-in identification template, the task also uses the General-purpose identification template. |
Scan epoch (default) | If you select the default Sensitive Data Identification scan task during Instance authorization, the corresponding system default task is immediately executed after you confirm the selection. Note You can configure the scan epoch for the system default task. The minimum interval between two scans is 24 hours. |
Scan scope | For authorized Instance, Database, and Table names: Note
If you switch the primary identification template, a scan is not immediately triggered. The new identification template is used for scanning when the system default task is executed next time. |
Scan limits |
|
Scan result | Sensitivity levels of identification templates. |
Custom task
You can add a custom identification task to scan a specified database table using an enabled identification template. If the identification template that you want to use is not enabled, you must enable it first.
A full scan is performed for the first scan and for rescans based on the custom scan scope and scan epoch. During periodic scans, only new or modified data objects are scanned.
Sensitivity levels of identification templates.
N/A indicates that no sensitive data was identified.
How to manage tasks
View default tasks
Log on to the DAS console.
In the navigation pane on the left, choose .
On the Task Management page, click the Identification Task tab and then click System Default Task.

On the Identification Task Monitoring page, view the list of default tasks.
You can perform the following operations in the Actions column for a system default task.
Rescan: If the identification model is upgraded, you change the primary template, or the database content changes, you can perform a rescan operation to scan the full data.
Pause: If the database service is abnormal, click Pause in the Actions column to temporarily stop the system default task that is being scanned.
Stop: This operation stops the system default task from being executed in the next epoch. If the system default task is being scanned, stopping the task does not affect the current execution. However, the system default task will not be executed in the next epoch.
Enable: This operation re-enables a stopped system default task.
Adjust settings
The system default task supports periodic scanning. We recommend that you set the scan epoch to be approximately the same as the database content update frequency to promptly detect sensitive information in the database. The minimum scan epoch is 24 hours.
On the Identification Task Monitoring page, select the check box for the desired task, click Scan Settings above the task list, and configure the epoch and scan time.

To minimize the impact of scanning on the database, we recommend that you set the scan start time to off-peak hours.
During the execution of a scan task, if the CPU utilization or memory usage increases abnormally, we recommend that you pause or stop the identification task in a timely manner. You can go to the Task Management page and click Pause or Stop in the Actions column to stop the scan.
Create a custom task
Log on to the DAS console.
In the navigation pane on the left, choose .
On the Identification Task tab, select the asset type for which you want to create an identification task and click Create Identification Task.

In the Create Identification Task panel, configure the identification task configuration items and then click Confirm.
Configuration Item Category | Configuration Item | Description |
Identification Scope | Identification Scope For Structured Data | Select the scan scope for structured data such as RDS and PolarDB. Valid values: Global Scan: Scans your structured data assets. Specified Scan: Configure Instance Name, Database Name, and Scan Limits. Configure the instance name and database name. To add multiple instances, click Add Identification Scope. Configure Scan Limits. The first 200 rows are scanned by default. The maximum value is 1,000 rows. |
Other Configurations | Identification Overwrite | Specify how to handle sensitive data that has been corrected. Valid values: Skip Manual Tagging Results: Retains the original manual correction results. This option is recommended. Overwrite Manual Tagging Results: Overwrites the manual correction results with the new identification results. |
You can perform the following operations in the Actions column for a custom identification task.
Rescan: If the identification model is upgraded, you change the primary template, or the database content changes, you can perform a rescan operation to scan the full data.
Pause: If the database service is abnormal, click Pause in the Actions column to temporarily stop the system default task that is in progress.
Stop: This operation stops the system default task from being executed in the next epoch. If the system default task is being scanned, stopping the task does not affect the current execution. However, the system default task will not be executed in the next epoch.
Enable: This operation re-enables a stopped system default task.
Manage custom tasks
A custom identification task supports scanning with a specified template. To use an enabled template that is not the primary one to scan a specified database, you can create an identification task.
The system supports a maximum of five active identification tasks. Each periodic scan task occupies one active task slot. Therefore, after you configure five periodic tasks, you cannot create new identification tasks.
Correct the model hit
After you perform a recovery operation, the identification model is restored to its state before the correction.
Log on to the DAS console.
In the navigation pane on the left, choose .
On the tab, click the Correction Task tab.
In the left-side data type navigation pane, click the asset type that you want to correct.
Click Correct or Recover in the Actions column for the target sensitive data. Follow the on-screen instructions to modify the Corrected Model and click OK.

View, export, and download detection results
After a task is complete, you can view and export the results on the Asset Overview page. DAS lets you refresh and view the scan results every 5 minutes.
View results
Log on to the DAS console.
In the navigation pane on the left, choose .
On the Asset Type tab, click the data type that you want to view.

To view the details of sensitive data in a data asset instance, you can click Table Details in the Actions column.
In the details panel on the right, view the statistics information about sensitive data, as shown in the following figure.

In the sensitive data list, you can click Column Details in the Actions column to view the details of the rules that were hit by the data in each column.
If the Correct entry is available in the Actions column, you can correct the Sensitive Data Identification results.

Export results
Log on to the DAS console.
In the navigation pane on the left, choose .
Click Create Export Task. Configure the export task and click OK.
In the Basic Information section, enter a task name and select a template for the task. You can select only enabled templates.
In the Export Dimension section, select Asset Type or Asset Instance.
Asset Type: Select all engine instances.
Asset Instance: Select the engine instances that you want to export.
After you create an export task, you can view its status in the export task list. The more data you need to export, the longer the export takes. Please wait.
Download the exported results
Wait until the Export Status changes to Completed, and then click Download in the Actions column of the target export task.

After the export is complete, you must download the exported data within three days. After three days, the export task expires and you can no longer download the exported sensitive data.