The data leak detection feature of Data Security Center (DSC) helps you identify and prevent data leaks caused by identity fraud, unauthorized operations, invalid operations, accidental operations, infrastructure that is outside your control, intentional leaks, improper configurations, and security vulnerabilities. When DSC detects an anomalous activity, it triggers an alert. You must then check the raw logs to determine whether the related data access was legitimate.
Common causes of data leaks
- Internal data leaks
- Laptops and mobile devices are lost or stolen.
- Unauthorized users access and store sensitive data.
- Sensitive data is stolen by active employees, employees who are about to depart their jobs, partners, or outsourced employees.
- Employees send, print, or copy sensitive data.
- Sensitive data is transferred by accident.
- Data leaks caused by external attacks
- Infrastructure is outside your control, which introduces security vulnerabilities into the data storage system.
- The system is attacked from outside because of improper configurations.
- Unauthorized users access and store sensitive data.
Procedure
If a data leak occurs, perform the following steps. View the data leak detection results and the alerts triggered by anomalous activities in the DSC console. Then, check the raw logs to determine whether the related data access was legitimate.
- Log on to the DSC console.
- In the left-side navigation pane, choose .
- On the Cloud hosting page, find the data asset that you want to authorize DSC to access. Then, turn on Identify permissions and Audit permissions for the data asset.
For more information about how to authorize DSC to access a data asset, see Grant access to data assets.
- In the left-side navigation pane, choose .
- On the Alerts on Data Leak Risks page, view the alerts triggered by anomalous activities.
Find an alert event and click View Details in the Actions column. Take note of the information in the Event Description and Event Object sections. You can also click Original log to evaluate and determine the risks and impacts of the alert event.
- On the Alerts on Data Leak Risks page, click Process in the Actions column of the alert event. In the panel that appears, add an event processing record. Then, click Completed. To prevent the alert event from reoccurring, you can also specify whether to block the related account and IP address and modify the asset configurations.
- In the left-side navigation pane, choose .
- On the Whitelist page, click Add Entry. In the Add Entry dialog box, add the accounts of the data assets that you do not want DSC to audit or monitor for anomalies to the whitelist.
- In the left-side navigation pane, choose .
- On the Real-time Alert Notification page, click Create Alert Configuration. In the Create Alert Rule panel, specify the email address that is used to receive alert emails. If an alert event occurs, the system immediately sends an alert email to the specified email address.
Use cases
All alert snapshots in the following use cases are simulated.
Risks caused by improper configurations in a financial company
- Issue description: DSC detects that the configurations of an Object Storage Service (OSS) bucket are improper. An alert is triggered and reported in the DSC console, and an alert email is sent to the specified email address.
- Cause diagnosis: Based on the alert information, the security administrator of the company identifies and accesses the OSS bucket with the improper configuration. Based on the sensitive data detection results, the security administrator identifies the sensitive object in the bucket and determines that the access control list (ACL) of the object must not be public. If the ACL is public, data leaks may occur.
- Troubleshooting: Migrate the sensitive object to a safe location and delete it from the OSS bucket in the OSS console. Alternatively, go to the Alerts on Data Leak Risks page of the DSC console, find the alert event, and click Process in the Actions column. In the panel that appears, turn on Set Bucket ACL to Private. This prevents leaks of sensitive data from a public OSS bucket.
Accidental operations performed by a staff member of a bank
- Issue description: DSC detects that the ACL of an OSS bucket is set to public and that an AccessKey ID and AccessKey secret are publicly available. An alert is triggered and reported in the DSC console, and an alert email is sent to the specified email address.
- Cause diagnosis: An Android Package (APK) file contains an AccessKey ID and AccessKey secret, and the APK file can be downloaded from the Internet. Anyone who extracts the AccessKey pair can use it to access all OSS buckets of the account. In this case, hundreds of TB of data may be leaked.
- Troubleshooting: Log on to the User Management console and disable the AccessKey ID and AccessKey secret. Remove the AccessKey pair from the APK file. This prevents further data leaks.
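A scanner for the credential-in-APK case above, as an added example that is not part of the original page or of DSC itself: it opens an APK (which is a ZIP archive), scans every member for an AccessKey ID and a nearby 30-character secret, and reports the file, offset and whether a paired secret was found. The `LTAI` prefix and 12-20 character length of the AccessKey ID, the 30-character alphanumeric secret format, the 200-byte pairing window and the contents of the sample archive are all assumptions made for this example; the key values are fake.

```python
import io
import re
import zipfile

# Assumed formats for this example (not taken from DSC documentation):
# an AccessKey ID is "LTAI" followed by 12-20 alphanumerics, and the paired
# secret is a stand-alone 30-character alphanumeric token that appears within
# NEARBY bytes after the ID.
ACCESS_KEY_ID_RE = re.compile(rb"LTAI[A-Za-z0-9]{12,20}")
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9])[A-Za-z0-9]{30}(?![A-Za-z0-9])")
NEARBY = 200


def scan_bytes(data, name):
    """Return one finding per AccessKey ID found in `data` (any file type)."""
    findings = []
    for match in ACCESS_KEY_ID_RE.finditer(data):
        window = data[match.end(): match.end() + NEARBY]
        findings.append({
            "file": name,
            "offset": match.start(),
            "access_key_id": match.group().decode(),
            "secret_found": SECRET_RE.search(window) is not None,
        })
    return findings


def scan_apk(apk_bytes):
    """Walk every member of the APK archive and scan its raw bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            findings.extend(scan_bytes(archive.read(info), info.filename))
    return findings


def build_sample_apk():
    """Constructed APK-like archive for the example; the key values are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("AndroidManifest.xml",
                         "<manifest package='com.example.bank'/>")
        # A config file shipped in the APK with both halves of the credential.
        archive.writestr("assets/oss_config.json",
                         '{"accessKeyId": "LTAI5tExampleKey0123", '
                         '"accessKeySecret": "abcdefghijklmnopqrstuvwxyz0123", '
                         '"bucket": "bank-statements"}')
        # A binary member with only an ID embedded, no secret nearby.
        archive.writestr("classes.dex",
                         b"dex\n035\x00" + b"\x00" * 16
                         + b"LTAI4ExampleKeyAbc" + b"\x00" * 8 + b"notasecret")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(finding)
```

Scanning raw bytes rather than decoded text is deliberate: compiled resources and DEX files are not valid UTF-8, yet they still carry the credential as a plain ASCII run. A hit with `secret_found` set is the case described above and warrants disabling the key immediately; a hit without one still identifies where the ID is embedded and should be checked against the account's active keys.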
Invalid operations performed by an employee of an Internet company
- Issue description: DSC detects the use of an unusual User-Agent (UA) string. An alert email is sent to the specified email address.
- Cause diagnosis: View the logs in the DSC console. The logs show that an employee of the company shared an object in an OSS bucket by using Telegram.
- Troubleshooting: Revoke the download URL of the object in the OSS console. Configure a custom alert rule that triggers alerts when unusual UA strings are used to download objects from OSS buckets.
Identity fraud in an education company
- Issue description: DSC detects that the account of a user is used to access a data asset from an unusual IP address.
- Cause diagnosis: The owner of the account did not initiate the access. The access came from an egress IP address, so the person who initiated it cannot be determined from the IP address alone.
- Troubleshooting: Replace the AccessKey ID in the configuration file with a new one. Then, disable the old AccessKey ID and AccessKey secret in the User Management console. This stops the abnormal access.
Stress testing performed by a logistics company
- Issue description: DSC detects that an unusually large number of files are downloaded.
- Cause diagnosis: Employees of the company were performing stress testing, which generated a large number of alert events.
- Troubleshooting: No violation is found.
File download by an outsourced employee of a manufacturing company who works from home
- Issue description: DSC detects that an unusually large number of files are downloaded.
- Cause diagnosis: The outsourced employee who works from home downloaded a large number of files without approval.
- Troubleshooting: Log on to the DSC console. In the left-side navigation pane, choose . On the page that appears, review the audit logs for the user's subsequent behavior and check for further violations.
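Detection logic for the use cases above (an unusual User-Agent, access from an IP address outside the account's known networks, and mass downloads with a whitelisted stress-testing account), as an added example that is not part of the original page or of DSC: it runs three rules over constructed OSS-style access events. The JSON field names, the allowed User-Agent prefixes, the per-account networks, the whitelist, the 10-minute window and the threshold of 3 downloads are assumptions for this example, not DSC's schema or defaults.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (one JSON object per line). The field names are an
# assumption for this example, not the real OSS access log or DSC alert schema.
SAMPLE_LOG = """\
{"time": "2024-03-01T09:00:01Z", "account": "alice", "ip": "10.1.2.3", "op": "GetObject", "object": "reports/q1.xlsx", "user_agent": "aliyun-sdk-python/2.18.0"}
{"time": "2024-03-01T09:05:00Z", "account": "bob", "ip": "203.0.113.7", "op": "GetObject", "object": "share/contract.pdf", "user_agent": "TelegramBot (like TwitterBot)"}
{"time": "2024-03-01T09:10:00Z", "account": "carol", "ip": "198.51.100.9", "op": "GetObject", "object": "hr/salaries.csv", "user_agent": "ossutil/1.7.15"}
{"time": "2024-03-01T09:15:00Z", "account": "loadtest", "ip": "10.9.0.1", "op": "GetObject", "object": "img/1.png", "user_agent": "aliyun-sdk-java/3.15.0"}
{"time": "2024-03-01T09:15:01Z", "account": "loadtest", "ip": "10.9.0.1", "op": "GetObject", "object": "img/2.png", "user_agent": "aliyun-sdk-java/3.15.0"}
{"time": "2024-03-01T09:15:02Z", "account": "loadtest", "ip": "10.9.0.1", "op": "GetObject", "object": "img/3.png", "user_agent": "aliyun-sdk-java/3.15.0"}
{"time": "2024-03-01T09:15:03Z", "account": "loadtest", "ip": "10.9.0.1", "op": "GetObject", "object": "img/4.png", "user_agent": "aliyun-sdk-java/3.15.0"}
{"time": "2024-03-01T09:20:00Z", "account": "dave", "ip": "10.4.0.8", "op": "GetObject", "object": "design/a.dwg", "user_agent": "ossutil/1.7.15"}
{"time": "2024-03-01T09:21:00Z", "account": "dave", "ip": "10.4.0.8", "op": "GetObject", "object": "design/b.dwg", "user_agent": "ossutil/1.7.15"}
{"time": "2024-03-01T09:22:00Z", "account": "dave", "ip": "10.4.0.8", "op": "GetObject", "object": "design/c.dwg", "user_agent": "ossutil/1.7.15"}
{"time": "2024-03-01T09:23:00Z", "account": "dave", "ip": "10.4.0.8", "op": "GetObject", "object": "design/d.dwg", "user_agent": "ossutil/1.7.15"}
{"time": "2024-03-01T09:24:00Z", "account": "dave", "ip": "10.4.0.8", "op": "GetObject", "object": "design/e.dwg", "user_agent": "ossutil/1.7.15"}
{"time": "2024-03-01T09:50:00Z", "account": "dave", "ip": "10.4.0.8", "op": "GetObject", "object": "design/f.dwg", "user_agent": "ossutil/1.7.15"}
"""

# Assumed policy for this example: only SDK and CLI clients normally download
# objects; accounts with a known network baseline; a whitelisted load-test
# account; and "more than 3 downloads in 10 minutes" as the mass-download rule.
ALLOWED_UA_PREFIXES = ("aliyun-sdk-", "ossutil")
KNOWN_NETWORKS = {
    "alice": [ip_network("10.1.0.0/16")],
    "carol": [ip_network("10.3.0.0/16")],
    "dave": [ip_network("10.4.0.0/16")],
}
WHITELIST = {"loadtest"}
DOWNLOAD_THRESHOLD = 3
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse JSON lines into events with typed time and IP fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
        event["ip"] = ip_address(event["ip"])
        events.append(event)
    return events


def unusual_user_agents(events):
    """Downloads whose client is not one of the expected SDK/CLI user agents."""
    return [e for e in events
            if e["op"] == "GetObject"
            and not e["user_agent"].startswith(ALLOWED_UA_PREFIXES)]


def unusual_source_ips(events):
    """Access by an account from outside its known networks (accounts with
    no baseline are skipped rather than flagged)."""
    alerts = []
    for e in events:
        networks = KNOWN_NETWORKS.get(e["account"])
        if networks is not None and not any(e["ip"] in n for n in networks):
            alerts.append(e)
    return alerts


def mass_downloads(events):
    """Sliding window per account: the largest number of downloads seen within
    WINDOW, reported only when it exceeds DOWNLOAD_THRESHOLD. Whitelisted
    accounts (for example, stress testing) are ignored."""
    times_by_account = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["op"] == "GetObject" and e["account"] not in WHITELIST:
            times_by_account[e["account"]].append(e["time"])
    alerts = {}
    for account, times in times_by_account.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:
                start += 1
            count = end - start + 1
            if count > DOWNLOAD_THRESHOLD:
                alerts[account] = max(alerts.get(account, 0), count)
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in unusual_user_agents(events):
        print("unusual UA:", e["account"], e["object"], e["user_agent"])
    for e in unusual_source_ips(events):
        print("unusual source IP:", e["account"], e["ip"])
    for account, n in mass_downloads(events).items():
        print("mass download:", account, n, "objects within", WINDOW)
```

Each rule maps to one of the cases above: the Telegram fetch shows up under the User-Agent rule, the access through an unknown egress address under the source-IP rule, and the outsourced employee under the download-count rule, while the stress-testing account produces nothing because it is whitelisted. As in the console procedure, a hit is a prompt to read the raw events for that account, not a verdict.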