Data tracing analyzes leaked data files to extract embedded watermark information, identifying who accessed the data and when. Use this feature after a data breach to pinpoint the source and take targeted remediation.
Limitations
-
Edition: DataWorks Professional Edition or Enterprise Edition. You must also enable the new data security features in Security Center.
-
Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Chengdu), China (Hong Kong), and Japan (Tokyo).
-
Supported compute engines: MaxCompute and Hologres.
Prerequisites
Before you begin, ensure that you have:
-
An Alibaba Cloud account or RAM user with one of the following:
-
The AliyunDataWorksFullAccess policy attached
-
The tenant security administrator role in DataWorks
-
The tenant administrator role in DataWorks
-
-
Completed the new user guide
How it works
Data tracing relies on digital watermarks embedded in masked data. For a file to be traceable, complete the following three steps in order — each step builds on the previous one.
Step 1: Classify the data as sensitive
In Sensitive Data Protection > Data classification grading, run a detection task on the target data field (for example, user_phone) and mark it with a data type (for example, Phone Number).
For more information, see Data classification and grading.
Step 2: Configure a masking rule
In Sensitive Data Protection > Data Desensitization, configure a masking rule for the data type (for example, Phone Number) and define a masking policy to set its scope.
For more information, see Data masking.
Step 3: Enable digital watermarking in the masking rule
When configuring or editing a data desensitization rule, set the Data Watermark option to enabled.
Digital watermarking is disabled by default. Without this step, the system cannot embed watermark information in masked data, and tracing will not work.
When all three steps are complete, the system embeds an invisible watermark — containing the operator, operation time, and SQL query — into the data each time it is masked. After a masked and watermarked CSV file is queried and exported from a module such as Data Analysis or Data Development, the data tracing feature can parse the file to identify the breach source.
Create a data tracing task
-
Log on to the DataWorks console. In the top navigation bar, select the target region. In the left-side navigation pane, choose Data Governance > Security Center, then click Go to Security Center.
-
In the left navigation pane, choose Sensitive Data Protection > Data Traceablity.
-
On the Data Tracing page, click New Task in the upper-left corner.
The uploaded file must meet all of the following requirements:
-
Format:
.csvfiles only -
Maximum size: 200 MB
-
Minimum entries: more than 500
View data tracing results
This feature can only trace data from operations for which digital watermarking was enabled during masking configuration.
When a task's Task Status changes to Completed, click View in the Operation column to see the results.
If a potential breach source is detected, the results include the following fields:
Confidence
| Field | Description |
|---|---|
| Watermark similarity | The probability that this operation caused the data breach. Higher similarity indicates a higher probability. |
Operation facts
| Field | Description |
|---|---|
| Operator | The account used for the operation. This can be the logon account, or the RAM user or Alibaba Cloud account specified as the default access identity for the data source. |
| Operation time | The time when the operation occurred. |
| Behavior | The type of operation. If the operation is an SQL statement, you can copy the full statement. |
Scope
| Field | Description |
|---|---|
| Project | The name of the project or database that was accessed. |
Delete a data tracing task
Delete a single task from the Actions column, or select multiple tasks and delete them in bulk.
After a task is deleted, the tracing file can no longer be downloaded and the results can no longer be viewed.