This topic answers frequently asked questions about sensitive data scanning and identification.
Does data scanning affect my database performance?
Data Security Center (DSC) uses full, incremental, and scheduled scans to examine your databases. A full scan has a minimal impact on your database performance and does not affect your normal business operations. An incremental scan processes only modified files and has a negligible impact on performance.
DSC performs a full scan on your assets only after you authorize them, manually trigger a rescan, or at the start of a configured full scan cycle. When data in your database changes, only the modified files or tables are scanned. To minimize the performance impact of scans on your database, you can configure the full scan cycle based on the following recommendations:
-
Extend the full scan cycle to reduce the performance impact of DSC scans.
-
Schedule scans to run during off-peak hours when database traffic is low.
What types of data assets does DSC support for scanning?
DSC can scan both structured and unstructured data. The supported data asset types are as follows:
-
Structured data: ApsaraDB RDS, PolarDB, PolarDB for Xscale (PolarDB-X), PolarDB-X 2.0, ApsaraDB for Redis, ApsaraDB for MongoDB, ApsaraDB for OceanBase, and self-managed databases.
-
Unstructured data: Object Storage Service (OSS) and Log Service (SLS).
-
Big data: Tablestore, MaxCompute, AnalyticDB, and AnalyticDB.
For more information, see Supported data asset types.
How long does a scan take to complete after a data asset is authorized?
After DSC is authorized to access a data asset, a scan starts within 2 hours. The scan duration depends on the amount of data to be scanned and is extended if you have a large number of data tables (for example, more than 10,000 tables) or a large volume of OSS files (for example, more than 1 PB). While DSC scans your data, partial results are displayed on the Overview page of the DSC console. For more information, see Data Security Center overview.
How does DSC scan unstructured data assets (OSS and SLS)?
DSC scans the content stored in unstructured data assets and identifies sensitive data based on the scan results.
|
Asset type |
Scan scope |
Scanned data object |
|
OSS |
|
<OSS Bucket>/<Object Name>. Each object is treated as a single data object for a scan task. |
|
SLS |
Each time a scan runs, it processes all data stored in the authorized asset from 00:00 to 24:00 on the day before yesterday. If you need to scan more data in SLS, you can create a custom identification task and configure the scan scope. For more information, see Create a custom identification task. |
<SLS Project>/<Logstore>/<Time Period>. The data stored within each 5-minute period is treated as a single data object for a scan task. |
DSC: What Are the Billing Rules for Scans of Unstructured Data Sources (OSS and SLS)?
DSC is a subscription-based service. Data identification scans consume your purchased resource quotas. The deduction rules vary by edition:
-
Enterprise Edition: Billing is based on the data protection volume. The consumed quota is calculated as: Size of authorized OSS buckets + (Size of authorized SLS projects × 0.5). The result is deducted from your storage protection capacity.
-
Value-added Service Plan: The data scanning and identification feature is not supported.
For more information, see Billing.
Rescanning OSS objects
If an object has not been modified, DSC does not rescan it. If an object is modified, DSC automatically rescans it within 24 hours.
If needed, you can also manually rescan an OSS asset. For more information, see Rescan an identification task.
How does DSC scan structured data, such as MaxCompute?
DSC scans field names and their values in databases and tables to identify sensitive data. For example, to evaluate age-related data, DSC analyzes both the column name and its values if the values alone are not conclusive.
-
Initial scan: After authorization, DSC performs a full scan of all tables in the entire database or data project.
-
Incremental scan: When a new table is added to a database or data project, DSC scans the new table. If the schema (columns) of an existing table changes, DSC also rescans that table.
Does DSC log in to the database to retrieve data?
With proper authorization, DSC logs in to your database and uses data sampling to identify sensitive data. DSC does not store any data from your MaxCompute projects or databases.
What scenarios trigger a rescan?
DSC automatically triggers a rescan of an authorized data asset in the following scenarios.
|
Scenario |
Scan logic |
Impact on billing |
|
A data asset is authorized for the first time. |
DSC performs a full scan on all data in the data asset. |
You are billed for a full scan of all data in the data asset. |
|
Data in an authorized data asset changes after an initial scan. |
After the schema of a table in MaxCompute or a database changes (specifically, when a column is added or deleted), DSC automatically scans the modified columns. Changes to rows do not trigger an automatic scan. |
You are billed for scanning the modified table. |
|
An object is added to or modified in an OSS bucket. Note
Deleting an object from an OSS bucket does not trigger an automatic scan. |
You are billed only for scanning the new or modified object. |
|
|
The configuration of sensitive data identification rules changes (for example, a rule is added, enabled, disabled, or deleted). |
DSC automatically scans all data in all authorized data assets. |
You are billed for a full scan of all authorized data assets. |
Scanning encrypted data
Yes, if the data is encrypted by using transparent data encryption (TDE).
Performance impact of MongoDB scans
A full-collection scan has a minimal impact on your database performance and typically does not disrupt normal business operations.
To further reduce the performance impact of asset scans, you can increase the scan interval or schedule scans to run during off-peak hours when database traffic is low.
Scanning archives and documents in OSS
Yes. You can view the full list of supported OSS data types on the File Type tab of the Identification Rules page in the Data Security Center console.
DSC supports a wide range of file categories, including text files (109 types, such as .txt, .xml, and .vcf), office documents (144 types), image files (86 types), design documents (10 types), code files (91 types), binary files (23 types), data files (25 types), signature verification files (18 types), and archive files (50 types, such as .7z, .zip, .rar, and .tar).
Exporting identification results
Yes. For instructions, see View and export sensitive data identification results.
Field-level scan results for MongoDB
No. ApsaraDB for MongoDB is a document-oriented database where the smallest unit of storage is a document. Therefore, scan results cannot be narrowed down to a specific field.
Details in API query results
Yes.
|
API |
Description |
|
Returns the instance ID (InstanceId), bucket name (BucketName), object ID (FileId), and risk level ID (RiskLevelId) for an OSS object. |
|
|
Returns the ID (Id) and name (Name) of a data asset instance. |
|
|
Returns table information (Items), including the table name (Name) and risk level ID (RiskLevelId). |
|
|
Returns column information (Items) for a data table, including the column name (ColumnName) and risk level ID (RiskLevelId). |
Sensitive data identification for Redis
No. Currently, DSC provides only the baseline check feature for ApsaraDB for Redis. For more information, see Security baseline checks.
Selecting the common identification template
You do not need to configure the common identification template separately. If an identification task uses a built-in template, the common template is used by default. For more information, see View and configure identification templates and Scan sensitive data by using an identification task.
Free edition tasks in waiting state
The free quota for data identification (5 GB of stored data and 100 database tables) is exhausted. As a result, the identification task cannot run and remains in the waiting state. To continue using the sensitive data identification feature, purchase a Data Security Center plan. For more information, see Purchase Data Security Center.
Full scan tasks reported as partial
-
Problem description: A scheduled scan task is configured to scan all data in a database instance, but the Last Scanned At column indicates that only some databases were scanned.
On the Sensitive Data Identification page, you expand a MySQL instance that contains four databases. The Last Scanned At time is different for each database, with some being significantly older than others.
-
Cause: For a custom periodic identification task, the initial scan is a full scan based on the configured scope. However, subsequent scans process only incremental data within that scope.
-
Solution: If you need to update the identification rules or run a full scan, reconfigure the custom scan task.