Help Center/ Data Security Center/ Getting Started/ Classification and Grading of Data Assets on the Cloud
Updated on 2024-10-09 GMT+08:00

Classification and Grading of Data Assets on the Cloud

Data asset classification and grading involve categorizing data based on identification rules and assigning it to different levels according to its sensitivity, importance, and potential impact of leakage. This ensures data is protected appropriately to its significance and impact, while also meeting compliance requirements.

DSC offers a sensitive data identification function and defines 10 sensitivity levels for refined data management. It assists enterprises or organizations in monitoring the flow of sensitive data, formulating corresponding data security policies, and quickly identifying and addressing issues when data leakage or other security events occur.

This section describes how to quickly classify and grade cloud data assets (DSC Standard Edition), including purchasing DSC, authorizing the database, creating a sensitive data identification task, and viewing the classification and grading result.

Procedure

Procedure

Description

Step 1: Purchase DSC and authorize DSC to access your cloud assets.

Purchase DSC and choose the version specifications (using the standard edition as an example) and the extension package. Complete the cloud asset authorization to streamline access policy permissions between other cloud services and DSC.

Step 2: Authorize DSC to access database assets for data identification.

Sensitive data identification, data masking, and database watermark injection/extraction can only be performed once the database and big data assets are authorized. Upon completion of database authorization, DSC can access the database to retrieve data for sensitive data identification and masking.

Step 3: Create a sensitive data identification task.

Create an identification task to identify sensitive data of assets and classify and grade data based on the selected identification template.

Step 4: View the classification and grading result.

View the classification and grading result to implement protection for data assets.

Preparations

  1. Before purchasing DSC, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.

    If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.

  2. Make sure that your account has sufficient balance, or you may fail to pay to your DSC orders.
  3. Make sure your account has DSC permissions assigned. For details, see Creating a User Group and Assigning DSC Permissions.
    Table 1 DSC system permissions

    Policy

    Description

    Type

    Dependency

    DSC DashboardReadOnlyAccess

    Read-only permissions for the overview page of DSC

    System-defined policy

    None

    DSC FullAccess

    All permissions for DSC

    System-defined policy

    To purchase a yearly/monthly RDS DB instance, you need to configure the following actions:

    bss:order:update

    bss:order:pay

    DSC ReadOnlyAccess

    Read-only permissions for Data Security Center

    System-defined policy

    None

Step 1: Purchase DSC and Authorize DSC to Access Your Cloud Assets

  1. Log in to the management console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation tree on the left, click . Choose Security & Compliance > Data Security Center .
  4. If you are a first-time user, click Buy DSC.
  5. On the Buy DSC page, set the purchase parameters listed in Figure 1 and complete the payment.

    Table 2 Parameters for purchasing an instance

    Parameter

    Example Value

    Description

    Edition and specifications

    Standard

    The standard edition supports the asset map, sensitive data identification, and data risk detection functions. If data masking and watermark injection/extraction are required, upgrade the edition by referring to section Upgrading Edition and Specifications.

    OBS expansion package

    1

    One OBS expansion package offers 1 TB (1024 GB) of OBS storage.

    Database expansion package

    1

    One database expansion package supports the addition of one database (RDS, DWS, self-built databases on ECS, DLI, Elasticsearch, and self-built big data on ECS). For details about the supported database types and versions, see section Constraints.

    Required duration

    1 month

    Select the required duration from one month to three years.

    Figure 1 Parameters for purchasing an instance

  6. After the purchase is complete, return to the console and go to the Asset Map page. In the upper left corner of the page, click Modify next to Cloud Asset Authorization to perform authorization, as shown in Figure 2.

    After you agree to the authorization, DSC will create agency polycies to access your cloud assets based on your choice. For details about the agency polycies, see Allowing or Disallowing Access to Cloud Assets.

    To stop authorization, ensure that your assets have no ongoing tasks. DSC will delete your authorization information and assets and all related data. Exercise caution when performing this operation.

    Figure 2 Authorizing access to assets

Step 2: Authorize DSC to Access Database Assets

DSC can automatically discover cloud assets and add self-built data assets. After connecting to DSC and authorizing DSC to access to cloud assets, you can delegate and manage your assets in the asset center.

Sensitive data identification, data masking, and database watermark injection and extrration can be performed only after databases and big data assets are authorized.

  1. Log in to the management console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation tree on the left, click . Choose Security & Compliance > Data Security Center .
  4. In the navigation tree on the left, choose Asset Management > Asset Center. The Asset Center page is displayed.
  5. On the asset type menu, choose Database < RDS. The Databases tab page is displayed.
  6. Click the Database Instances tab. In the Operation column of the target database instance, click Authorize and enter information according to Figure 3.

    Read-only permission: Only the sensitive data identification function can be used.

    Read and Write permission: The sensitive data identification and data masking functions can be used.

    DSC cannot scan and mask sensitive data in MySQL databases within RDS instances where SSL has been enabled.

    Figure 3 Authorizing databases

  7. After the authorization is complete, click the Databases tab to view the connection status of the authorized database.

    After the asset authorization is complete, the Connection Status of the asset is Checking, which means DSC is checking the database connectivity.

    DSC can access the added database normally if the Connection Status of the database is Succeeded.

Step 3: Create a Sensitive Data Identification Task.

DSC identifies sensitive asset data based on the data type and the identification template selected during the creation of the identification task, and then generates an identification result.

  1. Log in to the management console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation tree on the left, click . Choose Security & Compliance > Data Security Center .
  4. In the navigation pane on the left, choose Sensitive Data Identification > Identification Task.
  5. In the upper left corner of the task list, click Create Task.
  6. In the displayed dialog box, set required parameters based on Table 3.

    Table 3 Parameters for creating a task

    Parameter

    Example Value

    Description

    Task Name

    Test task_01

    You can customize the task name.

    The task name must meet the following requirements:

    • Contain 4 to 255 characters.
    • Consist of letters, digits, underscores (_), and hyphens (-).
    • The name must start with a letter.
    • Be unique.

    Data Type

    Database > pg-0530

    Type of data to be identified. You can select multiple types.

    • OBS: DSC is authorized to access your Huawei Cloud OBS assets and identify sensitive data in the assets. For details about how to add OBS assets, see Adding OBS Assets.
    • Database: DSC identifies sensitive data of authorized database assets. For details about how to authorize database assets, see Authorizing Access to a Database Asset.
    • Big Data: The DSC identifies sensitive data of authorized big data assets. For details about how to authorize big data source assets, see Authorizing Access to Big Data Assets.
    • MRS: DSC identifies sensitive data of authorized MRS assets. For details about authorized MRS assets, see Authorizing Access to Big Data Assets.

    Identification Template

    Huawei Cloud Data Security Classifying and Grading Template

    You can select a built-in or custom template. DSC displays data by level and category based on the template you select. For details about how to add a template, see Adding an Identification Template.

    Identification Period

    Once

    Set the execution policy of the data identification task.

    • Once: The task will be executed once at a specified time.
    • Daily: The task is executed at a fixed time every day.
    • Weekly: The task is executed at a specified time every week.
    • Monthly: The task is executed at a specified time every month.

    When to Execute

    Now

    This parameter is displayed when Identification Period is set to Once.
    • Now: Select the option and click OK, the system executes the data identification task immediately.
    • As scheduled: The task will be executed at a specified time.

    (Optional) Topic

    None

    • Select an existing topic from the drop-down list or click View Topic to create a topic for receiving alarm notifications.
    • If no notification topic is configured, you can view the identification result in the identification task list. For details, see .
    Figure 4 Parameters for creating a task

  7. Click OK. A message is displayed indicating the task is created successfully.

Step 4: View the Classification and Grading Result

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation tree on the left, click . Choose Security & Compliance > Data Security Center .
  4. In the navigation pane on the left, choose Sensitive Data Identification > Identification Task.
  5. Click Identification Result in the Operation column of the target task. The result details page is displayed.

    Figure 5 Identification result details

  6. In the row containing the desired scan object, click View Classification and Grading Result Details in the Operation column. The Classification and Grading Result Details dialog box is displayed.

    View the result details and sample data. For details about how to download the identification result, see Downloading the Identification Result.

Related Operations

To protect sensitive information and privacy data after classification and grading and prevent unauthorized access or leakage, you can mask data and add watermarks to the data using the professional edition. For details about how to upgrade to the professional edition, see Upgrading Edition and Specifications.

  • For details about how to mask data, see Data Masking. The masked data can be used for development and test, data sharing, and data research.
  • For details about how to add data watermarks, see Data Watermarking. A data watermark uniquely identifies an asset to protect the copyright of the asset, helping you track the data leakage source.