Updated on 2024-12-27 GMT+08:00

Policy Management

The administrator creates policies for database audit, encryption, watermarking, static masking, and dynamic masking on the policy management page of the policy center, and then deploys these policies to the relevant services or instances.

Database Types and Versions That Support Database Encryption

Data Source Type    Version
MySQL               5.6, 5.7, 5.8, and 8.0
SQL Server          2019_SE, 2019_EE, and 2019_WEB
                    2017_SE, 2017_EE, and 2017_WEB
                    2016_SE, 2016_EE, and 2016_WEB
                    2014_SE and 2014_EE
                    2012_SE, 2012_EE, and 2012_WEB
                    2008_R2_EE and 2008_R2_WEB
Oracle              11 and 12
PostgreSQL          13, 12, 11, 10, 9.6, 9.5, and 9.4
Kingbase            V8
DMDBMS (Dameng)     7 and 8
TDSQL               10.3.X
DWS                 8.1.X

Policy Type

  • Database audit: Monitor and record database activities to ensure data integrity, security, and compliance.
  • Database encryption: Encrypt data to ensure data confidentiality and integrity and prevent unauthorized access and data leakage.
  • Database watermarking: Embed invisible identifiers into data to verify data authenticity and ownership and trace data leakage sources.
  • Static database masking: Mask sensitive data to ensure privacy and security while retaining the data structure and statistics features.
  • Dynamic database masking: Mask sensitive data in real time to ensure that unauthorized data cannot be accessed.

Creating a Policy

The following sections describe how to create each type of policy.

Database Audit

Connect to the DBSS service to monitor and record activity on database instances that do not require agent-based audit, ensuring data integrity, security, and compliance.

Prerequisites

DBSS has been enabled and an instance has been added.

  1. Log in to the management console.
  2. In the upper left corner, select a region or project.
  3. In the navigation tree on the left, choose Security & Compliance > Data Security Center.
  4. Choose Policy Center > Policy Management. The Policy Management page is displayed.
  5. Click Create Policy in the upper left corner. The Create Policy page is displayed.
  6. Select the Database audit policy type.
  7. Click Start configuring. The page for configuring the database audit policy type is displayed.
  8. Set the parameters by referring to Table 1.

    Table 1 Parameters for configuring a database audit policy

    Policy Name: Enter a policy name. The name can contain a maximum of 255 characters, including letters, digits, underscores (_), and hyphens (-).

    Associated Instance: Select a database audit instance from the drop-down list.

    Target Data Source: Select the target data source from the drop-down list. Only database instances that do not require agent audit are supported.

    Display Result Set: When result-set recording is enabled, the system logs the content of SQL results, and you can view it in the log details. If it is disabled, the SQL result in the log details is empty.
        Recording result sets may lead to information leakage, so enabling this function is not recommended.

    Mask Privacy Data: You are advised to set masking rules to prevent sensitive data leakage.

  9. Click Save and Deliver. The policy list is displayed, showing the newly created policy.
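The interaction between Display Result Set and Mask Privacy Data is easier to see in code. The following Python model is an added illustration, not DBSS code: it builds the kind of audit log entry the table describes, leaving the result field empty when recording is off and applying per-column masking rules when it is on. The record layout, the masking functions and the sample rows are constructed for this example.

```python
from typing import Callable

Masker = Callable[[str], str]


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the domain: a***@example.com."""
    local, _, domain = value.partition("@")
    return f"{local[:1]}***@{domain}"


def mask_phone(value: str) -> str:
    """Keep the first three and last four digits: 138****1234."""
    return f"{value[:3]}****{value[-4:]}"


def build_audit_record(sql: str, columns: list[str], rows: list[list[str]],
                       display_result_set: bool, mask_rules: dict[str, Masker]) -> dict:
    """Return an audit log entry (hypothetical layout): the SQL text always,
    the result set only when recording is enabled, masked column by column."""
    record = {"sql": sql, "result": []}
    if not display_result_set:
        return record  # result stays empty in the log details when recording is off
    maskers = [mask_rules.get(col) for col in columns]
    for row in rows:
        record["result"].append([m(v) if m else v for m, v in zip(maskers, row)])
    return record


# Constructed sample query result; not real data.
SAMPLE_SQL = "SELECT name, email, phone FROM customer WHERE id = 42"
SAMPLE_COLUMNS = ["name", "email", "phone"]
SAMPLE_ROWS = [["Alice", "alice@example.com", "13800001234"]]
SAMPLE_MASK_RULES = {"email": mask_email, "phone": mask_phone}

if __name__ == "__main__":
    for enabled in (False, True):
        print(build_audit_record(SAMPLE_SQL, SAMPLE_COLUMNS, SAMPLE_ROWS,
                                 enabled, SAMPLE_MASK_RULES))
```

With recording disabled the entry carries only the statement; with it enabled and no masking rules, every returned value lands in the log, which is the leakage the table warns about. Masking rules reduce that exposure but do not remove the reason to keep recording off by default.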

Database Encryption

Encrypt data to ensure data confidentiality and integrity and prevent unauthorized access and data leakage.

Prerequisites

You have purchased the data encryption and access control service on DBSS.

Sensitive data in the data source to be encrypted has been identified.

  1. Log in to the management console.
  2. In the upper left corner, select a region or project.
  3. In the navigation tree on the left, choose Security & Compliance > Data Security Center.
  4. Choose Policy Center > Policy Management. The Policy Management page is displayed.
  5. Click Create Policy in the upper left corner. The Create Policy page is displayed.
  6. Select the Database encryption policy type.
  7. Click Start configuring. The page for configuring a database encryption policy is displayed.
  8. Set the parameters by referring to Table 2.

    Table 2 Parameters for configuring a database encryption policy

    Policy Name: Enter a policy name. The name can contain only letters, digits, underscores (_), and hyphens (-).

    Associated Instance: Database encryption gateway.

    Data Source: Select the target data source from the drop-down list. For details about the supported database versions, see Database Types and Versions That Support Database Encryption.

    Proxy Port: The port number ranges from 14000 to 14999. Different database instances (sharing the same address and port) use distinct proxy ports, and a single database instance always uses the same proxy port. When a data source for the same database instance is added, the proxy port is populated automatically.

    Schema: Select a value from the drop-down list. This parameter is displayed only when you select a DWS data source.

    Encryption Algorithm: Select an encryption algorithm from the drop-down list. The options are AES128 and SM4.

    Encrypted Table: Select the table to encrypt from the drop-down list. The same target table cannot be selected more than once.

    Encrypted Table Information: Displayed after you select a table. Shows information about the encrypted table, including Field Name, Field Type, and Data Level.

  9. Click Save and Deliver. The policy list is displayed, showing the newly created policy.
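The constraints in Table 2 (name character set, the 14000-14999 proxy port range with one port per database instance, the AES128/SM4 choice, and no table selected twice) can be checked before a policy is submitted. The following Python validator is an added example, not DBSS code. It assumes a string instance identifier to tell instances apart, takes the 255-character name limit from Table 1, and allocates proxy ports sequentially from 14000, which is an assumption: the page states only the range and the one-port-per-instance rule, not how the console picks the port.

```python
import re

# Constraints stated on the page: name character set, proxy port range, algorithms.
POLICY_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,255}")   # 255-char limit taken from Table 1
PROXY_PORT_MIN, PROXY_PORT_MAX = 14000, 14999
ALGORITHMS = {"AES128", "SM4"}


def validate_policy_name(name: str) -> bool:
    """True if the name uses only letters, digits, '_' and '-' and is 1..255 characters."""
    return POLICY_NAME_RE.fullmatch(name) is not None


class ProxyPortAllocator:
    """One proxy port per database instance, reused for every data source of that
    instance (the page's "automatically populated" behaviour). Sequential allocation
    from 14000 is an assumption made for this example."""

    def __init__(self) -> None:
        self._by_instance: dict[str, int] = {}
        self._next = PROXY_PORT_MIN

    def allocate(self, instance_id: str) -> int:
        if instance_id in self._by_instance:
            return self._by_instance[instance_id]  # known instance: same port again
        if self._next > PROXY_PORT_MAX:
            raise RuntimeError("proxy port range 14000-14999 exhausted")
        port = self._next
        self._next += 1
        self._by_instance[instance_id] = port
        return port


def build_encryption_policy(name: str, instance_id: str, algorithm: str,
                            tables: list[str], allocator: ProxyPortAllocator) -> dict:
    """Validate the fields of an encryption policy and return it as a dict
    (hypothetical layout; the console's own representation is not documented here)."""
    if not validate_policy_name(name):
        raise ValueError(f"invalid policy name: {name!r}")
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    seen: set[str] = set()
    for table in tables:
        if table in seen:
            raise ValueError(f"table selected more than once: {table}")
        seen.add(table)
    return {
        "policy_name": name,
        "associated_instance": "Database encryption gateway",
        "instance_id": instance_id,
        "proxy_port": allocator.allocate(instance_id),
        "encryption_algorithm": algorithm,
        "encrypted_tables": list(tables),
    }


if __name__ == "__main__":
    alloc = ProxyPortAllocator()
    # Constructed instance ids and table names, not real values.
    print(build_encryption_policy("hr-enc_01", "inst-a", "AES128", ["hr.employee"], alloc))
    print(build_encryption_policy("hr-enc_02", "inst-a", "SM4", ["hr.salary"], alloc))
    print(build_encryption_policy("fin-enc", "inst-b", "AES128", ["fin.ledger"], alloc))
```

Two policies for the same instance receive the same proxy port, a second instance gets a distinct one, and a duplicate table or an invalid name is rejected before anything is delivered.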

Database Watermarking

Embed invisible identifiers into data to verify data authenticity and ownership and trace data leakage sources.

  1. Log in to the management console.
  2. In the upper left corner, select a region or project.
  3. In the navigation tree on the left, choose Security & Compliance > Data Security Center.
  4. Choose Policy Center > Policy Management. The Policy Management page is displayed.
  5. Click Create Policy in the upper left corner. The Create Policy page is displayed.
  6. Select the Database Watermark policy type.
  7. Click Start configuring. On the Database Watermarking page that is displayed, create a watermark injection or watermark extraction task. For details, see Injecting Watermarks to Databases and Extracting Watermarks from Databases.

Static Database Masking

Mask sensitive data to ensure privacy and security while retaining the data structure and statistics features.

  1. Log in to the management console.
  2. In the upper left corner, select a region or project.
  3. In the navigation tree on the left, choose Security & Compliance > Data Security Center.
  4. Choose Policy Center > Policy Management. The Policy Management page is displayed.
  5. Click Create Policy in the upper left corner. The Create Policy page is displayed.
  6. Select the Static database masking policy type.
  7. Click Start configuring. On the displayed data masking page, create a data masking task. For details, see Static Data Masking.

Dynamic Database Masking

Mask sensitive data in real time to ensure that unauthorized data cannot be accessed.

  1. Log in to the management console.
  2. In the upper left corner, select a region or project.
  3. In the navigation tree on the left, choose Security & Compliance > Data Security Center.
  4. Choose Policy Center > Policy Management. The Policy Management page is displayed.
  5. Click Create Policy in the upper left corner. The Create Policy page is displayed.
  6. Select the Dynamic database masking policy type.
  7. Click Start configuring. The page for configuring a dynamic database masking policy is displayed.
  8. Set the parameters by referring to Table 3.

    Table 3 Parameters for configuring a dynamic database masking policy

    Policy Name: Enter a policy name. The name can contain only letters, digits, underscores (_), and hyphens (-).

    Associated Instance: Database encryption gateway.

    Target Data Source: Select a target data source from the drop-down list.

    Masking Service Port: The port number ranges from 14000 to 14999. Different database instances (sharing the same address and port) use distinct proxy ports, and a single database instance always uses the same proxy port. When a data source for the same database instance is added, the proxy port is populated automatically.

    Table: Select a table from the drop-down list.

    Table Information: Displayed after you select a table. Shows table information, including Field Name, Field Type, Data Level, and Masking Algorithm.

  9. Click Save and Deliver. The policy list is displayed, showing the newly created policy.

Related Operations

  • Disabling a policy: You can click Disable in the Operation column of a policy that is enabled and successfully delivered to disable the policy. After you click Disable, the policy status changes to Disabled (Delivering). When the policy status changes to Disabled (Delivered), the policy is disabled.

    After an encryption policy is enabled and delivered, it cannot be disabled or deleted. You can click Decrypt under Operation > More to decrypt the corresponding encryption policy. After decryption, a suffix is appended to the encryption policy name. A new decryption policy will not be generated.

  • Deleting a policy: Click Delete in the Operation column of a policy that is successfully delivered to delete the policy. After you click Delete, a message is displayed in the upper right corner of the page, indicating that the policy is successfully deleted.