Data Security CenterData Security Center

Compute
Elastic Cloud Server
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
Domain Name Service
VPC Endpoint
Cloud Connect
Enterprise Switch
Security & Compliance
Anti-DDoS
Web Application Firewall
Host Security Service
Data Encryption Workshop
Database Security Service
Advanced Anti-DDoS
Data Security Center
Container Guard Service
Situation Awareness
Managed Threat Detection
Compass
Cloud Certificate Manager
Anti-DDoS Service
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GaussDB NoSQL
GaussDB(for MySQL)
Distributed Database Middleware
GaussDB(for openGauss)
Developer Services
ServiceStage
Distributed Cache Service
Simple Message Notification
Application Performance Management
Application Operations Management
Blockchain
API Gateway
Cloud Performance Test Service
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
DevCloud
ProjectMan
CodeHub
CloudRelease
CloudPipeline
CloudBuild
CloudDeploy
Cloud Communications
Message & SMS
Cloud Ecosystem
Marketplace
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP License Service
Support Plans
Customer Operation Capabilities
Partner Support Plans
Professional Services
enterprise-collaboration
Meeting
IoT
IoT
Intelligent EdgeFabric
DeveloperTools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Help Center> Data Security Center> Best Practices> Quick Sensitive Data Identification and Masking
Updated at: Feb 22, 2022 GMT+08:00

Quick Sensitive Data Identification and Masking

HUAWEI CLOUD Data Security Center (DSC) provides you with dynamic and static data masking methods to help mask your sensitive data in different scenarios, keeping your data secure and reliable. DSC provides you with over 20 preset data masking rules such as Hash, encryption, character masking, keyword replacement, value change, and roundup. You can use the default masking rules or customize the masking rules to mask sensitive data in the specified database table.

Sensitive data refers to the data that may bring serious harm to the society or individuals after being leaked.

For individuals, privacy information, such as ID card numbers, home addresses, workplace information, and bank card numbers, is sensitive data. For enterprises or organizations, core information, such as customer information, financial information, technical information, and major decisions, is sensitive data.

Static data masking: DSC can help mask a large amount of data at one time based on the configured data masking rules. Static data masking is used when sensitive data in the production environment is delivered to the development, testing, or external environment for development and testing and data sharing and research. You can create an data masking task on the DSC console to quickly mask sensitive data in databases and big data assets.

Dynamic data masking: DSC provides dynamic data masking APIs to mask the data accessed from the external systems. Dynamic data masking applies to scenarios where data is queried from the external system, such as production applications, data exchange, O&M applications, and precision marketing. For details, see Dynamic Data Masking.

Data Masking Process

With DSC, you can implement dynamic and static data masking to fully protect your sensitive data.

Data Masking Algorithms

DSC has over 100 sensitive data identification and masking rules and can identify and mask the sensitive information such as personal information (ID card information, bank card information, names, mobile numbers, email addresses, and more), enterprise information (business license numbers, tax registration certificate numbers, and more), and key information (PEM certificates, HEY private keys, and more), device information (IP addresses, MAC addresses, IPv6 addresses, and more), location information (provinces/states, cities, GPS locations, addresses, and more), and common information (dates and others). Table 1 describes the data masking algorithms and application scenarios.

Table 1 Masking algorithms

Algorithm

Description

Application Scenario

Hash

Use Hash functions to mask sensitive data. DSC supports SHA-256 and SHA-512.

  • SHA-256

    SHA-256, a message-digest algorithm, is used by DSC to compute a digest from a string in the database table.

    It takes a block of data and returns a fixed-size bit string (hash value). As the value length may exceed the maximum column width allowed in the original table, you can adjust the column width to adapt to the returned SHA-256 hash values.

  • SHA-512

    SHA-512, a message-digest algorithm, is used by DSC to compute a digest from a string in the database table.

    It takes a block of data and returns a fixed-size bit string (hash value). As the value length may exceed the maximum column width allowed in the original table, you can adjust the column width to adapt to the returned SHA-512 hash values.

  • Sensitive data: Key information
  • Application scenario: data storage

Encryption

Use the encryption algorithms and master key to implement data masking. In the encryption and data masking result, the first 16 bytes of an encrypted string is the initialization vector (IV) and the rest is the enciphered text.

DSC supports three encryption algorithms: AES-128, AES-192, and AES-256.

  • Sensitive data:
    • Personal data
    • Enterprise data
  • Application scenario: data storage

Character Masking

Use the specified character * or random characters (including numbers, letters, and both number and letters) to cover part of the original content. The following six data masking approaches are supported:

  • Retain first N and last M
  • Retain from X to Y
  • Mask first N and last M
  • Mask from X to Y
  • Mask data ahead of special characters
  • Mask data followed by special characters
NOTE:

DSC has multiple character masking templates.

  • Sensitive data: Personal data
  • Application scenarios:
    • Data usage
    • Data sharing

Keyword Replacement

Search for keywords in a specified column and replace them.

For example, the specified characters are "Zhang San eats at home". After replacement, the characters become "Mr. Zhang eats at home". In the example, "Zhang San" is replaced with "Mr. Zhang".

After this algorithm is executed, the value length may exceed the maximum length allowed by the database. In this case, the excess part will be truncated and inserted into the database.

  • Sensitive data:
    • Personal data
    • Enterprise data
    • Device data
  • Application scenarios:
    • Data storage
    • Data sharing

Value Change

Set a specified field to Null or left it blank for data masking.

  • Masking Using the Null Value

    Set a field of any type to NULL.

    If a field is set to NOT NULL, this algorithm changes the attribute of the file to NULL when copying the column.

  • Masking Using a Custom Value

    Set the target field to a default value.

    Specifically, a character field is left blank, a numeric field is set to 0, a date field is set to 1970, and time field is set to 00:00.

  • Sensitive data:
    • Personal data
    • Enterprise data
    • Device data
  • Applicable scenarios
    • Data storage
    • Data sharing

Roundup

Round a date or number.

  • Date Roundup

    Roundup of fields after the year field

    Example: 2019-05-12 -> 2019-01-01 or 2019-05-12 08:08:08 -> 2019-01-01 00:00:00

    Roundup of fields after the month field

    Example: 2019-05-12 -> 2019-05-01 or 2019-05-12 08:08:08 -> 2019-05-01 00:00:00

    Roundup of fields after the day field

    Example: 2019-05-12 -> 2019-05-12 or 2019-05-12 08:08:08 -> 2019-05-12 00:00:00

    Roundup of fields after the hour field

    Example: 08:08:08 -> 08:00:00 or 2019-05-12 08:08:08 -> 2019-05-12 08:00:00

    Roundup of fields after the minute field

    Example: 08:08:08 -> 08:08:00 or 2019-05-12 08:08:08 -> 2019-05-12 08:08:00

    Roundup of fields after the second field

    Example: 08:08:08.123 -> 08:08:08.000 or 1575612731312 -> 1575612731000

  • Number roundup

    Rounds a specified number.

  • Sensitive data: General data
  • Applicable scenarios
    • Data storage
    • Data usage

Example:

Assume that the dsc_yunxiaoke table in the rsd-dsc-test database stores the information of the following bank employees:

To identify and mask sensitive data in the table, you can select the preset identification rule template for banking and finance data to identify sensitive data and generate the identification result, and then mask the identified sensitive data using the SHA256 algorithm in Hash.

Step 1 Identifying Sensitive Data

  1. Buy DSC.
  2. Log in to the management console.
  3. Click and choose Security & Compliance > Data Security Center.
  4. In the left navigation pane, choose Sensitive Data Identification > Identification Task.

    Figure 1 Identification task

  5. Click Create Task. In the displayed dialog box, configure the basic parameters.

    Figure 2 Creating a sensitive data identification task

  6. Click OK. The sensitive data identification task list is displayed.

    Figure 3 Sensitive data identification task list

  7. When the status of the identification task changes to Identification completed. Click View Result in the Operation column to go to the result details page.

    Figure 4 Lineage diagram

    In the preceding figure, the birthday dates and email addresses are identified as sensitive data.

  8. Click a sensitive field to view the risk details.

    Figure 5 Risk details

    Perform operations described in Step 2 Masking Sensitive Data to mask the sensitive data in the Birthday and Email columns of the dsc_yunxiaoke table in the rds-dsc-test database.

Step 2 Masking Sensitive Data

You can create data masking tasks for the database and Elasticsearch (the data masking methods are the same). The following describes how to create a database data masking task. For details about how to create a data masking task for Elasticsearch, see Creating a Data Masking Task for Elasticsearch.

  1. In the left navigation pane, choose Data Masking. The Data Masking > Sensitive Database Data Masking page is displayed by default.

    Figure 6 Accessing the Database Data Masking tab page

  2. Set Mask Sensitive RDS Data to .
  3. Click Create Task to configure the data source.

    Select all data types if you want a complete table that contains all types of data after the data masking is completed.

    Figure 7 Data source configuration

  4. Click Next to switch to Set Masking Algorithm.

    Figure 8 Configuring the data masking algorithm

  5. Click Next to switch to the Configure Data Masking Period page and configure the data masking period.

    Figure 9 Configuring the data masking period

  6. Click Next to the Set Target Data page and configure the storage location of the table generated after data masking.

    Figure 10 Configuring the storage location of the table generated after data masking

  7. Click Finish to return to the database data masking task list. Click to enable the masking task and then Execute in the Operation column to execute the task.

    If the status changes to Completed, the data masking task has been successfully executed.

Verifying the Result

Did you find this page helpful?

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?







Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel