Updated on 2024-03-18 GMT+08:00

Best Practices of OBS Data Security Protection

This document describes how to use the Data Security Center (DSC) to identify, classify, and protect sensitive data stored in OBS.

Overview

Sensitive data includes personal privacy information, passwords, keys, sensitive images, and other high-value data. Such data is usually stored in your OBS buckets in various formats. Once the data is leaked, enterprises suffer significant economic and reputational losses.

After you authorize DSC to identify data in the data source, DSC quickly identifies sensitive data among the large volume of data stored in OBS, classifies the sensitive data, and displays it. DSC also traces the usage of sensitive data, and protects and audits data based on predefined security policies. In this way, DSC allows you to learn about the security status of your OBS data assets at any time.

Application Scenario

  • Sensitive data identification

    OBS stores a large amount of data and files. However, it is difficult to know exactly what sensitive information OBS contains.

    You can use the built-in identification rules of DSC or define custom industry rules to scan, classify, and grade data stored in OBS, and then take further protection measures based on the scanning results, for example, by using the access control and encryption functions of OBS.

  • Anomaly detection and audit

    DSC can detect access, operation, and management anomalies related to sensitive data and send alarms to you so that you can confirm and handle them. The following behaviors are regarded as anomalies:
    • Unauthorized users access and download sensitive data.
    • Authorized users access, download, and modify sensitive data, as well as change and delete permissions.
    • Authorized users change or delete permissions granted for buckets that contain sensitive data.
    • Users who have accessed sensitive files fail to log in to the device.

Procedure

  1. Buy DSC.
  2. Log in to the management console.
  3. In the left navigation page, click , and choose Security > Data Security Center.
  4. In the navigation pane, choose Assets, and click Allow Access to Cloud Assets in the upper right corner of the page.
  5. Locate the row that contains the OBS asset, click in the Operation column to enable authorization.
  6. For details about how to add OBS assets, see Adding OBS Assets.
  7. In the navigation tree on the left, choose Sensitive Data Identification > Identification Task. Click Create Task to configure a sensitive data scanning task.

    Select OBS for Data Type and select the OBS asset added in step 6. For details about other configurations, see Creating a Task.

    Figure 1 Creating an identification task

  8. In the navigation pane, choose Sensitive Data Identification > Identification Task.
  9. Click Identification Result in the Operation column to view the identification result.

    In the upper left corner of the page, set Task Name to dsctest, Data Type to OBS, and Asset types to All Assets to filter the OBS sensitive data identification result, as shown in Figure 2.

    Figure 2 Identification result details

  10. In the row containing the desired scan object, click View Categorizing and Leveling Result Details in the Operation column. The Categorizing and Leveling Result Details dialog box is displayed, as shown in Figure 3.

    Figure 3 Categorizing and leveling results
    1. In the alarm list, view anomalies by risk level and check whether there are high-risk events. For details, see Viewing Abnormal Behaviors Through Data Usage Audit.
    2. On the OBS console, modify the read and write permissions of the risky buckets or files. For details, see Bucket Policy.
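As an added example of the permission change in the last step (not part of this page or of the DSC service), the following OBS bucket policy replaces a typical risky setting, an Allow statement with Principal ID "*" granting GetObject on the whole bucket, with a policy that grants read access on the sensitive prefix to a single IAM user only. The bucket name dsc-example-bucket, the prefix pii/ (where a DSC scan is assumed to have flagged sensitive objects) and the account and user IDs are constructed placeholders; the field names follow the OBS bucket policy JSON format, so confirm them against the Bucket Policy documentation referenced above before applying.

```json
{
  "Statement": [
    {
      "Sid": "SensitivePrefixReadOnlyForOneUser",
      "Effect": "Allow",
      "Principal": {
        "ID": ["domain/<ACCOUNT_ID_PLACEHOLDER>:user/<USER_ID_PLACEHOLDER>"]
      },
      "Action": ["GetObject"],
      "Resource": ["dsc-example-bucket/pii/*"]
    },
    {
      "Sid": "NoAnonymousWriteOrDeleteOnSensitivePrefix",
      "Effect": "Deny",
      "Principal": {
        "ID": ["*"]
      },
      "Action": ["PutObject", "DeleteObject"],
      "Resource": ["dsc-example-bucket/pii/*"]
    }
  ]
}
```

Because OBS denies requests that no ACL or policy allows, removing the anonymous Allow statement is what closes the exposure; the explicit Deny on write and delete then takes precedence over any other Allow that may later be granted on the prefix. After the change, rerun the identification task and check the alarm list to confirm that no further anonymous access to the flagged objects is reported.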