An API data security protection instance is deployed on an independent system. To log in to an API data security protection instance using a browser, you must bind an EIP to the instance. For details, see Logging In to the Instance Web Console.
API Data Security Protection provides basic and professional editions. For details about the differences between editions, see Edition Differences.
- Basic edition: applicable to basic protection requirements.
- Professional edition: applicable to medium protection requirements.
This document describes the functions supported by the API Data Security Protection system.
Feature Description
Table 1 Functions
| Feature | Description | Reference |
| --- | --- | --- |
| Home Page Overview | - Asset Overview: Collects statistics on the number of assets such as applications, interfaces, accounts, and sensitive data.<br>- Access Popularity: Displays access information for the last 7 or 30 days from various dimensions. | Viewing the Home Page |
| Log Center | Records alarm logs and traffic logs, supporting log queries based on multiple conditions.<br>- Alarm Logs: Allow you to view details about matched blacklist, risk protection, and blocking access control rules.<br>- Log Search: Allows you to view access traffic to a specific service. | Log Center |
| Asset Center | - Application Assets: Gateways can be deployed as proxies by configuring domain names or IP addresses and ports. Multiple proxy types (e.g., HTTP, HTTPS) are available to meet various security and application requirements.<br>- API Assets: After the proxy is used, the system automatically scans APIs in application assets based on the access status to ensure no API is missing.<br>- Account Assets: Accounts and sessions can be identified based on account parsing rules to facilitate targeted management. Various protection rules can be configured based on identified accounts.<br>- Built-in sensitive data identification algorithms detect multiple types of sensitive data such as passwords, ID card numbers, and bank card numbers. | Assets |
| Security Policy | - Whitelist: Allows you to configure whitelists with different effective scopes based on conditions such as client IP address, account, and sensitivity label.<br>- Access Control: Allows you to configure security protection rules for applications based on different combinations of conditions.<br>- Risk Prevention: Supports built-in attack identification rules and performs blocking or log audit based on the set actions. Custom attack blocking policies can also be defined for automatic attack handling.<br>- Blacklist: Allows you to configure a blacklist to block access based on any combination of client IP addresses, accounts, and sensitive labels.<br>- Masking: Provides built-in common sensitive data labels and corresponding masking algorithms and allows you to add masking templates and configure sensitive data labels and algorithms in batches. Sensitive data returned by APIs can be masked based on different conditions to prevent sensitive data leakage.<br>- Watermarking: Allows you to add different types of watermarks to application services, including web page watermarks, dot matrix watermarks, document watermarks, and traceless watermarks. In case of a data leakage incident, the leakage source can be traced based on the watermark content. | Security Policies |
| Service Configuration | - Sensitive Data Labels: Allow you to manage sensitive data labels by specifying keys, values, and regular expressions. You can manually add exceptions and sensitive data.<br>- Client IP Address Parsing: By configuring client IP parsing rules, you can parse the identified content at the corresponding identification location to obtain the client IP address.<br>- Certificate Management: Allows you to manage SSL certificates in the system.<br>- Classification and Grading: The system provides built-in sensitive data classification and grading rules, which can be customized. | Service Configuration |
| System Management | - Network Management: Allows you to configure the NIC, route, and DNS information via a web page, or enable bypass status by one click for system troubleshooting.<br>- Backup and Restoration: Allows you to back up audit logs and configuration files, which can be restored in case of issues or misoperations.<br>- Data Clearance: Service logs and system logs can be cleared periodically or manually. | System Management |
| User Management | A system administrator, audit administrator, and security administrator are built in.<br>- System Administrator: Responsible for routine system operation and maintenance.<br>- Security Administrator: Handles routine security management, including granting and revoking user permissions.<br>- Audit Administrator: Responsible for auditing, tracing, analyzing, and supervising the actions of the system administrator and security administrator. | User Management |
| System O&M | - System Monitoring: Displays device status and system resource usage in real time to facilitate troubleshooting.<br>- System Overload: Allows you to configure the system to bypass some traffic when the API data security system is overloaded to reduce pressure. | System O&M |