Classification and Grading of Data Assets on the Cloud

Procedure

Preparations

1. Before purchasing DSC, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.

   If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.

2. Make sure that your account has sufficient balance, or you may fail to pay to your DSC orders.
3. Make sure your account has DSC permissions assigned. For details, see Creating a User Group and Assigning DSC Permissions.

   Table 1 DSC system permissions

   Policy	Description	Type	Dependency
   DSC DashboardReadOnlyAccess	Read-only permissions for the overview page of DSC	System-defined policy	None
   DSC FullAccess	All permissions for DSC	System-defined policy	To purchase a yearly/monthly RDS DB instance, you need to configure the following actions: bss:order:update bss:order:pay
   DSC ReadOnlyAccess	Read-only permissions for Data Security Center	System-defined policy	None

Step 1: Purchase DSC and Authorize DSC to Access Your Cloud Assets

1. Log in to the management console.
2. Click in the upper left corner and select a region or project.
3. In the navigation tree on the left, click . Choose Security & Compliance > Data Security Center .
4. If you are a first-time user, click Buy DSC.
5. On the Buy DSC page, set the purchase parameters listed in Figure 1 and complete the payment.

   Table 2 Parameters for purchasing an instance

   Parameter	Example Value	Description
   Edition and specifications	Standard	The standard edition supports the asset map, sensitive data identification, and data risk detection functions. If data masking and watermark injection/extraction are required, upgrade the edition by referring to section Upgrading Edition and Specifications.
   OBS expansion package	1	One OBS expansion package offers 1 TB (1024 GB) of OBS storage.
   Database expansion package	1	One database expansion package supports the addition of one database (RDS, DWS, self-built databases on ECS, DLI, Elasticsearch, and self-built big data on ECS). For details about the supported database types and versions, see section Constraints.
   Required duration	1 month	Select the required duration from one month to three years.

   Figure 1 Parameters for purchasing an instance
   

6. After the purchase is complete, return to the console and go to the Asset Map page. In the upper left corner of the page, click Modify next to Cloud Asset Authorization to perform authorization, as shown in Figure 2.

   After you agree to the authorization, DSC will create agency polycies to access your cloud assets based on your choice. For details about the agency polycies, see Allowing or Disallowing Access to Cloud Assets.

   To stop authorization, ensure that your assets have no ongoing tasks. DSC will delete your authorization information and assets and all related data. Exercise caution when performing this operation.

   Figure 2 Authorizing access to assets
   

Step 2: Authorize DSC to Access Database Assets

DSC can automatically discover cloud assets and add self-built data assets. After connecting to DSC and authorizing DSC to access to cloud assets, you can delegate and manage your assets in the asset center.

Sensitive data identification, data masking, and database watermark injection and extrration can be performed only after databases and big data assets are authorized.

1. Log in to the management console.
2. Click in the upper left corner and select a region or project.
3. In the navigation tree on the left, click . Choose Security & Compliance > Data Security Center .
4. In the navigation tree on the left, choose Asset Management > Asset Center. The Asset Center page is displayed.
5. On the asset type menu, choose Database < RDS. The Databases tab page is displayed.
6. Click the Database Instances tab. In the Operation column of the target database instance, click Authorize and enter information according to Figure 3.

   Read-only permission: Only the sensitive data identification function can be used.

   Read and Write permission: The sensitive data identification and data masking functions can be used.

   

   DSC cannot scan and mask sensitive data in MySQL databases within RDS instances where SSL has been enabled.

   Figure 3 Authorizing databases
   

7. After the authorization is complete, click the Databases tab to view the connection status of the authorized database.
   Figure 4 Connection status
   

   After the asset authorization is complete, the Connection Status of the asset is Checking, which means DSC is checking the database connectivity.

   DSC can access the added database normally if the Connection Status of the database is Succeeded.

Step 3: Create a Sensitive Data Identification Task.

DSC identifies sensitive asset data based on the data type and the identification template selected during the creation of the identification task, and then generates an identification result.

1. Log in to the management console.
2. Click in the upper left corner and select a region or project.
3. In the navigation tree on the left, click . Choose Security & Compliance > Data Security Center .
4. In the navigation pane on the left, choose Sensitive Data Identification > Identification Task.
5. In the upper left corner of the task list, click Create Task.
6. In the displayed dialog box, set required parameters based on Table 3.

   Table 3 Parameters for creating a task

   Parameter	Example Value	Description
   Task Name	Test task_01	You can customize the task name. The task name must meet the following requirements: Contain 4 to 255 characters. Consist of letters, digits, underscores (_), and hyphens (-). The name must start with a letter. Be unique.
   Data Type	Database > pg-0530	Type of data to be identified. You can select multiple types. OBS: DSC is authorized to access your Huawei Cloud OBS assets and identify sensitive data in the assets. For details about how to add OBS assets, see Adding OBS Assets. Database: DSC identifies sensitive data of authorized database assets. For details about how to authorize database assets, see Authorizing Access to a Database Asset. Big Data: The DSC identifies sensitive data of authorized big data assets. For details about how to authorize big data source assets, see . MRS: DSC identifies sensitive data of authorized MRS assets. For details about authorized MRS assets, see . LTS: DSC will identify sensitive data of authorized LTS assets. For details about how to add a log stream, see Adding a Log Stream.
   Identification Template	Huawei Cloud Data Security Classifying and Grading Template	You can select a built-in or custom template. DSC displays data by level and category based on the template you select. For details about how to add a template, see Adding an Identification Template.
   Identification Period	Once	Set the execution policy of the data identification task. Once: The task will be executed once at a specified time. Daily: The task is executed at a fixed time every day. Weekly: The task is executed at a specified time every week. Monthly: The task is executed at a specified time every month.
   When to Execute	Now	This parameter is displayed when Identification Period is set to Once. Now: Select the option and click OK, the system executes the data identification task immediately. As scheduled: The task will be executed at a specified time.
   (Optional) Topic	None	Select an existing topic from the drop-down list or click View Topic to create a topic for receiving alarm notifications. If no notification topic is configured, you can view the identification result in the identification task list. For details, see Identification Results.

   Figure 5 Parameters for creating a task
   

7. Click OK. A message is displayed indicating the task is created successfully.

Step 4: View the Classification and Grading Result

1. Log in to the management console.
2. Click in the upper left corner of the management console and select a region or project.
3. In the navigation tree on the left, click . Choose Security & Compliance > Data Security Center .
4. In the navigation pane on the left, choose Sensitive Data Identification > Identification Task.
5. Click Identification Result in the Operation column of the target task. The result details page is displayed.
   Figure 6 Identification result details
   

6. In the row containing the desired scan object, click View Classification and Grading Result Details in the Operation column. The Classification and Grading Result Details dialog box is displayed.

   View the result details and sample data. For details about how to download the identification result, see .

Related Operations

To protect sensitive information and privacy data after classification and grading and prevent unauthorized access or leakage, you can mask data and add watermarks to the data using the professional edition. For details about how to upgrade to the professional edition, see Upgrading Edition and Specifications.

• For details about how to mask data, see Data Masking. The masked data can be used for development and test, data sharing, and data research.
• For details about how to add data watermarks, see Data Watermarking. A data watermark uniquely identifies an asset to protect the copyright of the asset, helping you track the data leakage source.