Updated on 2025-05-22 GMT+08:00

SEC07-01 Identifying Data in Workloads

Evaluate data sensitivity and perform data classification and tiering based on business processes, data flow, distribution, and ownership in compliance with regulatory requirements.

  • Risk level

    High

  • Key strategies

    Take the following steps to sort out and identify data:

    1. Analyze the service process.
      • Understand the service process, and determine the types and usage of data generated, processed, and stored in each phase based on the service process diagram.
      • Communicate with the business department, development team, and O&M engineers to obtain detailed information about data.
    2. Determine data distribution: Determine where data is stored, for example, on EVS disks, databases, or OBS.
    3. Evaluate data sensitivity.
      • Determine the type and content of data, for example, whether the data contains personal identity information (such as names, ID numbers, and addresses), financial data (such as bank accounts and transaction records), confidential business information (such as product R&D plans and customer lists), or other data protected by laws and regulations.
      • Consider the potential impact of the data. Assess the potential impact of data leakage or misuse on individuals, organizations, or society, including financial losses, reputational harm, and legal risks.
      • Refer to related laws, regulations, industry standards, and internal compliance policies. The definition and requirements of sensitive data may vary depending on industries and regions. For example, patient data in the healthcare industry and customer transaction data in the financial industry are protected by specific regulations and standards.
      • Factor in the business strategy and risk tolerance of the organization. Data related to key services can still be treated as highly sensitive because of its importance to those services, even if it is not sensitive in the ordinary sense.
    4. Use data detection and classification tools to automatically scan workloads to identify data. This can help you implement the proper control measures.
    5. Create and maintain a data inventory. Create a data inventory of classified and categorized information, including the data name, description, source, distribution, sensitivity, and category level.
  • Related cloud services and tools

    Data Security Center (DSC): DSC can accurately identify sensitive data in the database based on the sensitive data detection policy, automatically detect and analyze sensitive data usage from massive data, and scan, classify, and categorize structured and unstructured data based on the data identification engine to eliminate data blind spots.
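
A minimal sketch of steps 4 and 5 above, added here as an illustration and not DSC or Huawei Cloud code: it scans constructed sample values for e-mail addresses and Luhn-valid card numbers, then builds inventory entries with the fields listed in step 5. The detection patterns, the low/medium/high levels, the `business_critical` flag, and all asset names are assumptions.

```python
import re
from dataclasses import dataclass

LEVELS = ["low", "medium", "high"]  # assumed three-tier scheme, lowest first
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: rejects random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def detect(text):
    """Return the set of (category, level) findings for one sample value."""
    found = set()
    if EMAIL.search(text):
        found.add(("personal", "medium"))
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD.finditer(text)):
        found.add(("financial", "high"))
    return found

@dataclass
class InventoryEntry:  # the inventory fields listed in step 5
    name: str
    description: str
    source: str
    distribution: str
    sensitivity: str
    category: str

def build_inventory(assets):
    entries = []
    for a in assets:
        findings = set().union(*(detect(s) for s in a["samples"]))
        level = max((lvl for _, lvl in findings), key=LEVELS.index, default="low")
        if a.get("business_critical"):  # step 3: key-service data is rated high
            level = "high"
        category = ",".join(sorted(c for c, _ in findings)) or "general"
        entries.append(InventoryEntry(a["name"], a["description"], a["source"],
                                      a["distribution"], level, category))
    return entries

SAMPLE_ASSETS = [  # constructed assets; distribution uses the storage types from step 2
    {"name": "orders.payment_note", "description": "free-text order notes", "source": "checkout",
     "distribution": "database", "samples": ["paid with 4111 1111 1111 1111", "receipt to alice@example.com"]},
    {"name": "logs/tracking", "description": "shipment log", "source": "logistics",
     "distribution": "OBS", "samples": ["tracking ref 1234567890123456"]},
    {"name": "pricing-model", "description": "pricing parameters", "source": "R&D",
     "distribution": "EVS disk", "samples": ["coefficients v7"], "business_critical": True},
]
```

The second asset shows why the checksum matters: a 16-digit tracking reference fails Luhn and stays at low sensitivity instead of being misfiled as financial data.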