Functions
DSC offers basic data security capabilities such as data classification and grading, data masking, and data watermarking. It also displays the overall security posture of data on the cloud through an asset map and implements one-stop data security operations.
Common Data Security Protection offers the standard and professional editions for you to choose.
- Standard Edition: On Asset Center, you can add data assets and view the asset map and dashboard. You can also perform data classification and grading using the sensitive data identification function.
- Professional Edition: For data assets that have been classified and graded, you can perform static masking via console or data masking via APIs, as well as injecting and extracting data watermarks.
Asset Map
You can view multiple aspects of your asset security, such as asset overview, categories and levels, permission configuration, data storage, and sensitive data. This helps you quickly detect risky assets and handle them. For details, see Viewing the Data Security Situation on the Asset Map.
- Asset visualization
- Data service assets: All data assets on the cloud and on-premises, including OBS, RDS, CSS, Hive, and HBase.
- Data risks: The categorization and leveling results display the risk levels of data.
- Region display: The region where each asset is located is displayed based on the cloud and on-premises resource VPC and associated with the service region.
- Egress visualization
- Data egresses: All data egresses on the cloud and on-premises are identified, including EIP, NAT, API Gateway, and ROMA.
- Asset and egress association: Cloud and on-premises egresses are associated with data assets and data asset categorization and leveling results.
- Cascading association: Egresses and the cascading egresses are displayed.
- Policy visualization
- Data security policies: All security policies of data assets are detected based on cloud native capabilities and policy risks are displayed.
- Policy recommendation: Different security policy configurations are recommended based on the data asset level.
Asset Management
- Asset center: You can manage data assets from OBS, databases, big data, Log Tank Service (LTS), and MRS. For details, see Asset Center.
- Asset catalog: You can view statistics about different service domains or data types (structured and unstructured data). For details, see Managing Asset Catalogs.
- Data exploration: You can view details about all the added data assets and add descriptions, tags, sensitivity levels, and classifications to databases, tables, and data views to manage data assets by level and classification. For details, see Implementing Asset Classification and Grading Through Data Exploration.
- Metadata tasks: You can create metadata tasks to collect data assets as metadata. In this way, you can manage data assets by level and classification. For details, see Implementing Asset Classification and Grading Through Data Exploration.
- Asset group management: Data can be managed by group. For details, see Managing Asset Groups.
Sensitive Data Identification
- Sensitive data identification leverages a data identification engine to scan, classify, and grade structured data (e.g., RDS, DWS) and unstructured data (e.g., OBS).
- File types: Nearly 200 types of unstructured files are supported. For details, see What Types of Unstructured Files Can DSC Identify?
- Data types: Dozens of personal privacy data types are supported, including Chinese and English. For details, see Viewing Built-in Rules.
- Image types: DSC is able to identify sensitive words (Chinese and English) in eight types of images, including PNG, JPEG, x-portable-pixmap, TIFF, BMP, GIF, JPX, and JP2.
- Automatic identification of sensitive data
- Automatic identification of sensitive data and personal privacy data
- Visualized identification results are provided and can be downloaded to your local PC. For details, see Creating an Identification Task.
The identification duration depends on the data volume, number of identification rules, and scan mode. For details, see How Long Does It Take for DSC to Identify and Mask Sensitive Data?
Data Masking
DSC data masking supports static masking and API-based masking. For details, see Creating a Static Data Masking Task.
Data masking has the following features:
- Zero impact: DSC reads data from original databases, statically masks sensitive data using precise masking engines, and saves the masked data separately without affecting your data assets.
- Various data sources: Data of various sources on the cloud, such as RDS, user-built databases on ECSs, or big data, can be masked to meet security requirements.
- Custom data masking policies: DSC provides you with over 20 preset data masking rules. You can use the default masking rules or customize the masking rules to mask sensitive data in the specified database table. For details about the data masking algorithms supported by DSC, see Configuring and Viewing Masking Rules.
- Easy configuration of masking rules: Data masking rules can be easily configured based on the scan results.
In addition, DSC provides APIs for data masking. For details, see Dynamic Data Masking.
DSC uses preset and customized masking algorithms to mask sensitive data stored in RDS, Elasticsearch, MRS, Hive, HBase, DLI, and OBS. For details about the masking duration, see How Long Does It Take for DSC to Identify and Mask Sensitive Data?
Data Watermarking
Watermarks can be injected and extracted for databases, documents, and images. For details, see Data Watermarking.
- Copyright proof: The owner information is added to the assets to specify the ownership, achieving copyright protection.
- Automated monitoring: The user information is added to the assets for tracing data leak.
DSC provides APIs for dynamically adding data watermarks and extracting watermarks from data. For details, see DSC API Reference.
Policy Center
- Policy baseline: The policy baseline is a structured set of data security policies, encompassing data security management regulations, data classification and grading requirements, cross-border data transfer management regulations, and requirements for important and core data. DSC provides preset policy templates based on Huawei Cloud's data security governance experience and supports policy addition, deletion, modification, query, structured display, filtering, and querying. For details, see Policy Baseline Overview.
- Transfer log collection: DSC collects logs from applications, such as DBSS and API Data Security Protection. It can dynamically collect the paths of user accesses, facilitate source tracing and locating, helping you understand data flow and promptly identify exceptions and risks. For details, see Transfer Log Collection.
- Policy management: The administrator creates policies for database audit, watermarking, and static masking on the policy management page of the policy center, and then deploys these policies to the relevant services or instances. For details, see Policy Management.
API Data Security Protection
API data security protection is a comprehensive API security protection system for enterprises.
It automatically sorts application APIs to implement fine-grained access control, API exception risk detection, API sensitive data detection, masking, and watermarking. API data security protection instances must be purchased separately. For details, see Purchasing an API Data Security Protection Instance and Binding It to an EIP.
Security Awareness Dashboard
By default, DSC provides an integrated security awareness dashboard that presents a thorough analysis of risky assets, identification, masking, and watermarking tasks, as well as events and alarms in the cloud. This dashboard facilitates swift recognition and response to the overall status of assets, including addressing risky assets and urgent alarms. For details, see Viewing the Security Awareness Dashboard.
Alarm Management
When a system or service risk alarm is generated for DBSS, the alarm event is sent to DSC. You can view the alarm event on the DSC console. For details, see Alarm Management.
Event Management
DSC integrates with key security components such as database audit and CBH, enabling centralized event management and real-time event delivery to DSC. This allows you to promptly verify and handle events. You can also convert alarms on the Alarm Management page to events. For details, see Event Management.
OBS Usage Audit
DSC detects OBS buckets based on sensitive data identification rules and monitors identified sensitive data. After abnormal operations of the sensitive data are detected, DSC allows you to view the monitoring result and handle the abnormal events as required. For details, see OBS Usage Audit.
Viewing Data Transfer Details
- Call chain data collection: DSC collects log data of each application.
- Call chain data storage and query: DSC stores the massive collected data and provides quick query capabilities.
- Call chain data generation: DSC performs data link transfer analysis on the collected and reported logs, and generates a transfer diagram.
- Metric calculation, storage, and query: DSC calculates various metrics based on the collected log data, and stores the calculation results. For details, see Viewing Data Transfer Details.
Multi-Account Management
After the multi-account management function is enabled, the security administrator can protect the data of all member accounts without logging in to them. For details, see Multi-Account Management.
Alert Notifications
DSC sends notifications through the notification method configured by users when sensitive data identification is completed or abnormal events are detected. For details, see Alarm Notifications.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
