Best Practices of OBS Data Security Protection
This document describes how to use the Data Security Center (DSC) to identify, classify, and protect sensitive data stored in OBS.
Overview
Sensitive data includes personal privacy information, passwords, keys, sensitive images, and other high-value data. Such data is usually stored in your OBS buckets in various formats. If it is leaked, enterprises suffer significant economic and reputational losses.
After you authorize DSC to identify data in a data source, DSC quickly identifies sensitive data in the massive volume of data stored in OBS, classifies it, and displays the result. DSC also traces how sensitive data is used, and protects and audits data based on predefined security policies, so that you can learn the security status of your OBS data assets at any time.
Application Scenario
- Sensitive data identification
OBS stores a large amount of data and files, but it is difficult to know exactly what sensitive information they contain.
You can use the built-in algorithm rules of DSC, or customize industry rules, to scan, classify, and grade the data stored in OBS, and then take further protection measures based on the scan results, for example by using the access control and encryption functions of OBS.
- Anomaly detection and audit
DSC can detect access, operation, and management anomalies related to sensitive data and send you alarms so that you can confirm and handle them. The following behaviors are regarded as anomalies:
- Unauthorized users access and download sensitive data.
- Authorized users access, download, and modify sensitive data, as well as change and delete permissions.
- Authorized users change or delete permissions granted for buckets that contain sensitive data.
- Users who accessed sensitive files fail to log in to the device.
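The rule-based identification described in the first scenario (scan objects with built-in rules or custom industry rules, then classify and grade the results), as an added example that is not DSC's own code or algorithms. The regexes standing in for "built-in" rules, the 1 to 4 level scale, the category names, the custom insurance rule and the sample OBS object contents are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One identification rule: a regex mapped to a category and a sensitivity level."""
    name: str
    category: str
    level: int          # assumed grading scale: 1 = low ... 4 = highest sensitivity
    pattern: re.Pattern


# Assumed approximations of built-in rules; DSC's real algorithms are not shown on the page.
BUILTIN_RULES: List[Rule] = [
    Rule("email", "Personal", 2, re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    Rule("mobile_cn", "Personal", 3, re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")),
    Rule("access_key", "Credential", 4, re.compile(r"\bAK\s*[=:]\s*[A-Z0-9]{20}\b")),
    Rule("password_field", "Credential", 4, re.compile(r"(?i)\bpassword\s*[=:]\s*\S+")),
]

# A custom industry rule of the kind the page says you can define yourself (constructed).
INSURANCE_RULES: List[Rule] = BUILTIN_RULES + [
    Rule("policy_number", "Insurance", 3, re.compile(r"\bPOL-\d{8}\b")),
]


@dataclass(frozen=True)
class Finding:
    object_key: str
    rule: str
    category: str
    level: int
    hits: int


def scan_object(object_key: str, content: str, rules: List[Rule]) -> List[Finding]:
    """Apply every rule to one object's content and record how often each matched."""
    findings = []
    for rule in rules:
        hits = len(rule.pattern.findall(content))
        if hits:
            findings.append(Finding(object_key, rule.name, rule.category, rule.level, hits))
    return findings


def classify_bucket(objects: Dict[str, str], rules: Optional[List[Rule]] = None) -> Dict[str, dict]:
    """Grade every object: its level is the highest level of any rule that matched it."""
    rules = rules or BUILTIN_RULES
    report = {}
    for key, body in objects.items():
        findings = scan_object(key, body, rules)
        report[key] = {
            "level": max((f.level for f in findings), default=0),
            "categories": sorted({f.category for f in findings}),
            "findings": findings,
        }
    return report


def objects_at_or_above(report: Dict[str, dict], level: int) -> List[str]:
    """Object keys that need protection measures first, highest level first."""
    return sorted((k for k, r in report.items() if r["level"] >= level),
                  key=lambda k: -report[k]["level"])


# Constructed sample objects standing in for files stored in an OBS bucket.
SAMPLE_OBJECTS = {
    "hr/employees.csv": "name,phone,email\nAlice,13812345678,alice@example.com\nBob,13987654321,bob@example.com\n",
    "app/config.ini": "[obs]\nendpoint=obs.example.com\nAK=ABCDEFGHIJKLMNOPQRST\n",
    "claims/2024.txt": "Claim filed for POL-20240001, contact 13700001111\n",
    "docs/readme.txt": "Public release notes. No personal data here.\n",
}

if __name__ == "__main__":
    report = classify_bucket(SAMPLE_OBJECTS, INSURANCE_RULES)
    for key in objects_at_or_above(report, 1):
        r = report[key]
        print(f"{key}: level {r['level']} categories={r['categories']} "
              f"rules={[f.rule for f in r['findings']]}")
```

Grading takes the maximum level of any matching rule rather than summing hits, so one leaked access key outranks a file full of e-mail addresses; the ordered list from objects_at_or_above is the worklist for tightening bucket policies or enabling encryption on the objects that matter most.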
Procedure
- Buy DSC.
- Log in to the management console.
- Click and choose .
- In the upper left corner of the Asset Map page, click Modify. The Allow Access to Cloud Assets page is displayed.
- Locate the row that contains the OBS asset and click in the Operation column to enable authorization.
- For details about how to add OBS assets, see Adding OBS Assets.
- In the navigation tree on the left, choose Create Task to configure a sensitive data scanning task.
Select OBS for Data Type and select the OBS asset added in section 6. For details about the other configurations, see Creating a Task.
Table 1 Parameters for creating a sensitive data identification task

Parameter: Task Name
Description: You can customize the task name. The task name must:
- Contain 4 to 255 characters.
- Consist of letters, digits, underscores (_), and hyphens (-).
- Start with a letter.
- Be unique.
Example Value: test

Parameter: Data Type
Description: Type of data to be identified. You can select multiple types.
- OBS: DSC is authorized to access your Huawei Cloud OBS assets and identify sensitive data in them. For details about how to add OBS assets, see Adding OBS Assets.
- Database: DSC identifies sensitive data in authorized database assets. For details about how to authorize database assets, see Authorizing Access to a Database Asset.
- Big Data: DSC identifies sensitive data in authorized big data assets. For details about how to authorize big data source assets, see Authorizing Access to Big Data Assets.
- MRS: DSC identifies sensitive data in authorized MRS assets. For details about how to authorize MRS assets, see Authorizing Access to Big Data Assets.
- LTS: DSC identifies sensitive data in authorized LTS assets. For details about how to add a log stream, see Adding a Log Stream.
Example Value: OBS

Parameter: Identification Template
Description: You can select a built-in or custom template. DSC displays data by level and category based on the template you select. For details about how to add a template, see Adding an Identification Template.
Example Value: Huawei Cloud Data Security Classifying and Grading Template

Parameter: Identification Period
Description: Set the execution policy of the data identification task.
- Once: The task is executed once at a specified time.
- Daily: The task is executed at a fixed time every day.
- Weekly: The task is executed at a specified time every week.
- Monthly: The task is executed at a specified time every month.
Example Value: Once

Parameter: When to Execute
Description: This parameter is displayed only when Identification Period is set to Once.
- Now: Select this option and click OK; the system executes the data identification task immediately.
- As scheduled: The task is executed at a specified time.
Example Value: Now
- In the navigation pane, choose Sensitive Data Identification > Identification Task.
- Click Identification Result in the Operation column to view the identification result.
In the upper left corner of the page, set Task Name to dsc-test, Data Type to OBS, and Asset types to All Assets to filter the OBS sensitive data identification result, as shown in Figure 1.
- In the row containing the desired scan object, click View Categorizing and Leveling Result Details in the Operation column. The Categorizing and Leveling Result Details dialog box is displayed, as shown in Figure 2.
- In the alarm list, view anomalies by risk level and check whether there are high-risk events. For operation details, see OBS Usage Auditing.
- On the OBS console, modify the read and write permissions of the risky buckets or files. For details, see Bucket Policy.
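The four anomaly kinds listed under Application Scenario, and the high-risk check in the alarm-list step above, as an added example that is not DSC's own detection logic: a Python replay of an audit event stream against the identification result (which objects are sensitive) and the principals authorized to handle them. The event field layout, the operation names, the two risk levels and every sample record are constructed assumptions, not the format of real OBS access logs or DSC alarms.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    """One constructed audit record (assumed layout, not a real OBS log line)."""
    ts: str
    principal: str
    operation: str        # GetObject, PutObject, DeleteObject, PutBucketAcl, PutBucketPolicy, Login
    bucket: str = ""
    key: str = ""
    success: bool = True


@dataclass(frozen=True)
class Alert:
    risk: str             # "high" or "medium" (assumed two-level scale)
    rule: str
    event: Event


DOWNLOAD_OPS = {"GetObject"}
MODIFY_OPS = {"PutObject", "DeleteObject"}
PERMISSION_OPS = {"PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy", "PutObjectAcl"}


def detect_anomalies(events: List[Event],
                     sensitive_keys: Dict[str, Set[str]],
                     authorized: Dict[str, Set[str]]) -> List[Alert]:
    """Replay events in time order and raise the anomaly kinds the page lists.

    sensitive_keys: bucket -> object keys the identification task flagged.
    authorized:     bucket -> principals allowed to handle that bucket's sensitive data.
    """
    alerts: List[Alert] = []
    touched_sensitive: Set[str] = set()   # principals that have read or changed sensitive files
    for e in events:
        flagged = sensitive_keys.get(e.bucket, set())
        allowed = e.principal in authorized.get(e.bucket, set())
        if e.operation in DOWNLOAD_OPS | MODIFY_OPS and e.key in flagged:
            touched_sensitive.add(e.principal)
            if allowed:
                # authorized access, download or modification is still recorded for audit
                alerts.append(Alert("medium", "authorized_sensitive_operation", e))
            else:
                alerts.append(Alert("high", "unauthorized_sensitive_access", e))
        elif e.operation in PERMISSION_OPS and flagged:
            # any permission change on a bucket that holds sensitive data, authorized or not
            alerts.append(Alert("high", "permission_change_on_sensitive_bucket", e))
        elif e.operation == "Login" and not e.success and e.principal in touched_sensitive:
            # a failed login only counts once the principal has touched sensitive files
            alerts.append(Alert("medium", "login_failure_after_sensitive_access", e))
    return alerts


def high_risk(alerts: List[Alert]) -> List[Alert]:
    """The subset an operator should confirm first."""
    return [a for a in alerts if a.risk == "high"]


# Constructed inputs: identification result for one bucket and its authorized principals.
SENSITIVE = {"hr-bucket": {"hr/employees.csv", "app/config.ini"}}
AUTHORIZED = {"hr-bucket": {"user/alice"}}

# Constructed event stream, already in time order.
SAMPLE_EVENTS = [
    Event("2024-01-01T08:00:00Z", "user/alice", "GetObject", "hr-bucket", "hr/employees.csv"),
    Event("2024-01-01T08:05:00Z", "user/carol", "GetObject", "hr-bucket", "hr/employees.csv"),
    Event("2024-01-01T08:10:00Z", "user/bob", "GetObject", "hr-bucket", "docs/readme.txt"),
    Event("2024-01-01T08:20:00Z", "user/alice", "PutBucketPolicy", "hr-bucket"),
    Event("2024-01-01T08:30:00Z", "user/carol", "Login", success=False),
    Event("2024-01-01T08:40:00Z", "user/bob", "Login", success=False),
]

if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_EVENTS, SENSITIVE, AUTHORIZED):
        print(f"[{a.risk:6}] {a.rule:40} {a.event.ts} {a.event.principal} "
              f"{a.event.operation} {a.event.key}")
```

The replay is a single pass, so the login-failure rule depends on event order: it fires only for principals whose sensitive-file access was seen earlier in the stream, which is why the event list must be sorted by timestamp before it is fed in.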