Updated on 2024-11-19 GMT+08:00

Policy Management

The administrator creates policies for database audit, encryption, watermarking, static masking, and dynamic masking on the policy management page of the policy center, and then deploys these policies to the relevant services or instances.

Creating a Policy

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation tree on the left, click . Choose Security & Compliance > Data Security Center .
  4. Choose Policy Center > Policy Management.
  5. Click Create Policy in the upper left corner. The Create Policy page is displayed.
  6. Select a policy type and configure policy information.

    • Database audit: Monitor and records database activities to ensure data integrity, security, and compliance.

      Set the parameters by referring to Configuring a Database Audit Policy.

    • Database encryption: Encrypt data to ensure data confidentiality and integrity and prevent unauthorized access and data leakage.

      Set the parameters by referring to Configuring the Database Encryption Policy.

    • Database watermarking: Embed invisible identifiers into data to verify data authenticity and ownership and trace data leakage sources.

      Perform watermark injection and extraction by referring to sections Injecting Watermarks to Databases and Extracting Watermarks from Databases.

    • Static database masking: Mask sensitive data to ensure privacy and security while retaining the data structure and statistics features.

      Perform watermark injection and extraction by referring to Database Static Masking.

    • Dynamic database masking: Mask sensitive data in real time to ensure that unauthorized data cannot be accessed.

      Set the parameters by referring to Configuring a Database Dynamic Masking Policy.

Configuring a Database Audit Policy

DBSS has been enabled and an instance has been added.

  1. Click Start configuring. The page for configuring the database audit policy type is displayed.
  2. Set the parameters by referring to Table 1.

    Table 1 Parameters for configuring a database audit policy

    Parameter

    Description

    Policy Name

    Enter a policy name. The name can contain a maximum of 255 characters, including letters, digits, underscores (_), and hyphens (-).

    Associated Instance

    Select a database audit instance from the drop-down list.

    Target Data Source

    Select the target data source from the drop-down list. Only database instances that do not require agent audit are supported.

    Display Result Set

    When the function for recording result sets is enabled, the system logs the SQL result content. You can view this content in the logs. If the function is disabled, the SQL result in the log details will be empty.

    Recording result sets may lead to information leakage. Therefore, it is recommended not to enable this function.

    Mask Privacy Data

    You are advised to set masking rules to prevent sensitive data leakage.

  3. Click Save and Deliver. The policy list is displayed, showing the newly created policy.

Configuring the Database Encryption Policy

You have purchased the data encryption and access control service on DBSS.

  1. Click Start configuring. The page for configuring a database encryption policy is displayed.
  2. Set the parameters by referring to Table 2.

    Table 2 Parameters for configuring a database encryption policy

    Parameter

    Description

    Policy Name

    Enter a policy name. The name can contain only letters, digits, underscores (_), and hyphens (-).

    Associated Instance

    Database encryption gateway

    Target Data Source

    Select a target data source from the drop-down list box.

    Proxy Port

    The port numbers range from 14000 to 14999. Different database instances (sharing the same address and port) utilize distinct proxy ports. A single database instance consistently uses the same proxy port. When a data source for the same database instance is added, the proxy port is automatically populated.

    Encryption Algorithm

    Select an encryption algorithm from the drop-down list box. The options are AES128 and SM4.

    Encrypted Table

    Select an encrypted table from the drop-down list.

    The same target table cannot be selected repeatedly.

    Encrypted table information

    Information about the encrypted table, including Field Name, Field Type, and Data Level.

  3. Click Save and Deliver. The policy list is displayed, showing the newly created policy.

Configuring a Database Dynamic Masking Policy

  1. Click Start configuring. The page for configuring a dynamic database masking policy is displayed.
  2. Set the parameters by referring to Table 3.

    Table 3 Parameters for configuring a dynamic database masking policy

    Parameter

    Description

    Policy Name

    Enter a policy name. The name can contain only letters, digits, underscores (_), and hyphens (-).

    Associated Instance

    Database encryption gateway

    Target Data Source

    Select a target data source from the drop-down list box.

    Masking Service Port

    The port numbers range from 14000 to 14999. Different database instances (sharing the same address and port) utilize distinct proxy ports. A single database instance consistently uses the same proxy port. When a data source for the same database instance is added, the proxy port is automatically populated.

    Table

    Select a table from the drop-down list.

    Table Information

    This parameter is displayed after you select a table.

    Table information, including Field Name, Field Type, Data Level, and Masking Algorithm.

  3. Click Save and Deliver. The policy list is displayed, showing the newly created policy.

Related Operations

  • Disabling a policy: You can click Disable in the Operation column of a policy that is enabled and successfully delivered to disable the policy. After you click Disable, the policy status changes to Disabled (Delivering). When the policy status changes to Disabled (Delivered), the policy is disabled.

    After an encryption policy is enabled and delivered, it cannot be disabled or deleted. You can click Decrypt under Operation > More to decrypt the corresponding encryption policy. After decryption, a suffix is appended to the encryption policy name. A new decryption policy will not be generated.

  • Deleting a policy: Click Delete in the Operation column of a policy that is successfully delivered to delete the policy. After you click Delete, a message is displayed in the upper right corner of the page, indicating that the policy is successfully deleted.