Updated on 2024-10-31 GMT+08:00

Best Practices of OBS Data Security Protection

This document describes how to use the Data Security Center (DSC) to identify, classify, and protect sensitive data stored in OBS.

Overview

Sensitive data includes personal privacy information, passwords, keys, sensitive images, and other high-value data. Such data is usually stored in your OBS bucket in different formats. Once the data is leaked, enterprises will suffer significant economic and reputation losses.

After you authorize DSC to access a data source, DSC quickly identifies sensitive data in the large volumes of data stored in OBS, classifies it, and displays the results. DSC also traces how sensitive data is used, and protects and audits the data based on predefined security policies. In this way, DSC lets you check the security status of your OBS data assets at any time.

Application Scenario

  • Sensitive data identification

    OBS stores a large amount of data and files. However, it is difficult to know exactly what sensitive information those files contain.

    You can use the built-in algorithm rules of DSC or customize industry rules to scan, classify, and grade data stored in OBS, and take further security protection measures based on the scanning results. For example, you can use the access control and encryption functions of OBS.

  • Anomaly detection and audit

    DSC can detect access, operation, and management anomalies related to sensitive data and send alarms so that you can confirm and handle them. The following behaviors are regarded as anomalies:
    • Unauthorized users access and download sensitive data.
    • Authorized users access, download, and modify sensitive data, as well as change and delete permissions.
    • Authorized users change or delete permissions granted for buckets that contain sensitive data.
    • A user who has accessed sensitive files then fails to log in to the device.
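Added example covering both scenarios above (the custom identification rules and the anomaly detection); this is illustrative code written for this page, not DSC's own rules, template or code. The regex rules, object contents, access records and the map of authorized users are all constructed assumptions, and "level" here is a simple 1 to 4 grade, not the grading of any real template.

```python
import re
# Hypothetical custom identification rules in the spirit of the "industry rules" above
# (not DSC's built-ins): (name, regex, category, level); level 4 is the most sensitive.
RULES = [
    ("secret", re.compile(r"(?i)(?:secret|password|passwd)\s*[:=]\s*\S{8,}"), "Credential", 4),
    ("cn_id", re.compile(r"\b\d{17}[\dX]\b"), "Personal", 3),
    ("mobile", re.compile(r"\b1[3-9]\d{9}\b"), "Personal", 2),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "Contact", 1),
]

def classify(content):
    """Return (level, sorted categories) for one object's text; level 0 means not sensitive."""
    level, categories = 0, set()
    for _name, pattern, category, rule_level in RULES:
        if pattern.search(content):
            categories.add(category)
            level = max(level, rule_level)
    return level, sorted(categories)

# Constructed object contents standing in for scanned OBS objects (key -> text).
OBJECTS = {
    "hr/employees.csv": "name,id,phone\nLi Lei,11010119900307123X,13800138000\n",
    "ops/app.env": "DB_HOST=10.0.0.5\nDB_PASSWORD=Tr0ub4dor&3x9\n",
    "public/readme.txt": "Welcome to the service. Contact support@example.com\n",
}

def scan_bucket(objects=OBJECTS):
    """Grade every object; return {key: (level, categories)} for the sensitive ones only."""
    return {k: lc for k, t in objects.items() if (lc := classify(t))[0] > 0}

# Constructed access records (user, action, key) and an assumed map of authorized users per prefix.
AUTHORIZED = {"hr/": {"alice"}, "ops/": {"bob"}}
ACCESS_LOG = [
    ("alice", "GET", "hr/employees.csv"),
    ("mallory", "GET", "hr/employees.csv"),
    ("carol", "GET", "public/readme.txt"),
    ("mallory", "PUT", "ops/app.env"),
]

def detect_anomalies(log=ACCESS_LOG, objects=OBJECTS, min_level=2):
    """Flag access to objects graded >= min_level by users not authorized for the prefix."""
    graded = scan_bucket(objects)
    alerts = []
    for user, action, key in log:
        level = graded.get(key, (0, []))[0]
        prefix = key.split("/", 1)[0] + "/"
        if level >= min_level and user not in AUTHORIZED.get(prefix, set()):
            alerts.append((user, action, key, level))
    return alerts
```

Low-level contacts in a public prefix are deliberately below the alert threshold, so only mallory's read of the HR file and write to the credentials file are reported.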

Procedure

  1. Buy DSC.
  2. Log in to the management console.
  3. Click and choose Security > Data Security Center.
  4. In the upper left corner of the Asset Map page, click Modify. The Allow Access to Cloud Assets page is displayed.
  5. Locate the row that contains the OBS asset, and click in the Operation column to enable authorization.
  6. For details about how to add OBS assets, see Adding OBS Assets.
  7. In the navigation tree on the left, choose Sensitive Data Identification > Identification Task. Click Create Task to configure a sensitive data scanning task.

    Select OBS for Data Type and select the OBS asset added in step 6. For details about the other parameters, see Creating a Task.

    Table 1 Parameters for creating a sensitive data identification task (columns: Parameter, Description, Example Value)

    Parameter: Task Name
    Description: You can customize the task name. The task name must:
      • Contain 4 to 255 characters.
      • Consist of letters, digits, underscores (_), and hyphens (-).
      • Start with a letter.
      • Be unique.
    Example Value: test

    Parameter: Data Type
    Description: Type of data to be identified. You can select multiple types.
      • OBS: DSC is authorized to access your Huawei Cloud OBS assets and identify sensitive data in them. For details about how to add OBS assets, see Adding OBS Assets.
      • Database: DSC identifies sensitive data in authorized database assets. For details about how to authorize database assets, see Authorizing Access to a Database Asset.
      • Big Data: DSC identifies sensitive data in authorized big data assets. For details about how to authorize big data source assets, see Authorizing Access to Big Data Assets.
      • MRS: DSC identifies sensitive data in authorized MRS assets. For details about how to authorize MRS assets, see Authorizing Access to Big Data Assets.
      • LTS: DSC identifies sensitive data in authorized LTS assets. For details about how to add a log stream, see Adding a Log Stream.
    Example Value: OBS

    Parameter: Identification Template
    Description: You can select a built-in or custom template. DSC displays data by level and category based on the template you select. For details about how to add a template, see Adding an Identification Template.
    Example Value: Huawei Cloud Data Security Classifying and Grading Template

    Parameter: Identification Period
    Description: Set the execution policy of the data identification task.
      • Once: The task is executed once at a specified time.
      • Daily: The task is executed at a fixed time every day.
      • Weekly: The task is executed at a specified time every week.
      • Monthly: The task is executed at a specified time every month.
    Example Value: Once

    Parameter: When to Execute
    Description: This parameter is displayed only when Identification Period is set to Once.
      • Now: Select this option and click OK; the system executes the data identification task immediately.
      • As scheduled: The task is executed at a specified time.
    Example Value: Now

  8. In the navigation pane, choose Sensitive Data Identification > Identification Task.
  9. Click Identification Result in the Operation column to view the identification result.

    In the upper left corner of the page, set Task Name to dsc-test, Data Type to OBS, and Asset types to All Assets to filter the OBS sensitive data identification result, as shown in Figure 1.

    Figure 1 Identification result details

  10. In the row containing the desired scan object, click View Categorizing and Leveling Result Details in the Operation column. The Categorizing and Leveling Result Details dialog box is displayed, as shown in Figure 2.

    Figure 2 Categorizing and leveling results

  11. In the alarm list, view anomalies based on the risk level and check whether there are high-risk events. For operation details, see OBS Usage Auditing.
  12. On the OBS console, modify the read and write permissions of the risky buckets or files. For details, see Bucket Policy.