Get started with Data Security Guard

更新时间:
复制 MD 格式

Data Security Guard is a data security management product that provides features such as data discovery, data masking, watermarking, risk detection, and data tracing. It helps you quickly identify and securely manage sensitive data to ensure data security. This topic provides an example of using a built-in rule to mask the xc_dpe_e2_dev project's phone data and setting up an export risk audit to demonstrate the basic usage workflow of Data Security Guard.

Go to Data Security Guard

  1. Log on to the DataWorks console. In the target region, click Data Governance > Security Center in the left-side navigation pane. On the page that appears, click Go to Security Center.

  2. In the left-side navigation pane, click Data Security > Sensitive Data Management and then click Try Now to access Data Security Guard.

    Note
    • If your Alibaba Cloud account is already authorized, you are directed to the Data Security Guard homepage.

    • If your Alibaba Cloud account is not authorized, you are redirected to the Data Security Guard authorization page. To use Data Security Guard features for the first time, go to Data Security > Sensitive Data Management, select Data Security Guard in the pop-up dialog, and then complete the authorization.

Procedure

  1. Step 1: Configure data classification and grading

    Classify your data by sensitivity level based on its value, content sensitivity, scope of impact, and scope of distribution. Different sensitivity levels have different governance principles and data development requirements.

  2. Step 2: Configure sensitive data detection rules

    Define data categories and configure sensitive field types based on the data source and purpose to identify sensitive data within your workspace. DataWorks provides built-in data categories and detection rules. You can also create custom data categories and sensitive data detection rules.

  3. Step 3: Configure data masking rules

    Configure data masking rules for identified sensitive data. Data masking controls vary based on the sensitivity level and business requirements.

  4. Step 4: Configure risk detection rules

    Use intelligent analysis and risk detection rules to detect risky operations and trigger alerts. This helps you effectively identify and mitigate risks.

  5. Step 5: View data

    After you complete the configuration, you can view the results in the relevant modules of Data Security Guard.

Step 1: Configure data classification and grading

Classify your data assets by sensitivity level based on their value, content sensitivity, scope of impact, and scope of distribution. Different sensitivity levels have different governance principles and data development requirements. DataWorks provides built-in templates for data classification and grading. You can also edit the classification and grading settings based on your business needs. On the Data Security Guard page, in the left-side navigation pane, choose Rule Setting > Data classification grading. This example uses the default data grades provided by DataWorks. For more information, see Configure data classification and grading.

Step 2: Configure sensitive data detection rules

DataWorks allows you to define sensitive field types based on their sensitivity level and category to help you identify sensitive data in your workspace. You can use built-in or custom rules to configure sensitive field types. For more information, see Configure data detection rules and run detection tasks.

This article provides an example of how to configure the phone sensitive field type. In this example, a built-in identification rule is used to define phone numbers as sensitive data and identify them in the xc_dpe_e2_dev workspace.

  1. On the Data Security Guard page, choose Rule Setting in the left-side navigation pane to go to the Sensitive Data Detection page.

  2. Configure data classification and grading.

    In the Data classification configuration area, default data classifications are provided. You can also create new classifications as needed. This example uses the default classification Basic Information.

  3. Configure a sensitive field type.

    1. Click + Sensitive Field Type to create a sensitive field type.

    2. Configure the basic information for the sensitive field type.

      The following table describes the key parameters.

      Parameter

      Description

      Sensitive field type

      Customize the name of the sensitive field type based on your business requirements. In this example, the name is set to phone.

      Data category

      The data category to which the sensitive field type belongs. You can define data categories in the classification and grading configuration section.

      The example configuration in this topic is for the default Basic Information category in DataWorks.

      Sensitivity level

      The sensitivity level to which the sensitive field type belongs. You can define sensitivity levels in Step 1: Configure data classification and grading.

      In this example, the configuration level is set to 3.

    3. Click Next Step.

    4. Configure the rule for the sensitive field type.

      This topic uses the rule configuration shown in the following figure.

      image

      The following table describes the parameters.

      Parameter

      Description

      Hit criteria

      Defines the matching logic for the detection rule. Valid values:

      • Satisfy any rule: A match occurs if any of the configured conditions (data content, field comment, or field name) are met.

      • Match all rules: A match occurs only if all configured conditions are met.

      Note

      This topic describes only how to configure a Data Content Identification rule. For more information about rule configurations, see Configure data detection rules and run detection tasks.

      This example uses Satisfy any rule.

      Data Content Identification

      Defines the content pattern that is used to match sensitive data. The pattern is based on the selected rule type.

      In this example, the rule type is set to Built-in Rule, and the content to identify is Mobile Phone Number. Data is identified as sensitive if its content matches the characteristics of a phone number.

      Hit ratio configuration

      The minimum percentage of non-empty values in a column that must match the conditions to trigger a hit. If the percentage exceeds the threshold, the column is classified as this sensitive field type.

      In this example, the threshold is set to 50%. This means that if more than 50% of the data in a column meets the specified conditions, the column is identified as sensitive data.

    5. After the configuration is complete, click Publish to activate the rule.

      The start time of a sensitive data detection task varies by task type.

      Note
      1. A real-time task starts immediately.

      2. A scheduled task starts at the configured scan time after you enable it. At the specified time, the platform performs sensitive data detection based on the task configuration.

      3. A new detection task starts immediately after it is created, and its status is displayed as a progress bar. The task is complete when the progress reaches 100%. The progress is calculated by using the following formula: (Number of tables scanned in the current task / Total number of tables to be scanned in the current task) × 100%.

Step 3: Configure data masking rules

Configure data masking rules for the sensitive data that you have identified. Data masking controls vary based on the sensitivity level and your business requirements. DataWorks currently supports dynamic data masking and static data masking. For more information, see Create a data masking rule.

This topic provides an example of configuring a phone data masking rule for the sensitive data that is identified by the phone rule in Step 2.

  1. On the Data Security Guard page, choose Rule Setting in the left-side navigation pane to go to the Data Masking Management page.

  2. Configure a data masking rule.

    1. Click the image icon to create a masking rule.

    2. Configure the rule information.

      This topic uses the rule configuration shown in the following figure.

      image

      Parameter

      Description

      Sensitive field type

      Select the sensitive field type to desensitize. In this example, select the phone sensitive field type that you configured in Step 2.

      Masking Rule Name

      Specify a name for the data masking rule. This topic uses phone as an example.

      Data masking scenario

      Select the scenarios where this masking rule applies. By default, the scenario selected in Step 1 is used. You can also change the scenario or add multiple scenarios as required.

      Masking Method

      The method used to mask the data. This example uses Mask > Show only the first three and the last two.. For a phone number, this method shows the first three and last two digits, and replaces all other digits with asterisks (*).

      For more information about masking rule configuration, see Create a data masking rule.

  3. Enable data masking for the workspace.

    After configuring a masking rule, ensure that query result masking is enabled for the target workspace. The rule takes effect only after it is enabled.

    1. Go to DataStudio.

    2. In the lower-left corner, click the 设置 icon to open the settings page.

    3. On the Security Settings and Others tab, in the Data Security section, enable data masking for page query content.

  4. Verify that the data masking rule is in effect.

    In DataStudio, create an ad hoc query to query the relevant phone number data and verify the masking effect in the query results. The specific table data and query statements depend on your business configuration. The following figure shows an example of the masking effect.验证脱敏

Step 4: Configure risk detection rules

Risk detection management uses advanced analytics to identify high-risk operations and trigger alerts, providing centralized and visual auditing. DataWorks provides built-in risk detection rules for various scenarios, and you can also create custom rules based on your business scenarios. For more information, see Risk detection management.

This topic provides an example of creating a custom rule to perform risk detection on sensitive data that is identified by the phone rule configured in Step 2. If the number of data exports that match the phone rule from the xc_dpe_e2_dev project is greater than or equal to 10 within 10 minutes, the export operation is identified as a high-risk operation.

  1. On the Data Security Guard page, choose Rule Setting in the left-side navigation pane to go to the Risk Detection Management page.

  2. Configure a risk detection rule.

    1. Click the 风险识别规则 icon to create a risk detection rule.

    2. Configure the rule information.

      This topic uses the rule configuration shown in the following figure.风险识别规则配置 The following table describes the parameters.

      Section

      Parameter

      Description

      Basic Information

      Rule Name

      Specify a custom rule name. In this example, the name is set to Phone Data Export Risk.

      Rule Type

      The type of data risk, such as data access, data export, or data operation.

      This example selects data export risk, meaning any export of phone data is considered a risky operation.

      Rule Level

      The risk level of the operation. In this example, the export of phone data is defined as a high risk.

      Rule Definition

      Conditions

      Defines the conditions for the risk detection rule. You can configure rules based on conditions such as data location, data properties, user information, and operation time.

      In this example, a data attribute is selected to configure a rule that is triggered if sensitive data of the phone type in Step 2 is exported 10 or more times within 10 minutes.

      Alert settings

      Alert Notification Method

      You can choose to send alerts by email or webhook.

      This example uses a webhook. For information about how to configure a DingTalk robot webhook, see Send alert messages to a DingTalk group.

      For more information about risk detection configurations, see Risk detection management.

  3. Enable the rule.

    Because a custom rule is disabled by default after creation, you must go to the risk detection management page, find the phone data export risk rule, and click Re-enable to manually enable it.

Step 5: View data

After you configure sensitive data and risk detection rules, you can view the resulting risk data in the various modules of Data Security Guard. Risk data is generated on the next day (T+1).

Module

Description

Sensitive data overview

This page visualizes your data assets from different dimensions, such as workspace and sensitivity level. It shows the total number and proportion of fields and tables that hit detection rules, as well as the distribution and inventory of fields by sensitivity level and project.

Sensitive data access and export

Displays the access volume, access trends, export volume, and export details for sensitive data identified by your rules. This helps you monitor every access to sensitive data.

View data risks

Presents risk events identified by your rules from multiple dimensions. This module helps you understand risk distribution, trends over time, and project risk rankings to identify high-risk periods and projects. You can also view details of a risk event, such as the user, time, and operation, allowing for timely identification and remediation.

Data tracing

Extracts watermark information from leaked data files to trace the source of a data leak.