The data traceability feature in DataWorks lets you extract watermark information from a leaked data file to identify the likely source of the leak. This topic shows you how to create and run a data tracing task to find the source of a data leak.
Prerequisites
-
You have created a sensitive data identification rule. For more information, see Configure a sensitive data identification rule and run a detection task.
-
You have enabled the Data watermark feature for the target sensitive data identification rule. For more information, see Create a data masking rule.
Background
After you enable the Data watermark feature for a sensitive data identification rule in data masking management within Data Security Guard, DataWorks automatically adds watermarks to all operations, such as queries and downloads, on data that matches the rule. A watermark is a unique identifier that records user access activities. If this data is leaked, you can use data traceability to extract the watermark from the leaked data and identify the likely source of the leak.
Limitations
-
DataWorks supports data traceability only for CSV files smaller than 200 MB.
-
You must have the security administrator role to perform data traceability.
-
DataWorks can trace only data access operations that occur after the Data watermark feature is enabled.
NoteFor example, if you query Table A before the Data watermark feature is enabled, then even if you enable the Data watermark feature and start a data tracing task for that data file, you still cannot trace this query operation by using the Data Traceability feature.
Create and run a data tracing task
-
In the left-side navigation pane, click Data Traceability to go to the Data Traceability page.
-
Create a data tracing task.
-
Click Create Data Traceability Task.
-
In the Data Traceability Task dialog box, click Upload File to upload the file that you want to trace.
Note-
DataWorks supports data traceability only for CSV files smaller than 200 MB.
-
You can export or download a data file from DataWorks to your local machine and then upload it to the data tracing task. Alternatively, you can save data from an external system to a CSV file and upload it for tracing.
After the file is uploaded, you can Replace or Download the file.
-
-
-
Click Start Traceability to run the task.
NoteThe tracing process can take some time.
View possible leak sources
On the Data Traceability page, you can view the Trace Date and Traceability Document for all completed tasks. You can also view the details of a task to find possible leak sources.
-
All data tracing tasks are sorted by Trace Date from newest to oldest.
-
You can search for a task by its file name. The search supports fuzzy matching. This displays all tasks with file names that contain the keyword.
Click the
icon in the Actions column of the target task to view its details. Use the probability, Operation Time, and command information from the analysis to identify the user most likely responsible for the data leak.
FAQ
After a data tracing task is complete, if the possible leak sources section shows No Data Found, refer to the following possible causes and solutions:
-
Cause 1: The traced file contains insufficient data to restore the watermark information.
Solution: The watermark information generated by the Data watermark feature requires a sufficient amount of data to ensure that a data tracing task can restore reliable watermark information, which allows you to identify the user responsible for a potential data leak. We recommend that you use a file that contains more than 500 records and no duplicate data for data tracing.
-
Cause 2: The leaked data is not from the current tenant.
Solution: Confirm that the traced data is from the current tenant.
-
Cause 3: The traced file does not contain watermark information.
Solution:
-
Check whether the Data watermark feature was enabled for the data source. DataWorks can trace only data access operations that occur after the Data watermark feature is enabled. To view and enable the Data watermark feature, see Create a data masking rule.
-
The file you are tracing may not be from a data leak. The leak may have originated from operations in an external system.
-