Data Security Center (Sensitive Data Protection) is a product of Data Security Center (DSC), and collects and analyzes information about data assets to classify sensitive data in the cloud by using data tags and grade the data by using sensitivity levels. This topic describes how to quickly perform sensitive data classification and grading in the DSC console.
Before you begin
-
You must have a database available to connect to DSC. For more information about the database types and regions that DSC supports, see Supported data asset types and Supported regions.
This example uses tables from an ApsaraDB RDS for SQL Server instance in the China (Zhangjiakou) region to scan for sensitive data. For more information about how to create an ApsaraDB RDS for SQL Server instance, a database management account, and a database, see Create an ApsaraDB RDS for SQL Server instance and Create accounts and databases.
-
If you use a RAM user to purchase and use DSC, you must grant the necessary permissions to the user. For more information, see Authorize a RAM user to access DSC.
Step 1: Activate DSC and grant permissions
DSC provides a Free edition instance that offers a fixed amount of resources each month. For more information, see Activate Data Security Center Free Edition. This example uses the Free edition.
-
DSC provides a 7-day free trial of the Enterprise edition. You can fill out the trial application form to activate it. After you activate the free trial, you can skip this step.
-
If your account is not eligible for the free trial or the Free edition, you can purchase a paid edition of Data Security Center. For more information, see Purchase Data Security Center.
-
Log on to the Data Security Center console and click Activate Free Edition.
-
Follow the instructions to authorize DSC to access your cloud resources. For more information, see Authorize DSC to access cloud resources.
Step 2: Connect your database to DSC
You can classify and grade sensitive data only after your data assets are connected to DSC. This topic uses an RDS database as an example to show how to connect a database for immediate classification and grading of sensitive data.
-
On the Authorization Management page, click Asset Authorization Management.
-
In the Asset Authorization Management panel, under Structured Data, select RDS and click Asset synchronization.
If the data asset is already in the list, skip this step.
-
On the Not authorized tab, find the target instance and click Authorization in the Actions column.
-
Return to the Authorization Management page. Find the target instance and click Connect in the Actions column.
NoteWhen you use the one-click connection feature, DSC automatically creates a read-only account in the target data asset. DSC uses this account to connect to the database and run identification tasks.
-
In the Connect dialog box, select Scan assets and identify sensitive data now. and click OK. DSC automatically creates and immediately runs a default task.
ImportantRun the scan during off-peak hours and monitor your services to prevent the data identification task from affecting your business operations.
-
Return to the Authorization Management page and click the refresh
icon. After the data is refreshed, confirm that the database's connection and feature statuses are normal.
Step 3: Check identification task status
Classification and grading results are available only after the identification task completes. If you select Scan assets and identify sensitive data now. when you authorize the connection, DSC automatically creates and immediately runs a default task. The default task uses the primary template (by default, the Classification Template for the Internet Industry) and a common template (compliant with personal information security specifications) to scan the connected database.
-
On the Tasks page, click the Identification Tasks tab, and then click Default Tasks.
-
On the Discovery Task Monitoring page, view the scan status of the default identification task created for your database.
The duration of an identification task depends on the amount of data being scanned and can be lengthy for large datasets.

Step 4: View classification results
-
On the Asset Insight page, click the Asset Type tab. Find the target database instance and the scanned database. DSC displays the identification results, including the detected Sensitivity Level and Tag.
A darker color indicates a higher sensitivity level. N/A indicates that no sensitive data was found. DSC applies tags only for the Personal Information (
) and Sensitive Personal Information (
) categories of sensitive data.
-
Find the database and click Table details in the Actions column. In the Table Details panel, view statistics about the sensitive information identified in the tables, such as sensitive columns.

Summary
Data Security Center (DSC) can identify sensitive data in your authorized data assets. It then classifies the data into categories such as Personal Information, Sensitive Personal Information, and General Information, and assigns a sensitivity level.
Connect to data assets
DSC supports various data assets, including ApsaraDB RDS, PolarDB, PolarDB for Xscale (PolarDB-X), PolarDB-X 2.0, ApsaraDB for Redis, ApsaraDB for MongoDB, ApsaraDB for OceanBase, Tablestore, AnalyticDB, AnalyticDB, Object Storage Service (OSS), MaxCompute, and self-managed databases on ECS. For more information about how to connect to different data assets, see Asset authorization management.
Select data identification templates
After authorization, DSC automatically creates a default task to scan your data assets. This task uses the primary template (by default, the Classification Template for the Internet Industry) and a common template (compliant with personal information security specifications).
The Classification Template for the Internet Industry is a built-in template that DSC uses to identify sensitive data. On the Identification Configuration page, you can change the primary template to another built-in template or a custom one. For custom templates, you can define your own identification models and rules. For more details, see View and configure identification templates.

Create custom identification tasks
You can enable two additional identification templates besides the primary one. To use them, create a new identification task on the Tasks page, as the default task only uses the primary template. For more information, see Scan for sensitive data by using an identification task.

References
To classify and grade data for Data Management (DMS), see Use DSC to classify and grade DMS data.

