After activating Data Security Center (DSC), complete asset onboarding in the Asset Center and enable the required features. You can use core security capabilities, such as risk identification, data classification, and data audit, only after your assets are onboarded.
This topic describes the new version of Asset Center. If you are using the old version of Asset Center, see Asset Center (Old Version). Log on to the Data Security Center console, click Asset Center in the left-side navigation pane, and identify the current version by its UI.
Enable asset features
Step 1: Onboard assets
Log on to the Data Security Center console.
In the navigation pane on the left, select Asset Center.
In the asset list on the left, click the type of asset that you want to onboard.
General assets
Data Security Center supports automatic synchronization for most data asset types. If you cannot find the target asset, click Asset synchronization and then refresh the page.
Note: Automatic synchronization: After you authorize the service-linked role, the system creates the AliyunServiceRoleForSDDP service-linked role and attaches the AliyunServiceRolePolicyForSDDP policy to it. Every day at 00:00, Data Security Center uses this role to automatically scan and synchronize the cloud assets in your account by calling OpenAPI.
Manual synchronization: Click Asset synchronization to synchronize assets immediately.
After asset synchronization is complete, Data Security Center adds an allowlist group named ali_sddp_group to the asset instance. This group allows Data Security Center to access the database information of the asset. The allowlist contains the IP addresses of the Data Security Center server, which vary by region.
Self-Managed Database
Data Security Center supports onboarding self-managed databases that are deployed on ECS instances or as external assets.
Log on to the database and run the following commands to create a user and grant Data Security Center access to the database. Replace <allowed_ip_range> in the commands with the IP address range that corresponds to the region of your instance (see DSC IP ranges for database access below). The following example is for MySQL 8.0; adjust the syntax for other database types.
CREATE USER '<username>'@'<allowed_ip_range>' IDENTIFIED BY '<password>';
GRANT SELECT ON <database_name>.* TO '<username>'@'<allowed_ip_range>';
Go to the Asset Center page in the Data Security Center console. If you have subscribed to Security Center Enterprise or Ultimate Edition, click Sync Assets to complete asset synchronization. Otherwise, click Add Self-built Asset and provide the following parameters.
Parameter | Description |
Database Engine Type | Select from the supported database types. |
Server Type | Supports onboarding ECS Instance and External Assets. |
Region and Instance ID (ECS Instance) | Select the region and instance ID of the target ECS instance. If the target ECS instance is not listed, click ECS Asset Sync to update the instance list. |
Region and Instance Name (External Assets) | Select the region of the VPC that is connected to your external network, and enter an easy-to-identify instance name. |
IP/Domain and Port | Enter the IP address or domain name and the database port of the asset. You can add multiple entries. |
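As an added example (not part of the original page), the following Python helper builds the MySQL 8.0 statements from the self-managed database step above while enforcing two checks a defender wants before running them: the host part must be a single IPv4 address or a CIDR block (a bare % wildcard, a range with host bits set, or 0.0.0.0/0 is rejected), and the user and database names must be plain identifiers. The range 203.0.113.0/24 is a constructed placeholder, not a DSC address range; the address/netmask host form, and which netmask values it accepts, depend on your MySQL version.

```python
import ipaddress
import re

# Plain identifiers only, so the names can be quoted safely in the statements.
_IDENTIFIER = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def mysql_host_pattern(allowed_ip_range: str) -> str:
    """Turn an IPv4 address or CIDR block into a MySQL account host part.

    A single address is returned as-is; a block is returned in MySQL's
    'address/netmask' host form. Anything that is not a valid network
    (including the '%' wildcard) raises ValueError, so the DSC account
    can never be created as reachable from everywhere by mistake.
    """
    net = ipaddress.ip_network(allowed_ip_range, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 ranges are handled here")
    if net.prefixlen == 0:
        raise ValueError("refusing an all-hosts range")
    if net.prefixlen == 32:
        return str(net.network_address)
    return f"{net.network_address}/{net.netmask}"


def build_dsc_grant_sql(username: str, password: str,
                        database_name: str, allowed_ip_range: str) -> list:
    """Return the CREATE USER / GRANT SELECT statements for a read-only DSC account."""
    for name in (username, database_name):
        if not _IDENTIFIER.match(name):
            raise ValueError(f"unsafe identifier: {name!r}")
    if "'" in password or "\\" in password:
        raise ValueError("password must not contain quotes or backslashes")
    account = f"'{username}'@'{mysql_host_pattern(allowed_ip_range)}'"
    return [
        f"CREATE USER {account} IDENTIFIED BY '{password}';",
        # SELECT only: DSC needs to read data, never to change it.
        f"GRANT SELECT ON `{database_name}`.* TO {account};",
    ]


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.0/24 stands in for the DSC
    # region range you look up in the IP range table on this page.
    for stmt in build_dsc_grant_sql("dsc_reader", "Replace-Me-1",
                                    "orders", "203.0.113.0/24"):
        print(stmt)
```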
ADB-PG
AnalyticDB for PostgreSQL does not support automatic asset synchronization. To add an asset, click Add Asset and provide the following parameters.
Parameter | Description |
Region | Select the region where the instance is located. |
Instance Name | Select the target instance in the specified region. |
Database Name | Enter the name of the database that you want to onboard. |
Username | Enter the username for connecting to the database. Select the permission level (Read/Write or Read-only) that corresponds to the user's actual access rights in the database. |
Password | Enter the password for the specified username. |
Step 2: Enable the feature
Supported features by asset type
The following table lists the asset types that can be connected to DSC and their supported features. Additionally, assets in certain regions have feature limitations. For a complete list of these limitations, see Supported regions.
Asset type | Configuration Risks | Classification and Grading | Data Auditing | Data Detection and Response | Column Encryption | Image Masking | Enable/Automatically create database accounts |
RDS | Supported only for writable instances of MySQL, SQL Server, and MariaDB. | ||||||
PolarDB | Supported only for MySQL. | ||||||
PolarDB-X | |||||||
PolarDB-X 2.0 | |||||||
Redis | |||||||
MongoDB | |||||||
OceanBase | |||||||
Self-Managed Database | Supported only for ECS assets. | ||||||
OSS | |||||||
SLS | |||||||
TableStore | |||||||
MaxCompute | |||||||
ADB-MYSQL | |||||||
ADB-PG | |||||||
Configuration Risks
Feature description: This feature detects configuration risks by analyzing the configurations of your Alibaba Cloud databases, storage, and big data assets. The risks cover areas such as permission management, access control, encrypted transmission, and disaster recovery. This feature also continuously monitors your configuration security.
How to enable: Locate the target asset and click the toggle in the Configuration Risks column to enable this feature. After it is enabled, you can go to the page to manage these risks. For more information, see Security baseline check.
Data Auditing
Feature description: Efficiently audits logs from various data sources, such as databases and OSS. It uses more than 900 built-in rules for high-risk operations to identify abnormal behavior, data leakage, SQL injection, and other risks. It also supports custom rules, multi-dimensional log filtering, and real-time alerts.
How to enable: Locate the target asset and click the toggle in the Data Auditing column to enable this feature. For a Self-Managed Database, you must also configure the network and install an agent. For more information, see Install an agent. After it is enabled, you can go to the page to manage data audits. For more information, see Cloud-native data auditing.
Data Detection and Response
Feature description: This feature focuses on data leakage prevention by automatically identifying sensitive content, such as user AKs and database connection strings, in OSS files. This service also detects file access using leaked or abnormal AKs and abnormal login activities using leaked database accounts.
How to enable: Locate the target asset and click the toggle in the Data Detection and Response column to enable this feature. After it is enabled, you can go to the page to manage data leakage. For more information, see Data Detection and Response.
Classification and Grading
Feature description: DSC provides sensitive data identification templates for industries such as finance, energy, and automotive. You can use these templates to identify sensitive information in your assets and manage its classification and grading based on location, type, and sensitivity level.
How to enable: Locate the target asset, click the toggle in the Classification and Grading column, and complete the following configurations in the Enable Classification and Grading dialog box.
General assets
Parameter | Description |
Activation Method | DSC provides three methods to connect to data assets for data detection tasks; the supported methods vary by asset type. Automatically create database accounts: DSC creates a read-only account whose name starts with sddp_auto in the target data asset and uses it to connect to the database and identify data. Note: If you no longer use DSC, the system automatically removes this read-only account 15 days after your DSC instance expires. Manually enter username and password: Enter the account and password used to connect to the target database. Service-Linked Role Access: DSC uses a service-linked role to access the data asset. |
Authorization Scope | Select the scope for data detection. Some asset types support only Entire data source. Options: Entire data source; Manage authorization scope in the data source list (select an authorization scope). |
Automatically create and start a default scan task | If you select this option, DSC immediately creates a default scan task. You can later go to the tab and click Default Tasks to view or configure the default scan task. For more information, see Scan sensitive data by using an identification task. |
Automatically connect to new databases (supported by only some database assets) | If enabled, DSC automatically connects to new databases that it discovers in an instance during asset synchronization. |
Self-Managed Database
Configure the Database Name, Database Account, Database Password, and Database Port. You can add up to 20 databases.
View the DSC connection status: After enabling the data classification and grading feature, you can click the number next to the toggle to view the connection status. The initial status is Testing Connectivity. In this state, DSC performs a connectivity check every 30 seconds:
For database assets, DSC attempts to log in to the database with the configured account and password.
For OSS assets, DSC verifies that the specified bucket exists.
If a check is successful (the database login is successful or the OSS bucket exists), the connection status changes to Connected. If a check fails, a failure is recorded. If 10 consecutive checks fail, the connection status changes to Connection Failed. In the Data Classification and Grading Enablement Details pop-up window, the Account Connection Status column shows the connection result. If the connection is successful, the status is Connected and the Data Classification and Grading Status is Enabled.
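As an added example that is not part of the original page, the following Python model reproduces the connection-status rules described above (a probe every 30 seconds, Connected on the first success, Connection Failed after 10 consecutive failures) so you can see how long a misconfigured account takes to surface as failed. The probe callables and the outcome sequences are constructed stand-ins; DSC's real checks are the database login and the OSS bucket lookup.

```python
from typing import Callable, Tuple

CHECK_INTERVAL_SECONDS = 30   # DSC probes every 30 s while Testing Connectivity
FAILURE_THRESHOLD = 10        # 10 consecutive failed probes -> Connection Failed

TESTING = "Testing Connectivity"
CONNECTED = "Connected"
FAILED = "Connection Failed"


class ConnectionStatus:
    """State machine behind the number next to the Classification and Grading toggle."""

    def __init__(self) -> None:
        self.status = TESTING
        self.consecutive_failures = 0
        self.elapsed_seconds = 0

    def record(self, probe_ok: bool) -> str:
        """Feed one probe result (probes are 30 s apart) and return the new status."""
        if self.status != TESTING:
            return self.status          # a verdict has already been reached
        self.elapsed_seconds += CHECK_INTERVAL_SECONDS
        if probe_ok:
            self.status = CONNECTED     # a single successful check is enough
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= FAILURE_THRESHOLD:
                self.status = FAILED
        return self.status


def run_probes(probe: Callable[[], bool]) -> Tuple[str, int]:
    """Drive the state machine with a probe callable until a verdict is reached."""
    state = ConnectionStatus()
    while state.status == TESTING:
        state.record(probe())
    return state.status, state.elapsed_seconds


def db_login_probe(expected: dict, supplied: dict) -> Callable[[], bool]:
    """Constructed stand-in for 'log in with the configured account and password'."""
    return lambda: supplied == expected


def oss_bucket_probe(existing_buckets: set, bucket: str) -> Callable[[], bool]:
    """Constructed stand-in for 'verify that the specified bucket exists'."""
    return lambda: bucket in existing_buckets


if __name__ == "__main__":
    creds = {"user": "sddp_auto_demo", "password": "correct"}   # constructed
    print(run_probes(db_login_probe(creds, creds)))
    print(run_probes(db_login_probe(creds, {**creds, "password": "typo"})))
```

A probe that never succeeds reaches Connection Failed only after 10 checks 30 seconds apart, so allow about five minutes before treating a lingering Testing Connectivity status as a misconfiguration.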
Next steps: Go to the page to view the identified sensitive information, or go to the page to configure sensitive data identification templates. For more information, see Sensitive data classification and grading.
Column Encryption
Feature description: Encrypts specific columns in a database to prevent unauthorized users from directly accessing sensitive data in plaintext through cloud platform software or database connection tools. This effectively defends against internal and external security threats.
How to enable: Locate the target asset, click the toggle in the Column Encryption column, and complete the following configurations in the Encryption Configuration dialog box.
Important: Before configuring column encryption, you must enable the data classification and grading feature and complete data scanning and identification.
Detailed configuration: This section describes only the parameters required to configure column encryption in Asset Center for quick deployment. For more information about encryption principles and full configuration instructions, see column encryption.
Parameter | Description |
Asset Type and Instance Name | The target asset is pre-selected. No manual adjustment is required. |
Encryption Algorithm | Select an encryption algorithm. |
Encryption Method | You can use a local key or a KMS key to encrypt data. KMS keys are supported only for RDS for MySQL. |
Plaintext Permission Accounts | Configure accounts that are allowed to access data in plaintext. Queries from unconfigured accounts return ciphertext. Important: If you used the Manually enter username and password method to connect DSC to your data asset when enabling Classification and Grading, you must add that database account as a Plaintext Permission Account. This ensures that the account can read the database, allowing DSC to keep classification and grading results up to date. |
Configure Columns | Select the data columns to encrypt. |
Next steps: Go to the page to view an overview of sensitive column encryption and manage account permissions.
Image Masking
Feature description: This feature creates an image desensitization task to scan images in a target bucket for sensitive information, such as ID card numbers, license plate numbers, and faces. The service then desensitizes this information by masking it with a gray rectangle.
How to enable: Locate the target asset, click the toggle in the Image Masking column, and complete the following configurations in the Enable Image Masking dialog box.
Note: If you want to identify and classify sensitive information in images before desensitization, you must enable the Classification and Grading feature for the bucket.
Parameter | Description |
Task Name | Enter a name for the desensitization task. |
Masking Scope | Configure which images to desensitize. DSC scans all images in the selected bucket. To desensitize all eligible images in the bucket, you do not need to configure this parameter. To desensitize specific images in the bucket, configure this parameter and then select the file path matching method: Match by Prefix or Match by Suffix. For example, a bucket contains the following images that meet the desensitization criteria: example/dir01/test01.png, example/dir02/test02.jpg, testexample/testdir/testim.jpg, and test.jpg. Match Prefix: Enter the prefix example. DSC desensitizes only the matching images example/dir01/test01.png and example/dir02/test02.jpg. Match Suffix: Enter the suffix jpg. DSC desensitizes only the matching images test.jpg, testexample/testdir/testim.jpg, and example/dir02/test02.jpg. |
Scan Type | Run Now: Scan and desensitize images immediately. Periodic Run: Configure a Scheduled Execution Time. DSC desensitizes incremental images in the bucket at 00:00:00 based on the configured schedule. To run the task immediately, select Run Again Now. |
Image Type | Select one or more supported information types to desensitize. |
De-identification Method | Currently, only masking is supported. |
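As an added example (not from the original page), this Python function applies the Masking Scope rules to the four sample object keys from the table above, making explicit that prefix matching runs against the whole object key (so the prefix example does not catch testexample/...), and also covers the periodic-run case by skipping keys already processed, which the page describes as desensitizing incremental images. The eligible-extension list and the set of already-processed keys are assumptions.

```python
from typing import Iterable, List, Optional, Set

# The four object keys used in the Masking Scope example above.
SAMPLE_BUCKET_OBJECTS = [
    "example/dir01/test01.png",
    "example/dir02/test02.jpg",
    "testexample/testdir/testim.jpg",
    "test.jpg",
]

# Assumption: these extensions are what counts as an eligible image.
ELIGIBLE_EXTENSIONS = (".png", ".jpg", ".jpeg")

MATCH_BY_PREFIX = "Match by Prefix"
MATCH_BY_SUFFIX = "Match by Suffix"


def select_masking_scope(object_keys: Iterable[str],
                         method: Optional[str] = None,
                         pattern: Optional[str] = None,
                         already_processed: Optional[Set[str]] = None) -> List[str]:
    """Return the object keys a masking task would desensitize.

    method=None means Masking Scope was left unset: every eligible image in
    the bucket is in scope. With a method, only keys matching the pattern are
    kept; prefix matching compares the start of the full key, not a path
    component. already_processed models a Periodic Run, which only touches
    images added since the previous execution.
    """
    eligible = [k for k in object_keys if k.lower().endswith(ELIGIBLE_EXTENSIONS)]
    if method is None:
        selected = eligible
    elif not pattern:
        raise ValueError("a prefix or suffix is required when a method is set")
    elif method == MATCH_BY_PREFIX:
        selected = [k for k in eligible if k.startswith(pattern)]
    elif method == MATCH_BY_SUFFIX:
        selected = [k for k in eligible if k.endswith(pattern)]
    else:
        raise ValueError(f"unknown matching method: {method!r}")
    if already_processed:
        selected = [k for k in selected if k not in already_processed]
    return selected


if __name__ == "__main__":
    print(select_masking_scope(SAMPLE_BUCKET_OBJECTS, MATCH_BY_PREFIX, "example"))
    print(select_masking_scope(SAMPLE_BUCKET_OBJECTS, MATCH_BY_SUFFIX, "jpg"))
```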
Next steps: Go to the page to view the details of your desensitization tasks. For more information, see OSS Image Desensitization.
One-click activation
Use one-click activation to efficiently enable features for many assets at once.
This feature supports only Configuration Risks, Data Classification, Data Auditing, and Data Detection and Response. You must enable other features manually.
To enable: Locate the target asset, click Enable in the Actions column, and complete the following configuration.
Parameter | Description |
Feature selection | Select the features to enable. |
Scan assets and identify sensitive data now. | If selected, DSC immediately creates a default scan task. You can then go to the tab and click Default Tasks to view or configure the default system scan task. For more information, see Scan for sensitive data by using discovery tasks. |
Automatically connect to new databases. (Supported by only some databases) | If enabled, DSC automatically connects to new databases detected in the instance during manual or automatic asset synchronization. |
Routine O&M
Asset overview
In the upper-right corner of the Asset Center page, you can view the number of instances with enabled features and the storage capacity usage.
In the asset list on the left, click a target asset type. The total number of assets of this type and their feature status appear at the top of the page. Click the number under "Features disabled" to filter assets by this status.
The feature statuses include configuration risk disabled, data classification disabled, data audit disabled, and column-level encryption disabled. In the Actions column of the asset list, you can click Enable All to enable the corresponding features.
For SLS assets, the data volume displayed in the DSC console may differ from the storage volume shown in the Log Service console. This is expected because the data volume that DSC calculates includes both free-tier and billable data.
Edit enabled features
Classification and Grading: After you enable the Classification and Grading feature, you can view the DSC authorization and connection status for certain assets to the right of the toggle.
Click the number to the right of the toggle to open a panel where you can perform the following operations on the target database (or SLS LogStore):
Authorize DSC: Select the target database or LogStore and click Batch Enable. If you did not select Automatically create database accounts when enabling the Classification and Grading feature, you must enter the database account and password in the dialog box and then click OK.
Deauthorize DSC: Select the target database or LogStore, click Bulk Disable, and then click OK in the dialog box.
Add a database (MongoDB only): Click Add Database. In the dialog box, enter the Database Name, Database Account, and Database Password, and then click OK.
Modify the discovery node (MongoDB only): By default, DSC discovers data from the secondary node. To change this, click the icon in the Node column. In the Edit dialog box, modify the settings and click OK. The node configuration change takes effect in the next discovery task.
Column Encryption: After you enable the Column Encryption feature, you can view the encrypted column status for the database instance to the right of the toggle.
Click the number to the right of the toggle to open a panel where you can modify settings such as Encryption Algorithm and Account Permissions. For more information, see Configure column-level encryption for a database.
In the asset management list in Data Security Center, information such as Encrypted Columns 1/5 appears to the right of the toggle in the Column-level encryption column. This means 1 of the 5 columns in the instance is encrypted.
DSC IP ranges for database access
Region | CIDR Block |
China (Qingdao) | |
China (Beijing) | |
China (Zhangjiakou) | |
China (Hohhot) | |
China (Hangzhou) | |
China (Shanghai) | |
China (Shenzhen) | |
China (Hong Kong) | |
Alibaba Cloud for Government | |
China (Shanghai) Finance | |
China (Hangzhou) Finance | |
China (Chengdu) | |