Asset Center (New)


After activating Data Security Center (DSC), complete asset onboarding in the Asset Center and enable the required features. You can use core security capabilities, such as risk identification, data classification, and data audit, only after your assets are onboarded.

Important

This topic describes the new version of Asset Center. If you are using the old version of Asset Center, see Asset Center (Old Version). Log on to the Data Security Center console, click Asset Center in the left-side navigation pane, and identify the current version by its UI.

Enable asset features

Step 1: Onboard assets

  1. Log on to the Data Security Center console.

  2. In the navigation pane on the left, select Asset Center.

  3. In the asset list on the left, click the type of asset that you want to onboard.

    General assets

    Data Security Center supports automatic synchronization for most data asset types. If you cannot find the target asset, click Asset synchronization and then refresh the page.

    Note
    • Automatic synchronization: After you authorize the service-linked role, the system creates the AliyunServiceRoleForSDDP service-linked role and attaches the AliyunServiceRolePolicyForSDDP policy to it. Every day at 00:00, Data Security Center uses this role to automatically scan and synchronize cloud assets in your account by calling OpenAPI.

    • Manual synchronization: You can click Asset synchronization to synchronize assets immediately.

    After asset synchronization is complete, Data Security Center adds an allowlist group named ali_sddp_group to the asset instance. This group allows Data Security Center to access the database information of the asset. The allowlist contains the IP addresses of the Data Security Center server, which vary by region.

    Self-Managed Database

    Data Security Center supports onboarding self-managed databases that are deployed on ECS instances or as external assets.

    1. Log on to the database and run the following command to create a user and grant Data Security Center access to the database. Replace <allowed_ip_range> in the command with the IP address range that corresponds to the region of your instance. The following example is for MySQL 8.0. Adjust the syntax for other database types.

      -- Restrict the account to the DSC address range for your region (see "DSC IP ranges for database access").
      CREATE USER '<username>'@'<allowed_ip_range>' IDENTIFIED BY '<password>';
      -- Grant read-only access to the database that DSC will scan.
      GRANT SELECT ON <database_name>.* TO '<username>'@'<allowed_ip_range>';
    2. Go to the Asset Center page in the Data Security Center console. If you have subscribed to Security Center Enterprise or Ultimate Edition, click Sync Assets to complete asset synchronization. Otherwise, click Add Self-built Asset and provide the following parameters.

      Parameter

      Description

      Database Engine Type

      Select from the supported database types.

      Server Type

      Select ECS Instance or External Assets.

      Region and Instance ID (ECS Instance)

      Select the region and instance ID of the target ECS instance. If the target ECS instance is not listed, click ECS Asset Sync to update the instance list.

      Region and Instance name (External Assets)

      Select the region of the VPC that is connected to your external network, and enter an easy-to-identify instance name.

      IP/Domain and Port

      Enter the IP address or domain name and the database port of the asset. You can add multiple entries.
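    As an added example that is not part of the original page, the following Python helper renders the CREATE USER / GRANT pair above once for each DSC CIDR block of a region (MySQL accounts are user@host pairs, and every region in the "DSC IP ranges for database access" table has two blocks), and checks whether an address seen in the database's connection log belongs to those blocks. The function names, the identifier rule and the sample credentials are assumptions; the CIDR values are copied from the table on this page.

```python
import ipaddress
import re

# DSC source ranges copied from the "DSC IP ranges for database access" table
# on this page (a subset of regions; extend the dict with the others as needed).
DSC_IP_RANGES = {
    "China (Qingdao)": ["100.104.69.0/26", "100.104.48.128/26"],
    "China (Beijing)": ["100.104.250.0/26", "100.104.51.192/26"],
    "China (Hangzhou)": ["100.104.207.192/26", "100.104.232.64/26"],
    "China (Shanghai)": ["100.104.238.64/26", "100.104.198.192/26"],
    "China (Shenzhen)": ["100.104.247.0/26", "100.104.150.64/26"],
}

# Assumed rule: usernames and database names are plain identifiers, so they
# can be interpolated into the statements without quoting.
_IDENT = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def _sql_string(value):
    """Quote a SQL string literal (MySQL syntax: double the single quotes)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def grant_statements(region, username, password, database):
    """Render the page's CREATE USER / GRANT pair once per DSC CIDR block.

    MySQL accounts are (user, host) pairs, so a region with two blocks needs
    two accounts; each gets SELECT only on the onboarded database.
    """
    if not _IDENT.match(username) or not _IDENT.match(database):
        raise ValueError("username and database must be simple identifiers")
    statements = []
    for cidr in DSC_IP_RANGES[region]:
        ipaddress.ip_network(cidr)  # reject a malformed block before it reaches SQL
        account = f"'{username}'@{_sql_string(cidr)}"
        statements.append(
            f"CREATE USER {account} IDENTIFIED BY {_sql_string(password)};"
        )
        statements.append(f"GRANT SELECT ON {database}.* TO {account};")
    return statements


def is_dsc_source(region, ip):
    """True if an address from the database's connection log falls inside the
    DSC ranges for the region; any other address using the DSC account is suspect."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in DSC_IP_RANGES[region])


if __name__ == "__main__":
    for stmt in grant_statements("China (Hangzhou)", "dsc_reader", "Ch@nge-me", "orders"):
        print(stmt)
    print(is_dsc_source("China (Hangzhou)", "100.104.207.200"))  # True
```

Run the printed statements on the self-managed instance, then use is_dsc_source when reviewing login audit entries for the DSC account.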

    ADB-PG

    AnalyticDB for PostgreSQL does not support automatic asset synchronization. To add an asset, click Add Asset and provide the following parameters.

    Parameter

    Description

    Region

    Select the region where the instance is located.

    Instance Name

    Select the target instance in the specified region.

    Database Name

    Enter the name of the database that you want to onboard.

    Username

    Enter the username for connecting to the database. Select the permission level (Read/Write or Read-only) that corresponds to the user's actual access rights in the database.

    Password

    Enter the password for the specified username.

Step 2: Enable the feature

Supported features by asset type

The following table lists the asset types that can be connected to DSC and their supported features. Additionally, assets in certain regions have feature limitations. For a complete list of these limitations, see Supported regions.

Asset type | Configuration Risks | Classification and Grading | Data Auditing | Data Detection and Response | Column Encryption | Image Masking | Enable/Automatically create database accounts
--- | --- | --- | --- | --- | --- | --- | ---
RDS | Supported | Supported | Supported | Supported | Supported | Not supported | Supported only for writable instances of MySQL, SQL Server, and MariaDB.
PolarDB | Supported | Supported | Supported | Supported | Supported | Not supported | Supported only for MySQL.
PolarDB-X | Supported | Supported | Supported | Not supported | Not supported | Not supported | Supported
PolarDB-X 2.0 | Not supported | Supported | Supported | Not supported | Supported | Not supported | Supported
Redis | Supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported
MongoDB | Supported | Supported | Supported | Not supported | Not supported | Not supported | Not supported
OceanBase | Supported | Supported | Supported | Not supported | Not supported | Not supported | Not supported
Self-Managed Database | Not supported | Supported only for ECS assets. | Supported | Not supported | Not supported | Not supported | Not supported
OSS | Supported | Supported | Supported | Supported | Not supported | Supported | Supported
SLS | Not supported | Supported | Not supported | Not supported | Not supported | Not supported | Supported
TableStore | Not supported | Supported | Supported | Not supported | Not supported | Not supported | Supported
MaxCompute | Supported | Supported | Supported | Not supported | Not supported | Not supported | Supported
ADB-MYSQL | Supported | Supported | Supported | Not supported | Not supported | Not supported | Not supported
ADB-PG | Supported | Supported | Supported | Not supported | Not supported | Not supported | Not supported

Configuration Risks

  • Feature description: This feature detects configuration risks by analyzing the configurations of your Alibaba Cloud databases, storage, and big data assets. The risks cover areas such as permission management, access control, encrypted transmission, and disaster recovery. This feature also continuously monitors your configuration security.

  • How to enable: Locate the target asset and click the toggle in the Configuration Risks column to enable this feature. After it is enabled, you can go to the Risk Governance > Configuration Risks page to manage these risks. For more information, see security baseline check.

Data Auditing

  • Feature description: This feature audits logs from data sources such as databases and OSS. It uses more than 900 built-in rules for high-risk operations to identify abnormal behavior, data leakage, SQL injection, and other risks. It also supports custom rules, multi-dimensional log filtering, and real-time alerts.

  • How to enable: Locate the target asset and click the toggle in the Data Auditing column to enable this feature. For a Self-Managed Database, you must also configure the network and install an agent. For more information, see Install an agent. After it is enabled, you can go to the Data Auditing > Native Data Auditing page to manage data audits. For more information, see cloud-native data auditing.

Data Detection and Response

  • Feature description: This feature focuses on data leakage prevention by automatically identifying sensitive content, such as user AccessKey pairs (AKs) and database connection strings, in OSS files. It also detects file access that uses leaked or abnormal AKs and abnormal logon activity that uses leaked database accounts.

  • How to enable: Locate the target asset and click the toggle in the Data Detection and Response column to enable this feature. After it is enabled, you can go to the Data Detection and Response > Data Leak page to manage data leakage. For more information, see Data Detection and Response.

Classification and Grading

  • Feature description: DSC provides sensitive data identification templates for industries such as finance, energy, and automotive. You can use these templates to identify sensitive information in your assets and manage its classification and grading based on location, type, and sensitivity level.

  • How to enable: Locate the target asset, click the toggle in the Classification and Grading column, and complete the following configurations in the Enable Classification and Grading dialog box.

    General assets

    Parameter

    Description

    Activation Method

    DSC provides the following three methods to connect to data assets for data detection tasks. The supported connection methods vary by asset type.

    • Automatically create database accounts: DSC automatically creates a read-only account with a name that starts with sddp_auto in the target data asset. DSC uses this account to connect to the database and identify data.

      Note

      If you no longer use DSC, the system automatically removes this read-only account 15 days after your DSC instance expires.

    • Manually enter username and password: Enter the account and password to connect to the target database.

    • Service-Linked Role Access: DSC uses a service-linked role to access the data asset.

    Authorization Scope

    Select the scope for data detection. Some asset types only support Entire data source.

    • Entire data source.

    • Manage authorization scope in the data source list: Select an authorization scope.

    Automatically create and start a default scan task

    If you select this option, DSC immediately creates a default scan task.

    You can later go to the Classification and Grading > Tasks > Identification Tasks tab and click Default Tasks to view or configure the default scan task. For more information, see Scan sensitive data by using an identification task.

    Automatically connect to new databases. (Supported by only some database assets)

    If enabled, DSC automatically connects to new databases that it discovers in an instance during asset synchronization.

    Self-Managed Database

    Configure the Database Name, Database Account, Database Password, and Database Port. You can add up to 20 databases.

  • View the DSC connection status: After enabling the data classification and grading feature, you can click the number next to the toggle to view the connection status. The initial status is Testing Connectivity. In this state, DSC performs a connectivity check every 30 seconds:

    • For database assets, DSC attempts to log in to the database with the configured account and password.

    • For OSS assets, DSC verifies that the specified bucket exists.

    If a check is successful (the database login is successful or the OSS bucket exists), the connection status changes to Connected. If a check fails, a failure is recorded. If 10 consecutive checks fail, the connection status changes to Connection Failed. In the Data Classification and Grading Enablement Details pop-up window, the Account Connection Status column shows the connection result. If the connection is successful, the status is Connected and the Data Classification and Grading Status is Enabled.

  • Next steps: Go to the Classification and Grading > Asset Insight page to view the identified sensitive information, or go to the Classification and Grading > Identification Configuration page to configure sensitive data identification templates. For more information, see Sensitive data classification and grading.
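  The connectivity-check behaviour described above, as an added example that is not part of the original page: a small Python model that replays check outcomes and reports the status DSC would show, with the 30-second interval and the 10-consecutive-failure threshold taken from the text. The function names, the constructed scenarios and the assumption that the replay stops at the first final state (the page does not say whether Connected can change back) are mine.

```python
CHECK_INTERVAL_SECONDS = 30    # DSC re-checks every 30 seconds (from the page)
FAILURES_TO_DISCONNECT = 10    # 10 consecutive failures => Connection Failed

TESTING, CONNECTED, FAILED = "Testing Connectivity", "Connected", "Connection Failed"


def replay_connectivity(check_results):
    """Replay connectivity-check outcomes (True = database login or bucket
    lookup succeeded) and return (seconds_elapsed, status) after each check.

    Assumption made here: the replay stops at the first final state, since the
    page does not say whether Connected can later change back.
    """
    status, consecutive_failures, timeline = TESTING, 0, []
    for n, ok in enumerate(check_results, start=1):
        if ok:
            status, consecutive_failures = CONNECTED, 0
        else:
            # Only an unbroken run of failures counts; a success resets it.
            consecutive_failures += 1
            if consecutive_failures >= FAILURES_TO_DISCONNECT:
                status = FAILED
        timeline.append((n * CHECK_INTERVAL_SECONDS, status))
        if status != TESTING:
            break
    return timeline


def final_status(check_results):
    """Status shown in the Data Classification and Grading Enablement Details
    window after the given checks (still Testing if nothing is decisive yet)."""
    timeline = replay_connectivity(check_results)
    return timeline[-1][1] if timeline else TESTING


if __name__ == "__main__":
    # Constructed scenarios: an allowlist that never admits DSC, and one that
    # is corrected after four failed checks.
    print(replay_connectivity([False] * 12)[-1])          # (300, 'Connection Failed')
    print(replay_connectivity([False] * 4 + [True])[-1])  # (150, 'Connected')
```

The first scenario shows that a blocked allowlist takes about five minutes (10 checks at 30 seconds) to surface as Connection Failed, so an immediate Testing Connectivity status is not yet a verdict.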

Column Encryption

  • Feature description: Encrypts specific columns in a database to prevent unauthorized users from directly accessing sensitive data in plaintext through cloud platform software or database connection tools. This effectively defends against internal and external security threats.

  • How to enable: Locate the target asset, click the toggle in the Column Encryption column, and complete the following configurations in the Encryption Configuration dialog box.

    Important
    • Prerequisite: Before configuring column encryption, you must enable the data classification and grading feature and complete data scanning and identification.

    • Detailed configuration: This section describes only the parameters required to configure column encryption in Asset Center for quick deployment. For more information about encryption principles and full configuration instructions, see column encryption.

    Parameter

    Description

    Asset Type and Instance Name

    The target asset is pre-selected. No manual adjustment is required.

    Encryption Algorithm

    Select an encryption algorithm.

    Encryption Method

    You can use a local key or a KMS key to encrypt data. KMS keys are supported only for RDS for MySQL.

    Plaintext Permission Accounts

    Configure accounts that are allowed to access data in plaintext. Queries from unconfigured accounts return ciphertext.

    Important

    If you used the Manually enter username and password method to connect DSC to your data asset when enabling Classification and Grading, you must add that database account to Plaintext Permission Accounts. This ensures that the account keeps read access to the database, so that DSC can perform up-to-date classification and grading.

    Configure Columns

    Select the data columns to encrypt.

  • Next steps: Go to the Risk Governance > Column Encryption page to view an overview of sensitive column encryption and manage account permissions.

Image Masking

  • Feature description: This feature creates an image desensitization task to scan images in a target bucket for sensitive information, such as ID card numbers, license plate numbers, and faces. The service then desensitizes this information by masking it with a gray rectangle.

  • How to enable: Locate the target asset, click the toggle in the Image Masking column, and complete the following configurations in the Enable Image Masking dialog box.

    Note

    If you want to identify and classify sensitive information in images before desensitization, you must enable the Classification and Grading feature for the bucket.

    Parameter

    Description

    Task Name

    Enter a name for the desensitization task.

    Masking Scope

    Configure which images to desensitize. DSC scans all images in the selected bucket.

    • To desensitize all eligible images in the bucket, you do not need to configure this parameter.

    • To desensitize specific images in the bucket, configure this parameter and then select the file path matching method: Match by Prefix or Match by Suffix.

      For example, a bucket contains the following images that meet the desensitization criteria: example/dir01/test01.png, example/dir02/test02.jpg, testexample/testdir/testim.jpg, and test.jpg.

      • Match Prefix: Enter the prefix example. DSC desensitizes only the matching images example/dir01/test01.png and example/dir02/test02.jpg.

      • Match Suffix: Enter the suffix jpg. DSC desensitizes only the matching images test.jpg, testexample/testdir/testim.jpg, and example/dir02/test02.jpg.

    Scan Type

    • Run Now: Scan and desensitize images immediately.

    • Periodic Run: Configure a Scheduled Execution Time. DSC desensitizes incremental images in the bucket at 00:00:00 based on the configured schedule. To run the task immediately, select Run Again Now.

    Image Type

    Select one or more supported information types to desensitize.

    De-identification Method

    Currently, only masking is supported.

  • Next steps: Go to the Risk Governance > Image Masking page to view the details of your desensitization tasks. For more information, see OSS Image Desensitization.

One-click activation

Use one-click activation to efficiently enable features for many assets at once.

Note

This feature supports only Configuration Risks, Data Classification, Data Auditing, and Data Detection and Response. You must enable other features manually.

To enable: Locate the target asset, click Enable in the Actions column, and complete the following configuration.

Parameter

Description

Feature selection

Select the features to enable.

Scan assets and identify sensitive data now.

If selected, DSC immediately creates a default scan task.

You can then go to the Classification and Grading > Tasks > Identification Tasks tab and click Default Tasks to view or configure the default system scan task. For more information, see Scan for sensitive data by using discovery tasks.

Automatically connect to new databases. (Supported by only some databases)

If enabled, DSC automatically connects to new databases detected in the instance during manual or automatic asset synchronization.

Routine O&M

Asset overview

In the upper-right corner of the Asset Center page, you can view the number of instances with enabled features and the storage capacity usage.  

In the asset list on the left, click a target asset type. The total number of assets of this type and their feature status appear at the top of the page. Click the number under "Features disabled" to filter assets by this status.

The feature statuses include configuration risk disabled, data classification disabled, data audit disabled, and column-level encryption disabled. In the Actions column of the asset list, you can click Enable All to enable the corresponding features.

Note

For SLS assets, the data volume displayed in the DSC console may differ from the storage volume shown in the Log Service console. This is expected because the data volume that DSC calculates includes both free-tier and billable data.

Edit enabled features

  • Classification and Grading: After you enable the Classification and Grading feature, you can view the DSC authorization and connection status for certain assets to the right of the toggle.

    Click the number to the right of the toggle to open a panel where you can perform the following operations on the target database (or SLS LogStore):

    • Authorize DSC: Select the target database or LogStore and click Batch Enable. If you did not select Automatically create database accounts when enabling the Classification and Grading feature, you must enter the database account and password in the dialog box and then click OK.

    • Deauthorize DSC: Select the target database or LogStore, click Bulk Disable, and then click OK in the dialog box.

    • Add a database (MongoDB only): Click Add Database. In the dialog box, enter the Database Name, Database Account, and Database Password, and then click OK.

    • Modify the discovery node (MongoDB only): By default, DSC discovers data from the secondary node. To change this, click the icon in the Node column. In the Edit dialog box, modify the settings and click OK. The node configuration change takes effect in the next discovery task.

  • Column Encryption: After you enable the Column Encryption feature, you can view the encrypted column status for the database instance to the right of the toggle.

    Click the number to the right of the toggle to open a panel where you can modify settings such as Encryption Algorithm and Account Permissions. For more information, see Configure column-level encryption for a database.

    In the asset management list in Data Security Center, information such as Encrypted Columns 1/5 appears to the right of the toggle in the Column-level encryption column. This means 1 of the 5 columns in the instance is encrypted.

DSC IP ranges for database access

Region | CIDR blocks
--- | ---
China (Qingdao) | 100.104.69.0/26, 100.104.48.128/26
China (Beijing) | 100.104.250.0/26, 100.104.51.192/26
China (Zhangjiakou) | 100.104.37.128/26, 100.104.191.64/26
China (Hohhot) | 100.104.234.192/26, 100.104.26.128/26
China (Hangzhou) | 100.104.207.192/26, 100.104.232.64/26
China (Shanghai) | 100.104.238.64/26, 100.104.198.192/26
China (Shenzhen) | 100.104.247.0/26, 100.104.150.64/26
China (Hong Kong) | 100.104.153.64/26, 100.104.65.192/26
Alibaba Cloud for Government | 100.104.88.64/26, 100.104.1.0/26
China (Shanghai) Finance | 100.104.254.0/26, 100.104.40.128/26
China (Hangzhou) Finance | 100.104.207.192/26, 100.104.232.64/26
China (Chengdu) | 100.104.152.128/26, 100.104.199.192/26