All Products
Search
Document Center

Data Security Center:Configure identification templates

Last Updated:Aug 12, 2024

Data Security Center (DSC) provides built-in identification templates to identify sensitive data for different industries, such as the financial, energy, and automotive industries. You can use identification templates to identify sensitive data in your assets. You can use built-in identification templates or configure custom identification templates based on built-in identification templates. This topic describes how to configure an identification template.

Terms

Before you use identification templates, make sure that you understand the related terms. The following table describes the terms.

Term

Description

identification template

Identification templates are tailored to meet industry-specific standards for the classification of sensitive data. You can use identification templates to check whether sensitive data meets compliance requirements.

built-in identification template

To help you quickly configure data identification, DSC provides built-in identification templates for common industries, including the built-in classification template for the financial industry, the built-in data security classification template for Alibaba and Ant Group, the built-in classification template for the energy industry, and the built-in classification template for the Internet of Vehicles (IoV) industry. You can select a built-in identification template based on your business scenarios. Built-in identification templates only allow you to enable or disable built-in identification models. You cannot configure custom sensitivity levels, identification features, or identification models. For more information, see Supported industry-specific classification templates.

custom identification template

If built-in identification templates cannot meet your business requirements, you can copy built-in identification templates to create custom identification templates. You can configure identification features and identification models to create a custom identification template that meets your business requirements. You can create up to 7 custom identification templates. The total number of identification templates cannot exceed 10.

main template

The main template is the identification template that is used by the system. Only one main template is allowed. The data that is identified by the main template is displayed on all pages in the DSC console, such as the Asset Insight and Data Directory pages.

active template

Active templates are identification templates that are enabled. You can select an active template when you create an identification task. You can configure up to two active templates.

identification feature

Identification features support content-based identification, metadata identification, and dictionary-based identification. The features use operators such as regular expressions, Contains and Does Not Contain to identify sensitive data characteristics and formulate identification rules. You can associate multiple identification rules by using the AND and OR logical operators to create complex identification rules. This allows you to identify sensitive data characteristics in a more flexible manner. DSC provides built-in identification features for typical sensitive data types and supports custom identification features. For more information about built-in identification features, see Supported sensitive data types.

identification model

An identification model is defined based on one or more identification features and associated with final identification results. You can configure the scope of an identification model. For example, you can configure an identification model to support only specific data assets, such as database instances, tables, Object Storage Service (OSS) buckets, and file directories. DSC provides built-in identification models for typical sensitive data and supports custom identification models.

Prerequisites

DSC is authorized to access and identify your data assets. For more information, see Asset authorization.

Limits

By default, the built-in classification template for the Internet industry is enabled. You can enable up to two identification templates.

Use a built-in identification template

If no identification templates are configured, the built-in classification template for the Internet industry is enabled and used as the main template. Procedure:

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Insights > Config.

  3. Enable and configure the main template.

    Only an enabled template can be configured as the main template.

    1. If you want to use another built-in identification template in an identification task, go to the Template Management tab, find the built-in identification template that you want to enable, and then turn on the switch in the Status column.

      By default, the built-in classification template for the Internet industry is enabled. You can also enable up to two templates. The enabled template is displayed in the Enabled Templates section.

    2. In the Enabled Templates section, find the built-in identification template that you want to use as the main template and click Main Template. In the message that appears, click Continue.

      To change the main template, disable all identification tasks that currently use the template. After the identification tasks are disabled, you can proceed to change the main template. After the change operation is complete, the new template is used as the main template.

Use a custom identification template

The first time you use a custom identification template, perform the following steps.

Step 1: Create a custom identification template and manage identification features

You can copy built-in identification templates to create custom identification templates. You can view the built-in identification features provided by DSC. If the built-in identification features cannot meet your requirements, you can add new features to a custom identification template.

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Insights > Config.

  3. On the Template Management tab, click Configure Template, find the template that you want to copy, and then click Copy in the Actions column. In the Copy Template dialog box, specify a template name and click OK.

    You can copy the template of the corresponding industry based on the nature of your business.

    After you copy a template, DSC automatically copies all identification models of the copied template as custom identification models.

  4. On the Identification Configuration page, click the Identification Features tab.

  5. In the feature list, view the built-in identification features.

    You cannot modify or delete built-in identification features.

  6. If the built-in identification features cannot meet your requirements, configure a custom identification feature.

    1. Click Add Feature.

    2. In the Add Feature panel, configure the parameters and click OK.

      Parameter

      Description

      Feature Name

      The name of the custom identification feature.

      Match Item

      The following match types are supported.

      • Rule Match: Configure feature rules. You can click Add Rule to add multiple feature rules. The feature rules can be evaluated by using the AND or OR logical operator.

        If you select Exception Rule, you can click Add Rule to add multiple exception rules. The exception rules can be evaluated by using the AND or OR logical operator.

        The feature detects data that meets the feature rules but does not meet the exception rules.

      • Dictionary Match: Enter a keyword and press Enter. A keyword can be 1 to 128 characters in length. You can configure multiple keywords. A keyword cannot contain commas (,). Otherwise, the keyword is considered as two or more keywords separated with commas. Fuzzy match is supported.

      Data Type

      The type of data that you want to identify. Valid values: Structured Data and Unstructured Data.

Step 2: Manage an identification model

  1. On the Identification Configuration page, click the Identification Models tab.

  2. On the Identification Models tab, view built-in identification models.

  3. You can only enable or disable built-in identification models. You cannot modify or delete built-in identification models.

    You can click Details in the Actions column to view the rules and identification thresholds of an identification model. You can click Create Submodel in the Actions column to create a submodel for a built-in identification model. For more information about the parameters, see the following section.

  4. If built-in identification models cannot meet your requirements, create a custom identification model.

    1. Click Create.

    2. In the Create panel, configure the parameters and click OK.

    3. Category

      Parameter

      Description

      Basic Information

      Model Name

      Enter the name of the custom identification model.

      Model Description

      Enter the description of the identification model.

      Tag

      Select the tag that is added to the identification model. You can add the Personal sensitive information, Personal information, or General information tag to the identification model.

      Data Category

      Select a template, sensitive data type, and sensitivity level from drop-down lists for the identification model.

      You can select only a custom identification template.

      Model Rule

      Identification Features

      Select the identification features that are used by the model from the drop-down list.

      You can select built-in identification features and custom identification features. You can select multiple identification features. The features are evaluated by using the OR logical operator.

      Identification Scope

      Select the asset types for which you want the model to take effect from the drop-down list.

      Multiple assets can be selected. The asset types are evaluated by using the OR logical operator.

      Advanced Settings

      To configure a more precise scope for sensitive data identification, you can configure advanced settings. Perform the following steps:

      1. Select an asset type from the drop-down list.

      2. You can select only the asset types that you selected for the Identification Scope parameter. To configure multiple asset types, click the image icon.

      3. Select a logical operator for different conditions. Valid values: AND and OR. To configure multiple condition groups, click Create Group. The added condition group is a subset of the first condition group.

      4. Configure identification conditions. To add multiple identification conditions, click Add Condition.

      Identification Threshold

      Minimum Hits (Unstructured Data)

      Specify the minimum threshold for the number of features that are hit for a single object in OSS.

      If the minimum threshold is reached, the object meets the sensitive data defined by the model.

      For example, if the minimum threshold is 1 and a file hits one feature in the identification model, the file is identified as sensitive data of the specified type and sensitivity level.

      Hit Ratio (Structured Data)

      Specify the hit ratio of structured data, such as ApsaraDB RDS.

      If the percentage of hits among 200 data samples meets the hit ratio, the data is classified as sensitive.

      For example, if the hit ratio is 50% and 100 data entries in a column meet the identification model, the column is identified as sensitive data of the specified type and sensitivity level.

Step 3: Enable a custom identification template

  1. On the Identification Configuration page, click the Template Management tab.

  2. Find the custom identification template that you want to enable and click the image icon in the Status column to enable the template.

  3. In the Enabled Templates section, click Main Template to configure the template as the main template.

Related operations

  • View the details of a template: Click Configure Template, find the template that you want to view, and then click View in the Actions column. You can view all sensitivity data types and identification models in the template.

  • Delete a template: You can delete only custom identification templates. You cannot delete built-in identification templates. To delete a template, click Configure Template, find the template that you want to delete, click the image icon in the Actions column, and then click Delete. After you delete a template, the custom identification models that belong to the template are also deleted.

  • Manage sensitivity data types:

    You can configure only the sensitivity data types of custom identification templates. You cannot modify the sensitivity data types of built-in identification templates. To manage sensitivity levels, click Configure Template, find the template that you want to manage, and then click Edit in the Actions column. Then, click Next. In the Template Configuration section, perform the following operations:

    • Add a sensitivity data type: Click the image icon next to an existing type and then click Add Same-level Category to add a sensitivity data type.

    • Change the name of a sensitivity data type: Click the input box to change the name of a sensitive data type.

    • Delete a sensitivity data type: Click the image icon next to an existing sensitivity data type and then click Delete to delete the sensitivity data type.

  • Manage the identification models of an identification template:

    For built-in identification templates, you can only enable or disable identification models. For custom identification templates, you can perform the following operations in the Template Configuration section:

    • Add an identification model: Click the image icon next to an existing sensitivity data type and then click Create to add an identification model.

    • Delete an identification model: Click the image icon next to an existing sensitivity data type, find the identification model that you want to delete, and then click the image icon.

  • Manage sensitivity levels

    For built-in identification templates, you cannot add or delete sensitivity levels. You can only modify the description of a sensitivity level. For custom identification templates, you can add, modify, and delete sensitivity levels.

    By default, 10 sensitivity levels are configured for a custom identification template, and up to 10 sensitivity levels can be configured.

    • Delete a sensitivity level: Only the S10 sensitivity level can be deleted. To delete a sensitivity level, click Sensitivity Level Configuration, find the level that you want to delete, and then click Delete in the Actions column.

    • Add a sensitivity level: Click Sensitivity Level Configuration and then click Configure Custom Sensitivity Level. To perform the operation for a template, the template must have less than 10 sensitivity levels.

    • Modify a sensitivity level: Click Sensitivity Level Configuration, find the level that you want to modify, and then click Edit in the Actions column.

What to do next

Use an identification template when you create an identification task. For more information, see Identification tasks.