Mastering Sensitive Data Scanning & Protection on Alibaba Cloud

Background

Scanning and protecting sensitive enterprise data (personal identity information, financial records, medical records, etc.) improves data security, helps comply with regulations such as GDPR, and reduces the risk of data leakage.

Solution Design

The solution leverages Alibaba Cloud Data Security Center (DSC) and Log Service (SLS) to discover, classify, and mask sensitive data in logs.

1. Access Desensitization Scheme

1.1 Access Phase

Analyze sample logs to locate sensitive fields, configure SLS Logtail collection, and verify desensitization results via DSC.

1.2 Iterative Optimization

Create periodic DSC scanning tasks to continuously refine masking configurations based on scan results.

Data Collection Pipelines

Logtail side‑masking (Data Flow 1): configure Logtail, then apply either a regex plugin or SPL parsing to replace sensitive fields.

Logtail + Ingest Processor (Data Flow 2): collect raw logs with Logtail, then mask on the server side using SPL in the Ingest Processor.

SDK + Ingest Processor (Data Flow 3): write logs via SDK, mask in the service using SPL.

DSC Sensitive Scanning

Authorize SLS assets in DSC, create custom identification templates, and run scanning tasks to obtain sensitivity levels and sample data.

2. Query Desensitization Scheme

When full logs must be stored, use StoreView with SPL to perform on‑the‑fly masking before exposing data to analysts.

2.1 StoreView Configuration

Define a virtual StoreView linking multiple logstores, then apply SPL expressions such as:

* | parse-json content
| extend creadit_card=regexp_replace(creadit_card, '\d{12}$','***********')
| extend customer_name=regexp_replace(customer_name, '\S{4}$','******')
| extend phone_number=regexp_replace(phone_number, '\S{3}\s\S{4}$','*** ****')
| extend ip_address=regexp_replace(ip_address, '\d{1,3}.\d{1,3}$','**.**')
| extend email=regexp_replace(email, '\S+@','****@')
| project-away content

3. Periodic Scanning

Set up daily, weekly, or monthly DSC scanning tasks to continuously monitor new log data and adjust masking rules accordingly.

Conclusion

By combining DSC scanning, Logtail/SDK pipelines, and StoreView SPL masking, enterprises can reduce data leakage risk, meet compliance requirements, and maintain data governance while still enabling business analytics.