Sensitive Data Protection

Sensitive Data Protection helps you discover, classify, and de-identify sensitive data inside and outside Google Cloud.

Sensitive data discovery

The discovery service lets you generate profiles for your data across an organization, folder, or project. Data profiles contain metrics and metadata about your data assets and help you determine where reside. Sensitive Data Protection reports these metrics at various levels of detail. For information about the types of data you can profile, see .

Sensitive data inspection

The inspection service lets you perform a deep scan of an individual resource to find instances of sensitive data. You specify the infoType that you want to search for, and the inspection service generates a report about every instance of data that matches that infoType. For example, the report tells you how many credit card numbers are in a Cloud Storage bucket and the exact location of each instance.
There are two ways to perform an inspection:
Create an inspection or hybrid job through the Google Cloud console or through the Cloud Data Loss Prevention API of Sensitive Data Protection (DLP API).
Send a request to the DLP API.

Sensitive data de-identification

The de-identification service lets you obfuscate instances of sensitive data. Various are available, including masking, redaction, bucketing, date shifting, and tokenization.
There are two ways to perform de-identification:
Create a de-identified copy of Cloud Storage data using an inspection job. For more information, see .
Send a request to the DLP API. For more information, see .
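
A local illustration of the transformation types named above (masking, redaction, bucketing, date shifting, tokenization), added here as an example; it is not Google's code and does not call the DLP API. The record, key, email regex and function names are constructed for the demo, and HMAC-SHA256 is an assumed stand-in for tokenization and for deriving the date offset.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed sample record and key; none of these values come from the page.
KEY = b"constructed-demo-key"
RECORD = {"patient_id": "P-1001", "card": "4111 1111 1111 1111", "age": 37,
          "visit": date(2024, 3, 14), "note": "Reach me at jane@example.com"}

def mask(value, keep_last=4, char="*"):
    """Masking: hide all but the last few digits, keeping separators."""
    total = sum(c.isdigit() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - keep_last else char)
        else:
            out.append(c)
    return "".join(out)

def redact(text, pattern=r"[\w.+-]+@[\w-]+\.[\w.]+"):
    """Redaction: remove the matched value entirely."""
    return re.sub(pattern, "[REDACTED]", text)

def bucket(n, width=10):
    """Bucketing: replace an exact number with its range."""
    low = (n // width) * width
    return f"{low}-{low + width - 1}"

def tokenize(value, key=KEY):
    """Tokenization: keyed HMAC-SHA256, so equal inputs give equal tokens."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def shift_date(d, context, key=KEY, max_days=30):
    """Date shifting: one offset per context preserves intervals between its dates."""
    digest = hmac.new(key, context.encode(), hashlib.sha256).digest()
    offset = int.from_bytes(digest[:4], "big") % (2 * max_days + 1) - max_days
    return d + timedelta(days=offset)

def deidentify(rec):
    """Apply one transformation per field of the constructed record."""
    return {"patient_id": tokenize(rec["patient_id"]),
            "card": mask(rec["card"]),
            "age": bucket(rec["age"]),
            "visit": shift_date(rec["visit"], rec["patient_id"]),
            "note": redact(rec["note"])}

if __name__ == "__main__":
    for field, value in deidentify(RECORD).items():
        print(f"{field}: {value}")
```

Tokens and date offsets stay consistent only while the same key is used, so the key itself has to be protected like the data it replaces.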

Risk analysis

The risk analysis service lets you analyze structured BigQuery data to identify and visualize the risk that sensitive information will be revealed (re-identified).
You can use risk analysis methods before de-identification to help determine an effective de-identification strategy, or after de-identification to monitor for any changes or outliers.
You perform risk analysis by creating a risk analysis job. For more information, see .

Cloud Data Loss Prevention API

The Cloud Data Loss Prevention API lets you use the Sensitive Data Protection services programmatically. Through the DLP API, you can inspect data from inside and outside Google Cloud and build custom workloads on or off cloud. For more information, see .

Asynchronous operations

If you want to asynchronously inspect or analyze data at rest, you can use the DLP API to create a DlpJob. Creating a DlpJob is the equivalent of creating an inspection job, hybrid job, or risk analysis job through the Google Cloud console. The results of a DlpJob are stored in Google Cloud.

Synchronous operations

If you want to inspect, de-identify, or re-identify data synchronously, use the inline content methods of the DLP API. To de-identify data in images, you can use the image.redact method. You send the data in an API request and the DLP API responds with the inspection, de-identification, or re-identification results. The results of content methods and the image.redact method aren't stored in Google Cloud.

