Sensitive Data Protection overview
Sensitive Data Protection helps you discover, classify, and de-identify sensitive data inside and outside Google Cloud. This page describes the services that make up Sensitive Data Protection.
Sensitive data discovery
The discovery service lets you generate profiles for your data across an organization, folder, or project. Data profiles contain metrics and metadata about your data assets and help you determine where sensitive and high-risk data reside. Sensitive Data Protection reports these metrics at various levels of detail. For information about the types of data you can profile, see Supported resources.
You use a scan configuration to specify the resource to scan, the types of information (infoTypes) to look for, the profiling frequency, and the actions to take when profiling is complete.
Tip: Data profiling is useful if you want to scan large amounts of data at a high level. If you need to know the granular details, like the exact location of every instance of sensitive data, consider performing an inspection as well.
For more information about the discovery service, see Data profiles overview.
Sensitive data inspection
The inspection service lets you perform a deep scan of an individual resource to find instances of sensitive data. You specify the infoType that you want to search for, and the inspection service generates a report about every instance of data that matches that infoType. For example, the report tells you how many credit card numbers are in a Cloud Storage bucket and the exact location of each instance.
Tip: An inspection is useful if you need detailed information about each instance of sensitive data stored in a resource, like a single BigQuery table. It is especially useful if you have unstructured data—like user-provided comments—that might have intermittent instances of personally identifiable information.
If you need to perform automated scans of multiple resources across projects, folders, or the entire organization, use the discovery service to generate data profiles.
There are two ways to perform an inspection:
- Create an inspection or hybrid job through the Google Cloud console or through the Cloud Data Loss Prevention API of Sensitive Data Protection (DLP API).
- Send a content.inspect request to the DLP API.
Inspection through a job
You can configure inspection and hybrid jobs through the Google Cloud console or through the Cloud Data Loss Prevention API. The results of inspection and hybrid jobs are stored in Google Cloud.
You can specify actions that you want Sensitive Data Protection to take when the inspection or hybrid job is complete. For example, you can configure a job to save the findings to a BigQuery table or send a Pub/Sub notification.
Inspection jobs
Sensitive Data Protection has built-in support for select Google Cloud products. You can inspect a BigQuery table, a Cloud Storage bucket or folder, and a Datastore kind. For more information, see Inspect Google Cloud storage and databases for sensitive data.
Hybrid jobs
A hybrid job lets you scan payloads of data sent from any source, and then store the inspection findings in Google Cloud. For more information, see Hybrid jobs and job triggers.
Inspection through a content.inspect request
The content.inspect method of the DLP API lets you send data directly to the DLP API for inspection. The response contains the inspection findings. Use this approach if you require a synchronous operation or if you don't want to store the findings in Google Cloud.
Sensitive data de-identification
The de-identification service lets you obfuscate instances of sensitive data. Various transformation methods are available, including masking, redaction, bucketing, date shifting, and tokenization.
There are two ways to perform de-identification:
- Create a de-identified copy of Cloud Storage data using an inspection job. For more information, see De-identification of sensitive data in storage.
- Send a content.deidentify request to the DLP API. For more information, see De-identifying sensitive data.
Risk analysis
The risk analysis service lets you analyze structured BigQuery data to identify and visualize the risk that sensitive information will be revealed (re-identified).
You can use risk analysis methods before de-identification to help determine an effective de-identification strategy, or after de-identification to monitor for any changes or outliers.
You perform risk analysis by creating a risk analysis job. For more information, see Re-identification risk analysis.
Cloud Data Loss Prevention API
The Cloud Data Loss Prevention API lets you use the Sensitive Data Protection services programmatically. Through the DLP API, you can inspect data from inside and outside Google Cloud and build custom workloads on or off cloud. For more information, see Service method types.
Asynchronous operations
If you want to asynchronously inspect or analyze data at rest, you can use the DLP API to create a DlpJob. Creating a DlpJob is the equivalent of creating an inspection job, hybrid job, or risk analysis job through the Google Cloud console. The results of a DlpJob are stored in Google Cloud.
Synchronous operations
If you want to inspect, de-identify, or re-identify data synchronously, use the inline content methods of the DLP API. To de-identify data in images, you can use the image.redact method. You send the data in an API request and the DLP API responds with the inspection, de-identification, or re-identification results. The results of content methods and the image.redact method aren't stored in Google Cloud.
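The synchronous path described here and under "Inspection through a content.inspect request", as an added example that is not taken from Google's documentation: it builds a content.inspect request body and applies the findings from a response locally, since the results aren't stored in Google Cloud. The project ID, sample text and response are constructed, and no network call is made.

```python
# Added example: content.inspect request body plus local handling of the
# synchronous response. Project ID, text and response are constructed.
ENDPOINT = "https://dlp.googleapis.com/v2/projects/example-project/content:inspect"


def build_inspect_request(text, info_types, min_likelihood="POSSIBLE"):
    """JSON body for a content.inspect call on a plain string."""
    return {
        "item": {"value": text},
        "inspectConfig": {
            "infoTypes": [{"name": name} for name in info_types],
            "minLikelihood": min_likelihood,
            "includeQuote": True,  # lets the caller verify offsets below
        },
    }


def redact_with_findings(text, response):
    """Replace every finding in `text` with its infoType name in brackets."""
    spans = []
    for finding in response.get("result", {}).get("findings", []):
        # codepointRange matches Python str indexing; byteRange counts bytes.
        rng = finding["location"]["codepointRange"]
        # int64 values arrive as JSON strings; a zero start may be omitted.
        start, end = int(rng.get("start", 0)), int(rng["end"])
        if finding.get("quote") not in (None, text[start:end]):
            raise ValueError("finding offsets do not match the inspected text")
        spans.append((start, end, finding["infoType"]["name"]))
    out, cursor = [], 0
    for start, end, name in sorted(spans):
        if start >= cursor:  # spans overlapping an earlier one add no label
            out += [text[cursor:start], f"[{name}]"]
        cursor = max(cursor, end)  # overlapped text is still dropped
    return "".join(out) + text[cursor:]


# Constructed sample input and response (not real API output).
SAMPLE_TEXT = "Zo\u00eb: jane@example.com, card 4111 1111 1111 1111."
SAMPLE_RESPONSE = {"result": {"findings": [
    {"quote": "jane@example.com", "infoType": {"name": "EMAIL_ADDRESS"},
     "location": {"codepointRange": {"start": "5", "end": "21"}}},
    {"quote": "4111 1111 1111 1111", "infoType": {"name": "CREDIT_CARD_NUMBER"},
     "location": {"codepointRange": {"start": "28", "end": "47"}}},
]}}

if __name__ == "__main__":
    print(redact_with_findings(SAMPLE_TEXT, SAMPLE_RESPONSE))
```
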
Pricing
For information about costs associated with using Sensitive Data Protection, see Sensitive Data Protection pricing.
What's next
- Learn how to profile data in a project.
- Learn how to start or schedule an inspection.
- Learn how to inspect data from external sources using hybrid jobs.
- Learn how to create a de-identified copy of data stored in Cloud Storage.
- Learn how to compute k-anonymity for a dataset.
- Learn how to de-identify and re-identify data using the DLP API.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.