{"id":819,"date":"2026-04-16T06:45:37","date_gmt":"2026-04-16T06:45:37","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-sensitive-data-protection-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/"},"modified":"2026-04-16T06:45:37","modified_gmt":"2026-04-16T06:45:37","slug":"google-cloud-sensitive-data-protection-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-sensitive-data-protection-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/","title":{"rendered":"Google Cloud Sensitive Data Protection Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Security<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p><strong>What this service is<\/strong><br\/>\nSensitive Data Protection is Google Cloud\u2019s managed service for discovering, classifying, and de-identifying sensitive information (for example: PII, PHI, PCI data, credentials, and other regulated or confidential data) across content you send to the API and supported Google Cloud data sources.<\/p>\n\n\n\n<p><strong>Simple explanation (one paragraph)<\/strong><br\/>\nIf you need to find where sensitive data lives and reduce exposure (by masking, redacting, or tokenizing it), Sensitive Data Protection helps you detect sensitive patterns (like email addresses or credit card numbers) and transform data so teams can safely store, share, or analyze it.<\/p>\n\n\n\n<p><strong>Technical explanation (one paragraph)<\/strong><br\/>\nSensitive Data Protection (formerly widely known as <strong>Cloud Data Loss Prevention \/ Cloud DLP<\/strong>) provides an API-driven detection engine with built-in and custom detectors (\u201cinfoTypes\u201d), plus transformation methods for de-identification (masking, redaction, replacement, and cryptographic tokenization). It supports scanning content directly via API calls and running jobs over supported Google Cloud storage\/analytics services. Findings can be routed to destinations such as BigQuery, Cloud Storage, or Pub\/Sub for downstream workflows.<\/p>\n\n\n\n<p><strong>What problem it solves<\/strong><br\/>\nOrganizations often don\u2019t know <strong>what<\/strong> sensitive data they store, <strong>where<\/strong> it is, and <strong>how<\/strong> to reduce the risk of leaks. Sensitive Data Protection helps you:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Discover sensitive data at scale<\/li>\n<li>Classify and label data for governance and access control<\/li>\n<li>De-identify data for safer analytics and sharing<\/li>\n<li>Reduce compliance and breach risk through repeatable scanning and policy-based transformations<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Sensitive Data Protection?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>Sensitive Data Protection is designed to help you <strong>discover<\/strong>, <strong>inspect<\/strong>, <strong>classify<\/strong>, and <strong>de-identify<\/strong> sensitive data in Google Cloud and in data you provide to the service.<\/p>\n\n\n\n<blockquote>\n<p>Naming note (important): Google Cloud has rebranded \u201cCloud DLP\u201d under the product name <strong>Sensitive Data Protection<\/strong>. You will still see API and documentation references to \u201cDLP\u201d (for example, the DLP API, client libraries, and role names). Treat \u201cSensitive Data Protection\u201d as the current product name and \u201cDLP\u201d as the underlying API naming.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (what it can do)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detect sensitive data<\/strong> using built-in and custom detectors (infoTypes)<\/li>\n<li><strong>Inspect content<\/strong> you send to the API (strings, structured records)<\/li>\n<li><strong>Scan supported Google Cloud data sources<\/strong> using long-running jobs (batch inspection)<\/li>\n<li><strong>De-identify data<\/strong> with masking\/redaction\/replacement and cryptographic transformations<\/li>\n<li><strong>Measure re-identification risk<\/strong> (statistical risk analysis features, where applicable)<\/li>\n<li><strong>Automate and repeat scans<\/strong> using job triggers and templates<\/li>\n<li><strong>Route findings<\/strong> to destinations for alerts, reporting, or remediation workflows<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>InfoTypes<\/strong>: Detectors for sensitive patterns (predefined + custom)<\/li>\n<li><strong>Inspection configuration<\/strong>: What to scan for, how to score, what rules to apply<\/li>\n<li><strong>De-identification configuration<\/strong>: How to transform detected sensitive values<\/li>\n<li><strong>Templates<\/strong>: Reusable inspection and de-identification configurations<\/li>\n<li><strong>Jobs &amp; job triggers<\/strong>: Batch scans and scheduled\/triggered scans for supported sources<\/li>\n<li><strong>Findings outputs<\/strong>: Optional export of findings to BigQuery\/Cloud Storage\/Pub\/Sub (depending on job type and configuration)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed Security service<\/strong> (API-first)<\/li>\n<li>Primarily used by <strong>security engineering<\/strong>, <strong>data platform<\/strong>, <strong>governance<\/strong>, and <strong>application teams<\/strong><\/li>\n<li>Works well as a control in a broader <strong>data security<\/strong> and <strong>privacy engineering<\/strong> program<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope: regional \/ global \/ project boundaries<\/h3>\n\n\n\n<p>Sensitive Data Protection is controlled via Google Cloud projects and IAM. Many resources (templates, jobs) are created within a project and may be associated with a <strong>processing location<\/strong> (for example <code>global<\/code>, <code>us<\/code>, <code>europe<\/code>, or other supported locations). The exact set of supported locations and data residency behavior can change\u2014<strong>verify current locations in official docs<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Google Cloud ecosystem<\/h3>\n\n\n\n<p>Sensitive Data Protection is typically used alongside:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IAM<\/strong> for access control and least privilege<\/li>\n<li><strong>Cloud Audit Logs<\/strong> \/ <strong>Cloud Logging<\/strong> for auditability<\/li>\n<li><strong>Cloud Storage \/ BigQuery<\/strong> as common data sources and destinations<\/li>\n<li><strong>Pub\/Sub + Cloud Functions\/Cloud Run<\/strong> for event-driven remediation<\/li>\n<li><strong>Security Command Center<\/strong> (in some org setups) for centralized security visibility (integration details depend on your SCC tier and configuration\u2014<strong>verify in official docs<\/strong>)<\/li>\n<li><strong>Dataplex \/ Data Catalog<\/strong> for metadata governance (often complementary; not a replacement)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use Sensitive Data Protection?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduce the financial and reputational impact of data leaks<\/li>\n<li>Support compliance initiatives (GDPR, HIPAA, PCI DSS, SOC 2, ISO 27001, etc.)<\/li>\n<li>Enable safer data sharing with partners, analysts, and ML teams<\/li>\n<li>Create repeatable evidence for audits (scan schedules, findings exports, remediation logs)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>High-quality detection using maintained detectors and configurable inspection rules<\/li>\n<li>De-identification methods that can preserve usefulness (e.g., partial masking, tokenization)<\/li>\n<li>API-driven design that integrates with CI\/CD, data pipelines, and apps<\/li>\n<li>Scales beyond what manual reviews or ad-hoc regex scripts can handle<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralized policy patterns using templates<\/li>\n<li>Batch scanning and automation using jobs and triggers<\/li>\n<li>Findings export to storage\/analytics systems for dashboards and triage<\/li>\n<li>Clear separation of responsibilities (security sets policy, platforms implement pipelines)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Helps enforce data minimization and least exposure<\/li>\n<li>Supports defensible handling of regulated data by locating it and transforming it<\/li>\n<li>Enables safer \u201canalytics zones\u201d with de-identified datasets<\/li>\n<li>Provides structured findings that can flow into incident response workflows<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Designed for large-scale discovery and repeated scanning (when using supported job modes)<\/li>\n<li>Supports both interactive \u201cinspect this content now\u201d and scheduled scans<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose Sensitive Data Protection when you need:\n&#8211; Sensitive data discovery across common cloud data stores\n&#8211; A consistent detection engine and policy-controlled transformations\n&#8211; An API\/service that fits into automated governance and data engineering workflows\n&#8211; Evidence of scanning and handling for compliance programs<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Sensitive Data Protection may not be the best fit if:\n&#8211; You need a full data governance catalog (ownership, lineage, glossary) \u2014 consider <strong>Dataplex\/Data Catalog<\/strong> as complementary\n&#8211; You need endpoint DLP on devices, email DLP, or SaaS app controls \u2014 those are typically handled by Google Workspace\/Chrome Enterprise or third-party tooling, not this service\n&#8211; Your data sources are unsupported and you cannot send content to the API in a compliant way\n&#8211; You require deterministic \u201cperfect\u201d detection: no content classifier is perfect; you must validate detectors and tune rules<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Where is Sensitive Data Protection used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Healthcare (PHI discovery and de-identification)<\/li>\n<li>Financial services (PCI and customer PII controls)<\/li>\n<li>Retail\/e-commerce (customer data governance)<\/li>\n<li>SaaS and technology (multi-tenant privacy and incident prevention)<\/li>\n<li>Public sector (regulated identifiers, data residency concerns)<\/li>\n<li>Education (student records)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security engineering and security operations<\/li>\n<li>Privacy engineering and compliance teams<\/li>\n<li>Data platform \/ data engineering teams<\/li>\n<li>DevOps\/SRE\/platform engineering (automation and guardrails)<\/li>\n<li>Application developers handling user-submitted content<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data lakes (Cloud Storage) and warehouses (BigQuery)<\/li>\n<li>ETL\/ELT pipelines (Dataflow, Dataproc, Composer) that need pre-ingestion checks<\/li>\n<li>Customer support systems exporting data for analytics<\/li>\n<li>Log and event pipelines that might accidentally capture secrets<\/li>\n<li>ML\/AI pipelines that require de-identified training data<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralized discovery scanning across projects (org-scale governance)<\/li>\n<li>Per-team scanning embedded into CI\/CD and data pipelines<\/li>\n<li>Hub-and-spoke: central security project manages templates; application projects run scans<\/li>\n<li>Event-driven remediation: findings \u2192 Pub\/Sub \u2192 Cloud Run \u2192 ticketing\/quarantine<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Dev\/test<\/strong>: validate detectors, tune custom infoTypes, test false-positive\/false-negative rates, verify transformations preserve usability  <\/li>\n<li><strong>Production<\/strong>: schedule scans, enforce standardized templates, integrate findings into alerting and remediation, maintain audit evidence, and track costs and quotas<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Sensitive Data Protection is commonly used.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Scan Cloud Storage buckets for PII before sharing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A team wants to share CSV exports but can\u2019t guarantee they don\u2019t contain PII.<\/li>\n<li><strong>Why this service fits<\/strong>: Batch inspection jobs can scan objects and report findings.<\/li>\n<li><strong>Example scenario<\/strong>: Marketing exports purchase history to a bucket for an agency; Sensitive Data Protection scans and flags emails and phone numbers before release.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Detect secrets accidentally stored in logs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Application logs might contain API keys, passwords, or tokens.<\/li>\n<li><strong>Why this service fits<\/strong>: You can inspect log payloads (or samples) and detect credential-like patterns (often using custom infoTypes and rules).<\/li>\n<li><strong>Example scenario<\/strong>: CI pipeline samples recent logs from a sink and scans for OAuth tokens; findings trigger a rotation workflow.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) De-identify customer support transcripts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Support transcripts contain names, emails, addresses, and account numbers.<\/li>\n<li><strong>Why this service fits<\/strong>: De-identification can redact or mask sensitive fields while retaining context.<\/li>\n<li><strong>Example scenario<\/strong>: A support analytics team tokenizes customer identifiers and masks addresses before training an internal classifier.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Build a \u201csafe analytics\u201d dataset in BigQuery<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Analysts need access to data, but raw PII access is heavily restricted.<\/li>\n<li><strong>Why this service fits<\/strong>: You can de-identify data and store transformed outputs in a separate dataset with broader access controls.<\/li>\n<li><strong>Example scenario<\/strong>: Security defines a de-identification template; a scheduled pipeline produces a de-identified BigQuery dataset for BI.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Compliance-driven discovery for PCI scope reduction<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: You don\u2019t know where card data exists; PCI audits become broad and expensive.<\/li>\n<li><strong>Why this service fits<\/strong>: Discovery identifies locations of card numbers and related data.<\/li>\n<li><strong>Example scenario<\/strong>: A retailer scans storage\/warehouse exports; only systems with confirmed PCI data remain in scope.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Pre-ingestion checks in ETL pipelines<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Data arrives from partners; you must verify and sanitize before storing.<\/li>\n<li><strong>Why this service fits<\/strong>: Inline inspection and de-identification can run as a pipeline step.<\/li>\n<li><strong>Example scenario<\/strong>: Dataflow calls Sensitive Data Protection to inspect streaming records and redact fields before writing to BigQuery.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Identify regulated IDs in semi-structured JSON<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: JSON payloads contain many optional fields and nested objects.<\/li>\n<li><strong>Why this service fits<\/strong>: The API can inspect structured content with field-level findings.<\/li>\n<li><strong>Example scenario<\/strong>: Event ingestion service scans payloads for national IDs and masks them before storage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Create a custom detector for internal customer IDs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Your \u201csensitive data\u201d includes proprietary identifiers not covered by predefined detectors.<\/li>\n<li><strong>Why this service fits<\/strong>: Custom infoTypes (regex\/dictionary) allow detection of internal patterns.<\/li>\n<li><strong>Example scenario<\/strong>: Detect internal IDs like <code>CUST-2026-000123<\/code> and replace with stable tokens.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Risk analysis on anonymized datasets (where applicable)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: You\u2019ve anonymized data but need to understand re-identification risk.<\/li>\n<li><strong>Why this service fits<\/strong>: Statistical analyses can estimate uniqueness and risk in certain dataset types and configurations.<\/li>\n<li><strong>Example scenario<\/strong>: A data privacy team measures k-anonymity on quasi-identifiers before publishing a dataset.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Automate recurring discovery scans for new data<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: One-time scans are not enough; data changes every day.<\/li>\n<li><strong>Why this service fits<\/strong>: Job triggers and templates make discovery repeatable and consistent.<\/li>\n<li><strong>Example scenario<\/strong>: A weekly scan runs on new objects in a landing bucket; findings route to a triage queue.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Data residency-aware scanning<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: You must process data within certain geographic boundaries.<\/li>\n<li><strong>Why this service fits<\/strong>: Sensitive Data Protection supports selecting processing locations (availability varies).<\/li>\n<li><strong>Example scenario<\/strong>: EU customer data is scanned using an EU processing location (verify the location list and constraints).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) M&amp;A \/ migration due diligence<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: You\u2019re migrating data into Google Cloud and need to understand sensitive content distribution.<\/li>\n<li><strong>Why this service fits<\/strong>: Scanning provides an inventory of sensitive data and helps plan access controls.<\/li>\n<li><strong>Example scenario<\/strong>: During migration, scanned results determine which datasets require encryption keys, restricted IAM, and additional monitoring.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Note: Feature availability can depend on data source type, API method, and processing location. Always confirm details in the official documentation.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">6.1 Predefined infoTypes (built-in detectors)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Detects common sensitive data types (e.g., emails, phone numbers, credit cards, national identifiers).<\/li>\n<li><strong>Why it matters<\/strong>: Saves time; detectors are maintained by Google.<\/li>\n<li><strong>Practical benefit<\/strong>: Fast onboarding\u2014use standard detectors in minutes.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Not perfect; tune likelihood thresholds and test on your data.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.2 Custom infoTypes (regex, dictionaries, stored infoTypes)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Finds organization-specific patterns (employee IDs, customer tokens, internal codes).<\/li>\n<li><strong>Why it matters<\/strong>: Most enterprises have \u201csensitive\u201d fields outside standard categories.<\/li>\n<li><strong>Practical benefit<\/strong>: Better coverage and fewer gaps in discovery.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Regex and dictionaries require ongoing maintenance; avoid overly broad patterns that cause false positives.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.3 Inspection rules (hotword rules and context)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Improves detection by using context words and proximity rules.<\/li>\n<li><strong>Why it matters<\/strong>: Helps reduce false positives (and sometimes false negatives) by adding semantic hints.<\/li>\n<li><strong>Practical benefit<\/strong>: More reliable findings for operational workflows.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Requires tuning and representative test data.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.4 Templates (inspection and de-identification templates)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Saves and reuses configurations for consistent scanning and transformations.<\/li>\n<li><strong>Why it matters<\/strong>: Prevents configuration drift across teams and pipelines.<\/li>\n<li><strong>Practical benefit<\/strong>: Security teams can publish approved templates for platform teams to use.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Template governance needs process (versioning, change control).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.5 De-identification: masking, redaction, replacement<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Transforms detected sensitive segments\u2014mask characters, redact, or replace with an infoType label.<\/li>\n<li><strong>Why it matters<\/strong>: Minimizes data exposure while retaining analytical usefulness.<\/li>\n<li><strong>Practical benefit<\/strong>: You can safely share de-identified datasets with broader roles.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Redaction may reduce utility; masking strategies must be chosen per use case.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.6 Cryptographic transformations (tokenization \/ format-preserving encryption)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Replaces sensitive values with cryptographic tokens (often preserving format).<\/li>\n<li><strong>Why it matters<\/strong>: Enables joins and analytics without revealing raw identifiers.<\/li>\n<li><strong>Practical benefit<\/strong>: Analysts can group by tokenized customer IDs, detect duplicates, and run cohort analyses.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Key management and access controls become critical; evaluate reversibility requirements and threat model.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.7 Structured data transformations (record-level)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Applies transformations by field in structured records (tables\/rows).<\/li>\n<li><strong>Why it matters<\/strong>: Most operational datasets are structured and need deterministic, field-aware transformations.<\/li>\n<li><strong>Practical benefit<\/strong>: Mask \u201cssn\u201d but keep \u201czip_code\u201d, or bucket \u201cage\u201d into ranges.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Requires schema awareness; ensure transformations align with downstream data types.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.8 Batch inspection jobs (supported data sources)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Runs long-running inspections over supported Google Cloud repositories.<\/li>\n<li><strong>Why it matters<\/strong>: Scales discovery across large datasets.<\/li>\n<li><strong>Practical benefit<\/strong>: Scheduled scanning and inventory generation for compliance.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Not all sources are supported; jobs have quotas and can generate significant costs if scanning large volumes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.9 Job triggers (scheduled\/recurring)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Automatically starts inspection jobs based on schedules or certain triggers (depending on job type).<\/li>\n<li><strong>Why it matters<\/strong>: Discovery is an ongoing process, not a one-time project.<\/li>\n<li><strong>Practical benefit<\/strong>: Continuous compliance checks.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Trigger frequency and scan scope must be cost-controlled.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.10 Findings export (BigQuery \/ Cloud Storage \/ Pub\/Sub)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Exports results for analytics, alerting, and workflow integration.<\/li>\n<li><strong>Why it matters<\/strong>: Findings must land where teams can act on them.<\/li>\n<li><strong>Practical benefit<\/strong>: Build dashboards, alerts, and remediation runbooks.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Export destinations have their own IAM\/security requirements; ensure least privilege.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.11 Hybrid inspection (for non-Google Cloud data paths)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Allows inspection workflows where data originates outside supported repositories by sending content to the service (and\/or using hybrid job patterns).<\/li>\n<li><strong>Why it matters<\/strong>: Many orgs have on-prem or multi-cloud sources.<\/li>\n<li><strong>Practical benefit<\/strong>: Consistent detection engine across environments.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Data transfer, privacy constraints, and network controls must be carefully designed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.12 Data risk analysis (statistical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Helps estimate re-identification risk and dataset properties (feature set depends on API and dataset type).<\/li>\n<li><strong>Why it matters<\/strong>: \u201cAnonymized\u201d data can still be re-identified.<\/li>\n<li><strong>Practical benefit<\/strong>: Quantify risk and guide stronger transformations.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Requires statistical understanding; confirm applicability and supported methods in current docs.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>Sensitive Data Protection sits in the middle of your data ecosystem:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Inputs<\/strong>: content sent directly via API; supported Google Cloud data sources via batch jobs<\/li>\n<li><strong>Processing<\/strong>: detection (inspection) and optional transformation (de-identification)<\/li>\n<li><strong>Outputs<\/strong>: transformed content (for API calls), plus findings exports for jobs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow (typical)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A caller (developer app, pipeline, or automation) authenticates with IAM and calls the API.<\/li>\n<li>Sensitive Data Protection evaluates content against configured infoTypes and rules.<\/li>\n<li>The service returns findings (what was found, likelihood, location).<\/li>\n<li>Optionally, the service returns transformed content (masking\/tokenization\/etc.).<\/li>\n<li>For jobs, results can be exported to BigQuery\/Cloud Storage\/Pub\/Sub for governance and remediation.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services (common patterns)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloud Storage \/ BigQuery<\/strong>: common sources and sinks for batch jobs and findings exports<\/li>\n<li><strong>Pub\/Sub<\/strong>: triggers workflows when findings are produced (alerting, ticketing, quarantine)<\/li>\n<li><strong>Cloud Functions \/ Cloud Run<\/strong>: serverless remediation handlers (e.g., revoke sharing, move objects)<\/li>\n<li><strong>Cloud Logging + Audit Logs<\/strong>: trace API calls and operational activity<\/li>\n<li><strong>IAM<\/strong>: enforce who can scan and who can access findings<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Service Usage API<\/strong> (to enable the API in a project)<\/li>\n<li><strong>IAM<\/strong> for authentication\/authorization<\/li>\n<li>Destination services (BigQuery\/Cloud Storage\/Pub\/Sub) if exporting findings<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Auth uses Google Cloud IAM (OAuth2). Typical identities:<\/li>\n<li>User accounts (for interactive testing)<\/li>\n<li>Service accounts (for production pipelines)<\/li>\n<li>Access is controlled with predefined roles (e.g., DLP roles) and resource-level IAM.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The API is accessed over Google\u2019s public API endpoints using TLS.<\/li>\n<li>For strict exfiltration controls, organizations often combine this with:<\/li>\n<li>Organization policy constraints<\/li>\n<li>VPC Service Controls (where applicable\u2014verify current support for Sensitive Data Protection)<\/li>\n<li>Private connectivity patterns for data sources\/destinations (separately configured)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Cloud Audit Logs<\/strong> to track who called Sensitive Data Protection APIs and when.<\/li>\n<li>Export findings to a governed analytics store (e.g., BigQuery) for reporting.<\/li>\n<li>Define and enforce template usage to avoid inconsistent policies across teams.<\/li>\n<li>Track scan volumes and quotas to prevent surprise cost or throttling.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  A[App \/ Pipeline] --&gt;|Inspect or De-identify API call| B[Sensitive Data Protection]\n  B --&gt; C[Findings in API response]\n  B --&gt; D[De-identified content in response]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Data_Stores[Data Stores]\n    GCS[Cloud Storage Buckets]\n    BQ[BigQuery Datasets]\n  end\n\n  subgraph SDP[Sensitive Data Protection]\n    T[Inspection &amp; De-id Templates]\n    J[Scheduled Jobs \/ Triggers]\n    E[Detection Engine]\n  end\n\n  subgraph Outputs[Outputs &amp; Workflows]\n    PUB[Pub\/Sub Topic]\n    RUN[Cloud Run Remediation Service]\n    OUTBQ[BigQuery Findings Dataset]\n    LOG[Cloud Logging \/ Audit Logs]\n  end\n\n  SecTeam[Security Team] --&gt;|Defines templates| T\n  Platform[Platform Automation] --&gt;|Creates jobs using templates| J\n\n  GCS --&gt;|Batch inspect job reads data| E\n  BQ --&gt;|Batch inspect job reads data| E\n  J --&gt; E\n  E --&gt;|Exports findings| OUTBQ\n  E --&gt;|Publishes alerts| PUB\n  PUB --&gt; RUN\n  RUN --&gt;|Quarantine \/ Notify \/ Ticket| GCS\n  SDP --&gt; LOG\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account\/project requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A Google Cloud project with billing enabled<\/li>\n<li>Ability to enable APIs in the project<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>At minimum, you need:\n&#8211; Permission to enable the API: typically <code>roles\/serviceusage.serviceUsageAdmin<\/code> (or equivalent)\n&#8211; Permission to use Sensitive Data Protection:\n  &#8211; For interactive use: a role that includes calling the DLP API methods (commonly <strong>Sensitive Data Protection\/DLP roles<\/strong>, such as a user role)\n  &#8211; For production: a <strong>service account<\/strong> with least-privilege roles required for:\n    &#8211; Calling Sensitive Data Protection APIs\n    &#8211; Reading data from sources (if using jobs)\n    &#8211; Writing findings to destinations (if exporting)<\/p>\n\n\n\n<blockquote>\n<p>Role names and exact permissions can evolve. Verify current roles in the official IAM documentation for Sensitive Data Protection.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sensitive Data Protection is usage-billed; you need an active billing account attached to the project.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CLI\/SDK\/tools needed<\/h3>\n\n\n\n<p>Choose one:\n&#8211; <strong>Cloud Shell<\/strong> (recommended for labs): includes <code>gcloud<\/code>, Python, and authentication helpers\n&#8211; Local workstation with:\n  &#8211; Google Cloud SDK (<code>gcloud<\/code>)\n  &#8211; Python 3.10+ (recommended) and ability to install packages\n  &#8211; Auth configured via <code>gcloud auth application-default login<\/code> or service account key<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sensitive Data Protection is an API-based service with processing location choices for some operations.<\/li>\n<li><strong>Verify current processing locations and residency guidance in official docs<\/strong> if you have data residency requirements.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<p>Expect quotas around:\n&#8211; Requests per minute\n&#8211; Bytes processed per request\/job\n&#8211; Concurrent jobs\n&#8211; Findings limits<\/p>\n\n\n\n<p>Quotas vary and can change. Verify in the <strong>Sensitive Data Protection quotas<\/strong> documentation for your project and location.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services (for the lab below)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sensitive Data Protection API enabled (<code>dlp.googleapis.com<\/code>)<\/li>\n<li>IAM and Service Usage APIs (typically enabled by default)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<p>Sensitive Data Protection pricing is usage-based and depends on <strong>what you do<\/strong> (inspect content, de-identify, run jobs, export findings) and <strong>how much data you process<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Official pricing resources<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pricing page (official): https:\/\/cloud.google.com\/sensitive-data-protection\/pricing  <\/li>\n<li>Pricing calculator (official): https:\/\/cloud.google.com\/products\/calculator<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (typical)<\/h3>\n\n\n\n<p>While exact SKUs and units are defined on the pricing page, common pricing dimensions include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Content inspection volume<\/strong> (how many bytes you inspect)<\/li>\n<li><strong>De-identification volume<\/strong> (how many bytes you transform)<\/li>\n<li><strong>Discovery \/ profiling job scanning<\/strong> (if you run discovery or profiling features)<\/li>\n<li><strong>Risk analysis<\/strong> (if used; typically volume-based)<\/li>\n<li><strong>Export destinations<\/strong> (BigQuery storage\/query costs, Cloud Storage storage\/ops, Pub\/Sub delivery)<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Do not assume \u201cAPI calls\u201d are the primary cost unit; in many DLP-style services, <strong>data volume processed<\/strong> is the key driver. Confirm the billable units and SKUs on the official pricing page.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<p>Google Cloud sometimes offers free tiers or monthly free usage for certain services, but this changes. <strong>Verify free-tier eligibility and limits on the official pricing page<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Main cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scanning large objects repeatedly (e.g., re-scanning the same buckets daily)<\/li>\n<li>Using broad detectors across large datasets (more processing)<\/li>\n<li>Exporting high-cardinality findings into BigQuery tables (storage + query)<\/li>\n<li>Running frequent scheduled triggers without filtering scope<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>BigQuery<\/strong>: storing and querying findings tables<\/li>\n<li><strong>Cloud Storage<\/strong>: storing exported reports and scan artifacts<\/li>\n<li><strong>Pub\/Sub<\/strong>: message delivery for alerts<\/li>\n<li><strong>Compute<\/strong>: Cloud Run\/Functions\/Dataflow used to automate workflows<\/li>\n<li><strong>Network egress<\/strong>: generally minimal if everything stays in Google Cloud, but cross-region\/cross-cloud exports can add cost<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Content methods require sending data to the service endpoint; ensure this is acceptable for your compliance posture.<\/li>\n<li>For batch jobs scanning Google Cloud sources, data movement is handled within Google\u2019s infrastructure, but you still pay for the DLP processing and any destination service usage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost (practical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with <strong>sampling<\/strong> and narrow scope; expand only after validation.<\/li>\n<li>Use <strong>templates<\/strong> to standardize detection and avoid \u201cscan everything with everything.\u201d<\/li>\n<li>Prefer scanning <strong>new or changed data<\/strong> rather than full rescans (architect pipeline-driven scans).<\/li>\n<li>Export only needed fields and tune findings output (e.g., avoid exporting huge payload excerpts when not required).<\/li>\n<li>Set clear job schedules and retention policies for findings data.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (no fabricated prices)<\/h3>\n\n\n\n<p>A low-cost starting point is to use <strong>InspectContent<\/strong> on small test strings (KBs) to validate detectors. This processes minimal bytes and typically costs very little.<br\/>\nTo estimate, measure:\n&#8211; average bytes per request \u00d7 requests per day \u00d7 price per byte unit (from pricing page)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations (how to think about it)<\/h3>\n\n\n\n<p>For a production discovery program:\n&#8211; Inventory total bytes scanned per week\/month per data source\n&#8211; Determine rescan frequency (daily\/weekly\/monthly)\n&#8211; Add overhead for exports:\n  &#8211; BigQuery findings dataset storage growth\n  &#8211; Query costs for dashboards\n&#8211; Consider automation compute and Pub\/Sub costs<\/p>\n\n\n\n<p>Build the estimate using the official calculator and validate with early pilot scans.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab focuses on <strong>real, executable<\/strong> API calls that are safe and low-cost: inspecting and de-identifying a small piece of text. This avoids complex permissions required for batch jobs over storage systems.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable Sensitive Data Protection in a Google Cloud project<\/li>\n<li>Inspect a sample text for sensitive data (email, phone)<\/li>\n<li>Add a custom detector for an internal identifier pattern<\/li>\n<li>De-identify the same text (masking + replacement)<\/li>\n<li>Validate results and clean up<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:\n1. Create or select a Google Cloud project and enable the API\n2. Configure authentication in Cloud Shell\n3. Run a Python script that calls:\n   &#8211; <code>inspect_content<\/code> to detect sensitive data\n   &#8211; <code>deidentify_content<\/code> to mask\/replace detected data\n4. Review findings and transformed output\n5. Clean up resources<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create\/select a project and enable the API<\/h3>\n\n\n\n<p>1) Open <strong>Cloud Shell<\/strong> in the Google Cloud Console.<\/p>\n\n\n\n<p>2) Set your project ID (replace with your project):<\/p>\n\n\n\n<pre><code class=\"language-bash\">export PROJECT_ID=\"YOUR_PROJECT_ID\"\ngcloud config set project \"$PROJECT_ID\"\n<\/code><\/pre>\n\n\n\n<p>3) Enable the Sensitive Data Protection API:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services enable dlp.googleapis.com\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>: The API enables successfully.<br\/>\n<strong>Verify<\/strong>:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services list --enabled --filter=\"name:dlp.googleapis.com\"\n<\/code><\/pre>\n\n\n\n<p>You should see <code>dlp.googleapis.com<\/code> in the output.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Set up authentication for the lab (Cloud Shell)<\/h3>\n\n\n\n<p>In Cloud Shell, you typically already have credentials for the active account. For client libraries, the simplest method is <strong>Application Default Credentials (ADC)<\/strong>:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud auth application-default login\n<\/code><\/pre>\n\n\n\n<p>Follow the prompts.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>: A credentials file is created for ADC.<br\/>\n<strong>Verify<\/strong>:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud auth application-default print-access-token | head -c 20 &amp;&amp; echo\n<\/code><\/pre>\n\n\n\n<p>You should see a token prefix (do not share tokens).<\/p>\n\n\n\n<blockquote>\n<p>Production note: In real systems, use a dedicated <strong>service account<\/strong> with least privilege instead of user credentials. This lab uses ADC for simplicity.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Install the Python client library<\/h3>\n\n\n\n<p>In Cloud Shell:<\/p>\n\n\n\n<pre><code class=\"language-bash\">python3 -m pip install --upgrade pip\npython3 -m pip install google-cloud-dlp\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>: <code>google-cloud-dlp<\/code> installs successfully.<br\/>\n<strong>Verify<\/strong>:<\/p>\n\n\n\n<pre><code class=\"language-bash\">python3 -c \"import google.cloud.dlp; print('google-cloud-dlp imported')\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create a Python script to inspect content<\/h3>\n\n\n\n<p>Create a file:<\/p>\n\n\n\n<pre><code class=\"language-bash\">cat &gt; sdp_inspect.py &lt;&lt;'PY'\nfrom google.cloud import dlp_v2\n\nPROJECT_ID = None  # filled in main()\n\nTEST_TEXT = \"\"\"\nCustomer record:\nName: Casey Nguyen\nEmail: casey.nguyen@example.com\nPhone: +1 (415) 555-2671\nInternal ID: CUST-2026-000123\nNotes: Call after 5pm.\n\"\"\".strip()\n\ndef inspect_text(project_id: str):\n    client = dlp_v2.DlpServiceClient()\n\n    parent = f\"projects\/{project_id}\/locations\/global\"\n\n    # Built-in detectors + one custom detector for an internal ID format.\n    # Custom detector here is a regex infoType.\n    inspect_config = {\n        \"info_types\": [\n            {\"name\": \"EMAIL_ADDRESS\"},\n            {\"name\": \"PHONE_NUMBER\"},\n        ],\n        \"custom_info_types\": [\n            {\n                \"info_type\": {\"name\": \"INTERNAL_CUSTOMER_ID\"},\n                \"regex\": {\"pattern\": r\"CUST-\\d{4}-\\d{6}\"},\n                \"likelihood\": \"LIKELY\",\n            }\n        ],\n        # Returning the quote helps learning, but in production you may avoid\n        # returning full quotes to reduce exposure.\n        \"include_quote\": True,\n    }\n\n    item = {\"value\": TEST_TEXT}\n\n    response = client.inspect_content(\n        request={\n            \"parent\": parent,\n            \"inspect_config\": inspect_config,\n            \"item\": item,\n        }\n    )\n\n    return response\n\ndef main():\n    import os\n    project_id = os.environ.get(\"PROJECT_ID\")\n    if not project_id:\n        raise RuntimeError(\"Set PROJECT_ID environment variable.\")\n    global PROJECT_ID\n    PROJECT_ID = project_id\n\n    resp = inspect_text(project_id)\n\n    findings = resp.result.findings\n    print(f\"Findings count: {len(findings)}\\n\")\n\n    for f in findings:\n        info_type = f.info_type.name\n        likelihood = f.likelihood.name\n        quote = f.quote if f.quote else \"\"\n        print(f\"- {info_type} ({likelihood}): {quote}\")\n\nif __name__ == \"__main__\":\n    main()\nPY\n<\/code><\/pre>\n\n\n\n<p>Run it:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export PROJECT_ID=\"YOUR_PROJECT_ID\"\npython3 sdp_inspect.py\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>: You see findings for email, phone, and your custom internal ID.<br\/>\n<strong>Verification<\/strong>: Confirm output lines include:\n&#8211; <code>EMAIL_ADDRESS<\/code>\n&#8211; <code>PHONE_NUMBER<\/code>\n&#8211; <code>INTERNAL_CUSTOMER_ID<\/code><\/p>\n\n\n\n<p>If you don\u2019t see the custom ID, double-check the regex and the sample ID format.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: De-identify the content (mask + replace)<\/h3>\n\n\n\n<p>Create a second script:<\/p>\n\n\n\n<pre><code class=\"language-bash\">cat &gt; sdp_deid.py &lt;&lt;'PY'\nfrom google.cloud import dlp_v2\n\nTEST_TEXT = \"\"\"\nCustomer record:\nName: Casey Nguyen\nEmail: casey.nguyen@example.com\nPhone: +1 (415) 555-2671\nInternal ID: CUST-2026-000123\nNotes: Call after 5pm.\n\"\"\".strip()\n\ndef deidentify_text(project_id: str):\n    client = dlp_v2.DlpServiceClient()\n    parent = f\"projects\/{project_id}\/locations\/global\"\n\n    inspect_config = {\n        \"info_types\": [\n            {\"name\": \"EMAIL_ADDRESS\"},\n            {\"name\": \"PHONE_NUMBER\"},\n        ],\n        \"custom_info_types\": [\n            {\n                \"info_type\": {\"name\": \"INTERNAL_CUSTOMER_ID\"},\n                \"regex\": {\"pattern\": r\"CUST-\\d{4}-\\d{6}\"},\n                \"likelihood\": \"LIKELY\",\n            }\n        ],\n        \"include_quote\": True,\n    }\n\n    # De-identification strategy:\n    # - Replace emails with the infoType name (e.g., [EMAIL_ADDRESS])\n    # - Mask phone numbers and internal IDs with a character mask\n    #\n    # This is intentionally simple. For production, evaluate whether you need\n    # irreversible redaction, reversible tokenization, or FPE.\n    deidentify_config = {\n        \"info_type_transformations\": {\n            \"transformations\": [\n                {\n                    \"info_types\": [{\"name\": \"EMAIL_ADDRESS\"}],\n                    \"primitive_transformation\": {\n                        \"replace_with_info_type_config\": {}\n                    },\n                },\n                {\n                    \"info_types\": [{\"name\": \"PHONE_NUMBER\"}, {\"name\": \"INTERNAL_CUSTOMER_ID\"}],\n                    \"primitive_transformation\": {\n                        \"character_mask_config\": {\n                            \"masking_character\": \"*\",\n                            \"number_to_mask\": 0,  # 0 means mask all characters in the match\n                        }\n                    },\n                },\n            ]\n        }\n    }\n\n    item = {\"value\": TEST_TEXT}\n\n    response = client.deidentify_content(\n        request={\n            \"parent\": parent,\n            \"inspect_config\": inspect_config,\n            \"deidentify_config\": deidentify_config,\n            \"item\": item,\n        }\n    )\n\n    return response\n\ndef main():\n    import os\n    project_id = os.environ.get(\"PROJECT_ID\")\n    if not project_id:\n        raise RuntimeError(\"Set PROJECT_ID environment variable.\")\n\n    resp = deidentify_text(project_id)\n\n    print(\"Original text:\\n\")\n    print(TEST_TEXT)\n    print(\"\\nDe-identified text:\\n\")\n    print(resp.item.value)\n\nif __name__ == \"__main__\":\n    main()\nPY\n<\/code><\/pre>\n\n\n\n<p>Run:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export PROJECT_ID=\"YOUR_PROJECT_ID\"\npython3 sdp_deid.py\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>:<br\/>\n&#8211; The email address becomes something like <code>[EMAIL_ADDRESS]<\/code> (replacement with infoType)\n&#8211; The phone number and internal ID are fully masked with <code>*<\/code> characters<\/p>\n\n\n\n<p><strong>Verification<\/strong>: Ensure the output does <strong>not<\/strong> contain the original email, phone number, or internal ID.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: (Optional) Tighten detection and reduce exposure<\/h3>\n\n\n\n<p>In real environments:\n&#8211; Set <code>include_quote<\/code> to <code>False<\/code> for findings unless you truly need quotes.\n&#8211; Use rules to reduce false positives.\n&#8211; Prefer structured inspection for JSON\/records when possible.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Run both scripts and confirm:<\/p>\n\n\n\n<p>1) Inspect script returns findings:\n&#8211; <code>EMAIL_ADDRESS<\/code>\n&#8211; <code>PHONE_NUMBER<\/code>\n&#8211; <code>INTERNAL_CUSTOMER_ID<\/code><\/p>\n\n\n\n<p>2) De-identification script output:\n&#8211; Does not contain the original sensitive strings\n&#8211; Still preserves non-sensitive context (\u201cNotes\u201d, \u201cName\u201d, etc.)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p><strong>Error: <code>PERMISSION_DENIED<\/code><\/strong>\n&#8211; Cause: Your identity doesn\u2019t have permission to call the API.\n&#8211; Fix:\n  &#8211; Ensure your account can use Sensitive Data Protection in the project.\n  &#8211; If using a service account in production, grant the correct DLP role to that service account.<\/p>\n\n\n\n<p><strong>Error: API not enabled<\/strong>\n&#8211; Symptom: <code>dlp.googleapis.com has not been used in project ...<\/code>\n&#8211; Fix:\n  &#8211; Run <code>gcloud services enable dlp.googleapis.com<\/code>\n  &#8211; Wait 1\u20132 minutes and retry.<\/p>\n\n\n\n<p><strong>Error: <code>INVALID_ARGUMENT<\/code><\/strong>\n&#8211; Cause: Misconfigured inspect\/deidentify config (bad infoType name, invalid regex, wrong fields).\n&#8211; Fix:\n  &#8211; Start with only predefined infoTypes.\n  &#8211; Add custom infoTypes one at a time.\n  &#8211; Validate regex patterns.<\/p>\n\n\n\n<p><strong>Quota or rate limit errors<\/strong>\n&#8211; Fix:\n  &#8211; Reduce request frequency\n  &#8211; Batch work where possible\n  &#8211; Request quota increases if needed (production)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing risk\/cost:\n&#8211; Remove local scripts if they contain sensitive test strings:<\/p>\n\n\n\n<pre><code class=\"language-bash\">rm -f sdp_inspect.py sdp_deid.py\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you created a dedicated project for the lab, delete it (most thorough cleanup):<\/li>\n<\/ul>\n\n\n\n<pre><code class=\"language-bash\"># WARNING: this deletes everything in the project\ngcloud projects delete \"$PROJECT_ID\"\n<\/code><\/pre>\n\n\n\n<p>If you used an existing project, consider disabling the API:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services disable dlp.googleapis.com\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Separate policy from execution<\/strong>: security teams define templates; pipelines consume templates.<\/li>\n<li><strong>Use a hub-and-spoke model<\/strong> for large orgs:<\/li>\n<li>Central security project for templates and reporting<\/li>\n<li>Application projects run scans on their own data (with centralized governance)<\/li>\n<li><strong>Scan at the right points<\/strong>:<\/li>\n<li>On ingest (prevent sensitive data from entering uncontrolled zones)<\/li>\n<li>Pre-sharing (before exports)<\/li>\n<li>Periodic discovery (to detect drift and new datasets)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>service accounts<\/strong> for production scanning jobs, not user credentials.<\/li>\n<li>Grant <strong>least privilege<\/strong>:<\/li>\n<li>Only allow the identities that need to scan data<\/li>\n<li>Lock down who can read findings outputs (they can be sensitive)<\/li>\n<li>Treat findings as sensitive metadata:<\/li>\n<li>Findings often include data excerpts or references; restrict access accordingly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with <strong>small pilots<\/strong> and measure scan volumes.<\/li>\n<li>Use <strong>sampling<\/strong> and incremental scope expansion.<\/li>\n<li>Avoid scanning the same unchanged data repeatedly.<\/li>\n<li>Put retention controls on findings exports:<\/li>\n<li>BigQuery table partitioning + expiration<\/li>\n<li>Cloud Storage lifecycle policies<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use templates and consistent configs to reduce misconfiguration retries.<\/li>\n<li>Prefer structured inspection when you know schema\u2014often improves accuracy and reduces unnecessary matching.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build idempotent workflows for findings processing (Pub\/Sub handlers).<\/li>\n<li>Store template versions and roll out changes safely (canary scans).<\/li>\n<li>For automation, implement retries with exponential backoff for transient API errors.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralize logs and audit trails for:<\/li>\n<li>API usage<\/li>\n<li>Template changes<\/li>\n<li>Job creation\/trigger activity<\/li>\n<li>Create operational dashboards for:<\/li>\n<li>bytes scanned per day<\/li>\n<li>findings count by infoType and project<\/li>\n<li>job failure rates and error types<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standardize naming for templates and jobs:<\/li>\n<li>Example: <code>dlp-inspect-bq-prod-pii-v3<\/code><\/li>\n<li>Apply labels consistently (where supported) for cost attribution:<\/li>\n<li><code>env=prod<\/code>, <code>owner=data-platform<\/code>, <code>purpose=discovery<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sensitive Data Protection uses IAM for:<\/li>\n<li>Who can call inspection\/de-identification APIs<\/li>\n<li>Who can create\/modify templates and jobs<\/li>\n<li>Who can view results and exported findings<\/li>\n<\/ul>\n\n\n\n<p>Recommendations:\n&#8211; Use <strong>separate roles<\/strong> for:\n  &#8211; Template authors (security)\n  &#8211; Job runners (platform automation)\n  &#8211; Findings consumers (security operations, data governance)\n&#8211; Prefer <strong>organization policies<\/strong> and controlled projects for sensitive scans.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data in transit to the API is protected with TLS.<\/li>\n<li>For data at rest:<\/li>\n<li>Protect source\/destination systems using their encryption controls (e.g., CMEK in BigQuery\/Cloud Storage if required).<\/li>\n<li>For cryptographic de-identification:<\/li>\n<li>Treat keys as highly sensitive; align with enterprise KMS policies.<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>CMEK support and how the service handles transient processing may vary by feature\u2014verify in official docs for your compliance requirements.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>API access is over Google APIs endpoints.<\/li>\n<li>Consider restricting who can call the API via:<\/li>\n<li>IAM conditions<\/li>\n<li>Egress controls (where applicable)<\/li>\n<li>VPC Service Controls (verify current support)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Never store service account keys in repos.<\/li>\n<li>Prefer:<\/li>\n<li>Workload Identity (where applicable)<\/li>\n<li>Short-lived credentials<\/li>\n<li>Secret Manager if you must store sensitive configs (but avoid storing raw sensitive datasets in secrets systems)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable and retain <strong>Cloud Audit Logs<\/strong> for Sensitive Data Protection API usage.<\/li>\n<li>Export logs to a dedicated security logging project if needed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<p>Sensitive Data Protection can support compliance programs by:\n&#8211; Providing evidence of discovery scans\n&#8211; Supporting de-identification for approved data sharing\n&#8211; Producing structured findings that map to data classification policies<\/p>\n\n\n\n<p>But it does not automatically make you compliant. You still need:\n&#8211; Governance processes\n&#8211; Access controls\n&#8211; Incident response\n&#8211; Data retention and deletion policies<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exporting findings to a dataset\/bucket with broad read access<\/li>\n<li>Returning quotes (<code>include_quote<\/code>) in production when not required<\/li>\n<li>Using overly permissive service accounts that can read everything everywhere<\/li>\n<li>Treating de-identified data as \u201csafe for all purposes\u201d without re-identification risk assessment<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Separate \u201craw\u201d and \u201cde-identified\u201d zones into different projects\/datasets<\/li>\n<li>Restrict findings access to security\/governance teams<\/li>\n<li>Use deterministic tokenization only when justified, and protect keys rigorously<\/li>\n<li>Document and test your detection accuracy and transformation impact<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations (practical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detection is probabilistic<\/strong>: expect false positives\/negatives; test and tune.<\/li>\n<li><strong>Data source support is specific<\/strong>: batch jobs only support certain repositories and formats; confirm support before committing to an architecture.<\/li>\n<li><strong>Quotes in findings can leak data<\/strong>: operationally useful but increases exposure.<\/li>\n<li><strong>Transformations can reduce utility<\/strong>: masking\/redaction can break analytics or downstream parsing.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Requests and processing quotas exist and can throttle high-volume pipelines.<\/li>\n<li>Long-running jobs have limits (concurrency, job counts, throughput).<\/li>\n<li>Always review quotas early in pilot phases.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Processing location options exist, but not every feature may be available in every location.<\/li>\n<li>If you have strict residency requirements, confirm:<\/li>\n<li>supported locations<\/li>\n<li>where data is processed for your chosen method (content vs jobs)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The biggest surprise is often scanning <strong>far more bytes<\/strong> than expected (especially with recurring jobs).<\/li>\n<li>Findings exports can grow quickly and generate BigQuery query costs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Custom regex patterns can become expensive or inaccurate if too broad.<\/li>\n<li>Structured transformations require consistent schema; schema drift can break pipelines.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u201cContinuous scanning\u201d can become noisy without triage workflows and thresholds.<\/li>\n<li>Findings without an owner or remediation process become backlog.<\/li>\n<li>Template changes can cause sudden shifts in findings volume\u2014roll out carefully.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you are migrating from homegrown regex scanners, detector results will differ.<\/li>\n<li>You must retrain stakeholders on likelihood scoring and how to interpret findings.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource naming often uses <code>projects\/...\/locations\/...<\/code> patterns; ensure scripts and pipelines pass the correct parent path.<\/li>\n<li>Some methods are location-specific; defaulting to <code>global<\/code> may not satisfy residency requirements\u2014verify before production.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Sensitive Data Protection is a specialized service for sensitive data discovery and de-identification. Alternatives vary depending on whether you want discovery, classification governance, endpoint controls, or SaaS scanning.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Google Cloud Sensitive Data Protection<\/strong><\/td>\n<td>Discovering and de-identifying sensitive data in Google Cloud workflows<\/td>\n<td>Strong detection engine (predefined + custom), de-identification transformations, API\/pipeline integration<\/td>\n<td>Requires tuning; batch source support is specific; costs scale with scan volume<\/td>\n<td>You need scalable discovery + de-identification in Google Cloud<\/td>\n<\/tr>\n<tr>\n<td><strong>Google Cloud Dataplex \/ Data Catalog (metadata governance)<\/strong><\/td>\n<td>Data governance, cataloging, ownership, lineage<\/td>\n<td>Great for organizing data assets and governance processes<\/td>\n<td>Not a DLP\/de-id engine; doesn\u2019t replace sensitive pattern detection<\/td>\n<td>You need governance and cataloging; use alongside Sensitive Data Protection<\/td>\n<\/tr>\n<tr>\n<td><strong>Security Command Center (SCC)<\/strong><\/td>\n<td>Centralized security posture and findings<\/td>\n<td>Aggregates findings, supports security workflows<\/td>\n<td>Not a primary DLP engine; integrations vary by tier<\/td>\n<td>You want centralized visibility and security operations integration<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Macie<\/strong><\/td>\n<td>Sensitive data discovery in AWS S3<\/td>\n<td>Tight S3 integration and AWS-native workflows<\/td>\n<td>AWS-specific; not for Google Cloud stores<\/td>\n<td>Your primary data lake is in AWS<\/td>\n<\/tr>\n<tr>\n<td><strong>Microsoft Purview + Information Protection<\/strong><\/td>\n<td>Microsoft ecosystem governance and labeling<\/td>\n<td>Strong Microsoft 365 integration, labeling\/classification<\/td>\n<td>Different model; may require broader Microsoft stack<\/td>\n<td>You standardize on Microsoft governance and labeling<\/td>\n<\/tr>\n<tr>\n<td><strong>Open-source (e.g., Presidio) + custom pipelines<\/strong><\/td>\n<td>Custom detection in self-managed environments<\/td>\n<td>Flexible, code-driven, can run anywhere<\/td>\n<td>More engineering\/ops burden, detection quality depends on your work<\/td>\n<td>You need full control, custom environments, or on-prem-only processing<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: regulated data discovery across a multi-project analytics platform<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A financial services company has dozens of BigQuery datasets and Cloud Storage buckets across teams. Auditors require proof of where PCI and PII data exists, and security needs to reduce exposure.<\/li>\n<li><strong>Proposed architecture<\/strong>:<\/li>\n<li>Central security project defines inspection templates (PCI, PII, secrets)<\/li>\n<li>Scheduled discovery jobs run per domain\/project on a controlled cadence<\/li>\n<li>Findings export to a central BigQuery dataset (restricted to security\/governance)<\/li>\n<li>Pub\/Sub alerts trigger Cloud Run remediation:<ul>\n<li>notify dataset owners<\/li>\n<li>apply stricter IAM if high-risk data is found<\/li>\n<li>open a ticket for triage<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why Sensitive Data Protection was chosen<\/strong>:<\/li>\n<li>Provides repeatable discovery with consistent detection policies<\/li>\n<li>Enables controlled de-identification workflows for safer analytics zones<\/li>\n<li>Integrates into existing Google Cloud logging and automation stack<\/li>\n<li><strong>Expected outcomes<\/strong>:<\/li>\n<li>Reduced audit scope and clearer inventory of regulated data<\/li>\n<li>Faster incident response when sensitive data appears in unexpected places<\/li>\n<li>Standardized, version-controlled detection and transformation policy<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: safe sharing of product analytics exports<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A startup exports user events for analytics, but exports occasionally include email addresses in free-text fields. They need a simple, low-ops solution.<\/li>\n<li><strong>Proposed architecture<\/strong>:<\/li>\n<li>Application pipeline calls Sensitive Data Protection <code>inspect_content<\/code> on high-risk fields before writing exports<\/li>\n<li>If PII is detected, pipeline either:<ul>\n<li>masks it automatically (<code>deidentify_content<\/code>), or<\/li>\n<li>routes records to a quarantine queue for review<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why Sensitive Data Protection was chosen<\/strong>:<\/li>\n<li>Quick to integrate via API<\/li>\n<li>Minimal infrastructure to operate<\/li>\n<li>Good coverage for common PII patterns out of the box<\/li>\n<li><strong>Expected outcomes<\/strong>:<\/li>\n<li>Reduced risk of accidental PII sharing<\/li>\n<li>A documented, repeatable control for compliance conversations<\/li>\n<li>Low operational overhead compared to self-managed scanners<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1) Is Sensitive Data Protection the same as Cloud DLP?<\/h3>\n\n\n\n<p>Sensitive Data Protection is the current product name; \u201cCloud DLP\u201d is the older\/common name and still appears in API names, libraries, and role names. Functionally, it refers to the same core capability set.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2) Do I have to move my data into Sensitive Data Protection?<\/h3>\n\n\n\n<p>No. You can either:\n&#8211; Send content to the API for inspection\/de-identification, or\n&#8211; Run jobs against supported Google Cloud data sources (where supported).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3) Can it scan BigQuery and Cloud Storage?<\/h3>\n\n\n\n<p>Yes, via job-based scanning for supported sources and configurations. Confirm current supported sources and formats in official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4) Can it scan databases like Cloud SQL?<\/h3>\n\n\n\n<p>Not in the same way as scanning a file store. Many teams export data or scan data as it flows through pipelines. Verify current support for any specific database source.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5) Is it real-time?<\/h3>\n\n\n\n<p>Content inspection\/de-identification API calls are synchronous for small payloads. Batch scans are long-running jobs and not \u201creal-time\u201d in the streaming sense.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6) Does it replace a data catalog?<\/h3>\n\n\n\n<p>No. It detects and transforms sensitive data. A catalog (Dataplex\/Data Catalog) manages metadata, ownership, and governance. They\u2019re complementary.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7) How accurate are predefined detectors?<\/h3>\n\n\n\n<p>They\u2019re strong for common patterns, but not perfect. Always test with representative data and tune likelihood thresholds, rules, and custom detectors.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">8) What\u2019s an infoType?<\/h3>\n\n\n\n<p>An infoType is a detector definition for a sensitive data type (predefined like <code>EMAIL_ADDRESS<\/code>, or custom like <code>INTERNAL_CUSTOMER_ID<\/code>).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9) What does \u201clikelihood\u201d mean?<\/h3>\n\n\n\n<p>Likelihood is the service\u2019s confidence score that a finding matches an infoType (e.g., possible\/likely\/very likely). Use it to filter noise.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">10) Can I tokenize data so I can join tables later?<\/h3>\n\n\n\n<p>Yes, via cryptographic transformations (tokenization \/ format-preserving encryption) depending on your configuration. Design key management and access control carefully.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">11) Is de-identified data always safe to share?<\/h3>\n\n\n\n<p>Not always. De-identification reduces risk, but re-identification may still be possible depending on context, quasi-identifiers, and auxiliary data. Consider risk analysis and governance review.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">12) Should I export findings to BigQuery?<\/h3>\n\n\n\n<p>Often yes for reporting and triage, but protect findings access. Findings may contain sensitive excerpts or metadata.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">13) How do I control costs?<\/h3>\n\n\n\n<p>Control scan volume, scan frequency, and export growth. Start small, measure bytes scanned, and use templates plus scope filters.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">14) Can I use it in CI\/CD?<\/h3>\n\n\n\n<p>Yes. Common patterns include scanning configuration files, test datasets, or artifacts for secrets\/PII before release. Be mindful of what data you send.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">15) What\u2019s the safest way to test it?<\/h3>\n\n\n\n<p>Use synthetic or anonymized test strings and small payloads first. Avoid uploading real sensitive production datasets during early experimentation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">16) How does it interact with IAM?<\/h3>\n\n\n\n<p>IAM controls who can call the API, create jobs\/templates, and access exported findings. Use least privilege and separate roles for policy vs operations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">17) Can I keep processing within a specific geography?<\/h3>\n\n\n\n<p>Sensitive Data Protection supports processing locations for certain operations. Verify the current list of supported locations and constraints in the official docs.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Sensitive Data Protection<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Sensitive Data Protection docs: https:\/\/cloud.google.com\/sensitive-data-protection\/docs<\/td>\n<td>Canonical source for concepts, features, and how-to guides<\/td>\n<\/tr>\n<tr>\n<td>API reference<\/td>\n<td>REST reference: https:\/\/cloud.google.com\/sensitive-data-protection\/docs\/reference\/rest<\/td>\n<td>Exact request\/response schemas and method details<\/td>\n<\/tr>\n<tr>\n<td>Pricing<\/td>\n<td>Pricing page: https:\/\/cloud.google.com\/sensitive-data-protection\/pricing<\/td>\n<td>Current SKUs, billable units, and pricing model<\/td>\n<\/tr>\n<tr>\n<td>Cost estimation<\/td>\n<td>Google Cloud Pricing Calculator: https:\/\/cloud.google.com\/products\/calculator<\/td>\n<td>Build real estimates using your scan volumes<\/td>\n<\/tr>\n<tr>\n<td>Client libraries<\/td>\n<td>Libraries overview: https:\/\/cloud.google.com\/sensitive-data-protection\/docs\/libraries<\/td>\n<td>Supported languages and authentication patterns<\/td>\n<\/tr>\n<tr>\n<td>Quickstarts \/ guides<\/td>\n<td>Quickstarts (verify current): https:\/\/cloud.google.com\/sensitive-data-protection\/docs\/quickstarts<\/td>\n<td>Fast path to first scan and common setups<\/td>\n<\/tr>\n<tr>\n<td>Samples (official)<\/td>\n<td>GoogleCloudPlatform Python samples (DLP): https:\/\/github.com\/GoogleCloudPlatform\/python-docs-samples\/tree\/main\/dlp<\/td>\n<td>Practical code you can adapt for production<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>Google Cloud Architecture Center: https:\/\/cloud.google.com\/architecture<\/td>\n<td>Reference architectures for security\/data patterns (not SDP-specific on every page)<\/td>\n<\/tr>\n<tr>\n<td>Videos<\/td>\n<td>Google Cloud Tech YouTube: https:\/\/www.youtube.com\/@googlecloudtech<\/td>\n<td>Product overviews and security architecture sessions<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>Google Cloud Community: https:\/\/www.googlecloudcommunity.com\/<\/td>\n<td>Real-world discussions and troubleshooting patterns<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, cloud engineers<\/td>\n<td>Google Cloud operations, DevOps tooling, cloud security fundamentals (check course catalog for SDP coverage)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Build\/release engineers, DevOps learners<\/td>\n<td>DevOps foundations, CI\/CD, cloud and automation (verify SDP-specific modules)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud ops teams, beginners to intermediate<\/td>\n<td>Cloud operations and practical labs (verify Google Cloud security offerings)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, platform teams<\/td>\n<td>Reliability engineering, operations practices, observability (security-adjacent practices)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams adopting AIOps<\/td>\n<td>Monitoring, automation, AIOps practices (verify cloud security modules)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify current offerings)<\/td>\n<td>Engineers seeking practical guidance<\/td>\n<td>https:\/\/www.rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training and mentoring (verify Google Cloud content)<\/td>\n<td>Beginners to intermediate DevOps learners<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps\/platform help (verify services offered)<\/td>\n<td>Teams needing short-term expertise<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and training resources (verify scope)<\/td>\n<td>Ops teams needing hands-on support<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company Name<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify offerings)<\/td>\n<td>Cloud adoption, platform engineering, security foundations<\/td>\n<td>Set up least-privilege IAM, logging\/audit patterns, CI\/CD guardrails<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>Training + consulting (check service pages)<\/td>\n<td>DevOps enablement and cloud implementation support<\/td>\n<td>Build automation around findings exports, integrate scans into pipelines<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify offerings)<\/td>\n<td>Platform automation, deployment practices, operational controls<\/td>\n<td>Implement scanning workflows with Cloud Run\/Pub\/Sub and reporting in BigQuery<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before this service<\/h3>\n\n\n\n<p>To use Sensitive Data Protection effectively, you should understand:\n&#8211; Google Cloud basics: projects, billing, APIs, Cloud Shell\n&#8211; IAM fundamentals: roles, service accounts, least privilege\n&#8211; Data services fundamentals: Cloud Storage and BigQuery basics\n&#8211; Logging basics: Cloud Logging and Audit Logs\n&#8211; Security basics: data classification, threat modeling, compliance fundamentals<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after this service<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Organization-scale governance:<\/li>\n<li>resource hierarchy (org\/folder\/project)<\/li>\n<li>organization policies<\/li>\n<li>Data governance tooling:<\/li>\n<li>Dataplex\/Data Catalog concepts<\/li>\n<li>Automation patterns:<\/li>\n<li>Pub\/Sub + Cloud Run\/Functions<\/li>\n<li>Infrastructure as Code (Terraform)<\/li>\n<li>Advanced privacy engineering:<\/li>\n<li>re-identification risk, k-anonymity concepts<\/li>\n<li>differential privacy concepts (separate topic; not the same as SDP)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Security Engineer<\/li>\n<li>Data Security Engineer \/ Privacy Engineer<\/li>\n<li>Cloud Architect \/ Security Architect<\/li>\n<li>Data Platform Engineer<\/li>\n<li>DevOps Engineer \/ SRE (automation and operationalization)<\/li>\n<li>Governance, Risk, and Compliance (GRC) technical staff<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (Google Cloud)<\/h3>\n\n\n\n<p>Google Cloud certifications don\u2019t map 1:1 to a single product, but relevant tracks include:\n&#8211; Professional Cloud Security Engineer\n&#8211; Professional Data Engineer (for pipeline integration and governance patterns)<\/p>\n\n\n\n<p>Verify current certification content outlines on Google Cloud\u2019s official certification pages.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Build a small \u201cPII scanner\u201d CLI that inspects files and outputs a report.<\/li>\n<li>Create a standardized inspection template and apply it across multiple sample datasets.<\/li>\n<li>Build a de-identified analytics dataset and document how joins still work with tokenization.<\/li>\n<li>Export findings to BigQuery and build a dashboard of infoTypes by dataset\/team.<\/li>\n<li>Create a Pub\/Sub + Cloud Run workflow that opens an issue when high-severity findings appear.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Sensitive Data Protection<\/strong>: Google Cloud service for discovering, classifying, and de-identifying sensitive data.<\/li>\n<li><strong>DLP (Data Loss Prevention)<\/strong>: Common term and historical product\/API naming for sensitive data discovery and protection.<\/li>\n<li><strong>infoType<\/strong>: A detector for a sensitive data type (predefined or custom).<\/li>\n<li><strong>Finding<\/strong>: A match detected by inspection (includes infoType, likelihood, and optionally the matching text excerpt).<\/li>\n<li><strong>Likelihood<\/strong>: Confidence score that a detected match corresponds to the infoType.<\/li>\n<li><strong>Inspection<\/strong>: Scanning content to find sensitive data.<\/li>\n<li><strong>De-identification<\/strong>: Transforming sensitive data to reduce exposure (masking, redaction, replacement, tokenization).<\/li>\n<li><strong>Tokenization<\/strong>: Replacing sensitive values with tokens that can preserve analytic utility.<\/li>\n<li><strong>Format-Preserving Encryption (FPE)<\/strong>: Cryptographic transformation that keeps output in a similar format (e.g., digits remain digits).<\/li>\n<li><strong>Template<\/strong>: Saved configuration for inspection or de-identification to enable consistent reuse.<\/li>\n<li><strong>Job<\/strong>: A long-running batch operation to inspect supported repositories.<\/li>\n<li><strong>Job trigger<\/strong>: Configuration that starts jobs on a schedule or based on trigger conditions (depending on feature).<\/li>\n<li><strong>ADC (Application Default Credentials)<\/strong>: Google authentication mechanism used by client libraries to obtain credentials.<\/li>\n<li><strong>Service account<\/strong>: Non-human identity for workloads and automation in Google Cloud.<\/li>\n<li><strong>Cloud Audit Logs<\/strong>: Logs that record administrative and data access activities for Google Cloud services.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Sensitive Data Protection is Google Cloud\u2019s managed <strong>Security<\/strong> service for <strong>discovering<\/strong> sensitive data and <strong>de-identifying<\/strong> it through masking, redaction, replacement, and cryptographic transformations. It fits best when you need an API-driven, scalable approach to identify where PII\/PHI\/PCI\/secrets exist and to reduce exposure before sharing or analytics.<\/p>\n\n\n\n<p>Key takeaways:\n&#8211; <strong>Cost<\/strong> is primarily driven by <strong>data volume scanned\/transformed<\/strong> and by findings export destinations (BigQuery\/Cloud Storage\/Pub\/Sub).\n&#8211; <strong>Security<\/strong> depends on strict IAM, careful handling of findings, and thoughtful de-identification choices (including key management if using cryptographic methods).\n&#8211; Use it when you need repeatable discovery and de-identification in Google Cloud workflows; pair it with governance tooling and operational remediation for full effectiveness.<\/p>\n\n\n\n<p>Next step: read the official docs and extend the lab into a production pattern by exporting findings to BigQuery and building a simple remediation workflow with Pub\/Sub and Cloud Run.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51,10],"tags":[],"class_list":["post-819","post","type-post","status-publish","format-standard","hentry","category-google-cloud","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/819","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=819"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/819\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=819"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}