Masking Profiles
Satori’s Masking profiles allow organizations to mask query responses for their users to avoid exposing sensitive information. Unlike existing masking solutions that require defining which columns to mask, Satori’s masking profiles can be applied to data detected and tagged by Satori’s data classification and tagging mechanism, which automates the definition process.
Data Transformations
Satori supports two types of data transformations:
- Generic Transformations - can be applied to any data type, like replace data fields with predefined strings, hash the data or remove it completely from the result set.
- Specific Transformations - custom-made transformations for common data types which provide a better user experience for users of masked data. For example, anonymizing an email address by replacing the address prefix with
*or retain only the year from a date of birth field.
To see the full list of transformations refer to the link: Transformations List.
Using Masking Profiles
To simplify the process for configuring dynamic masking, Satori uses Masking Profiles. Masking profiles define the set of transformations to apply to each data type and are used by the policy engine when defining rules. The same profile can be re-used by multiple rules.
Masking Profile Implementation Methods
There are two main methods for applying "Masking Profiles" the first is to apply the masking profile to a security policy masking rule and the second method is to apply a masking policy via the Policy Engine YAML Rule Editor. To learn more about applying a Masking Profile to a Security Policy refer to the link: Security Policies.
Masking Profile Templates
Satori provides three preconfigured profile templates for common use-cases.
-
Permissive Profile - A profile suited for roles which require some access to PII.
-
Restrictive Profile - A profile suited for any role which does not require access to PII.
-
Analytics Profile - A profile suited for analytics teams who need to retain statistical data characteristics while protecting PII.
Masking Profile Attributes
Masking profiles are comprised of the following attributes:
- Name - a unique name of the profile.
- Description - a short description of the profile.
- Masking Conditions - a list of masking conditions.
Masking conditions define which transformation to apply for every tag. Only one condition can be set for each tag. Satori supports two types of tags:
- Pre-defined Tags - like PII, email, credit card, etc. See the tag reference for the full list.
- Custom Tags - user-defined tags. See custom tags for more information.
When defining a condition for both a tag and its category, for example email and PII, the most specific condition takes precedence. In this example, the transformation defined in the condition for email will be applied.
Creating a Masking Policy
Masking profiles are used by the policy engine when defining a rule with a mask action. To tell the policy engine which masking profile to use, specify the ID of the profile in the action. The ID is available either by selecting the Copy ID action in the profile menu or when viewing the profile.
For Example:
- name: Mask Customer PII for Analysts
action:
type: mask
profile: 7d1c1d8f-2fed-4897-8163-ef174d885192
identity_tags:
- identity.datastore.role::analyst
data_tags:
- customer_data
priority: 2
Transformations
Generic Transformations
| Name | Example | Definition |
|---|---|---|
| Hash | "data" => "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c" |
Use this transformation to obfuscate the data completely while retaining its statistical properties for counting, aggregating, etc. |
| Replace characters with | "12345678" => "aaaaaaaa" |
Use this transformation to preserve the length of the original data |
| Replace entire string | "12345678" => "REDACTED" |
Use this transformation to make it clear the data has been masked |
| Mask everything except last | "12345678" => "******78" |
Use this transformation to retain a hint of the original data |
Specific Transformations
In addition to the generic transformation, for selected data types specific transformation are available.
| Name | Example | Definition |
|---|---|---|
| Hash while preserving format | "user@company.net" => "1234@567890a.bcd" |
Generates a hashed version of the original email address. Use this transformation to preserve the original format of the data |
| Mask while preserving format | "user@company.net" => "****@*******.***" |
Use this transformation to obfuscate the data completely while preserving its original format |
| Mask username | "user@company.net" => "****@company.net" |
Use this transformation to retain information about the domain name of the email address |
| Mask domain | "user@company.net" => "user@*******.***" |
Use this transformation to retain information about the username of the email address |
Credit Card
| Name | Example | Definition |
|---|---|---|
| Hash while preserving format | "1234-5678-9012-3456" => "abcd-ef12-3456-7890" |
Generates a hashed version of the original credit card. Use this transformation to preserve the original format of the data |
| Mask while preserving format | "1234-5678-9012-3456" => "****-****-****-****" |
Use this transformation to obfuscate the data completely while preserving its original format |
| Show only last 4 digits | "1234-5678-9012-3456" => "****-****-****-3456" |
Shows only last 4 digits |
Date of Birth
| Name | Example | Definition |
|---|---|---|
| Show only the year | "abcd 2/6/1975 abcd" => "*********1975*****" |
Use this transformation to retain information about the year only |
Public IP Address
| Name | Example | Definition |
|---|---|---|
| Anonymize IP address | "11.20.30.1" => "11.20.0.0" |
Use this transformation to retain /16 of an IPv4 address and /64 of an IPv6 address |
| Hash while preserving format | "11.20.30.1" => "ab.cd.ef.1" |
Generates a hashed version of the original IP address. Use this transformation to preserve the original format of the data |
| Mask while preserving format | "11.20.30.1" => "**.**.**.*" |
Use this transformation to obfuscate the data completely while preserving its original format |
Semi Structured Data
For semi-structured data granularity (e.g. a specific location inside a JSON), masking is applied to specific fields without affecting other JSON locations.