Universal Masking
Satori’s Universal Masking allows organizations to mask query responses for their users to avoid exposing sensitive information. Unlike existing dynamic masking solutions which require defining which columns to mask, Satori’s universal masking applies to data detected and tagged by Satori’s data classification and tagging mechanisms, automating the definition process.
Satori supports two types of data transformations:
- Generic transformations - can be applied to any data type, such as replacing data fields with predefined strings, hashing the data or removing it completely from the result set.
- Specific transformations - tailor-made transformations for common data types which provide a better user experience for users of masked data. For example, anonymizing an email address by replacing the address prefix with `*`, or retaining only the year from a date of birth field.
The full list of transformations is listed here.
Masking Profiles
To simplify the process of configuring masking, Satori uses Masking Profiles. Masking profiles define the set of transformations to apply to each data type, and are used by the policy engine when defining rules. The same profile can be re-used by multiple rules. In addition, Satori provides a few profile templates for common use-cases. Masking profiles are composed of:
- Name - a unique name of the profile.
- Description - a short description of the profile.
- Masking conditions - a list of masking conditions.
Masking conditions define which transformation to apply for every tag. Only one condition can be set for each tag. Satori supports two types of tags:
- Pre-defined tags - like PII, email, credit card, etc. See the tag reference for the full list.
- Custom - user-defined tags. See custom tags for more information.
When defining a condition for both a tag and its category, for example email and PII, the most specific condition takes precedence. In this example, the transformation defined in the condition for email will be applied.
Creating a masking policy
Masking profiles are used by the policy engine when defining a rule with a mask action. To tell the policy engine which masking profile to use, specify the ID of the profile in the action. The ID is available either by selecting the Copy ID action in the profile menu or when viewing the profile.
For example:

```yaml
- name: Mask Customer PII for Analysts
  action:
    type: mask
    profile: 7d1c1d8f-2fed-4897-8163-ef174d885192
  identity_tags:
    - identity.datastore.role::analyst
  data_tags:
    - customer_data
  priority: 2
```
Transformations
Generic Transformations
Name | Example | Comments |
---|---|---|
Hash | `"data" => "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"` | Use this transformation to obfuscate the data completely while retaining its statistical properties for counting, aggregating, etc. |
Replace characters with | `"12345678" => "aaaaaaaa"` | Use this transformation to preserve the length of the original data |
Replace entire string | `"12345678" => "REDACTED"` | Use this transformation to make it clear the data has been masked |
Mask everything except last | `"12345678" => "******78"` | Use this transformation to retain a hint of the original data |
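The four generic transformations in the table are simple enough to reimplement, which makes it easier to reason about what each one preserves and what it leaks. The following is an added example written for this page, not Satori's own code: it assumes SHA-256 (optionally keyed with HMAC, since an unkeyed hash of low-entropy data such as phone numbers can be reversed by brute force) and does not reproduce the digest shown in the table, because the page does not state which hash function or key Satori uses. The `count_distinct` helper shows why the hash transformation keeps counts and group-bys meaningful while the other generic transformations do not.

```python
import hashlib
import hmac
from typing import Callable, Iterable


def hash_value(value: str, key: bytes = b"") -> str:
    """Hash: SHA-256 hex digest, or HMAC-SHA-256 when a key is supplied.
    Deterministic, so equal inputs give equal outputs and counting/aggregation
    still work. Use a key for low-entropy fields (assumption: the deployment
    keeps the key outside the data store it masks)."""
    data = value.encode("utf-8")
    if key:
        return hmac.new(key, data, hashlib.sha256).hexdigest()
    return hashlib.sha256(data).hexdigest()


def replace_chars(value: str, fill: str = "a") -> str:
    """Replace characters with: keeps only the length of the original."""
    if len(fill) != 1:
        raise ValueError("fill must be a single character")
    return fill * len(value)


def replace_entire(value: str, replacement: str = "REDACTED") -> str:
    """Replace entire string: a fixed marker that makes masking obvious."""
    return replacement


def mask_except_last(value: str, keep: int = 2, fill: str = "*") -> str:
    """Mask everything except last N characters. Values no longer than N are
    masked completely rather than returned unchanged (fail closed)."""
    if keep < 0:
        raise ValueError("keep must be non-negative")
    if len(value) <= keep:
        return fill * len(value)
    hidden = len(value) - keep
    return fill * hidden + value[hidden:]


def count_distinct(values: Iterable[str], transform: Callable[[str], str]) -> int:
    """Number of distinct values after masking; equals the true distinct count
    only for transformations that are injective on the input set."""
    return len({transform(v) for v in values})


if __name__ == "__main__":
    # Constructed sample column, not real data.
    phones = ["12345678", "12345679", "12345678", "87654321"]
    print(hash_value("data"))
    print(replace_chars("12345678"))          # aaaaaaaa
    print(replace_entire("12345678"))         # REDACTED
    print(mask_except_last("12345678"))       # ******78
    print(count_distinct(phones, hash_value))  # 3, same as the clear-text column
    print(count_distinct(phones, replace_chars))  # 1, statistics are lost
```

Note that `mask_except_last` on an 8-digit phone number still reveals two digits; the trailing characters of identifiers (last four of a card number, last octet of an address) are a deliberate hint, so profile authors should choose the kept length per data type rather than reuse one default.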
Specific Transformations
In addition to the generic transformations, specific transformations are available for selected data types.
Email
Name | Example | Comments |
---|---|---|
Hash while preserving format | `"user@company.net" => "1234@567890a.bcd"` | Generates a hashed version of the original email address. Use this transformation to preserve the original format of the data |
Mask while preserving format | `"user@company.net" => "****@*******.***"` | Use this transformation to obfuscate the data completely while preserving its original format |
Mask username | `"user@company.net" => "****@company.net"` | Use this transformation to retain information about the domain name of the email address |
Mask domain | `"user@company.net" => "user@*******.***"` | Use this transformation to retain information about the username of the email address |
Credit Card
Name | Example | Comments |
---|---|---|
Hash while preserving format | `"1234-5678-9012-3456" => "abcd-ef12-3456-7890"` | Generates a hashed version of the original credit card. Use this transformation to preserve the original format of the data |
Mask while preserving format | `"1234-5678-9012-3456" => "****-****-****-****"` | Use this transformation to obfuscate the data completely while preserving its original format |
Show only last 4 digits | `"1234-5678-9012-3456" => "****-****-****-3456"` | Shows only the last 4 digits |
Date of Birth
Name | Example | Comments |
---|---|---|
Show only the year | `"abcd 2/6/1975 abcd" => "*********1975*****"` | Use this transformation to retain information about the year only |
Public IP Address
Name | Example | Comments |
---|---|---|
Anonymize IP address | `"11.20.30.1" => "11.20.0.0"` | Use this transformation to retain /16 of an IPv4 address and /64 of an IPv6 address |
Hash while preserving format | `"11.20.30.1" => "ab.cd.ef.1"` | Generates a hashed version of the original IP address. Use this transformation to preserve the original format of the data |
Mask while preserving format | `"11.20.30.1" => "**.**.**.*"` | Use this transformation to obfuscate the data completely while preserving its original format |
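The specific transformations for email, credit card, date of birth and IP address in the tables above share one idea: keep the separators (or the part the analyst needs) and hide the rest. The following is an added example written for this page, not Satori's code; it assumes a keyed SHA-256 per character for the format-preserving hash (the page does not say how Satori derives its hashed output), masks every letter or digit with `*` for the format-preserving mask, and fails closed by masking the whole value when the input is not a well-formed email, date or IP address. It goes slightly beyond the table in accepting `YYYY-MM-DD` dates as well as `D/M/YYYY`.

```python
import hashlib
import ipaddress
import re
import string

ALNUM = string.ascii_lowercase + string.digits
MASK = "*"


def hash_preserving_format(value: str, key: bytes = b"") -> str:
    """Every letter or digit becomes a character derived from a keyed SHA-256
    digest of the whole value plus the character position; separators such as
    '@', '.', '-' and ':' stay where they are. Deterministic, so equal inputs
    still match and joins keep working (assumption: key held outside the store)."""
    out = []
    for i, ch in enumerate(value):
        if ch.isalnum():
            d = hashlib.sha256(key + value.encode("utf-8") + i.to_bytes(4, "big")).digest()
            out.append(ALNUM[int.from_bytes(d[:4], "big") % len(ALNUM)])
        else:
            out.append(ch)
    return "".join(out)


def mask_preserving_format(value: str) -> str:
    """Mask while preserving format: letters and digits become '*', separators remain."""
    return "".join(MASK if ch.isalnum() else ch for ch in value)


def _split_email(value: str):
    local, sep, domain = value.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain


def mask_email_username(value: str) -> str:
    """Mask username: hide the local part, keep the domain."""
    parts = _split_email(value)
    if parts is None:  # not an email: do not guess, mask everything
        return mask_preserving_format(value)
    local, domain = parts
    return MASK * len(local) + "@" + domain


def mask_email_domain(value: str) -> str:
    """Mask domain: keep the local part, hide the domain but keep its dots."""
    parts = _split_email(value)
    if parts is None:
        return mask_preserving_format(value)
    local, domain = parts
    return local + "@" + mask_preserving_format(domain)


def credit_card_last4(value: str) -> str:
    """Show only last 4 digits: every other digit becomes '*', separators remain."""
    digits = sum(ch.isdigit() for ch in value)
    if digits < 4:
        return mask_preserving_format(value)
    keep_from, seen, out = digits - 4, 0, []
    for ch in value:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else MASK)
            seen += 1
        else:
            out.append(MASK if ch.isalnum() else ch)
    return "".join(out)


# D/M/YYYY (or M/D/YYYY, with '/', '.' or '-') and YYYY-MM-DD; the 4-digit year
# is group 1 or group 2 depending on which alternative matched.
DATE_RE = re.compile(
    r"(?<!\d)(?:\d{1,2}[/.-]\d{1,2}[/.-](\d{4})|(\d{4})[/.-]\d{1,2}[/.-]\d{1,2})(?!\d)"
)


def dob_show_year(value: str) -> str:
    """Show only the year: everything outside the 4-digit year becomes '*'.
    If no date is recognised the whole value is masked rather than leaked."""
    m = DATE_RE.search(value)
    if m is None:
        return MASK * len(value)
    start, end = m.span(1) if m.group(1) else m.span(2)
    return MASK * start + value[start:end] + MASK * (len(value) - end)


def anonymize_ip(value: str) -> str:
    """Anonymize IP address: truncate to /16 for IPv4 and /64 for IPv6."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return MASK * len(value)
    prefix = 16 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


if __name__ == "__main__":
    # Constructed sample values matching the tables, not real records.
    for fn, v in [(mask_preserving_format, "user@company.net"),
                  (mask_email_username, "user@company.net"),
                  (mask_email_domain, "user@company.net"),
                  (credit_card_last4, "1234-5678-9012-3456"),
                  (dob_show_year, "abcd 2/6/1975 abcd"),
                  (anonymize_ip, "11.20.30.1"),
                  (hash_preserving_format, "user@company.net")]:
        print(f"{fn.__name__:26} {v!r} => {fn(v)!r}")
```

Because the format-preserving hash is deterministic, two masked tables still join on the hashed email or card number; that is the property the "Hash while preserving format" rows describe, and it is also why the key matters: without one, anybody who can guess candidate inputs can recompute the mapping.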
Limitations
Masking does not currently support semi-structured data granularity (e.g. a specific location inside a JSON document); when masking is triggered on a semi-structured data type, the full data set will get masked.