Data Masking Policy
IOMETE allows you to protect sensitive data using data masking. With this feature, you can create policies that mask or anonymize specific columns containing sensitive data, such as PII, PCI, and PHI, dynamically in the query output.
Policy details
Policy details includes the following properties.| Field | Description |
|---|---|
| Policy name | Enter an appropriate policy name. This name cannot be duplicated in another policy. |
| Enabled & Disabled | The policy is enabled by default. If disabled, the policy will not affect user queries. |
| Normal & Override | When switched to Override, the access permissions in the policy override the access permissions in existing policies. |
| Add Validity Period | Specify a start and end time for the policy. (Optional) |
| Description | Describe the purpose of the policy. (Optional) |
Policy resources
| Field | Description |
|---|---|
| Database | Choose only one database. All available options are displayed in the selection. The search function helps you find an exact match. |
| Table | Choose only one table. All available options are displayed in the selection based on the chosen database. The search function helps you find an exact match. |
| Column | Choose only one column. All available options are displayed in the selection based on the chosen database and table. The search function helps you find an exact match. |
Wildcard matching is not supported in data masking policy.
Mask Conditions
IOMETE provides the mask conditions for the management of fine-grained data masking. The condition includes the following properties.
| Field | Description |
|---|---|
| Select Group | Specify one or more groups for whom this policy should be applied. If no group is specified, you must provide a user. |
| Select User | Specify one or more users for whom this policy should be applied. If no user is specified, you must provide a group. |
| Masking options | To create a masking filter for the specified users, groups, click Select Masking Option, then
select a masking type: |
To add additional conditions, click on the Add new condition button. The conditions are evaluated in the order they appear in the policy. The top condition is applied first, followed by the second, third, and so on.
Drag items from the left-side icon to reorder.
Data masking policy use cases
Use case: Masking phone number in Customers Table
Let's use the customers table for data-masking feature use cases as well.
This use case focuses on implementing a masking policy for the phone_number column within the customers table. The objective is to provide a certain level of data privacy while granting access to the data for the public group.
Policy details:
- Target Table:
customers - Target Column:
phone_number
Masking rule:
- The policy enforces that members of the public group can only view the last 4 digits of the
phone_numbercolumn. - All other digits preceding the last 4 should be masked or obfuscated, ensuring that sensitive information remains protected.
Access permissions:
- The public group is granted read access to the
phone_numbercolumn within thecustomerstable. - This allows the
publicgroup members to view the partially masked phone numbers for customers while ensuring that critical digits are concealed.
Query results
SELECT * from default.customers;
-
Sample Data Before Applying Masking Policy for public group: Consider a few records in the
customerstable before the masking policy is applied:
-
Sample Data After Applying Masking Policy public group: Once the masking policy is applied, the
phone_numbercolumn will show different results based on the user group's access level.