Universal Masking

Satori’s Universal Masking allows organizations to mask query responses for their users to avoid exposing sensitive information. Unlike existing dynamic masking solutions which require defining which columns to mask, Satori’s universal masking applies to data detected and tagged by Satori’s data classification and tagging mechanisms, automating the definition process.

Satori supports two types of data transformations:

  • Generic transformations - can be applied to any data type, such as replacing data fields with predefined strings, hashing the data, or removing it completely from the result set.
  • Specific transformations - tailor-made transformations for common data types that provide a better experience for users of masked data. For example, anonymizing an email address by replacing the address prefix with * or retaining only the year from a date of birth field.

The full list of transformations appears in the Transformations section below.

Masking Profiles

To simplify the process of configuring masking, Satori uses Masking Profiles. Masking profiles define the set of transformations to apply to each data type, and are used by the policy engine when defining rules. The same profile can be re-used by multiple rules. In addition, Satori provides a few profile templates for common use-cases. Masking profiles are composed of:

  • Name - a unique name of the profile.
  • Description - a short description of the profile.
  • Masking conditions - a list of masking conditions.

Masking conditions define which transformation to apply for every tag. Only one condition can be set for each tag. Satori supports two types of tags:

  • Pre-defined tags - like PII, email, credit card, etc. See the tag reference for the full list.
  • Custom - user-defined tags. See custom tags for more information.

When defining a condition for both a tag and its category, for example email and PII, the most specific condition takes precedence. In this example, the transformation defined in the condition for email will be applied.
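
The precedence rule above, as an added Python sketch (not Satori's code or API). The tag hierarchy, the `credit_card` and `date_of_birth` identifiers, the function names and the sample profile are constructed for illustration, and falling back from a tag to its category when the tag has no condition of its own is an assumption.

```python
# Hypothetical tag hierarchy (tag -> category); the real one is in the tag reference.
CATEGORY_OF = {"email": "PII", "credit_card": "PII", "date_of_birth": "PII"}

def build_profile(name, description, conditions):
    """Build a masking profile, rejecting a second condition for the same tag."""
    by_tag = {}
    for tag, transformation in conditions:
        if tag in by_tag:
            raise ValueError(f"profile {name!r}: tag {tag!r} already has a condition")
        by_tag[tag] = transformation
    return {"name": name, "description": description, "conditions": by_tag}

def resolve_transformation(profile, tag):
    """Return (matched_tag, transformation) for the most specific condition, or None."""
    visited = set()
    while tag is not None and tag not in visited:   # guard against a cyclic hierarchy
        visited.add(tag)
        if tag in profile["conditions"]:
            return tag, profile["conditions"][tag]
        tag = CATEGORY_OF.get(tag)                  # assumed fallback to the category
    return None

# Constructed sample profile: one condition on the category, one on a tag inside it.
PROFILE = build_profile(
    "analyst-default",
    "constructed sample profile",
    [("PII", "Replace entire string"), ("email", "Mask username")],
)

if __name__ == "__main__":
    for column_tag in ("email", "credit_card", "customer_data"):
        print(column_tag, "->", resolve_transformation(PROFILE, column_tag))
```

A `None` result means no condition in the profile covers the tag, which is worth reviewing before relying on the profile for a new data type.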

Creating a masking policy

Masking profiles are used by the policy engine when defining a rule with a mask action. To tell the policy engine which masking profile to use, specify the ID of the profile in the action. The ID is available either by selecting the Copy ID action in the profile menu or when viewing the profile.

For example:

- name: Mask Customer PII for Analysts
  action:
    type: mask
    profile: 7d1c1d8f-2fed-4897-8163-ef174d885192
  identity_tags:
    - identity.datastore.role::analyst
  data_tags:
    - customer_data
  priority: 2

Transformations

Generic Transformations

| Name | Example | Comments |
| --- | --- | --- |
| Hash | "data" => "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c" | Use this transformation to obfuscate the data completely while retaining its statistical properties for counting, aggregating, etc. |
| Replace characters with | "12345678" => "aaaaaaaa" | Use this transformation to preserve the length of the original data |
| Replace entire string | "12345678" => "REDACTED" | Use this transformation to make it clear the data has been masked |
| Mask everything except last | "12345678" => "******78" | Use this transformation to retain a hint of the original data |

Specific Transformations

In addition to the generic transformations, specific transformations are available for selected data types.

Email

| Name | Example | Comments |
| --- | --- | --- |
| Hash while preserving format | "user@company.net" => "1234@567890a.bcd" | Generates a hashed version of the original email address. Use this transformation to preserve the original format of the data |
| Mask while preserving format | "user@company.net" => "****@*******.***" | Use this transformation to obfuscate the data completely while preserving its original format |
| Mask username | "user@company.net" => "****@company.net" | Use this transformation to retain information about the domain name of the email address |
| Mask domain | "user@company.net" => "user@*******.***" | Use this transformation to retain information about the username of the email address |

Credit Card

| Name | Example | Comments |
| --- | --- | --- |
| Hash while preserving format | "1234-5678-9012-3456" => "abcd-ef12-3456-7890" | Generates a hashed version of the original credit card. Use this transformation to preserve the original format of the data |
| Mask while preserving format | "1234-5678-9012-3456" => "****-****-****-****" | Use this transformation to obfuscate the data completely while preserving its original format |
| Show only last 4 digits | "1234-5678-9012-3456" => "****-****-****-3456" | Shows only last 4 digits |

Date of Birth

| Name | Example | Comments |
| --- | --- | --- |
| Show only the year | "abcd 2/6/1975 abcd" => "*********1975*****" | Use this transformation to retain information about the year only |

Public IP Address

| Name | Example | Comments |
| --- | --- | --- |
| Anonymize IP address | "11.20.30.1" => "11.20.0.0" | Use this transformation to retain /16 of an IPv4 address and /64 of an IPv6 address |
| Hash while preserving format | "11.20.30.1" => "ab.cd.ef.1" | Generates a hashed version of the original IP address. Use this transformation to preserve the original format of the data |
| Mask while preserving format | "11.20.30.1" => "**.**.**.*" | Use this transformation to obfuscate the data completely while preserving its original format |
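
Five of the transformations listed above, reproduced as an added Python example (not Satori's implementation) so their outputs and edge cases can be checked against the documented examples. The function names are hypothetical, and masking everything when the input is too short or malformed is an assumed fail-closed choice, not documented Satori behaviour.

```python
import ipaddress
import re

def mask_except_last(value, keep=2):
    """Generic: star out all but the last `keep` characters."""
    if len(value) <= keep:              # too short to leave a hint: mask everything
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[len(value) - keep:]

def mask_email_username(value):
    """Email: hide the username, keep the domain."""
    local, sep, domain = value.rpartition("@")
    if not sep:                         # not an address: mask everything
        return "*" * len(value)
    return "*" * len(local) + "@" + domain

def card_last4(value):
    """Credit card: star every digit but the last four, keep separators."""
    total = sum(c.isdigit() for c in value)
    first_kept = total - 4 if total > 4 else total   # 4 digits or fewer: show none
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if seen >= first_kept else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)

def dob_year_only(value):
    """Date of birth: keep one four-digit year, star everything else."""
    # Assumption: a year is a standalone 19xx or 20xx run of digits.
    m = re.search(r"(?<!\d)(?:19|20)\d{2}(?!\d)", value)
    if not m:
        return "*" * len(value)
    return "*" * m.start() + m.group(0) + "*" * (len(value) - m.end())

def anonymize_ip(value):
    """Public IP: keep the /16 of an IPv4 or the /64 of an IPv6 address."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:                  # unparseable: mask everything
        return "*" * len(value)
    prefix = 16 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)
```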

Limitations

Masking does not currently support semi-structured data granularity (e.g. a specific location inside a JSON document). When masking is triggered on a semi-structured data type, the full data set will be masked.