Cyral
Get Started Sign In

Data Masking in Cyral

You can use a Cyral policy to mask the results of queries to protect information and comply with privacy regulations. To set this up, you'll add one or more masking commands in the data block of your Cyral policy. 

Each mask describes a transformation to be applied to a specific field's data when a user queries that field. For instance, a policy can specify that when user bob tries to read a credit card number (for example, from a column you've labeled as "CCN" in your Cyral data map and policy), his query will instead return the constant "***". The example policy below illustrates this:

data:
  - CCN
rules:
  - identities:
      users: [bob]
    reads:
      - data:
        - constant_mask(CCN, "***")


In the example above, the mask rule, constant_mask(CCN, "***") means that the columns that correspond to the CCN label will have their data replaced with a constant value (in this case, ***) in query results. As the name implies, constant_mask forces the replacement of the field’s value with a constant value you've specified.

To show the effect of the above policy, let's look first at the results without the policy applied:

bob=# select ccn from credit_card_data; # masking policy disabled
         ccn         
---------------------
 4444-3333-2222-1111
 4484-6000-0000-0004
 4035-5010-0000-0008



Now, let's see the results with the policy in effect:

bob=# select ccn from credit_card_data; # masking policy enabled
 ccn 
-----
 ***
 ***
 ***



Mask Specification

In your Cyral policy, add your masking rules in the data section of a contexted rule. In the data block, instead of simply declaring the data label to be protected, you will specify a mask type followed in parentheses by the name of the label to be masked. If the mask requires an argument, add a comma after the label name, and then the argument.


<mask_type>(<label>, <mask_argument>)



To mask more than one label for a user or group, include additional mask declarations in the data block. For example:

data:
  - EMAIL
  - CCN
rules:
  - identities:
      users: [bob]
    reads:
      - data:
        - mask(EMAIL)
        - constant_mask(CCN, "***")



Mask types

The available types of masks are

  • mask: Cyral replaces the field's contents with a semi-randomized string that preserves all hyphens, dots, and other punctuation in the string. Numbers are replaced with randomly chosen numbers, and letters with randomly chosen letters. Letter case is preserved, meaning lowercase letters are replaced with random lowercase letters, and uppercase with random uppercase letters. This transformation happens for each element individually. For example, two email addresses, even if identical, would be transformed to two different strings. For example, a mask declared as mask(EMAIL) might replace an address of "MyEmail123@cyral.com" with "ZaFxbcd517@dzbxq.pqd".

  • constant_mask: Cyral replaces the field's contents with the value that you provide. Specify the replacement value as the second argument, in double quotes. For example, a mask declared as constant_mask(CCF, “***“) would replace a CCF value of "4111111212121212" with a return value of "***".

  • null_mask: Cyral replaces the field's contents with a null value. For example, a mask declared as null_mask(CCN) would replace a CCF value of "4111111212121212" with a NULL return value.



Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.