Skip to main content
Version: v4.16

Data Masking

You can use a Cyral policy to mask the results of queries to protect information and comply with privacy regulations. To set this up, you'll add one or more masking commands in the data block of your Cyral policy.

note

Masking is supported on Denodo, MariaDB, MongoDB, MySQL, Oracle, PostgreSQL, Redshift, Snowflake, and SQL Server repositories.

About masking

Each mask describes a transformation to be applied to a specific field's data when a user queries that field. For instance, a policy can specify that when user bob tries to read a credit card number (for example, from a column you've labeled as "CCN" in your Cyral data map and policy), his query will instead return the constant ***. The example policy below illustrates this:

{
"governedData": {
"labels": ["CCN"]
},
"readRules": [
{
"conditions": [],
"constraints": {
"mask": {
"function": "constant",
"args": ["***"]
}
}
}
]
}

In the example above, the mask constraint specifies that any fields that correspond to the CCN label will have their data replaced with a constant value (in this case, ***) in query results. As the name implies, the "constant" mask function forces the replacement of the field’s value with a constant value that is specified as its argument.

To show the effect of the above policy, let's look first at the results without the policy applied:

bob=# select ccn from credit_card_data; # masking policy disabled
ccn
---------------------
4444-3333-2222-1111
4484-6000-0000-0004
4035-5010-0000-0008

Now, let's see the results with the policy in effect:

bob=# select ccn from credit_card_data; # masking policy enabled
ccn
-----
***
***
***

Enable masking on your repository

Before your policies can enforce masking rules, you must enable the Cyral masking capability on each repository that you want to protect. Follow the steps in both sections below to do this.

Turn on masking for the repository in Cyral

  1. In the Cyral control plane UI, click Data Repos, click the name of your repository, and click Config and Policy Enforcement.
  2. Turn ON Enable policy enforcements and turn ON Enable data masking.
warning

Your setup is not complete. You must install the helper function in your database as described below!

Install the Cyral mask helper in your database

Prerequisite: Make sure you have turned on masking for the repository in Cyral.

  1. Install the Cyral mask helper function in your database. To do this:
    • Make sure you have an SQL user account on the repository with at least the following permissions:
      • the CREATE SCHEMA privilege
      • the privilege to install a user-defined function (UDF) or equivalent (often the USAGE privilege grants this)
      • on Snowflake and SQL Server only: The CREATE DATABASE privilege
    • Using the account described above, connect to your repository through the Cyral sidecar. For this, you must use psql or any client that uses the JDBC driver with enableQueryMode=simple.
    • Run cyral install mask;
  2. Proceed to Add a masking rule in your policy, below.
note

Installing the Cyral mask function creates a schema called cyral in your repository. The Cyral mask function belongs to this schema.

On Snowflake repositories only, installing the mask function also creates a database called cyral.

Manage the Cyral mask function

To check the status of the Cyral mask function on any repository (except Oracle), type cyral describe mask at the SQL prompt.

Remove the Cyral mask function

To remove the Cyral mask function, run the command cyral uninstall mask at the SQL prompt.

Add a masking policy

You can create either a global policy or use the predefined Datat Masking policy template to define a masking policy.

Mask types

Cyral supports the following types of masks:

  • format-preserving: Cyral replaces the field's contents with a semi-randomized string that preserves all hyphens, dots, and other punctuation in the string. Numbers are replaced with randomly chosen numbers, and letters with randomly chosen letters. Letter case is preserved, meaning lowercase letters are replaced with random lowercase letters, and uppercase with random uppercase letters. This transformation happens for each element individually.For example, two email addresses, even if identical, would be transformed to two different strings.

    • Example: A mask constraint declared as {"function": "format-preserving"} might replace an address of MyEmail123@cyral.com with ZaFxbcd517@dzbxq.pqd.
  • **constant**: Cyral replaces the field's contents with the value that you provide. Specify the replacement value as the second argument, in double quotes.

    • Example: A mask constraint declared as {"function": "constant", "args": ["***"]} would replace any value with the fixed value of ***.
  • null: Cyral replaces the field's contents with a null value.

    • Example: A mask constraint declared as {"function": "null"} would replace any value with NULL.
  • custom: Cyral replaces the field's contents with the result of a user-defined function, please check the custom mask page for more details.

Supported data types

When applying data masking, Cyral will, in general, respect the data type of the masked field. However, not all data types are supported, and errors in policies can lead to the type being incorrect. Please see below for database-specific details:

Cyral supports booleans, numeric types, and strings. If a policy targets a column whose type is not one of the above, the behavior depends on the mask specified in the policy:

  • mask: the field will be returned with a null value
  • constant_mask: the field will be returned with the supplied replacement value
  • null_mask: the field will be returned with a null value