IRI Chakra Max is a database firewall product designed to perform data-centric audit and protection (DCAP) for information in multiple database platforms. It does so through:
- Setting database access permissions
- Controlling SQL statements so only approved syntax on tables is allowed
- Masking sensitive data dynamically as it is extracted from a table
In this article, we focus on the creation and application of a dynamic data masking security policy in Chakra Max. The masking occurs as the data is extracted, so that requested sensitive data is redacted automatically, but the original data in the tables is not changed. This is done via packet analysis, and does not impact the performance of the database. A security administrator must set up the masking rules.
The five stages for creating a security policy for data masking, or a “security masking policy,” are:
- Configure Policy
- Define Security Rules
- Define Masking Rules
- Assign Policy
Configure Policy
Open the Chakra Max Manager. This is where the security administrator can establish and monitor security policies. Close the Welcome window and select Policy on the menu bar. Click on the + Security Policy button in the lower left portion of the window to activate the Security Policy Wizard. Next, select the type of policy being created. Under Masking Policy, select the * button for SQL Result Masking Policy.
You need to know the details about the tables and columns that are to be masked. To help you discover and view the data in your tables, and the underlying structures (and relationships) of those tables, use the IRI Workbench GUI’s Data Source explorer. If you need help connecting to your DBs in the Workbench, email email@example.com.
In this window, type the name for the new policy in the field for Policy Name. In the Description box, type a brief description for that policy. The Apply Priority dropdown sets the order in which policies are applied when more than one security policy matches; we will set this to 1 (the highest priority). At the bottom of the wizard, click Next.
Define Security Rules
This window will set the Database Access Rules; that is, what IP addresses, users, and applications can access tables where this policy is applied, and what days and times access is allowed. For each category, you can specify Including or Excluding to indicate whether the policy is or is not applied.
Each category has two boxes: one where you can enter individual items manually, and a dropdown where you can choose a predefined group. In the case of the Application boxes, you can choose from registered applications.
When manually entering more than one item, separate them with a semicolon (;). When finished, click Next.
Define Masking Rules
You have two mutually exclusive options for defining the masking rules:
- Select Table, Column
  - Under the Table heading, specify the name of the table.
  - Under the Column heading, specify the name of the column to be masked. If there is more than one column, use a semicolon to separate the column names. If all columns are to be masked, use an asterisk (*) under the Column heading.
  - Under the Type heading, choose either “Full Masking” or “Partial Masking.” Partial Masking will mask the data in the column according to the specified format.
  - Define the Format when Partial Masking is chosen. Use an asterisk (*) as the masking character and a zero (0) for characters that will not be masked. Any other characters in the format are left “as is.” For example, if you have a social security number 555-44-3333 where the last four characters are to be unmasked, the format would be defined as ***-**-0000, and the column value actually passed to the user is ***-**-3333. Numeric masking is only available with Oracle, MS-SQL, and MySQL, and you must choose Full Masking for numeric columns.
- Select Sensitive Pattern
  - Choose a Pattern from a list of predefined patterns. The patterns are defined in Sensitive Objects under Policy.
  - Under the Type heading, choose either “Full Masking” or “Partial Masking.” Partial Masking will mask the data in the column according to the specified format.
  - Specify the Format.
Assign Policy
This feature allows you to assign the masking policy to multiple database instances in a consistent fashion. Select the appropriate Chakra Max protected database(s), then click Next.
There will be a popup that says “Add a new policy?” Click Yes.
This new policy is now added to the list of policies. In the panel to the left of the Policy window, the policy list is displayed when the far right button at the top of that panel is selected. This is the Security Policy Management button. On that list, you can expand the Masking Policy List to show all the policies under that category.
By clicking on a specific policy, the information about that policy is displayed in the main part of the window, where you can choose to Modify or Delete the policy. If you choose Modify, you will be taken through the Security Policy Wizard again.
When the policy is completed, it can be activated. Right-click on the policy, then select Active Policy. There will be a popup that asks “Do you want to update status now?” Click Yes. In the list, the icon for the policy will change color to show that the policy is active. Once a masking policy is active, the rules assigned to users or user groups by that policy will then be enforced.
Below is a screen in IRI Workbench where an SQL SELECT statement has been executed. In the Chakra Max Policy List there are two masking policies: one that does a full mask of the column FIRSTNAME and another that does a partial mask of the column LASTNAME:
The view below the SQL statement shows the resulting rows. Notice that the columns FIRSTNAME and LASTNAME have been masked. This masking takes place as the data passes through the Chakra Max gateway and does not affect the data in the table.
The data redaction features in Chakra Max supplement other dynamic data masking options in IRI software. Static data masking for databases is available in IRI FieldShield or the larger IRI Voracity data management platform, both of which also include database profiling and administration facilities.