This topic describes how to configure desensitization algorithms of Sensitive Data Discovery and Protection (SDDP).

Background information

The following table lists the desensitization algorithms that SDDP supports.

Algorithm Description Example
Hashing: Uses a hash function to calculate the hash values of sensitive data and replace the raw data with the hash values. The MD5, Secure Hash Algorithm 1 (SHA-1), SHA-256, and hash-based message authentication code (HMAC) salted algorithms are supported.
Note
  • Raw data cannot be retrieved after it is desensitized in this mode.
  • Hashing is often used to implement tokenization or desensitize passwords.

Data to be desensitized: 13312341234

Data after desensitization: cde586d7e3a68db1fe2f01ee38bb5f60

Masking: Masks targeted information in sensitive data with asterisks (*) or number signs (#) in any of the following ways:
  • Keep the first N characters and the last M characters.
  • Keep characters from the Xth position to the Yth position.
  • Mask the first N characters and the last M characters.
  • Mask characters from the Xth position to the Yth position.
  • Mask characters before a special character.
  • Mask characters after a special character.

Data to be desensitized: 13312341234

Data after desensitization: 13******234

Replacement: Uses a mapping table or an interval to replace the entire value of a field, or part of it, either with the mapped value or with a random value.
  • If raw data is replaced with mapped values, the raw data can be retrieved after desensitization. If raw data is replaced with random values, the raw data cannot be retrieved after desensitization.
  • SDDP provides multiple built-in mapping tables, which can be used to desensitize fields in fixed formats, such as ID card numbers.
  • SDDP allows you to edit mapping tables in TXT and RTF formats, and add custom replacement algorithms.

Data to be desensitized: 13312341234

Data after desensitization: 13******23416661425042

Transformation: Rounds or offsets values to desensitize them.
  • Rounding: You can round numbers and dates based on specified parameters. Raw data cannot be retrieved after it is desensitized in this mode. Rounding is often used for data analysis purposes.
  • Offsetting: You can offset characters in text based on specified parameters. Raw data can be retrieved after it is desensitized in this mode.

Data to be desensitized: 1331234.1234

Data after desensitization: 1331230

Encryption: Uses the Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), or Advanced Encryption Standard (AES) algorithm to encrypt data and replace the raw data with ciphertext. Raw data can be retrieved after it is desensitized in this mode.

Data to be desensitized: 13312341234

Data after desensitization: n8v53qy065eomabLc2Itlg==

Shuffling: Shuffles values of a field in a specified range of a source table. The values can be shuffled randomly or be offset in a specified way. If raw data is offset, the raw data can be retrieved after desensitization. If raw data is shuffled randomly, the raw data cannot be retrieved after desensitization.

Example: N/A
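
The six masking modes and the keyed (HMAC) hashing option listed in the table can be sketched as follows. This is an added example, not SDDP's own code: the function names, the 1-based inclusive positions, the choice to mask the whole value when the parameters would hide nothing, and the demo key are assumptions.

```python
import hashlib
import hmac

def keep_ends(value, n, m, ch="*"):
    """Keep the first n and last m characters, mask the rest."""
    if n + m >= len(value):          # nothing would be hidden: fail closed
        return ch * len(value)
    return value[:n] + ch * (len(value) - n - m) + value[len(value) - m:]

def mask_ends(value, n, m, ch="*"):
    """Mask the first n and last m characters, keep the middle."""
    if n + m >= len(value):
        return ch * len(value)
    return ch * n + value[n:len(value) - m] + ch * m

def mask_range(value, x, y, ch="*"):
    """Mask positions x..y (assumed 1-based and inclusive)."""
    x, y = max(x, 1), min(y, len(value))
    if x > y:                        # empty range: nothing to mask
        return value
    return value[:x - 1] + ch * (y - x + 1) + value[y:]

def keep_range(value, x, y, ch="*"):
    """Keep positions x..y (assumed 1-based and inclusive), mask the rest."""
    x, y = max(x, 1), min(y, len(value))
    if x > y:                        # empty range: keep nothing
        return ch * len(value)
    return ch * (x - 1) + value[x - 1:y] + ch * (len(value) - y)

def mask_before(value, sep, ch="*"):
    """Mask everything before the first occurrence of sep."""
    head, found, tail = value.partition(sep)
    return ch * len(head) + found + tail if found else ch * len(value)

def mask_after(value, sep, ch="*"):
    """Mask everything after the first occurrence of sep."""
    head, found, tail = value.partition(sep)
    return head + found + ch * len(tail) if found else ch * len(value)

def hmac_token(value, key):
    """Keyed hash (HMAC-SHA-256): same input and key give the same token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    phone = "13312341234"            # sample value from the table above
    print(keep_ends(phone, 2, 3))    # 13******234
    print(mask_range(phone, 4, 7))
    print(hmac_token(phone, b"constructed-demo-key"))
```

Because the keyed hash is deterministic for a given key, equal raw values map to equal tokens, which is what makes it usable for tokenization; changing the key changes every token.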

Procedure

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Security Configuration > Desensitization Algorithm Configuration.
  3. Click the tab for the desensitization algorithm that you want to use for static desensitization.
  4. Configure the desensitization algorithm.
    • Hashing: Set a salt value for each encryption algorithm.
      Note

      In cryptography, you can insert a specific string into a fixed position of a password to generate a hash value that is different from that of the original password. This process is called salting.

      The salt value is the specific string that you insert.
    • Masking: Set parameters for the masking algorithm.
    • Replacement: Set parameters for the replacement algorithm.
    • Transformation: Set parameters for the transformation algorithm.
    • Encryption: Set a key for each encryption algorithm.
    • Shuffling: Select a shuffling method.
      Note: You do not need to test the shuffling method. Click Save directly after you select a shuffling method.
  5. Click Test for a parameter.
    In the Desensitization Algorithm Test dialog box that appears, check whether the desensitization algorithm works.

    After the test is completed, close the Desensitization Algorithm Test dialog box.

  6. Click Save for the parameter.

What to do next

After configuring the desensitization algorithm, go to the Static Desensitization page to create a desensitization task with the desensitization algorithm or modify the desensitization algorithm of an existing desensitization task.