
Data Management:Create a data masking algorithm

Last Updated:Feb 05, 2024

The sensitive data protection feature of Data Management (DMS) provides five data masking algorithms, including hashing, cover, replacement, transformation, and encryption. You can customize different masking rules based on a built-in masking algorithm to define flexible masking policies. The sensitive data protection feature provides a built-in full cover rule for data masking. If you want to use other data masking methods, you can create data masking rules by referring to the steps described in this topic.

Prerequisites

You are a DMS administrator, a database administrator (DBA), or a security administrator.

Note

To view the role of your account, move the pointer over the profile icon in the upper-right corner of the DMS console.

Usage notes

  • For an instance that is managed in Security Collaboration mode, after you configure a custom data masking rule on a field, you must apply for the partial masking permissions to view the data that is masked based on the masking rule that you configure. Otherwise, you can view only the data that is fully masked (full cover). For more information about how to apply for the partial masking permissions, see Manage permissions.

  • After you create a data masking algorithm, you must change the data masking algorithm for the sensitive fields to the new data masking algorithm. This way, the data masking algorithm takes effect.

Procedure

  1. Log on to the DMS console V5.0.

  2. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Sensitive Data > Rule Configurations.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > Security and Specifications > Sensitive Data > Rule Configurations.

  3. On the Rule Configurations page, click the Data Masking Algorithm tab. On this tab, click Add Data Masking Algorithm.

  4. In the New Algorithm panel, configure a data masking algorithm.

    DMS provides the following built-in data masking algorithms:

    • Hashing:

      • MD5: a widely used cryptographic hash function that can generate a 128-bit (16-byte) hash value.

      • SHA1: a cryptographic hash function that can generate a 160-bit (20-byte) hash value called a message digest.

      • SHA256: a cryptographic hash function that generates a 256-bit (32-byte) hash value.

      • HMAC: a keyed hash that combines a secret key with a hash function to produce a message authentication code.

    • Cover up:

      • Full cover: masks the entire value of a field.

        For example, if you want to fully mask the phone number 1381111****, set the Cover string parameter to ***********. Then, the data masking result is ***********.

      • Fixed position cover: masks the specified part of a field.

        For example, if you want to mask the second segment of the IP address 192.168.255.254, set the Cover string parameter to *** and the Mask position configuration parameter to (5,7). Then, the data masking result is 192.***.255.254.

      • Fixed character mask: masks the specified characters of a field.

        For example, if you want to mask example in the email address username@example.com, set the Cover string parameter to ******* and the String to be obscured parameter to example. Then, the data masking result is username@*******.com.

    • Replacement:

      • Map replacement: replaces the specified string with another string.

        Note

        • Separate multiple strings with commas (,).

        • The number of strings to be replaced must be the same as that of the strings to be used for replacement.

        For example, if you want to replace ab in the string abcd with mn, set the Match String parameter to ab and the Replace By parameter to mn. Then, the data masking result is mncd.

      • Random replacement: replaces the specified part of a field with the random characters that you specify.

        For example, if you want to replace username in the email address username@example.com with random characters, set the Replacement position parameter to (1,8) and the Random character parameter to abc. Then, the data masking result may be acbbbbac@example.com.

        Note

        If you specify two or more random characters, the data masking result is random.

    • Transformation:

      • Number rounding: rounds down a number to the Nth digit before the decimal point.

        For example, if the raw data is 1234.12, and you set the Keep the first decimal place parameter to 2, the data masking result is 1230.

      • Date rounded: rounds a date and time.

        For example, if the raw data is 2021-10-14 15:15:30, and you set the Date rounding level parameter to hour, the data masking result is 2021-10-14 15:00:00.

      • Character displacement: moves characters of a field leftward in a loop manner.

        For example, if the raw data is 345678, and you set the String left shift number parameter to 2, the data masking result is 567834.

    • Encryption:

      • DES: uses the Data Encryption Standard (DES) algorithm to encrypt data. The key is eight characters in length, and the data masking result is 16 characters in length.

      • AES: uses the Advanced Encryption Standard (AES) algorithm to encrypt data. It is a more advanced encryption algorithm than the DES algorithm. The key is 16 characters in length, and the data masking result is 32 characters in length.

      • AES encryption-enhanced: an AES encryption mode that does not limit the key length. The data masking result is 32 characters in length.

    • Decryption:

      • AES decryption: decrypts the data that is encrypted in AES encryption mode.

      • AES decryption-enhanced: decrypts the data that is encrypted in AES encryption-enhanced mode.

  5. Test the data masking result.

    1. Enter the raw data to be masked.

    2. Click Test.

    3. Check whether the data is masked as expected.

    For example, if the raw data is 345678, and you set the Algorithm Type parameter to Transformation, the Level 2 parameter to Character displacement, and the String left shift number parameter to 2, the masking result should be 567834.

  6. Click Submit.

    Note

    By default, the DEFAULT built-in rule is applied to sensitive data. For more information about how to apply a custom data masking rule to sensitive data, see Manage sensitive data.
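To make the built-in rules above concrete, the following script re-implements the cover, replacement and transformation algorithms so you can check a candidate rule against the page's own examples before configuring it. This is an added example, not DMS code; the function and parameter names are this script's own, the position ranges are 1-based inclusive as in the examples, and the supported date rounding levels (minute, hour, day) are an assumption.

```python
import math
import random
from datetime import datetime

# Added example: re-implements the cover, replacement and transformation
# rules described on this page; parameter names are this script's own.

def fixed_position_cover(value: str, cover: str, pos: tuple) -> str:
    """Fixed position cover: mask the 1-based inclusive range pos=(start, end)."""
    start, end = pos
    return value[:start - 1] + cover + value[end:]

def fixed_character_mask(value: str, cover: str, target: str) -> str:
    """Fixed character mask: every occurrence of target becomes the cover string."""
    return value.replace(target, cover)

def map_replacement(value: str, match: str, replace_by: str) -> str:
    """Map replacement: comma-separated match and replacement lists of equal length."""
    matches, repls = match.split(","), replace_by.split(",")
    if len(matches) != len(repls):
        raise ValueError("match and replacement lists must have the same length")
    for m, r in zip(matches, repls):
        value = value.replace(m, r)
    return value

def random_replacement(value: str, pos: tuple, chars: str, rng=random) -> str:
    """Random replacement: refill the 1-based range pos from the given characters."""
    start, end = pos
    filler = "".join(rng.choice(chars) for _ in range(end - start + 1))
    return value[:start - 1] + filler + value[end:]

def number_rounding(value: float, n: int) -> int:
    """Number rounding: round down to the Nth digit before the decimal point (N=1 is units)."""
    unit = 10 ** (n - 1)
    return math.floor(value / unit) * unit

def date_rounding(value: str, level: str) -> str:
    """Date rounded: truncate to day, hour or minute (levels assumed here)."""
    zero = {"minute": ("second",), "hour": ("minute", "second"),
            "day": ("hour", "minute", "second")}[level]
    dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    return dt.replace(**{f: 0 for f in zero}).strftime("%Y-%m-%d %H:%M:%S")

def character_displacement(value: str, shift: int) -> str:
    """Character displacement: rotate the string left by shift positions."""
    shift %= len(value)
    return value[shift:] + value[:shift]
```

The hashing and encryption modes are not reproduced here; keep in mind that an unkeyed MD5/SHA digest of low-entropy data such as a phone number can be recovered by guessing candidate inputs, so HMAC is the hashing option to prefer when the masked value must not be reversible.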

What to do next

After you create a data masking algorithm, you must change the data masking algorithm for the sensitive fields to the new data masking algorithm on the Sensitive Data Assets page. This way, the data masking algorithm takes effect. For more information, see Manage sensitive data.