The sensitive data protection feature of Data Management (DMS) provides a built-in data de-identification rule that masks the entire value of a field. You can also create custom data de-identification rules based on the built-in data de-identification algorithms. This topic describes how to create a data de-identification rule.

Prerequisites

You are a DMS administrator, a database administrator (DBA), or a security administrator.
Note To view the role of your account, move the pointer over the tenant avatar icon in the upper-right corner of the DMS console.

Procedure

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Sensitive Data > Data Masking Management.
  3. On the Data Masking Rule tab of the Data Masking Management tab, click Create Data Masking Rule.
  4. In the Create Rule panel, set the parameters as required.
    DMS provides five types of built-in data de-identification algorithms: Hash, Cover up, Replacement, Transformation, and Encryption.
    • Hash
      • MD5: generates a 128-bit (16-byte) hash value. MD5 is no longer collision resistant and is kept only for compatibility.
      • SHA1: generates a 160-bit (20-byte) hash value called a message digest. Like MD5, SHA1 is deprecated for collision resistance.
      • SHA256: generates a 256-bit (32-byte) hash value.
      • HMAC: combines a secret key with a hash function. Unlike the unkeyed hashes above, the masked value cannot be matched to a candidate input without the key.
      Note An unkeyed hash of a low-entropy field, such as a phone number or an ID number, is a pseudonym rather than an irreversible mask: anyone who can enumerate the input space can hash every candidate and compare digests to recover the original. Use HMAC for such fields and keep the key separate from the masked data.
    • Cover up
      • Full cover: masks the entire value of a field.

        For example, if you want to fully mask the phone number 1381111****, set the Cover string parameter to ***********. In this case, the phone number is de-identified to ***********.

      • Fixed position cover: masks the specified part of a field.

        For example, if you want to mask the second part of the IP address 192.168.255.254, set the Cover string parameter to *** and the Mask position configuration parameter to (5,7), that is, the fifth through seventh characters. In this case, the IP address is de-identified to 192.***.255.254.

      • Fixed character mask: masks the specified characters of a field.

        For example, if you want to mask example in the email address username@example.com, set the Cover string parameter to ******* and the String to be obscured parameter to example. In this case, the email address is de-identified to username@*******.com.

    • Replacement
      • Map replacement: replaces a specified string with another specified string.

        For example, if you want to replace ab in the string abcd with mn, set the Match String parameter to ab and the Replace By parameter to mn. In this case, the string is de-identified to mncd.

      • Random replacement: replaces the specified part of a field with the random characters that you specify.

        For example, if you want to replace username in the email address username@example.com with random characters, set the Replacement position parameter to (1,8) and the Random character parameter to abc. In this case, the email address may be de-identified to acbbbbac@example.com.

        Note If you specify two or more random characters, each masked position is filled with one of them at random, so the same input can produce a different result on each run.
    • Transformation
      • Number rounding: rounds down a number to the Nth digit before the decimal point. The fractional part is dropped and every digit below the Nth position is set to zero.

        For example, if you set the Keep the first decimal place parameter to 2, the number 1234.12 is de-identified to 1230.

      • Date rounded: rounds a date and time.

        For example, if you set the Date rounding level parameter to hour, 2021-10-14 15:15:30 is de-identified to 2021-10-14 15:00:00.

      • Character displacement: moves characters of a field leftward in a loop manner.

        For example, if you set the String left shift number parameter to 2, the number 345678 is de-identified to 567834.

    • Encryption
      • DES: uses the Data Encryption Standard (DES) algorithm to encrypt data. The key is 8 characters in length and the de-identification result is 16 characters in length. DES has an effective key length of 56 bits and is considered insecure; use it only where compatibility requires it.
      • AES: uses the Advanced Encryption Standard (AES) algorithm, which is the recommended choice. The key is 16 characters in length and the de-identification result is 32 characters in length.
      Note Unlike hashing and covering, encryption is reversible by design: anyone who holds the key can recover the original value, so the key must be stored and controlled separately from the masked data.
  5. Test the de-identification rule.
    1. Enter the data to be de-identified.
    2. Click Test.
    3. Check whether the de-identification rule works as expected.
    For example, if you set the Data Masking Algorithm parameter to Transformation, the Algorithm Type parameter to Character displacement, and the String left shift number parameter to 2, the number 345678 is de-identified to 567834. Check whether the expected de-identification result is generated.
  6. After the preceding configuration is complete, click Submit.
    Note By default, the DEFAULT built-in rule is applied on sensitive data. For more information about how to apply a custom data de-identification rule on sensitive data, see Manage sensitive data.
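The following Python script is an added reference implementation of the cover, replacement, transformation, and hash algorithm families described in step 4, written to reproduce the examples on this page; it is not DMS code and does not reproduce DMS internals. It assumes that (start, end) positions are 1-based and inclusive, as the examples (5,7) and (1,8) imply, that date rounding levels are year, month, day, hour, and minute, and it uses a constructed phone number to show why an unkeyed hash of a low-entropy field can be reversed by enumeration while an HMAC with a secret key cannot.

```python
"""Reference masking routines matching the DMS rule examples above.

Added illustration, not DMS code. Assumptions not stated by the page:
  * (start, end) positions are 1-based and inclusive;
  * date rounding levels are year, month, day, hour, minute;
  * the phone number 13811112345 used in the demo is constructed.
"""
import hashlib
import hmac
import random
from datetime import datetime

DATE_FMT = "%Y-%m-%d %H:%M:%S"


# ---- Cover up -------------------------------------------------------------
def full_cover(value: str, cover: str) -> str:
    """Full cover: the entire field is replaced by the cover string."""
    return cover


def fixed_position_cover(value: str, cover: str, start: int, end: int) -> str:
    """Fixed position cover: characters start..end are replaced by cover."""
    return value[:start - 1] + cover + value[end:]


def fixed_character_mask(value: str, cover: str, target: str) -> str:
    """Fixed character mask: every occurrence of target becomes cover."""
    return value.replace(target, cover)


# ---- Replacement ----------------------------------------------------------
def map_replacement(value: str, match: str, replace_by: str) -> str:
    """Map replacement: one fixed string is swapped for another."""
    return value.replace(match, replace_by)


def random_replacement(value: str, start: int, end: int, alphabet: str,
                       rng=random) -> str:
    """Random replacement: positions start..end are refilled with characters
    drawn independently from alphabet, so runs differ when it has >1 symbol."""
    filler = "".join(rng.choice(alphabet) for _ in range(end - start + 1))
    return value[:start - 1] + filler + value[end:]


# ---- Transformation -------------------------------------------------------
def number_rounding(value: float, n: int) -> int:
    """Number rounding: drop the fraction and zero every digit below the
    Nth digit before the decimal point (n=2 keeps the tens digit)."""
    unit = 10 ** (n - 1)
    return (int(value) // unit) * unit


def date_rounding(text: str, level: str) -> str:
    """Date rounding: truncate every component finer than level."""
    floor = {"year": dict(month=1, day=1, hour=0, minute=0, second=0),
             "month": dict(day=1, hour=0, minute=0, second=0),
             "day": dict(hour=0, minute=0, second=0),
             "hour": dict(minute=0, second=0),
             "minute": dict(second=0)}[level]
    dt = datetime.strptime(text, DATE_FMT)
    return dt.replace(**floor).strftime(DATE_FMT)


def character_displacement(value: str, shift: int) -> str:
    """Character displacement: rotate the string left by shift positions."""
    shift %= len(value) or 1
    return value[shift:] + value[:shift]


# ---- Hash -----------------------------------------------------------------
def hash_mask(value: str, algo: str = "sha256") -> str:
    """Unkeyed hash: deterministic, and recoverable by enumeration when the
    input space is small (see recover_by_enumeration)."""
    return hashlib.new(algo, value.encode()).hexdigest()


def hmac_mask(value: str, key: bytes, algo: str = "sha256") -> str:
    """Keyed hash: enumeration is useless without the key."""
    return hmac.new(key, value.encode(), algo).hexdigest()


def recover_by_enumeration(digest: str, prefix: str, algo: str = "md5"):
    """Attack an unkeyed hash of an 11-digit phone number whose first seven
    digits are known: only 10**4 candidates remain to try."""
    for i in range(10_000):
        candidate = f"{prefix}{i:04d}"
        if hashlib.new(algo, candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    print(fixed_position_cover("192.168.255.254", "***", 5, 7))  # 192.***.255.254
    print(character_displacement("345678", 2))                     # 567834
    phone = "13811112345"                                          # constructed
    print(recover_by_enumeration(hash_mask(phone, "md5"), phone[:7]))
    print(recover_by_enumeration(hmac_mask(phone, b"secret", "md5"), phone[:7]))
```

The last two lines of the demo are the point of the Note under the Hash algorithms: the MD5-masked phone number comes back after at most ten thousand guesses, while the HMAC-masked value does not, because the attacker cannot compute the keyed digest of a candidate.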