Masking Sensitive Data
Database protection has built-in compliance knowledge bases of Payment Card Industry (PCI), Healthcare Information Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), and General Data Protection Regulation (GDPR). You can also customize the rule knowledge base and discovery policies to check sensitive data. Based on sensitive data discovery results, masking rules can be generated to mask sensitive data in real time.
For details about the types of sensitive data that can be detected by database protection, see Supported Sensitive Data Types to be Discovered.
Scenario
Figure 1 shows the architecture for database protection to mask sensitive data.
After purchasing a database protection instance, you can mask sensitive data in a self-built database in HUAWEI CLOUD ECS. Table 1 describes the example database information.
This section describes how to use database protection to mask sensitive data.
| Parameter | Example Value |
|---|---|
| Type | MySQL |
| Version | 5.5 |
| IP Address | 192.168.1.143 |
| Port | 3306 |
| Database Username | root |
| Database Password | N/A |
| Object | mysql database |
Step 1: Connect a Database to the Database Protection Management System (HexaTier)
After purchasing a database protection instance, you need to connect your database to the database protection management system (HexaTier), configure a log storage path, add a protected database, and modify the configuration file on the service side. Then you can use the monitoring, data reduction, log, and database protection policy functions.
- Log in to the management console.
- Go to the database protection login page.
- Enter the login username (admin) and password. Then click Log In or press Enter, as shown in Figure 3.
- Configure a log storage path.
To meet compliance requirements, HexaTier remotely stores logs for future audit and evidence collection. After logging in to HexaTier, you must configure the log storage location before you can enable the monitoring and data reduction functions, and view logs.
- Go to the page for configuring remote logs. Figure 4 Accessing the page for configuring remote logs
- On the Log Repository Configuration page, set remote log parameters. Figure 5 Configuring remote logs
- Click Test.
- Click Update.
- Add a protected database.
To protect a database instance, connect it to HexaTier. After you add the protected database, you can configure sensitive data masking rules and enable the sensitive data discovery function on the HexaTier console.
- Go to the page for creating a protected database. Figure 6 Accessing the page for creating a protected database
- On the Log Repository Configuration page, set remote log parameters. Figure 7 Creating a protected database
- Click Create. The created database is displayed in the protected database list.
- Modify the service side configuration file.
The HexaTier proxy address and port are required for your firewall policies to take effect on protected databases. In the service side configuration file, set the database IP address to the floating IP address of the database protection instance used for logging in to HexaTier, and set the database port number to the proxy port of the protected database.
Manually modify the IP address and port number of every protected database in the service side configuration file.
- Obtain the floating IP address 192.168.1.95 of the instance in Figure 2.
- Obtain the proxy port 3306 of the protected database in Figure 8.
- After you log in, specify the floating IP address of the DBSS instance and the proxy port of the protected database in the service side configuration file.
The following takes JDBC configurations as an example.
data.datasource.url=jdbc:mysql://192.168.1.95:3306/test
- Save the configuration file and restart the application.
After the configuration is complete, log in to HexaTier, choose Dashboard > Protected Database Servers: Topology and check whether the protected database is successfully connected.
: The connection between the service side and DBSS failed or has not been set up. If the connection failed, rectify the fault by referring to Database Protection Cannot Connect to the Target Database.
: The protected database is connected.
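Any datasource that still points at the database address from Table 1 instead of the proxy bypasses masking and firewall policies. The following added example (not part of the original documentation or the product) scans a properties file for MySQL JDBC URLs and flags such entries; the property keys other than data.datasource.url and the sample file contents are constructed for illustration.

```python
import re

# Values from this page: the protected MySQL server and the DBSS proxy endpoint.
DIRECT_DB = ("192.168.1.143", 3306)
PROXY = ("192.168.1.95", 3306)

# Authority part of a MySQL JDBC URL; may hold several comma-separated host[:port] entries.
JDBC_RE = re.compile(r"jdbc:mysql://([^/?\s]+)")

def jdbc_endpoints(line):
    """Return [(host, port), ...] for every MySQL JDBC URL on one properties line."""
    endpoints = []
    for authority in JDBC_RE.findall(line):
        for hostport in authority.split(","):
            host, sep, port = hostport.rpartition(":")
            if not sep or not port.isdigit():
                host, port = hostport, "3306"  # no explicit port: MySQL default
            endpoints.append((host, int(port)))
    return endpoints

def audit(properties_text, proxy=PROXY, direct=DIRECT_DB):
    """Classify each endpoint as 'proxy', 'bypass' (direct to the database) or 'unknown'."""
    findings = []
    for lineno, raw in enumerate(properties_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # skip blank lines and properties comments
        key = line.split("=", 1)[0].strip()
        for ep in jdbc_endpoints(line):
            status = "proxy" if ep == proxy else "bypass" if ep == direct else "unknown"
            findings.append((lineno, key, ep, status))
    return findings

# Constructed sample configuration; only the first URL appears on this page.
SAMPLE = """\
# main datasource, already repointed to the proxy
data.datasource.url=jdbc:mysql://192.168.1.95:3306/test
# reporting job still connects directly, default port implied
report.datasource.url=jdbc:mysql://192.168.1.143/test?useSSL=false
batch.datasource.url=jdbc:mysql://192.168.1.95:3306,192.168.1.143:3306/test
"""

if __name__ == "__main__":
    for lineno, key, (host, port), status in audit(SAMPLE):
        print(f"line {lineno}: {key} -> {host}:{port} [{status}]")
```

Entries reported as bypass should be changed to the floating IP address and proxy port before the application is restarted.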
Step 2: Create a Sensitive Data Discovery Job
In HexaTier, you can set sensitive data discovery rules to automatically identify and classify sensitive data. If sensitive data is identified, HexaTier will generate the discovery results and GDPR reports.
- Go to the page for creating a sensitive data discovery job. Figure 9 Accessing the page for creating a sensitive data discovery job
- On the Log Repository Configuration page, set remote log parameters. Figure 10 Creating a job
- Click Create and Run. The discovery job is created successfully, as shown in Job created.
Step 3: Generate a Masking Rule Based on the Discovery Job Result
- In the left navigation pane, choose Discovery Result.
- On the Discovery Results page, click Details in the View column. Figure 12 Discovery job results
Click View GDPR Report to view the GDPR report of the detected sensitive data.
- On the Log Repository Configuration page, set remote log parameters. Figure 13 Generating masking rules
- Choose Masking from the main menu. The masking rule generated based on the discovery result is displayed in the masking policy list. Figure 14 Generating a masking rule based on the discovery job result
Step 4: View Data Masking Logs