Example of data anonymization policy configuration
Sensitive data is displayed in desensitized form upon access to protect data security.
Adding a custom policy
- Logging in to the Database Operations and Maintenance Management System using the sysadmin system administrator account.
- Select Ops Asset Management > Ops Asset Control in the left navigation bar, pick an asset control item and click the Config button to open a new browser page. Figure 1 Operation and maintenance asset control
- Select Security Control > Policy Management, and the page displays the pending list.
- Click New, then select the policy type Fuzzy Matching Desensitization from the drop-down menu. Refer to Table 1 for parameter descriptions of data desensitization policy configuration. Figure 2 Policy management
Table 1 Table1 Data anonymization strategy configuration parameter description Parameter
Description
Basic Information
Policy Name
The name of this policy. (Required)
Policy Template
Select the previously configured policy template for quick filling.
Policy Description
Information on the usage scenarios and applicable situations of this strategy
Conditional Information
Operations and Maintenance User
Used to define the prevention and control scope for application users.
Operations and Maintenance Role
User Management-Role Information: Definition of system role functions. Each user can belong to one or more roles.
Organization
User Management-Organization: The organization information defined in the organization function allows each user to belong to one organization.
Database User
Used to define the protection scope for database users.
Client IP
Define the range of IP addresses and determine the scope of security controls using various IP address operators such as equal to, includes, and excludes. It also supports direct reference to IP templates.
Client Tools
The name of the client tool used by operations personnel to access data, such as WebSQL.
Impact Period
Select the start and end times for the current rules effective period.
Matching Information
Matching Content
Regular expression for matching SQL.
Schema Name
Belongs to column desensitization. Filter condition for the schema name, regular expression.
Table Name
Belongs to column desensitization. Filter condition for table names: regular expression.
Column name
Belongs to column desensitization. Filter conditions listed, regular expressions.
Data Domain
Belongs to the desensitization subitem. Columns that meet the conditions are desensitized according to the corresponding data field rules.
Response Action
Audit
Configure whether auditing and alerts are enabled. Enabling auditing will record logs, which can be viewed by the audit administrator.
- Alarm Audit
- Audit
- No Audit
Alarm Type
Display this parameter when the Audit option is set to Alarm Audit.
When configuring alarm auditing, you can select an alarm email address (selected from the data specialist in the current controlled asset database). An alarm email will be sent to the specified email address when the policy is triggered.
- Fill in basic policy information, condition information, matching information (only applicable to certain policies), response actions and other relevant items.
The basic information includes policy name, policy template, and policy description. The policy template allows selection of pre-created templates for quick policy information filling. Condition information comprises operations user, operations role, organizational unit, database user, client IP, client tool, and affected time period. Logical AND/OR relationships between conditions enable flexible condition control. Matching information includes matching content (entering regular expressions for SQL queries) and column anonymization settings specifying which columns to anonymize and corresponding rules. Response actions configure audit and alert configurations: Audit enables log recording viewable by administrators; Alert auditing allows specifying alert email addresses (selected from data specialists in the controlled asset repository), with alerts sent to designated mailboxes upon policy activation.
- Enter the policy name: Fuzzy Matching Desensitization Policy for NAME Field.
- Select sysadmin under the corresponding role as the O&M user.
- Match information entry: .* (select).* (from).*
- Column desensitization settings: Schema name: .*;Table name: .*;Column name: .*name.*;Data Domain: Name.
- Select Audit for response action. Figure 3 Matching information
- Click OK.
Enable Custom Policy
- Logging in to the Database Operations and Maintenance Management System using the sysadmin system administrator account.
- Select Ops Asset Management > Ops Asset Control in the left navigation bar, pick an asset control entry and click the Config button to open a new page in the browser.
- Select Security Control > Policy Management, and the pending approval list is displayed on the page.
- Click Enable rule. A prompt Confirm or not? EnableThe Rule? then click OK. Figure 4 Enable policy management
Verify Configuration Result
- Logging in to the Database Operations and Maintenance Management System using the sysadmin system administrator account.
- Access the database successfully via the web terminal of the O&M bastion host.
- Use the security client: In the left navigation bar, select Ops Bastion Host Inventory and click One-Click Login. A new tab for the O&M bastion host will open in the browser .
- On the O&M bastion host management page, select the newly added O&M asset and click the WEB terminal icon.
- A new WebSQL tab will launch in the browser, and the database will be connected successfully through the proxy service.
- Double-click a table name in the lower area; the corresponding query statement will be automatically filled into the SQL editing area on the right.
- Click the Execute button. Figure 5 WebSQL execution button location
- Data fields containing name in their names are displayed in desensitized form within the query result area.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot