Skip to main content
Version: v4.13

Data Masking

You can use a Cyral policy to mask the results of queries to protect information and comply with privacy regulations. To set this up, you'll add one or more masking commands in the data block of your Cyral policy.

note

Masking is supported on Denodo, MariaDB, MongoDB, MySQL, Oracle, PostgreSQL, Redshift, Snowflake, and SQL Server repositories.

About masking

Each mask describes a transformation to be applied to a specific field's data when a user queries that field. For instance, a policy can specify that when user bob tries to read a credit card number (for example, from a column you've labeled as "CCN" in your Cyral data map and policy), his query will instead return the constant ***. The example policy below illustrates this:

data:
- CCN
- TAXID
rules:
- identities:
users: [bob]
reads:
- data:
- constant_mask(CCN, "***")
- null_mask(TAXID)
rows: any

In the example above, the mask rule, constant_mask(CCN, "***") means that the columns that correspond to the CCN label will have their data replaced with a constant value (in this case, ***) in query results. As the name implies, constant_mask forces the replacement of the field’s value with a constant value you've specified.

To show the effect of the above policy, let's look first at the results without the policy applied:

bob=# select ccn from credit_card_data; # masking policy disabled
ccn
---------------------
4444-3333-2222-1111
4484-6000-0000-0004
4035-5010-0000-0008

Now, let's see the results with the policy in effect:

bob=# select ccn from credit_card_data; # masking policy enabled
ccn
-----
***
***
***

Enable masking on your repository

Before your policies can enforce masking rules, you must enable the Cyral masking capability on each repository that you want to protect. Follow the steps in both sections below to do this.

Turn on masking for the repository in Cyral

  1. In the Cyral control plane UI, click Data Repos, click the name of your repository, and click Config and Policy Enforcement.
  2. Turn ON Enable policy enforcements and turn ON Enable data masking.
warning

Your setup is not complete. You must install the helper function in your database as described below!

Install the Cyral mask helper in your database

Prerequisite: Make sure you have turned on masking for the repository in Cyral.

  1. Install the Cyral mask helper function in your database. To do this:
    • Make sure you have an SQL user account on the repository with at least the following permissions:
      • the CREATE SCHEMA privilege
      • the privilege to install a user-defined function (UDF) or equivalent (often the USAGE privilege grants this)
      • on Snowflake and SQL Server only: The CREATE DATABASE privilege
    • Using the account described above, connect to your repository through the Cyral sidecar. For this, you must use psql or any client that uses the JDBC driver with enableQueryMode=simple.
    • Run cyral install mask;
  2. Proceed to Add a masking rule in your policy, below.
note

Installing the Cyral mask function creates a schema called cyral in your repository. The Cyral mask function belongs to this schema.

On Snowflake repositories only, installing the mask function also creates a database called cyral.

Manage the Cyral mask function

To check the status of the Cyral mask function on any repository (except Oracle), type cyral describe mask at the SQL prompt.

Remove the Cyral mask function

To remove the Cyral mask function, run the command cyral uninstall mask at the SQL prompt.

Add a masking rule in your policy

In your Cyral policy, add your masking rules in the data section of a contexted rule

In the data block, instead of simply declaring the data label to be protected, you will specify a mask type (mask, constant_mask, null_mask or custom mask) followed in parentheses by the name of the data label to be masked. If the mask requires an argument, add a comma after the label name, and then the argument.

<mask_type>(<label>, <mask_argument>)

To mask more than one label for a user or group, include additional mask declarations in the data block. For example:

data:
- EMAIL
- CCN
rules:
- identities:
users: [bob]
reads:
- data:
- mask(EMAIL)
- constant_mask(CCN, "***")
tip

You can use masking along with other Cyral policy actions to protect your data. See policy enforcement actions to understand how these different actions interact when a user tries to access data.

Mask types

Cyral supports the following types of masks:

  • mask: Cyral replaces the field's contents with a semi-randomized string that preserves all hyphens, dots, and other punctuation in the string. Numbers are replaced with randomly chosen numbers, and letters with randomly chosen letters. Letter case is preserved, meaning lowercase letters are replaced with random lowercase letters, and uppercase with random uppercase letters. This transformation happens for each element individually.For example, two email addresses, even if identical, would be transformed to two different strings.

    • Example: A mask declared as mask(EMAIL) might replace an address of MyEmail123@cyral.com with ZaFxbcd517@dzbxq.pqd.
  • constant_mask: Cyral replaces the field's contents with the value that you provide. Specify the replacement value as the second argument, in double quotes.

    • Example: A mask declared as constant_mask(CCF, "***") would replace a CCF value of 4111111212121212 with a return value of ***.
  • null_mask: Cyral replaces the field's contents with a null value.

    • Example: A mask declared as null_mask(CCN) would replace a CCN value of 4111111212121212 with a NULL return value.
  • custom: Cyral replaces the field's contents with the result of a user-defined function, please check the custom mask page for more details.

Supported data types

When applying data masking, Cyral will, in general, respect the data type of the masked field. However, not all data types are supported, and errors in policies can lead to the type being incorrect. Please see below for database-specific details:

Cyral supports booleans, numeric types, and strings. If a policy targets a column whose type is not one of the above, the behavior depends on the mask specified in the policy:

  • mask: the field will be returned with a null value
  • constant_mask: the field will be returned with the supplied replacement value
  • null_mask: the field will be returned with a null value