Mask data
You can use a Cyral policy to mask the results of queries to protect information and comply with privacy regulations. To set this up, you'll add one or more masking commands in the data block of your Cyral policy.
note
Masking is supported on Denodo, MariaDB, MySQL, Oracle, PostgreSQL, Redshift, Snowflake and SQL Server repositories.
About masking
Each mask describes a transformation to be applied to a specific
field's data when a user queries that field. For instance, a policy
can specify that when user bob tries to read a credit card number (for
example, from a column you've labeled as "CCN" in your Cyral data map
and policy), his query will instead return the constant ***
. The
example policy below illustrates this:
data:
- CCN
- TAXID
rules:
- identities:
users: [bob]
reads:
- data:
- constant_mask(CCN, "***")
- null_mask(TAXID)
rows: any
In the example above, the mask rule, constant_mask(CCN, "***")
means
that the columns that correspond to the CCN
label will have their data
replaced with a constant value (in this case, ***
) in query results.
As the name implies, constant_mask forces the replacement of the
field’s value with a constant value you've specified.
To show the effect of the above policy, let's look first at the results without the policy applied:
bob=# select ccn from credit_card_data; # masking policy disabled
ccn
---------------------
4444-3333-2222-1111
4484-6000-0000-0004
4035-5010-0000-0008
Now, let's see the results with the policy in effect:
bob=# select ccn from credit_card_data; # masking policy enabled
ccn
-----
***
***
***
Enable masking on your repository
Before your policies can enforce masking rules, you must enable the Cyral masking capability on each repository that you want to protect. Follow the steps in both sections below to do this.
Turn on masking for the repository in Cyral
- In the Cyral control plane UI, click Data Repos, click the name of your repository, and click Config and Policy Enforcement.
- Turn
ON
Enable policy enforcements and turnON
Enable data masking.
warning
Your setup is not complete. You must install the helper function in your database as described below!
Install the Cyral mask helper in your database
Prerequisite: Make sure you have turned on masking for the repository in Cyral.
- General
- MySQL/MariaDB
- Oracle
- Install the Cyral
mask
helper function in your database. To do this:- Make sure you have an SQL user account on the repository with
at least the following permissions:
- the
CREATE SCHEMA
privilege - the privilege to install a user-defined function (UDF) or equivalent (often the
USAGE
privilege grants this) - on Snowflake only: The
CREATE DATABASE
privilege
- the
- Using the account described above, connect to your repository through the Cyral sidecar. For this,
you must use psql or any client that uses the JDBC driver
with
enableQueryMode=simple
. - Run
cyral install mask;
- Make sure you have an SQL user account on the repository with
at least the following permissions:
- Proceed to Add a masking rule in your policy, below.
- Install the Cyral
mask
helper function in your database. To do this:- If using Amazon RDS for MySQL/MariaDB (skip this step if the repository is not an RDS instance):
- Ensure that a custom DB parameter group is used for the DB instance. If this is not already the case, create a custom DB parameter group and associate it with the DB instance.
- Modify the custom DB parameter group, and then set the parameter
log_bin_trust_function_creators=1
. - Choose Save Changes.
- Reboot the DB instance (note that the database will be unavailable while it reboots).
- Verify that
log_bin_trust_function_creators
parameter was successfully enabled:SELECT @@log_bin_trust_function_creators;
- Make sure you have an SQL user account on the repository with at least the following permissions:
- the
CREATE SCHEMA
privilege - the privilege to install user-defined functions and procedures
- the
- Using the account described above, connect to your repository through the Cyral sidecar. For this, you could use the MySQL CLI.
- Run:The output message
cyral install mask;
Function cyral_mask has been installed successfully!
indicates that the Cyral mask helper is ready. Proceed to Add a masking rule in your policy.
However, if the output message isFunction cyral_mask has been installed successfully, but additional steps are required.
, proceed to Additional install steps.
- If using Amazon RDS for MySQL/MariaDB (skip this step if the repository is not an RDS instance):
Additional install steps
MySQL and MariaDB may require additional steps to make masking functional. These are required only if the output of Cyral mask helper installation asked you to carry out additional steps. If this is the case, please follow the instructions in the section below based on your repository type and version.
MySQL (v5.7.8 - v5.X) / MariaDB (v10.2.7 - v10.10.X)
- The Anonymous user must exist in order to grant all users access to the Cyral masking helper:
- Verify that the Anonymous user already exists:
SELECT 'exists' FROM mysql.user WHERE user = "" AND host = "%";
- If it does not exist, then create it:
- MySQL
- MariaDB
CREATE USER IF NOT EXISTS ''@'%' IDENTIFIED WITH mysql_native_password BY 'PASSWORD';
CREATE USER IF NOT EXISTS ''@'%' IDENTIFIED BY 'PASSWORD';
- Verify that the Anonymous user already exists:
- Complete the installation process by running:Ensure the output message is:
cyral install mask with grant option;
Function cyral_mask has been installed successfully!
. - Proceed to Add a masking rule in your policy.
MySQL (v8.X)
- If using Amazon RDS for MySQL (skip this step if the repository is not an RDS instance):
- Ensure that a custom DB parameter group is used for the DB instance. If this is not already the case, create a custom DB parameter group and associate it with the DB instance.
- Modify the custom DB parameter group to:
- set the parameter
activate_all_roles_on_login=1
, - append
CYRAL_MASKING_PERMISSIONS
to the value of themandatory_roles
parameter (this is a comma-separated list of role names).
- set the parameter
- Choose Save Changes.
- Reboot the DB instance (note that the database will be unavailable while it reboots).
- Verify that:
activate_all_roles_on_login
parameter was successfully enabled:SELECT @@activate_all_roles_on_login;
CYRAL_MASKING_PERMISSIONS
is inmandatory_roles
parameter:SELECT @@mandatory_roles;
- Complete the installation process by running:Ensure the output message is:
cyral install mask with grant option;
Function cyral_mask has been installed successfully!
. - Proceed to Add a masking rule in your policy.
note
On Oracle Cyral mask commands run as PL/SQL. To see the command result on SQL*Plus you need enable the server output by running the following command at the SQL prompt:
set serveroutput on
Not enabling server output does not compromise the execution of Cyral Mask commands. However, it is essential to get the status of the Cyral mask function through the describe command.
- In Oracle, the installation command of Cyral's
mask
helper function will create a new user (CYRAL
). Within this new user's space, a new package (CYRALPKG
) will be created, where the helper functions will be properly defined. To Install the Cyralmask
helper function on your Oracle database, follow this steps:- Make sure you have an SQL user account on the repository with the
CREATE USER
andCREATE ANY PROCEDURE
privileges. - Using the account described above, connect to your repository through the Cyral sidecar. For this, you could use the sqlplus CLI.
- Run
exec cyral install mask;
- Make sure you have an SQL user account on the repository with the
- Proceed to Add a masking rule in your policy, below.
note
Installing the Cyral mask function creates a schema called cyral
in
your repository. The Cyral mask function belongs to this schema.
On Snowflake repositories only, installing the mask function also
creates a database called cyral
.
Manage the Cyral mask function
- General
- Oracle
To check the status of the Cyral mask function on any repository (except Oracle), type
cyral describe mask
at the SQL prompt.
note
On Oracle Cyral mask commands run as PL/SQL. To see the command result on SQL*Plus you need enable the server output by running the following command at the SQL prompt:
set serveroutput on
Not enabling server output does not compromise the execution of Cyral Mask commands. However, it is essential to get the status of the Cyral mask function through the describe command.
To check the status of the Cyral mask function on Oracle database, run the following command at the SQL prompt:
exec cyral describe mask;
Remove the Cyral mask function
- General
- MySQL/MariaDB
- Oracle
To remove the Cyral mask function, run the command cyral uninstall
mask
at the SQL prompt.
To remove the Cyral mask function, run the following command at the SQL prompt:
cyral uninstall mask;
The output message Function cyral_mask has been uninstalled successfully!
indicates success.
However, proceed to Additional uninstall steps in case the output message is Function cyral_mask has been uninstalled successfully, but additional steps are required.
.
Additional uninstall steps
MySQL and MariaDB may require additional steps to completely uninstall data mask. These are required only if the output of Cyral mask helper uninstallation asked you to carry out additional steps. If this is the case, please follow the instructions in the section below based on your repository type and version.
MySQL (v8.X)
- If using Amazon RDS for MySQL, execute the following steps to modify
mandatory_roles
parameter:- Modify the custom DB parameter group to remove
CYRAL_MASKING_PERMISSIONS
from the value of themandatory_roles
parameter. - Choose Save Changes.
- Reboot the DB instance (note that the database will be unavailable while it reboots).
- Verify that
CYRAL_MASKING_PERMISSIONS
is not inmandatory_roles
parameter:SELECT @@mandatory_roles;
- Modify the custom DB parameter group to remove
- Complete the uninstallation process by running:Ensure the output message is:
cyral uninstall mask;
Function cyral_mask has been uninstalled successfully!
.
note
On Oracle Cyral mask commands run as PL/SQL. To see the command result on SQL*Plus you need enable the server output by running the following command at the SQL prompt:
set serveroutput on
Not enabling server output does not compromise the execution of Cyral Mask commands. However, it is essential to get the status of the Cyral mask function through the describe command.
To remove the Cyral mask function on Oracle database, run the following command at the SQL prompt:
exec cyral uninstall mask;
Add a masking rule in your policy
In your Cyral policy, add your masking rules in the data
section of a
contexted rule
In the data
block, instead of simply declaring the data label to be
protected, you will specify a mask type (mask
, constant_mask
,
null_mask
) followed in parentheses by the name of the
data label to be masked. If the mask requires
an argument, add a comma after the label name, and then the argument.
<mask_type>(<label>, <mask_argument>)
To mask more than one label for a user or group, include additional mask declarations in the data block. For example:
data:
- EMAIL
- CCN
rules:
- identities:
users: [bob]
reads:
- data:
- mask(EMAIL)
- constant_mask(CCN, "***")
tip
You can use masking along with other Cyral policy actions to protect your data. See policy enforcement actions to understand how these different actions interact when a user tries to access data.
Mask types
Cyral supports the following types of masks:
mask: Cyral replaces the field's contents with a semi-randomized string that preserves all hyphens, dots, and other punctuation in the string. Numbers are replaced with randomly chosen numbers, and letters with randomly chosen letters. Letter case is preserved, meaning lowercase letters are replaced with random lowercase letters, and uppercase with random uppercase letters. This transformation happens for each element individually.For example, two email addresses, even if identical, would be transformed to two different strings.
- Example: A mask declared as
mask(EMAIL)
might replace an address ofMyEmail123@cyral.com
withZaFxbcd517@dzbxq.pqd
.
- Example: A mask declared as
constant_mask: Cyral replaces the field's contents with the value that you provide. Specify the replacement value as the second argument, in double quotes.
- Example: A mask declared as
constant_mask(CCF, "***")
would replace aCCF
value of4111111212121212
with a return value of***
.
- Example: A mask declared as
null_mask: Cyral replaces the field's contents with a null value.
- Example: A mask declared as
null_mask(CCN)
would replace aCCN
value of4111111212121212
with a NULL return value.
- Example: A mask declared as