Have you started just now with your Vault journey or you have been a pro in the Platform Security space? If either of those answers are "YES" then this read is for you!
Overview
If you are thinking that data privacy is similar to encryption then why do we need another application like data anonymization then you have probably started at the right note. As i was in a similar state of confusion when I started with data privacy
To start getting hands dirty - you need to have 3 plugins which need to be activated:
a) Data Discovery: This plugin is responsible for all the patterns and discovery jobs to find that sensitive data onto your instance
b) Data Privacy: This plugin is used to create anonymization policies and techniques you need to anonymize a part of or complete set of data
c) Data Privacy (Classic): This plugin is responsible for all the data privacy roles you need to configure the data anonymization pieces.
Tip: This is a dependent plugin of data privacy. If for some reasons you do not see the Out-of-box data privacy roles then exclusively install this plugin.
Once you have activated all the above plugins assign yourself data_privacy_admin and other data privacy roles (4 in total) to perform stuff.
Important: Data anonymization actually converts the data before its written to even database (not as same as encryption)
Concept of anonymization and Demo
The primary concept behind building this data anonymization is to prevent users to view PII information when it should not be exposed.
Let me break it down into two ways
a) Scheduled data anonymization - This is usual data anonymization when you implement data anonymization policy on any attribute of sys_user table or any other table field.
Post creation of data anonymization policy and after you publish the policy - there needs to be a scheduled job which is created (you need to elevate your role to - "data_privacy_processor" to be able to schedule the job).
You can "Dry -run" this job to see what data will be anonymized due to this policy (this dry-run will not transform any of the data yet!!). Example - when I dry run my job to see the tables and records affected it displays something like this below:
Remember - The job is executed only once (and there is a reason for it). Its not like any scheduled job!
If you turn on the "cloning" toggle button during creation of anonymization policy, then the job will always be in "Ready to Schedule" status and not complete. The cloning configuration looks something like as below:
The idea behind this configuration is that when clone down happens from production to any sub-production instance, then an Out-of-box clean up script called "Apply Data Privacy Policies" is executed which executes this very job and anonymize the data brought in from production.
b) Realtime data anonymization : This new feature anonymizes any PII data in already classified fields based on the active patterns in the instance.
Example: Lets say we need to activate the pattern for Social Security Number (SSN), classify the fields which can contain this SSN (in my case Incident-business impact) and create a RTA (Realtime Anonymization policy) for it.
It will be a 4 step process
a) Configure (create a custom pattern if there is no OOTB one) and activate the data pattern:
b) Configure the target tables which may contain this SSN:
In my case its Incident as field "business impact" belongs to Incident and not task table (we are not using child table filter criteria as explained down below)
c) Now Classify the field "Incident- business impact" (for my example I will classify it under "Internal" class
d) Finally create a RTA policy for this field. Snapshots below:
After publishing the policy, it looks as follows:
Note: There is no scheduled job to be created here as this is a real-time policy!!
Lets test it out on any one incident
After saving the record:
**Issues with this as I am writing this article: There have been few issues related to this in journal fields for both workspaces and UI16.
Lets catch up on some of new features for the Data Privacy app that was released on store.
NEW! features in store app (Xanadu compatible)
a) Journal field(s) support : Starting from the new version 5.X of this app, journal fields like work notes, comments are supported and can be identified with PII and other classified data.
Complete list of supported data types can be found here.
Glimpse of what you will experience with the above add-on 👇
b) Child table filter while creating data anonymization policy :So this is a cool feature if you are trying to create and anonymize fields on any specific child tables.
Example: Even if you classify the task table then also you could implement data anonymization policy for incident and change request table ONLY.
Glimpse of this:
There has to be improvements in every product with customer use cases and ideas pouring in from people who use the product day in day out. There were couple of them from my customers
- Include a filter based anonymization where specific records only get anonymized and not every record
- Support for data anonymization in attachments
Lets see what the future releases have in store.
Feel free to post comments (with feedback) on this article and drop a shoutout (Like - 👍)
