DEV Community

Yilia for API7

Posted on • Originally published at api7.ai

Data Masking: Securing Data Safety and Compliance with API7 Enterprise

Protecting sensitive data has become increasingly crucial in today's data-driven world. Safeguarding sensitive data such as personal privacy, financial information, and business secrets during storage, processing, and transmission poses a significant challenge for enterprises. Therefore, data masking technology has emerged as a critical means of protecting data. This article aims to explore the definition of data masking, its practical applications in business, and how API7 Enterprise provides an efficient and flexible solution.

What Is Data Masking?

Data masking is a data protection technology aimed at preventing the exposure of sensitive information in various environments. It achieves this by altering, substituting, or removing sensitive data while retaining the data format and utility, thus supporting secure application testing and data analysis without compromising privacy.

The Importance of Data Masking

The key roles of data masking include but are not limited to:

  • Privacy Protection: Safeguarding sensitive information such as Personally Identifiable Information (PII), bank account details, and security codes to prevent unauthorized access to such information.

  • Compliance: Assisting enterprises in complying with data protection regulations such as GDPR, HIPAA, and PCI DSS.

  • Data Security: Mitigating data leakage risks in development and testing environments by using desensitized data.

Data masking not only serves as an effective means of protecting sensitive information but also becomes a prerequisite for ensuring data security and business continuity. By adhering to legal regulations and maintaining customer trust, it enables enterprises to leverage data for analysis and application development, supporting business decisions and innovation without exposing sensitive information.

Data masking for Compliance

Data Masking Feature of API7 Enterprise

API7 Enterprise offers an efficient and flexible data masking solution supporting various data processing scenarios, including request and response handling. Here are some key features of API7 Enterprise in data masking.

Request Processing

  • Sensitive Information Masking: API7 Enterprise can identify and mask sensitive information in requests, such as credit card numbers and security codes, preventing these details from being logged or stored in plain text. By replacing or concealing certain data, it reduces the risk of data leakage without affecting business processes.

  • Support for Multiple Data Types: Supports masking of Query parameters, Headers parameters, POST form fields, or JSON-formatted content in requests.

Response Processing

  • Separation of Logs and Responses: API7 Enterprise can distinguish between data in logs and responses. For instance, it can retain certain information in responses while masking or deleting it in logs.

  • Flexible Masking Configuration: Offers various masking methods such as regular expression rewriting, data deletion, and value replacement to accommodate different business needs.

Data Security

Use Cases

Here are some practical applications of API7 Enterprise's data masking feature:

  1. Credit Card Information Masking: Masking credit card numbers, expiration dates, and CVVs (Card Verification Value) in requests while keeping partial information in logs replaced with asterisks (*), ensuring sensitive information is not logged or mishandled.

  2. Removal of Sensitive Request Headers: Automatically removing sensitive fields like Authorization from request or response headers to prevent them from being logged, reducing security risks.

  3. Customized Masking of Response Data: Tailoring masking of response data as needed, for example, replacing some digits of credit card numbers with asterisks while ensuring this operation only affects log records without altering the actual data sent to clients.

Configuration Examples

API7 Enterprise's data masking configuration is intuitive and flexible, enabling complex data masking requirements through simple JSON configurations. It supports various masking methods such as regular expressions, value replacement, and data deletion, providing comprehensive protection for sensitive information. This article includes configuration examples for masking request logs, response bodies, and response logs.

Request Data Masking

{
   "request": [
       {
           "type": "query",
           "name": "credit_card",
           "action": "regex",
           "regex": "(.*)-(.*)-(.*)-(.*)",
           "value": "$1-****-****-$4"
       },
       {
           "type": "query",
           "name": "password",
           "action": "replace",
           "value": "*****"
       },
       {
           "type": "header",
           "name": "Authorization",
           "action": "remove"
       },
       {
           "type": "body",
           "format": "json",
           "name": "users[*].password",
           "action": "replace",
           "value": "*****"
       },
       {
           "type": "body",
           "format": "urlencode",
           "name": "password",
           "action": "replace",
           "value": "*****"
       },
       {
           "type": "body",
           "format": "multipart",
           "name": "password",
           "action": "replace",
           "value": "*****"
       }
   ]
}
Enter fullscreen mode Exit fullscreen mode

By employing the above configuration, the request undergoes six steps before being logged:

  1. Convert the value stored in the Query parameter credit_card to the format 1234-****-****-5678 using regular expressions.

  2. Modify the value of the password stored in the Query parameter to *****.

  3. Remove the Authorization field from the request header.

  4. Modify the value of the password stored in the users array field in the request body to ***** using JSON Path syntax.

  5. Modify the value of the password stored in the x-www-form-urlencoded request body to *****.

  6. Modify the value of the password stored in the multipart request body to *****.

This ensures that eligible values are replaced or removed, allowing the request logs to be safely stored, achieving both data security and compliance.

Response Data Masking

{
   "response": [
       {
           "type": "header",
           "name": "X-New-Access-Token",
           "action": "remove",
           "scope": ["log"]
       },
       {
           "type": "body",
           "name": "credit_card",
           "action": "replace",
           "value": "*****",
           "scope": ["log"]
       },
       {
           "type": "body",
           "format": "json",
           "name": "credit_card",
           "action": "regex",
           "regex": "(.*)-(.*)-(.*)-(.*)",
           "value": "$1-****-****-$4",
           "scope": ["response"]
       }
   ]
}
Enter fullscreen mode Exit fullscreen mode

This configuration example illustrates how to mask credit card numbers in the response body to ensure proper protection of sensitive information returned to clients.

With the above configuration, the response undergoes three steps before being returned to the client:

  1. Specify the removal of the X-New-Access-Token from the response header before writing to the response log to avoid logging it.

  2. Specify replacing the value of credit_card in the response body with ***** before writing to the response log to avoid logging it.

  3. Specify replacing the value of credit_card in the response body with the format 1234-****-****-5678 before returning it to the client.

Conclusion

Data masking serves as an effective means of data protection, crucial for preventing unauthorized access. Compared to other API management platforms with data masking capabilities, API7 Enterprise stands out in terms of flexibility, processing efficiency, and ease of use. Designed for rapid deployment and flexible customization, API7 Enterprise is an ideal choice for various business scenarios.

Moreover, in conjunction with industry compliance requirements such as PCI DSS, API7 Enterprise's data masking feature not only protect sensitive data for customers and businesses but also facilitate smooth compliance audits. This not only reduces the compliance burden on enterprises during data processing but also enhances customer trust and market competitiveness!

Top comments (0)