Data Obfuscation

The data obfuscation feature in gradient fox allows your organization to stay compliant by masking sensitive information from the Kafka topic data that users can view. This feature helps your company adhere to policies set forth by your organization and local regulations. The obfuscation settings in gradient fox enable fine-grained control over what data is masked and how the obfuscation is performed.

Obfuscation Settings

The obfuscation settings screen allows you to define detailed configuration of the policies that you want to enforce. The obfuscation settings are centered around the concept of obfuscation groups. Each group is meant to enforce a certain policy within your organization, but you can also structure your groups in a different manner as well. You can have as many obfuscation groups as you need to uphold the data protection rules within your company.

During the obfuscation process there is a possibility for errors to occur. For example, the input data is not in the specified format (e.g. not an email address) or the structued value cannot be parsed (e.g. not valid JSON). In those cases, the user will see an error message such as 'Unable to read JSON' instead of the actual data.

Limiting Obfuscation Scope

By default configured obfuscations will apply to all users and user groups. You can add exclusions to this rule by excluding obfuscation groups from applying to specific user groups. If a user belongs to a group that has an obfuscation exclusion, then the obfuscation rules of that obfuscation group will not apply and they can see the topic data in the clear.

You can find more information about this in the User Management Single Sign-On section of the documentation.

Adding Obfuscation Groups

You can add a new obfuscation group using the Add Group button on the Obfuscation-page. It will bring up a dialog where you can enter a unique name for the group as well as a group category. The category can be any string that helps you categorize your obfuscation groups, for example PII, PHI or any other free-form text. After adding the group you must add resources and fields to start enforcing your obfuscation policies.

Obfuscation Group Resources

The first task after creating a new group is to specify which topics the group should apply to. In order to do that, you need to configure group resources which define the cluster and the topic name. For the cluster you can also select All, in which case the obfuscation will apply to the specified topic in any cluster you have configured. Notice that a specific topic can only appear in one resource group. The same topic name can appear in two groups as long as the cluster is different.

Obfuscation Group Fields

The Fields-section of the obfuscation group defines what exactly is obfuscated and how the data will be obfuscated. First you need to define which part (location) of the message will be obfuscted.

• Key - The key of the message will be the target of this obfuscation.
• Value - The value of the message will be the target of this obfuscation.
• Header - A specific header of the message will be the target of this obfuscation. You must configure the header name.

Next you need to specify the format of the data in the given location.

• Single Value - The specified location (i.e. Key/Value or Header) contains just a single value, for example an email address or a social security number. In this case the entire value will be obfuscated by the obfuscation method you select.
• Structured - The specified location contains a JSON value, stored either as a string or Avro-encoded value. In this case you must also specify the field name that contains the data that will be obfuscated.

The last step is to define the obfuscation method that will be used to mask the original data.

• Mask - Each character in the input data will be replaced by an asterisk. This will reveal the length of the original data.
  

  Example: user@example.com -> ****************

• Show First N - Same as masking but the first N characters will be in the clear.
  

  Example: user@example.com -> us**************

• Show Last N - Same as masking but the last N characters will be in the clear.
  

  Example: user@example.com -> **************om

• Hash - SHA-256 hashing algorithm will be applied to the input data.
  

  Example: myuser@example.com -> b4c9a289323b21a01c3e940f150eb9b8c542587f1abfd8f0e1cc1ffc5e475514

• Truncate - The input will be replaced by a single asterisk. This is the safest and quickest method as the input data does not need to be parsed.
  

  Example: user@example.com -> *

• Email Mask User - The input data is assumed to be an email address. The user part will be masked but N characters from the start will be in the clear.
  

  Example: user@example.com -> us**************

• Email Mask Domain - The input data is assumed to be an email address. The domain part will be masked but N characters from the start will be in the clear.
  

  Example: user@example.com -> user@ex*********

• Email Mask User & Domain - The input data is assumed to be an email address. Both the user and domain parts will be masked but N characters of each from the start will be in the clear.
  

  Example: user@example.com -> us**@ex*********