Baffle Advanced Data Protection provides the following default Data Protection Policies that you can apply in their original form or customize for an application.
- Default Encryption (CTR) Policy
- Default Format Preserving Encryption (FPE) Policy
- Default Masking Policy
This document explains each of the default Data Protection Policies. For information on the differences between FPE and data masking, see Format Preserving Encryption vs Data Masking.
About Data Protection Policies
A Data Protection Policy consists of a combination of rules, which in turn consist of conditions and modes as illustrated in the following diagram.
A Mode specifies the type of encryption or masking format applied to selected columns, and can be applied to a column individually, as well as included in a policy Rule. A policy is applied to the columns of a data store associated with an enrolled application. A policy specifies the mode, conditions for given columns, and the keys that are used. For information on how to add a policy to an application, see Create a Data Protection Policy.
NOTE: The data type of a column can affect the encryption or masking format used in a Data Protection Policy. For more information, see FPE Reference, Baffle Shield Supported Data Masking Formats and Patterns, and Data Masking Reference.
Default Encryption (CTR) Policy
The Default CTR Policy utilizes counter mode encryption (CTR) combined with Advanced Encryption Standard (AES) and Deterministic (DET) encryption. The Default CTR Policy applies to all data types.
- AES (advanced encryption standard) is included in the ISO/IEC 18033-3 standard and defined in FIPS PUB 197. AES became a U.S. federal government standard in 2002. AES is available in many different encryption packages and is the only publicly accessible cipher approved by the U.S. National Security Agency (NSA).
- CTR (counter mode) is an algorithm that uses a block cipher. CTR turns a block cipher into a stream cipher, generating the next keystream block by encrypting successive values of a "counter". The counter can be any function that produces a sequence guaranteed not to repeat for a significant amount of time.
- DET (deterministic encryption) always produces the same ciphertext for a given plaintext string and key, even over separate executions of the encryption algorithm.
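The three terms above fit together as one construction. The script below is an added illustration written for this page, not Baffle's code: it builds a CTR stream cipher from a keyed block function and then shows the difference between a randomized nonce and a deterministic (DET) one. Two assumptions keep it on the Python standard library: HMAC-SHA256 truncated to 16 bytes stands in for the AES block function (CTR only ever needs the forward direction, so this is a faithful stand-in for the mode's structure, not for AES itself), and the DET nonce is derived from the key and plaintext by a constructed SIV-style rule. The key and sample value are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16       # keystream block size in bytes (same as the AES block size)
NONCE_LEN = 8    # nonce || 8-byte counter fills exactly one block


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One keystream block for the given counter value.

    Real AES-CTR computes AES_key(nonce || counter). HMAC-SHA256 truncated
    to BLOCK bytes stands in here (an assumption made so the script runs
    without third-party packages); CTR never needs the inverse direction.
    """
    counter_block = nonce + counter.to_bytes(BLOCK - len(nonce), "big")
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:BLOCK]


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Turn the block function into a stream cipher: XOR the data with the
    keystream produced from successive counter values 0, 1, 2, ...
    Encryption and decryption are the same operation."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), BLOCK)):
        ks = keystream_block(key, nonce, block_no)
        out.extend(b ^ k for b, k in zip(data[start:start + BLOCK], ks))
    return bytes(out)


def randomized_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Ordinary CTR: a fresh random nonce per call, so two encryptions of
    the same value differ. Output layout: nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + ctr_crypt(key, nonce, plaintext)


def det_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Deterministic (DET) variant: the nonce is derived from the key and
    the plaintext (a constructed SIV-style derivation, not Baffle's), so
    the same value under the same key always yields the same ciphertext,
    across processes and over time. That is what lets an equality lookup
    on an encrypted column work; the flip side is that equal plaintexts
    are visible as equal ciphertexts, which the randomized mode hides."""
    nonce = hmac.new(key, b"nonce|" + plaintext, hashlib.sha256).digest()[:NONCE_LEN]
    return nonce + ctr_crypt(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Works for both layouts above: split off the nonce, run CTR again."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return ctr_crypt(key, nonce, ciphertext)


if __name__ == "__main__":
    key = b"\x01" * 32              # constructed sample key
    value = b"4111111111111111"     # constructed sample value
    print(det_encrypt(key, value).hex())
    print(det_encrypt(key, value) == det_encrypt(key, value))                # True
    print(randomized_encrypt(key, value) == randomized_encrypt(key, value))  # False
    print(decrypt(key, det_encrypt(key, value)) == value)                    # True
```

The `randomized_encrypt` / `det_encrypt` pair is the practical point: DET is what makes an encrypted column usable in a `WHERE col = ?` lookup, and the price is that the frequency of repeated values in that column is visible without the key, so it belongs on columns that need equality matching rather than everywhere by default.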
NOTE: You are not allowed to edit the Default CTR Policy. However, you can create custom encryption modes that you can save to a library and apply as needed. For information on other Baffle Advanced Data Protection encryption types, see Encryption Mode Types.
Default Format Preserving Encryption (FPE) Policy
Format Preserving Encryption (FPE) is a 1-to-1 mapping of sensitive to non-sensitive data. The mapping format depends on the data type to which it is applied, and supported data types vary according to the database.
Default FPE formats
Encryption: Enabled
Masking: Disabled
NOTE: The database used and the data type of a column can affect the encryption format used in a Data Protection Policy. The data types for MySQL, SQL Server, and Postgres databases differ. For details on supported FPE data types and formats for different databases, as well as FPE transformations, see the FPE Reference.
Data Type | Default FPE Format
--- | ---
tinyInt, smallInt, integer, bigInt, float | fpe-int
date, time, datetime, datetime2, datetimeoffset | fpe-datetime
smalldatetime | fpe-smalldatetime
char, nchar, varchar, nvarchar | fpe-alphanum
FPE data format transformations
For a list of supported FPE data formats and the FPE transformations for each, see the FPE Reference.
Default Masking Policy
Baffle Advanced Data Protection masks encrypted data so that any data returned to the user without decryption is presented in a friendly format. This supports applications that require data in a specific format but do not require realistic behavior of the data.
The default Masking Policy is applied to all data types.
NOTE: The data type of a column can affect the masking format used in a Data Protection Policy. For more information, see Baffle Shield Supported Data Masking Formats and Patterns and Data Masking Reference.
Default data masking formats
Encryption: Disabled
Masking: Enabled
Data Type | Default Mask Format
--- | ---
bit, tinyint, smallint, int/integer, bigint | FIXED “0”
char, nchar, varchar, nvarchar, text, ntext | FIXED “***”
image, binary, varbinary | FIXED “***”
date | FIXED “1999-12-31”
datetime | FIXED “1999-12-31 00:00:00”
datetimeoffset | FIXED “1999-12-31 00:00:00 +00:00”
time | FIXED “00:00:00”
decimal, money, numeric, float, real | FIXED “0”
Data masking transformations
Baffle Advanced Data Protection utilizes the following data masking transformations:
- Masking on client queries – masks literal values for masked columns.
- Masking on result sets – masks data values in the result set corresponding to masked columns.
Masking is applied as follows:
- Type-specific and column-specific default masking is performed on both client queries and result set data.
- Column-specific selective masking is performed both on client queries and result set data. This ensures data privacy for the masked fields.
- Result set limit masking is applied only to result set data. Literal values for columns for which selective masking has not been specified are not masked.
NOTE: Result set limit masking is applied globally. However, result set limit masking and column-specific selective masking can be combined such that client queries are masked for those columns in which selective masking is applied.
For more information
See the following topics for more on Baffle Advanced Data Protection data formats, encryption, and data masking:
- Assigning and Customizing Default Data Protection Policies
- Encryption Mode Types
- Format Preserving Encryption vs Data Masking
- Enable Partial Format Preserving Encryption
- Using Format Preserving Encryption
- Applying data masking formats
- Data Masking Reference
- Add, Edit, and View Data Formats in Baffle Manager Policy Builder
- Column Properties Reference