Skip to content

Introduction

Nullafi Shield provides data access controls so you can quickly, easily, and comprehensively protect sensitive data. With Nullafi, your users see only the data they need to see, giving your organization unprecedented control over data access. Use us to intelligently recognize and mask sensitive data before it gets to the users’ device, no matter where it originates, what field it’s in, or how it’s labeled.

Nullafi® Shield™ provides proprietary data access controls so you can quickly, easily, and comprehensively protect sensitive data, automate policy enforcement, and eliminate risks such as data leakage, snooping, and improper downloading—all while allowing business to continue without interruption. Nullafi intelligently recognizes and masks sensitive data in transit before it gets to the user’s device, no matter where it originates, what field it’s in, or how it’s labeled. You get simple-yet-powerful controls to granularly manage, monitor, and block data access for any user in any application. With Nullafi, your users see only the data they need to see, giving you unprecedented control.

Architecture Overview

Nullafi Shield sits between applications and endpoints and dynamically obfuscates individual data elements according to your policy. By coordinating with your existing network controls, it can be inserted into the flow of every transaction without requiring specific application integrations.

Shield is deployed as an ICAP server, and can be inserted into network transactions by proper configuration of proxy servers anywhere in the network path. These might be either forward proxies, commonly deployed as Secure Web Gateways to protect end users, or reverse proxies, which might be used by application owners for load balancing or security.

Once integrated into the network, Shield examines each transaction and applies data access policies set by the administrator. Policies can consider the user’s identity, which application they are accessing, and what data types are being transmitted. When data types of interest are identified, they can be passed on to the user or redacted before they reach the endpoint according to granular and flexible replacement rules.

ICAP Protocol

As an ICAP Server, Nullafi Shield follows RFC 3507 to communicate with a web proxy. The web proxy can come from any number of providers that support the ICAP protocol. ICAP servers can operate in Request Modification and/or Response Modification mode. This document focuses on Response Modification (RespMod), as the data of interest is that returned from the web server (Response).

In Response Modification, the web proxy forwards the origin server’s response to the ICAP Server for modification before sending it to the requester. The diagram below illustrates this flow in more detail:

  origin-server
      | /|\
      |  |
   2  |  |  3
      |  |
     \|/ |            4
  ICAP-client    -------------->   ICAP-resource
  (surrogate)    <--------------   on ICAP-server
      | /|\            5
      |  |
   1  |  |  6
      |  |
     \|/ |
     client

In this flow, “client” is a browser such as Chrome or Firefox, “ICAP-client (surrogate)” is a web proxy such as Squid, “origin-server” is an external server such as Salesforce or Zendesk SaaS URLs, and “ICAP-resource on ICAP-server” is Nullafi Shield.