Obfuscations
Admin Console
The Nullafi Shield Admin Console provides a graphical user interface for configuring policy, viewing status, and examining event data. It is a web application which can be accessed using any web browser. The Admin Console is available after the Shield container is started. Access is governed by the defined container options (see Deployment). In the simplest case, browsing to the container host’s IP address on the mapped NULLAFI_HTTP_PORT will open the Admin Console login screen, and using the NULLAFI_USERNAME and NULLAFI_PASSWORD will allow the administrator to log in.
Policy
The policy engine is at the heart of Nullafi Shield. It does the work of examining the data being accessed, classifying it, and deciding whether it should be passed through to the user. The Policy section of the Admin Console is where rules are created to control the engine’s behavior.
Obfuscations
An Obfuscation combines Data Types and Mask Formats into a reusable policy object that can be referenced when building Rules. For example, an Obfuscation can tell Shield “If you find an email address (Data Type), replace the username with asterisks but leave the domain visible (Mask Format), and if you find an IP address, replace it with its MD5 hash.”
New Obfuscation
To define a new obfuscation, click on the Add New Obfuscation button in the upper right-hand corner. The editing window will slide out from the right. To define an Obfuscation:
1. Type the Name and (optionally) Description into the text fields.
2. For each Definition, choose a Data Type and Mask Format from the dropdown boxes, then click on the Add button.
3. Click on Save in the lower right.
Conditional Matching (JSON and CSV responses only)
Next to the Definitions tab, the Conditional Matching tab offers an advanced use of the Obfuscation mechanism. There you can configure filters based on data types to either Match or Bypass a piece of data, which gives a flexible configuration on top of the data type definitions. You can configure multiple conditional matchings. For each one, follow the steps below:
- Select a Data Type from the dropdown, so that the condition is applied to the correct data type.
- Select a Filter Type from the dropdown.
- Set the Parent Level (a number, minimum 1) of the data to which the filter applies. This sets how many parent levels above the point where the filter matches the condition starts to apply. For JSON objects, which have a hierarchical structure, this defines the scope of impact of the filter.
- Depending on the Filter Type (Date, String or Number), different filter configurations are supported:
  - Date: Set up a filter based on a range of dates or on a relative date/time (e.g. "Within the last 3 days" or "More than 5 hours").
  - String: Similar to a Custom Data Type, you can write a regex that will be used as a filter for the string value.
  - Number: You can set a range of numbers (e.g. "Lower or equal than 10" or "Greater or equal 5").
- Select the Behaviour for this condition:
  - Match: Similar to Application Configuration, this option makes the filter a requirement for obfuscation to happen. Any piece of data (JSON object or CSV line) that satisfies the filter will have its siblings and child data obfuscated according to what is configured on the Definitions tab.
  - Bypass: The exact opposite of Match. If a piece of data matches this filter configuration, it will not be obfuscated, even if a data type included in the obfuscation definition matches a data type detected in any of its siblings or child data.
As an example use case, suppose Hubspot is configured to receive your e-mails and you want to obfuscate only the e-mail messages that were received more than 3 days ago, so that you can still read recent e-mail activity while protecting PII in older e-mails that have probably already been read. For this you can use the configuration below:
- On the Definitions tab, select the "Hubspot Email" Data Type and "Fully Obfuscate" as the Mask Format.
- Click Add to finish the definitions configuration.
- Click on the Conditional Matching tab to configure your filter.
- Select the Data Type "Hubspot Object Timestamp" from the Data Type dropdown.
- Select the Type "Date" from the Filter Type dropdown.
- Keep the Parent Level as 1 (in most scenarios, keeping the parent level as 1 should be fine).
- On the Data Filter dropdown, select the "More than" option.
- In the input, type the number 3.
- On the dropdown right next to it, select the "days" option.
- Click Add, then click Save further down the sidebar to save this obfuscation.

This Obfuscation implements the use case described above: Hubspot e-mail messages older than 3 days are obfuscated.
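To make the Match, Bypass and Parent Level semantics concrete, here is a small Python model of the rule above, run over a constructed JSON response. It is an added illustration, not Nullafi code. It assumes data types are recognised by key name (Shield classifies values itself), that timestamps are ISO 8601 strings, and that Parent Level counts enclosing JSON objects; all function and key names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Assumed stand-ins for Shield's data type detection (hypothetical key names).
TIMESTAMP_KEY = "timestamp"               # plays "Hubspot Object Timestamp"
EMAIL_KEYS = {"from", "subject", "body"}  # plays "Hubspot Email"

def find_scopes(node, now, days, parent_level, ancestors=()):
    """Ids of the objects parent_level levels above each timestamp that
    satisfies the Date filter "More than <days> days"."""
    found = set()
    if isinstance(node, dict):
        chain = ancestors + (node,)
        for key, value in node.items():
            if key == TIMESTAMP_KEY and isinstance(value, str):
                if now - datetime.fromisoformat(value) > timedelta(days=days):
                    # Level 1 is the object holding the value; clamp at the root.
                    found.add(id(chain[max(0, len(chain) - parent_level)]))
            else:
                found |= find_scopes(value, now, days, parent_level, chain)
    elif isinstance(node, list):
        for item in node:
            found |= find_scopes(item, now, days, parent_level, ancestors)
    return found

def obfuscate(node, scopes, behaviour="match", in_scope=False):
    """Fully mask email-typed strings: Match masks inside a scope (siblings
    and child data), Bypass masks everywhere except inside a scope."""
    if isinstance(node, dict):
        in_scope = in_scope or id(node) in scopes
        out = {}
        for key, value in node.items():
            if key in EMAIL_KEYS and isinstance(value, str):
                mask = in_scope == (behaviour == "match")
                out[key] = "*" * len(value) if mask else value
            else:
                out[key] = obfuscate(value, scopes, behaviour, in_scope)
        return out
    if isinstance(node, list):
        return [obfuscate(item, scopes, behaviour, in_scope) for item in node]
    return node

def apply_rule(doc, now, days=3, parent_level=1, behaviour="match"):
    return obfuscate(doc, find_scopes(doc, now, days, parent_level), behaviour)

# Constructed sample response: one recent message, one nine days old.
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = {"results": [
    {"timestamp": "2024-05-09T08:00:00+00:00", "from": "a@example.com", "body": "recent"},
    {"timestamp": "2024-05-01T08:00:00+00:00", "from": "b@example.com", "body": "old",
     "thread": {"body": "quoted"}},
]}
```

In this model, raising the Parent Level to 2 moves the scope up to the root object, so the recent message is masked as well, which is why a level of 1 is the safer default for per-record conditions.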
Edit Obfuscation
To edit an existing obfuscation, hover your mouse over the Obfuscation Name, click on the three-dot menu that appears, and choose Edit. The editing window will slide out from the right. Within the editing window, a similar three-dot menu is available for each Definition and Conditional Matching configured.
Delete Obfuscation
To delete an obfuscation, hover your mouse over the Obfuscation Name, click on the three-dot menu that appears, and choose Delete.