Data masking

Data masking hides sensitive information by replacing real values with structurally similar substitute values, so the original data stays protected wherever it is not required.

This policy masks sensitive data at the application level. To scope it to an application, configure an Identify and Authorize policy that identifies the application the masking applies to. If no application is specified, the policy applies to all other requests. Fields in received request messages can be masked or filtered. The masking criteria are written as XPath, JSON Path, or Regex expressions, chosen according to the content type.

In IBM API Studio, the kind DataMasking identifies the policy.

Example of a Data masking policy in code view:

kind: DataMasking
apiVersion: api.ibm.com/v2
metadata:
  name: datamasking
  version: 1.0
  namespace: wm_project
spec:
  enabled: false
  matchApplications:
    - 2d4e28ae-6209-44ec-ba4e-64c5fcc9b63d
    - 495d12eb-1712-46a0-9b23-142a3374e3a9
  transformations:
      set:
        - jpath: jpathexpression1
          maskValue: jpathmask1
        - xpath: xpathexpression1
          namespaces:
            - prefix: ps1
              URI: http://test.com
            - prefix: ps2
              URI: http://test2.com
          maskValue: xpathmask1
        - regex: regexexpression1
          maskValue: regexmask1
        - jpath: jpath
          maskValue: value1
        - xpath: xpath
          maskValue: value2
        - regex: regex
          maskValue: value3
      remove:
        - xpath: ${request-x}
        - jpath: ${request-j}
        - regex: ${request-r}
        - xpath: ${request-1}
        - jpath: ${request-2}
        - regex: ${request-3}
  applyForTransactionLogging: true
  applyForPayload: true

For the DataMasking policy kind, configure these specifications:

Code view | Form view | Description
matchApplications | Consumer applications | Specifies the applications for which the masking criterion must be applied.
applyForTransactionLogging | Apply for transaction logging | Specifies whether the data masking criterion is applied to transaction logging.
applyForPayload | Apply for payload | Specifies whether the data masking criterion is applied to the request payload.
transformations | Masking criteria | Specifies the masking rules. You can configure the following under transformations in code view and under Masking criteria in form view.

  • transformations. You can apply the following transformations:

    • setMask. Defines how the response payload for incoming requests is transformed by masking sensitive data.

      Each entry specifies the path of the element to mask, the value to replace it with, and optional namespace mappings. You can configure multiple masking rules.

      You can specify the path as an XPath, JSON Path, or Regex expression, depending on the payload format.

      • maskValue. Defines the replacement value for the masked element.
      • namespaces. Lists the XML namespace mappings to use when the path is defined with an XPath expression.
        • prefix. Specifies the namespace prefix.
        • URI. Specifies the namespace URI.
    • remove. Specifies which fields to remove from the response.
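To make the policy's behaviour concrete, here is an added illustration that is not IBM API Studio's masking engine or any code from the page: a small Python evaluator that takes a policy shaped like the DataMasking spec above (matchApplications, applyForPayload, applyForTransactionLogging, and transformations with set and remove rules) and applies it to a constructed JSON, XML and plain-text message, picking the jpath, xpath or regex rules from the content type. The policy values, sample payloads, the `apply_masking` and `applies_to` functions, the `target` argument and the content-type-to-rule mapping are all assumptions made for the example; the JSON Path support is deliberately limited to dotted `$.key.key` paths.

```python
"""Toy DataMasking evaluator (added illustration, not IBM API Studio's engine)."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed policy in the shape of the page's DataMasking spec; the application
# ID is the first one from the page's YAML example, the rules are made up here.
POLICY = {
    "enabled": True,
    "matchApplications": ["2d4e28ae-6209-44ec-ba4e-64c5fcc9b63d"],
    "transformations": {
        "set": [
            {"jpath": "$.customer.ssn", "maskValue": "***-**-****"},
            {"xpath": ".//ps1:card/ps1:number",
             "namespaces": [{"prefix": "ps1", "URI": "http://test.com"}],
             "maskValue": "XXXX-XXXX-XXXX-XXXX"},
            {"regex": r"\b\d{3}-\d{2}-\d{4}\b", "maskValue": "[REDACTED]"},
        ],
        "remove": [
            {"jpath": "$.customer.password"},
            {"xpath": ".//ps1:card/ps1:cvv",
             "namespaces": [{"prefix": "ps1", "URI": "http://test.com"}]},
            {"regex": r" token=\S+"},
        ],
    },
    "applyForTransactionLogging": True,
    "applyForPayload": True,
}

# Constructed sample payloads, one per format the policy can mask.
SAMPLE_JSON = '{"customer": {"name": "Ann", "ssn": "123-45-6789", "password": "hunter2"}}'
SAMPLE_XML = ('<ps1:order xmlns:ps1="http://test.com"><ps1:card>'
              '<ps1:number>4111111111111111</ps1:number><ps1:cvv>123</ps1:cvv>'
              '</ps1:card></ps1:order>')
SAMPLE_TEXT = "ssn=123-45-6789 token=abc123"

# Assumed mapping from the place the data is used to the policy flag that governs it.
TARGET_FLAG = {"payload": "applyForPayload", "transactionLogging": "applyForTransactionLogging"}


def applies_to(policy, app_id, target="payload"):
    """Scoping: a disabled policy never applies; an empty matchApplications list
    means every request, otherwise only the listed IDs; and the applyFor* flag
    for the target (payload or transaction log) must be true."""
    if not policy.get("enabled", False) or not policy.get(TARGET_FLAG[target], False):
        return False
    apps = policy.get("matchApplications") or []
    return not apps or app_id in apps


def _resolve(doc, jpath):
    """Walk a dotted '$.a.b' path; return (parent dict, last key) or (None, None)."""
    if not jpath.startswith("$."):
        raise ValueError("only '$.key.key' paths are supported in this toy")
    *parents, last = jpath[2:].split(".")
    for key in parents:
        if not isinstance(doc, dict) or key not in doc:
            return None, None
        doc = doc[key]
    return (doc, last) if isinstance(doc, dict) else (None, None)


def mask_json(payload, set_rules, remove_rules):
    doc = json.loads(payload)
    for rule in set_rules:  # set: replace the value at the path with maskValue
        parent, key = _resolve(doc, rule["jpath"])
        if parent is not None and key in parent:
            parent[key] = rule["maskValue"]
    for rule in remove_rules:  # remove: drop the field entirely
        parent, key = _resolve(doc, rule["jpath"])
        if parent is not None:
            parent.pop(key, None)
    return json.dumps(doc, sort_keys=True)


def _nsmap(rule):
    # The rule's namespaces list becomes the prefix -> URI map ElementTree expects.
    return {ns["prefix"]: ns["URI"] for ns in rule.get("namespaces", [])}


def mask_xml(payload, set_rules, remove_rules):
    root = ET.fromstring(payload)
    for rule in set_rules:
        for el in root.findall(rule["xpath"], _nsmap(rule)):
            el.text = rule["maskValue"]
    # ElementTree has no parent links, so build a child -> parent map for removal.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for rule in remove_rules:
        for el in root.findall(rule["xpath"], _nsmap(rule)):
            if el in parent_of:
                parent_of[el].remove(el)
    return ET.tostring(root, encoding="unicode")


def mask_text(payload, set_rules, remove_rules):
    for rule in set_rules:
        payload = re.sub(rule["regex"], rule["maskValue"], payload)
    for rule in remove_rules:
        payload = re.sub(rule["regex"], "", payload)
    return payload


def apply_masking(policy, app_id, content_type, payload, target="payload"):
    """Apply the transformations to one message, or return it unchanged when the
    policy is out of scope for this application or target."""
    if not applies_to(policy, app_id, target):
        return payload
    rules = policy["transformations"]
    kind, handler = {"application/json": ("jpath", mask_json),
                     "application/xml": ("xpath", mask_xml),
                     "text/xml": ("xpath", mask_xml)}.get(content_type, ("regex", mask_text))
    pick = lambda group: [r for r in rules.get(group, []) if kind in r]
    return handler(payload, pick("set"), pick("remove"))


if __name__ == "__main__":
    app = "2d4e28ae-6209-44ec-ba4e-64c5fcc9b63d"
    print(apply_masking(POLICY, app, "application/json", SAMPLE_JSON))
    print(apply_masking(POLICY, app, "application/xml", SAMPLE_XML))
    print(apply_masking(POLICY, app, "text/plain", SAMPLE_TEXT))
```

Two points worth checking against a real deployment: a request from an application that is not listed in matchApplications passes through untouched, so the scoping list is part of the security control, and the transaction-log copy of a message is only masked when applyForTransactionLogging is true, which is the flag that keeps secrets out of log storage.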