Classification Rule Handling

Classification rules are handled according to flexible matching and grouping criteria.

Fire only with Marker

The Fire only with Marker rule allows for the grouping of Classifier rule types by the same exact name. Additionally, all returned rules using a marker must return data based on the same table name. If two or more rules are defined with the same marker, those rules fire together: if both rules fire on the same table, both are logged and their actions invoked. If, on the other hand, only one of them fires on a table, neither rule is logged or has its actions invoked. Being able to have multiple rules fire together becomes important when you care about sensitive data appearing together within the same table. For example, you may want to know when a table has both a social security number and a Massachusetts driver's license.

Fire only with Marker is a constant value. It can be named any value, but it must have the exact same value across the rules you want to group. This means that if one rule has a marker of ABC, the other rule that you want to group it with must also have a marker named ABC. With any other marker value, the rules are no longer grouped.

You must use at least two rules, with any marker value, that look for data within the same table name.

Continue on Match

Fire only with Marker is also based on the Continue on Match rule. As an example, if the following rules are defined such that Rule 3 does not match Continue on Match, then no results are returned, regardless of whether all three marker rules were positive. This is because Rule 4 did not get to run, and the grouping does not fire because all rules sharing a Fire only with Marker must run and return positive results.

Rule 1. Firemarker rule ABC (continue on match)

Rule 2. Firemarker rule ABC (continue on match)

Rule 3. Firemarker rule ABC (continue on match)

Rule 4. Firemarker rule ABC (continue on match)

Unmatched Columns Only

Use this option for reducing the granularity of data results. Some organizations may want to do a survey of their data to discover which tables and columns have sensitive data without necessarily needing to find every type of sensitive data in that column. A new option for Continue on match, With Unmatched Columns only, means that as soon as the classifier finds a match for that column, it will ignore that column as it continues its processing.

Table 1. Summary of available classifier processing options

| Continue on match | With Unmatched Columns only | Granularity of Result |
|---|---|---|
| No | N/A | Table. Classifier will stop processing rules after the first hit in the table. |
| Yes | Yes | Table and column. Classifier will record the first hit for any given column and ignore it thereafter for subsequent rules. |
| Yes | No | Detailed. Classifier will record hits for all columns for all rules. |

Classification with Luhn algorithm

When a rule name begins with guardium://CREDIT_CARD, and there is a valid credit card number pattern in the Search Expression box, the classification policy will use the Luhn algorithm (a widely used algorithm for validating identification numbers such as credit card numbers), in addition to standard pattern matching. The Luhn algorithm is an additional check and does not replace the pattern check. A valid credit card number is a string of 16 digits or four sets of four digits, with each set separated by a blank. Both the guardium://CREDIT_CARD rule name and a valid [0-9]{16} number in the Search Expression box are required in order to have the Luhn algorithm involved in this pattern matching.
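
The two-stage check described above (pattern first, then Luhn as an additional check) can be sketched as follows. This is an added example, not Guardium's own code: the function names, the regex for the four-sets-of-four form, and matching against the whole column value are assumptions, and the sample values are constructed.

```python
import re

# Pattern check: 16 digits, or four sets of four digits separated by a blank.
# [0-9]{16} is from the page; the spaced alternative is an assumed regex.
CARD_PATTERN = re.compile(r"[0-9]{16}|[0-9]{4}(?: [0-9]{4}){3}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    # Walk right to left; double every second digit, starting with the
    # digit immediately left of the check digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def classify(value: str) -> str:
    """Classify one column value (hypothetical helper).

    Returns 'no_pattern', 'pattern_only' or 'credit_card'.
    """
    if not CARD_PATTERN.fullmatch(value):
        return "no_pattern"
    digits = value.replace(" ", "")
    return "credit_card" if luhn_valid(digits) else "pattern_only"


# Constructed sample column values (test numbers, not real cards).
SAMPLES = [
    "4111111111111111",     # passes pattern and Luhn
    "4111 1111 1111 1111",  # same number as four sets of four
    "4111111111111112",     # passes pattern, fails Luhn
    "1234567890123456",     # passes pattern, fails Luhn
    "4111-1111-1111-1111",  # hyphens: fails the pattern check
    "411111111111111",      # 15 digits: fails the pattern check
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:24} -> {classify(s)}")
```

Values that land in `pattern_only` are the false positives that a plain [0-9]{16} search expression would report and that the additional Luhn check filters out.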