IBM Support

IBM Security Guardium: the REDACT action does not work with regular expressions that include curly braces ("{" and "}") when applied to database servers on Microsoft Windows

Troubleshooting


Problem

As part of the data protection services offered by IBM Security Guardium™, it is possible to hide or mask all or part of the result set of a query, in order to protect sensitive information from unauthorized entities or users.
This can be implemented through the use of a feature named REDACT (sometimes referred to as DATA REDACT, or SCRUB), which consists of configuring at least one EXTRUSION rule in any of the policies installed on a Guardium™ Collector and configuring the S-TAP to provide this type of service.
When configuring REDACT, a corresponding rule in the data security policy must include one regular expression, which Guardium™ uses to identify the data to be protected.
During this process, the data may not be masked correctly, even though the data to be protected matches the provided PCRE (Perl Compatible Regular Expressions) regular expression. Specifically, this happens when the regular expression uses curly braces ("{" and "}"), the valid notation to represent a given number of characters, and the source database server is running on Microsoft™ Windows.

Symptom

Assuming all the configurations required to use REDACT are correct, the main symptom is that the data to be protected is not masked.
When the problem occurs, the data in the result set that matches the configured regular expression is displayed in plain text.
Example.
Suppose that an EXTRUSION rule is created to mask data that matches the regular expression ([0-9]{4})[0-9]{2}. From the graphical user interface (GUI), a simple test is performed with the data 987654321. The GUI shows that the data matches the regular expression, so Guardium™ is expected to mask 4 digits (the portion in parentheses) whenever traffic contains this data or any other matching data.
However, the data is not protected as expected, and is displayed as is instead.

Cause

The PCRE implementation for Microsoft™ Windows does not support the use of braces ("{" and "}").

Environment

Any version of IBM Security Guardium™ where REDACT is properly configured and the source database server is running on Microsoft™ Windows.

Resolving The Problem

To solve the problem, you must create and implement an equivalent regular expression that does not use curly braces ("{" and "}") and that correctly represents the data to be protected.
Example.
Continuing with the example given, a new regular expression is created, ([0-9][0-9][0-9][0-9])[0-9][0-9], which is equivalent to ([0-9]{4})[0-9]{2}. The new expression does not contain or use curly braces.
Again, a simple test is performed from the GUI. It shows that the new regular expression is valid and a match for the data 987654321.
This time, when an application runs a transaction which results in data matching the regular expression, that data will be masked properly as per the configuration.
Tip 1. There are many tools that make it easy to create and test regular expressions, for example, https://regexr.com.
The main consideration to take into account is that the regular expressions supported by Guardium™ must comply with the PCRE syntax.
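The rewrite described above can be done mechanically and checked before the rule is installed. The following is an added example, not IBM or Guardium™ code: expand_braces and same_matches are hypothetical helper names, Python's re module stands in for PCRE on these simple constructs, and the helper goes beyond the page's {n} case by also expanding {n,m} and {n,}.

```python
import re

# Matches {n}, {n,m} or {n,}; group 4 catches a lazy (?) or possessive (+) suffix.
QUANT = re.compile(r"\{(\d+)(?:(,)(\d*))?\}([?+]?)")
NOT_REPEATABLE = {"", "(", ")", "|", "*", "+", "?"}
BRACE_ESCAPES = set("xpPNgko")   # \x{..}, \p{..} etc.: braces are not quantifiers

def expand_braces(pattern: str) -> str:
    """Write brace quantifiers out as repeated atoms: [0-9]{2} -> [0-9][0-9]."""
    atoms, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                            # escape such as \d is one atom
            atoms.append(pattern[i:i + 2])
            i += 2
        elif ch == "[":                           # character class is one atom
            j = i + 2 if pattern[i + 1:i + 2] == "^" else i + 1
            if pattern[j:j + 1] == "]":           # a leading ] is a literal
                j += 1
            while j < len(pattern) and pattern[j] != "]":
                if pattern.startswith("[:", j):
                    raise ValueError("POSIX class inside [...] is not handled")
                j += 2 if pattern[j] == "\\" else 1
            atoms.append(pattern[i:j + 1])
            i = j + 1
        elif ch == "{":
            m = QUANT.match(pattern, i)
            target = atoms.pop() if atoms else ""
            # A quantified group is refused: repeating it would add capture groups,
            # and the page's example masks the parenthesised part (assumption).
            if (not m or m.group(4) or target in NOT_REPEATABLE
                    or (target[0] == "\\" and target[1:] in BRACE_ESCAPES)):
                raise ValueError(f"brace at offset {i} must be rewritten by hand")
            lo, more, hi = int(m.group(1)), m.group(2), m.group(3)
            if hi and int(hi) < lo:
                raise ValueError(f"invalid range in quantifier at offset {i}")
            tail = "" if not more else ((target + "?") * (int(hi) - lo) if hi else target + "*")
            atoms.append(target * lo + tail)      # n copies, then optional copies or X*
            i = m.end()
        else:
            atoms.append(ch)
            i += 1
    return "".join(atoms)

def same_matches(a: str, b: str, samples) -> bool:
    """True when both patterns give the same match spans and captured groups."""
    def found(p):
        return [(m.span(), m.groups()) for s in samples for m in re.finditer(p, s)]
    return found(a) == found(b)
```

Comparing the original and the expanded pattern with same_matches over representative sample values confirms that the captured portion is unchanged; the final check remains the regular expression test in the Guardium™ GUI.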

Document Location

Worldwide


Document Information

Modified date:
02 November 2022

UID

ibm16834148