The Redact Mask

 

The Redact mask replaces characters with a redaction character.

This mask operates on text-type fields (eg. VARCHAR, NVARCHAR, CHAR, NCHAR) and numeric-type fields (eg. INT, NUMERIC, BIGINT, etc).

You can specify full or partial masking of the target field.

Redact data mask

 

By default, the Redact mask shall replace all alphanumeric characters ('A'..'Z', 'a'..'z', '0'..'9') with the character 'X' and preserve all other characters - as shown in the default Redact mask panel above.

For example, the value '1234-5678-9012-3456' would be replaced with 'XXXX-XXXX-XXXX-XXXX'.

If you want to mask all characters (and not just alphanumerics) then ensure that the 'Non-Alphanumeric characters' checkbox is selected. In this case, the value '1234-5678-9012-3456' would be replaced with 'XXXXXXXXXXXXXXXXXXX'.

Note: For masking Credit Card numbers or other Primary Account Numbers, please consider using the PAN Mask which has been specifically designed for that purpose.

Please also consider the Randomize Mask, particularly if you require that unique original values remain unique after they are masked.

 

Non-English Characters

This mask will properly mask Unicode data and you can specify any Unicode character as the replacement character.

Please note that the term 'Alphabetic' in this mask refers only for recognizing and filtering characters in the English alphabet.

If you wish to mask non-English characters then you must select the Redact 'Non-Alphanumeric characters' checkbox. Similarly, if you are using the Partial Masking options then you should use the 'All' unit (instead of the 'Alphabetic' or 'AlphaNumeric' units.)

 

Partial Masking

Preserve or Mask:

If Preserve is selected from the combo box then the First and Last parameters shall describe how many characters from the original value shall be preserve in the masked value.

If Mask is selected from the combo box then the First and Last parameters shall describe how many characters in the original value shall be masked. All other characters shall be preserved.

First

This specifies how many of the first count of characters (of the adjacent character unit) shall be preserved or masked (as specified by "Preserve or Mask" described above).

The character unit combo box offers the selection:

All                    - Every character is counted, including non-alphanumerics. ie. This yields a fixed offset.
Alphabetic        - Only alphabetic characters are counted ('A'..'Z', 'a'..'z')
Numeric           - Only numeric characters are counted
AlphaNumeric   - Only alphanumeric characters are counted

Last

This specifies how many of the last count of characters (of the adjacent character unit) shall be preserved or masked (as specified by "Preserve or Mask" described above).

 

Numeric Fields

The Redact mask is capable of masking numeric-type fields. In this case, the redaction character must be a digit ('0'..'9').

For example, you can specify that the first few digits of each number in a column should be preserved and the remainder set to zeroes. The sign character shall not be affected. i.e. Positive numbers shall remain positive. Negative numbers shall remain negative, unless the masking sets the value to zero.

 

Examples

Example:

Suppose that you want to mask the last 4 digits of phone numbers with zeroes. This could be achieved using the Redact mask with the settings shown in the panel below:

Since we're only replacing the last 4 numeric characters (digits) this has the benefit of preserving not only any formatting of original values, but also any other general but significant information, such as country codes and area codes, shall be preserved; however, you must consider whether this is sufficiently anonymous for your purposes. Note: Generally speaking, the Randomize Mask is better suited for masking telephone numbers because it has the capability to generate distinct masked values for distinct original values (rather than generating duplicates as would likely happen if the last 4 digits of all telephone numbers were set to '0000')

Sample before and after values:

 Before  After
 986-1234  986-0000
 (415) 986-1234  (415) 986-0000
 + 61 3 9010-5511  + 61 3 9010-0000

 

Example:

Suppose that you want to mask the first 6 characters with '*'. This could be achieved using the Redact mask with the settings shown in the panel below:

Sample before and after values:

 Before  After
 TEL-891234  ******1234
 456  ***

 

Example:

Suppose that you want to preserve only the first 2 alphabetic characters and the last 3 digits while masking all other alphanumeric characters using the '@' character (preserving non-alphanumeric characters).

Sample before and after values:

 Before  After
 ABCD1234  AB@@@234
 S2-1A-7654T  S@-@A-@654@

Deterministic Tab:

The Deterministic tab shall show that the Redact mask is always Deterministic. i.e. The masked value value always be the same for a given input value. Therefore, the settings on the Deterministic tab cannot be modified.

 

Size Limitations:

The following are the maximum character lengths per value to be masked:

MySQL: 65,535
Oracle: 4,000
SQL Server: 2GB