The Redact Mask
The Redact mask replaces characters with a redaction character.
This mask operates on text-type fields (e.g. VARCHAR, NVARCHAR, CHAR, NCHAR) and numeric-type fields (e.g. INT, NUMERIC, BIGINT, etc.).
You can specify full or partial masking of the target field.
By default, the Redact mask shall replace all alphanumeric characters ('A'..'Z', 'a'..'z', '0'..'9') with the character 'X' and preserve all other characters - as shown in the default Redact mask panel above.
For example, the value '1234-5678-9012-3456' would be replaced with 'XXXX-XXXX-XXXX-XXXX'.
If you want to mask all characters (and not just alphanumerics) then ensure that the 'Non-Alphanumeric characters' checkbox is selected. In this case, the value '1234-5678-9012-3456' would be replaced with 'XXXXXXXXXXXXXXXXXXX'.
Note: For masking Credit Card numbers or other Primary Account Numbers, please consider using the PAN Mask which has been specifically designed for that purpose.
Please also consider the Randomize Mask, particularly if you require that unique original values remain unique after they are masked.
Non-English Characters
This mask will properly mask Unicode data and you can specify any Unicode character as the replacement character.
Please note that the term 'Alphabetic' in this mask refers only to characters in the English alphabet when recognizing and filtering characters.
If you wish to mask non-English characters then you must select the Redact 'Non-Alphanumeric characters' checkbox. Similarly, if you are using the Partial Masking options then you should use the 'All' unit (instead of the 'Alphabetic' or 'AlphaNumeric' units).
Partial Masking
Preserve or Mask:
If Preserve is selected from the combo box then the First and Last parameters shall describe how many characters from the original value shall be preserved in the masked value.
If Mask is selected from the combo box then the First and Last parameters shall describe how many characters in the original value shall be masked. All other characters shall be preserved.
First
This specifies how many of the first count of characters (of the adjacent character unit) shall be preserved or masked (as specified by "Preserve or Mask" described above).
The character unit combo box offers the selection:
All - Every character is counted, including non-alphanumerics. i.e. This yields a fixed offset.
Alphabetic - Only alphabetic characters are counted ('A'..'Z', 'a'..'z')
Numeric - Only numeric characters are counted
AlphaNumeric - Only alphanumeric characters are counted
Last
This specifies how many of the last count of characters (of the adjacent character unit) shall be preserved or masked (as specified by "Preserve or Mask" described above).
Numeric Fields
The Redact mask is capable of masking numeric-type fields. In this case, the redaction character must be a digit ('0'..'9').
For example, you can specify that the first few digits of each number in a column should be preserved and the remainder set to zeroes. The sign character shall not be affected. i.e. Positive numbers shall remain positive. Negative numbers shall remain negative, unless the masking sets the value to zero.
Examples
Example:
Suppose that you want to mask the last 4 digits of phone numbers with zeroes. This could be achieved using the Redact mask with the settings shown in the panel below:
Since only the last 4 numeric characters (digits) are replaced, this preserves not only any formatting of the original values but also other general but significant information, such as country codes and area codes; however, you must consider whether this is sufficiently anonymous for your purposes. Note: Generally speaking, the Randomize Mask is better suited for masking telephone numbers because it has the capability to generate distinct masked values for distinct original values (rather than generating duplicates, as would likely happen if the last 4 digits of all telephone numbers were set to '0000').
Sample before and after values:
Before | After |
986-1234 | 986-0000 |
(415) 986-1234 | (415) 986-0000 |
+ 61 3 9010-5511 | + 61 3 9010-0000 |
Example:
Suppose that you want to mask the first 6 characters with '*'. This could be achieved using the Redact mask with the settings shown in the panel below:
Sample before and after values:
Before | After |
TEL-891234 | ******1234 |
456 | *** |
Example:
Suppose that you want to preserve only the first 2 alphabetic characters and the last 3 digits while masking all other alphanumeric characters using the '@' character (preserving non-alphanumeric characters).
Sample before and after values:
Before | After |
ABCD1234 | AB@@@234 |
S2-1A-7654T | S@-@A-@654@ |
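The following Python sketch is an added example, not the product's own code. It models the text-field behaviour described above so that the sample tables can be reproduced and a setting checked before use. Its function and parameter names are hypothetical, and it assumes that full masking corresponds to Preserve with First and Last set to 0, and that the 'Non-Alphanumeric characters' checkbox is selected in the second example.

```python
import string

# Character units from the page; 'Alphabetic' means the English alphabet only.
UNITS = {
    "All": lambda c: True,
    "Alphabetic": lambda c: c in string.ascii_letters,
    "Numeric": lambda c: c in string.digits,
    "AlphaNumeric": lambda c: c in string.ascii_letters + string.digits,
}

def redact(value, char="X", mode="Preserve", first=(0, "All"),
           last=(0, "All"), non_alnum=False):
    """Model of the Redact mask on a text value (semantics inferred from the page)."""
    selected = set()
    for (count, unit), from_end in ((first, False), (last, True)):
        # Positions of the characters that the chosen unit counts.
        idx = [i for i, c in enumerate(value) if UNITS[unit](c)]
        if count > 0:
            selected.update(idx[-count:] if from_end else idx[:count])
    out = []
    for i, c in enumerate(value):
        # Non-alphanumerics (including non-English letters) are only
        # masked when the checkbox equivalent is set.
        maskable = non_alnum or UNITS["AlphaNumeric"](c)
        hit = (i in selected) if mode == "Mask" else (i not in selected)
        out.append(char if maskable and hit else c)
    return "".join(out)

def distinct_after(values, **settings):
    """Number of distinct masked values: shows how redaction creates duplicates."""
    return len({redact(v, **settings) for v in values})

# Constructed sample data (not from a real system).
SAMPLE_PHONES = ["986-1234", "986-5678", "986-9999"]
PHONE_SETTINGS = dict(char="0", mode="Mask", last=(4, "Numeric"))
```

Running distinct_after over SAMPLE_PHONES with PHONE_SETTINGS returns 1: three distinct numbers collapse to '986-0000', which is the duplicate effect the note on the Randomize Mask refers to.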
Deterministic Tab:
The Deterministic tab shall show that the Redact mask is always Deterministic. i.e. The masked value shall always be the same for a given input value. Therefore, the settings on the Deterministic tab cannot be modified.
Size Limitations:
The following are the maximum character lengths per value to be masked:
MySQL: 65,535
Oracle: 4,000
SQL Server: 2GB