The Redact Mask

 

The Redact mask replaces characters with a redaction character.

This mask operates on text-type fields (e.g. VARCHAR, NVARCHAR, CHAR, NCHAR) and numeric-type fields (e.g. INT, NUMERIC, BIGINT, etc.).

You can specify full or partial masking of the target field.

 

By default, the Redact mask shall replace all alphanumeric characters ('A'..'Z', 'a'..'z', '0'..'9') with the character 'X' and preserve all other characters - as shown in the default Redact mask panel above.

For example, the value '1234-5678-9012-3456' would be replaced with 'XXXX-XXXX-XXXX-XXXX'.

If you want to mask all characters (and not just alphanumerics) then ensure that the 'Non-Alphanumeric characters' checkbox is selected. In this case, the value '1234-5678-9012-3456' would be replaced with 'XXXXXXXXXXXXXXXXXXX'.

Note: For masking Credit Card numbers or other Primary Account Numbers, please consider using the PAN Mask which has been specifically designed for that purpose.

Please also consider the Randomize Mask, particularly if you require that unique original values remain unique after they are masked.

 

Non-English Characters

This mask will properly mask Unicode data and you can specify any Unicode character as the replacement character.

Please note that the term 'Alphabetic' in this mask refers only to characters in the English alphabet; it is used only for recognizing and filtering those characters.

If you wish to mask non-English characters then you must select the Redact 'Non-Alphanumeric characters' checkbox. Similarly, if you are using the Partial Masking options then you should use the 'All' unit (instead of the 'Alphabetic' or 'AlphaNumeric' units).

 

Masking Range

This panel allows you to specify a partial range of an original value to be selected for masking. The default, as shown in the mask above, shall select the entire value.
  

Select Range

This defines what part of each value shall be selected for masking (subject further to the First and Last parameters below). Everything outside of this range shall be preserved.

Entire Field - The entire value is selected.

Before Substring - Only that part of the value that appears before the specified substring shall be selected for masking. The substring and the remainder of the value shall be preserved.

After Substring - Only that part of the value that appears after the specified substring shall be selected for masking. The substring and the part of the value that appears before the substring shall be preserved.

Substring

The substring that shall be considered the delimiter of the masking range.

Every character in this field is significant, including quotes and spaces. Therefore, unless you want to search the field for quotes and spaces, do not include them in this field.
    

Preserve or Mask:

If Preserve is selected from the combo box then the First and Last parameters shall describe how many characters from the original value shall be preserved in the masked value.

If Mask is selected from the combo box then the First and Last parameters shall describe how many characters in the original value shall be masked. All other characters shall be preserved.

First

This specifies how many of the first characters (counted in the adjacent character unit) shall be preserved or masked (as specified by "Preserve or Mask" described above).

The character unit combo box offers the selection:

All - Every character is counted, including non-alphanumerics, i.e. this yields a fixed offset.
Alphabetic - Only alphabetic characters are counted ('A'..'Z', 'a'..'z').
Numeric - Only numeric characters are counted.
AlphaNumeric - Only alphanumeric characters are counted.

Last

This specifies how many of the last characters (counted in the adjacent character unit) shall be preserved or masked (as specified by "Preserve or Mask" described above).
   

 

Numeric Fields

The Redact mask is capable of masking numeric-type fields. In this case, the redaction character must be a digit ('0'..'9').

For example, you can specify that the first few digits of each number in a column should be preserved and the remainder set to zeroes. The sign character shall not be affected, i.e. positive numbers shall remain positive and negative numbers shall remain negative, unless the masking sets the value to zero.

 

Deterministic Tab:

The Deterministic tab shall show that the Redact mask is always Deterministic, i.e. the masked value shall always be the same for a given input value. Therefore, the settings on the Deterministic tab cannot be modified.

Examples

 

Example:

Mask the last 4 digits of phone numbers with zeroes.

  

Since we're only replacing the last 4 numeric characters (digits), this preserves not only the formatting of the original values but also other general but significant information, such as country codes and area codes; however, you must consider whether this is sufficiently anonymous for your purposes.

Note: Generally speaking, the Randomize Mask is better suited for masking telephone numbers because it can generate distinct masked values for distinct original values (rather than generating duplicates, as would likely happen if the last 4 digits of all telephone numbers were set to '0000').

 

Example:

Mask the first 6 characters with '*'.

   

 
  

Example:

Preserve only the first 2 alphabetic characters and the last 3 digits while masking all other alphanumeric characters using the '@' character (preserving non-alphanumeric characters).
   

   

 

Example:

Redact telephone numbers after the first hyphen ("-") from the left; however, within this range preserve only the first digit and last two digits.
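The four examples above can be checked against a small Python model of the text-field behaviour described on this page. This is an added example, not the product's own code: the redact() signature and the sample values are constructed for illustration, and numeric-type fields are not modelled. Assumptions: "Preserve first 0, last 0" stands for the default full mask, First and Last are counted independently inside the selected range, and a missing substring raises an error because the page does not say what happens in that case.

```python
import string

LETTERS, DIGITS = set(string.ascii_letters), set(string.digits)
UNITS = {  # character units offered by the First/Last combo box
    "All": lambda c: True,
    "Alphabetic": lambda c: c in LETTERS,
    "Numeric": lambda c: c in DIGITS,
    "AlphaNumeric": lambda c: c in LETTERS or c in DIGITS,
}

def redact(value, char="X", non_alnum=False, select="Entire Field",
           substring="", mode="Preserve", first=(0, "All"), last=(0, "All")):
    """Model of the Redact mask for text values (hypothetical signature)."""
    lo, hi = 0, len(value)
    if select != "Entire Field":
        idx = value.find(substring)  # first occurrence from the left
        if idx < 0:
            # Assumption: the page does not cover a missing substring.
            raise ValueError("substring not found in value")
        if select == "Before Substring":
            hi = idx
        else:  # "After Substring"
            lo = idx + len(substring)
    span = range(lo, hi)

    def pick(positions, count, unit):
        # Positions of the first `count` characters that belong to `unit`.
        hits = [i for i in positions if UNITS[unit](value[i])]
        return set(hits[:count])

    counted = pick(span, *first) | pick(reversed(span), *last)
    masked = counted if mode == "Mask" else set(span) - counted
    out = list(value)
    for i in masked:
        # English alphanumerics are always replaced; anything else only
        # when the 'Non-Alphanumeric characters' option is selected.
        if non_alnum or UNITS["AlphaNumeric"](value[i]):
            out[i] = char
    return "".join(out)

if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    print(redact("+1 (415) 555-0199", "0", mode="Mask", last=(4, "Numeric")))
    print(redact("AB123456Z", "*", mode="Mask", first=(6, "All")))
    print(redact("ABC-12345-XY", "@", first=(2, "Alphabetic"), last=(3, "Numeric")))
    print(redact("415-555-0199", select="After Substring", substring="-",
                 first=(1, "Numeric"), last=(2, "Numeric")))
```

Running the first call on two numbers that differ only in their last four digits returns the same string for both, which is the duplicate effect the note about the Randomize Mask describes.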

   

 

 

Size Limitations:

The following are the maximum character lengths per value to be masked:

MySQL: 65,535
Oracle: 2,000
SQL Server: 2GB