Data redaction
This topic explains how to mark headers as sensitive and apply a redaction strategy from the Traceable platform. It also explains how to create a custom redaction rule.
Traceable redacts your data to ensure data privacy when the data leaves your environment. You can configure custom redaction rules in Traceable or rely on Traceable's learning to identify sensitive headers and other parameters. The Traceable agent deployed in your environment periodically pulls the redaction rules from the Traceable platform.
Data redaction for headers is a two-step process:
  1. Identifying sensitive headers
  2. Applying a redaction rule

1. Identifying a sensitive header

There are two ways in which a sensitive header can be identified.
  • Manually mark a header sensitive from the DNA tab of the API Endpoint details page
  • Traceable observes the data and marks the headers sensitive based on its learning
A redaction strategy has to be applied separately after a header is marked sensitive. You can choose a redaction strategy by selecting one of the options from the Sensitive data handling drop-down list. The redaction strategy applies to all the headers listed in the table.

Manually mark headers or parameters as sensitive

The DNA tab of the API Endpoint details page displays the various headers and other parameters for the API. You can view all the API headers by selecting the Show Headers check-box. To mark a header as sensitive, hover over the Sensitive column and click the lock icon. To remove the sensitive tag from a header, click the lock icon again.
When you mark a header as sensitive, it applies globally to all the APIs in your environment.
(Screenshot: Mark sensitive parameter)
When you mark a header as sensitive, it is listed under Sensitive headers on the Settings > Data page as shown above. You can also mark other parameters, like query, body, and so on as sensitive. However, such sensitive parameters are not added to the Sensitive headers table on the Settings > Data page.

Traceable identified sensitive headers

Traceable detects sensitive headers and other API parameters based on its learning. The sensitive headers are listed under Sensitive headers on the Settings > Data page.
You can change the Sensitive Data Type of the header or delete it by clicking on the header as shown in the screenshot above. The sensitive data type is the type of header, for example, email ID, street address, credit card number, and so on.
The other sensitive parameters that Traceable identifies are available on the DNA tab of the API Endpoint details page.

2. Apply redaction strategy

The next step after identifying a sensitive API header is to apply a redaction strategy. The redaction strategy is applied from the Settings > Data page. The redaction strategy that you choose is applied to all the sensitive headers listed in the table and globally to all the API endpoints.
You can choose one of the following redaction strategies from the Sensitive data handling drop-down list:
  • Redact
  • Obfuscate
  • Collect
The redaction strategy only applies to sensitive headers and not to other sensitive parameters. If you wish to apply a redaction strategy to other sensitive parameters, create a custom redaction rule.

Automatic secret redaction

You can also automatically redact sensitive information by toggling the Enable automatic secret redaction button on the Settings > Data page. Secret data such as passwords and authentication tokens are redacted by Traceable by default. When you toggle the button to enable automatic secret redaction, Traceable redacts such secret information.

Custom redaction rules

You can also create custom redaction rules to redact your data. These redaction rules apply globally to all the API endpoints. Click Create Rule on the Settings > Data page and provide the details to create a custom rule. Custom rules expect regular expressions in RE2 syntax. Custom redaction rules are created for API headers, key, value, or complex data. You can choose one of the following redaction actions for the custom rule:
  • Redact
  • Obfuscate
  • Collect
Like the redaction strategy for sensitive headers, custom rules apply globally to all the API endpoints, and the redaction process also redacts HTTP response body parameters.
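To make the rule model concrete, here is an added illustration in Go (not Traceable's own code): a hypothetical rule engine that compiles RE2 patterns with Go's regexp package, which uses RE2 syntax just as the custom rules do, and applies the three actions to a flat header/parameter map. The rule shape (a name pattern plus a value pattern, both required to match), the first-match-wins behaviour, and obfuscation as a truncated SHA-256 are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"regexp"
)

// Action mirrors the three strategies offered on the Settings > Data page.
type Action int
const (
	Redact    Action = iota // replace the value with a fixed marker
	Obfuscate               // replace it with a truncated SHA-256 (assumed meaning)
	Collect                 // keep the value unchanged
)

// Rule is a hypothetical model of one custom rule: RE2 patterns for the
// header/parameter name and for its value (both must match), plus an action.
type Rule struct {
	KeyRe, ValRe *regexp.Regexp
	Action       Action
}

// NewRule compiles both patterns; an empty pattern matches any string.
func NewRule(keyPat, valPat string, a Action) Rule {
	return Rule{regexp.MustCompile(keyPat), regexp.MustCompile(valPat), a}
}

// Apply runs the rules over a flat name->value map (headers or query/body
// parameters) without mutating it; the first matching rule wins. It returns
// the redacted copy and the names of the parameters that some rule matched.
func Apply(rules []Rule, params map[string]string) (map[string]string, []string) {
	out := make(map[string]string, len(params))
	var hits []string
	for k, v := range params {
		out[k] = v
		for _, r := range rules {
			if !r.KeyRe.MatchString(k) || !r.ValRe.MatchString(v) {
				continue
			}
			hits = append(hits, k)
			switch r.Action {
			case Redact:
				out[k] = "[REDACTED]"
			case Obfuscate:
				sum := sha256.Sum256([]byte(v))
				out[k] = hex.EncodeToString(sum[:8])
			}
			break // Collect leaves the value as-is; stop at the first match
		}
	}
	return out, hits
}
```

A rule with an empty name pattern and a value pattern such as a 16-digit card number is how a value-based rule would be expressed; a rule with an empty value pattern targets a header by name alone.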

Sensitive response parameter and risk score

Traceable marks an API as sensitive if the API contains at least one sensitive response parameter. A sensitive parameter contributes to the risk score of the API. For example, let us assume there is an API that does not have any sensitive response parameter. You created a redaction rule which redacts a response parameter in that API. The response parameter will be marked as sensitive and hence the API is also marked as sensitive. Since the API now has a sensitive response parameter, it will add to the risk score of the API.
A redaction rule may also match a parameter that is already marked sensitive. In that case there is no effect on the risk score.