Overview

In order to meet compliance regulations, Conduktor Console provides a Data Masking feature that enables you to obfuscate personal and sensitive data within the Console. As a Console administrator, you can secure and govern such data by creating Data Masking policies, so that users can’t see them.
Data Masking does not impact how the underlying data is stored. The data will only be masked within the Console. For masking, or encrypting, the underlying Kafka data, you can use the Conduktor Gateway.
Policies will be applied when consuming Kafka messages in the Console, as shown below. We can see that the phone number, the IBAN, and the card number, have been masked with some *****. Example of masked data Here is the list of policies applied in this case. List of policies

Create a data masking policy

In order to create a Data Masking policy and protect your data, go to Settings > Data Policies. List of policies Click New Policy and fill in the required details:
Policy detailDescription
Policy NameUnique name for identifying your policy
ComplianceThe compliance regulation the policy adheres to (e.g. GDPR, PCI-DSS)
Information KindThe kind of information for obfuscation (e.g. PII, Financial)
Masking RuleHow the obfuscation should be implemented (e.g. hide-all, hide-last-3)
Risk LevelCategorization for the risk level associated with the policy
FieldsList of fields that should be obfuscated. It’s based on JSON, and can be a path. If you want to hide multiple fields, you can click on Add field.
ResourcesList of resources where the policy must be applied, like clusters or topics. To add new resources, you can click on Add resource.
Exclude Users or Groups from policyIn case you want some users or groups to see the data, you can exclude them from the policy.
Policy config In the case above, the policy will mask the field credit_card, for all the users except people from the group “Order Owners”, on the topic prefixed by payment- of the Prod Kafka Cluster.

Validate a policy

Once you have created a policy, you should validate it through the Conduktor Console.
  • Navigate to a topic that contains data where your policy should be applied
  • Check that the expected fields are obfuscated using the appropriate masking rule
Example of masked data We can see that the name and the credit_card are completely hidden, as we defined in the masking rules.
When the message key or value can’t be transformed into a JSON-like structure, the whole message won’t be displayed.