
Masking Sensitive Data

Wallarm provides the Mask sensitive data rules to configure data masking so that sensitive data does not leak outside the trusted environment. These rules cut the original value of the specified request point before the request is sent to the postanalytics module and Wallarm Cloud. This article describes how to use these rules.

Overview

In hybrid Wallarm installations, where you manage the Wallarm filtering nodes in your infrastructure and Wallarm manages the Wallarm Cloud component, it is crucial that sensitive data in your requests remains within your infrastructure and is not transmitted to any third-party service, including Wallarm Cloud.

This goal is achieved through a shared responsibility model. On its side, Wallarm never transmits data beyond what the protection goal requires and stores all obtained data securely. On your side, Wallarm gives you full visibility into what data is sent from the node to the Cloud and a set of tools to shape that transfer to your needs; masking of sensitive data is one of these tools.

Other deployment forms

In on-premise installations data never leaves your security perimeter, and in security edge all data is outside that perimeter; in both cases you can still use masking rules to restrict access to the sensitive data by users of Wallarm Console.

Side effects

Note that using Mask sensitive data rules can affect:

Creating and applying rule

To set and apply data mask:

  1. Proceed to Wallarm Console:

    • Rules → Add rule or your branch → Add rule.
    • Attacks / Incidents → attack/incident → hit → Rule.
    • API Discovery (if enabled) → your endpoint → Create rule.
  2. Choose Change requests/responses โ†’ Mask sensitive data.

  3. In If request is, describe the scope to apply the rule to.

  4. In In this part of request, specify the request points whose original value should be cut.

  5. Wait for the rule compilation and uploading to the filtering node to complete.

Let us say your application, accessible at the example.com domain, uses the PHPSESSID cookie for user authentication, and you want to deny employees using Wallarm access to this value.

To do so, set the Mask sensitive data rule as displayed on the screenshot.

Note that the options you add to In this part of request must be listed in a particular order: the order reflects the sequence in which Wallarm applies its parsers to reach the required request element.
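The following Python script is an added illustration of what a masking rule does to a request before it leaves the filtering node; it is not Wallarm's code and does not reproduce the node's real parsers or rule syntax. It assumes a request point is an ordered chain of (parser, name) steps, mirroring the PHPSESSID example above: the header parser first selects the Cookie header, then the cookie parser selects PHPSESSID inside it. The placeholder `*****`, the `header`/`cookie`/`body`/`json` parser names and the sample request are all assumptions made for this example. The script also shows why order matters: applying the cookie parser before the header parser fails, because there is no cookie string to parse yet.

```python
import json
from typing import Dict, List, Tuple

# Assumption: placeholder this illustration substitutes for a cut value.
MASK = "*****"

# A request point is an ordered chain of (parser, name) steps; the parsers are
# applied in this order, which is why the order of the options matters.
RequestPoint = List[Tuple[str, str]]


def split_cookie(value: str) -> Dict[str, str]:
    """Parse 'a=1; b=2' into an ordered dict of cookie names to values."""
    pairs = [p.strip() for p in value.split(";") if p.strip()]
    return dict(p.split("=", 1) if "=" in p else (p, "") for p in pairs)


def join_cookie(parts: Dict[str, str]) -> str:
    return "; ".join(f"{k}={v}" for k, v in parts.items())


# Parsers that turn one string into named parts and back again (assumed names).
STRING_PARSERS = {
    "cookie": (split_cookie, join_cookie),
    "json": (json.loads, lambda d: json.dumps(d, separators=(",", ":"))),
}


def mask_value(value: str, point: RequestPoint) -> str:
    """Descend the parser chain, cut the leaf, re-serialize on the way back."""
    parser, name = point[0]
    split, join = STRING_PARSERS[parser]
    try:
        parts = split(value)
    except ValueError:  # not in the expected format: leave untouched
        return value
    if not isinstance(parts, dict) or name not in parts:
        return value  # the point is absent from this request: nothing to cut
    if len(point) == 1:
        parts[name] = MASK
    elif isinstance(parts[name], str):
        parts[name] = mask_value(parts[name], point[1:])
    else:
        return value  # deeper parser expects a string; unsupported here
    return join(parts)


def parse_request(raw: str):
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        k, _, v = line.partition(":")
        headers.append([k, v.strip()])
    return request_line, headers, body


def serialize_request(request_line: str, headers, body: str) -> str:
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers])
    return head + "\r\n\r\n" + body


def apply_mask_rules(raw: str, points: List[RequestPoint]) -> str:
    """Return the request as it would leave the node: every configured point cut."""
    request_line, headers, body = parse_request(raw)
    for point in points:
        parser, name = point[0]
        rest = point[1:]
        if parser == "header":
            for h in headers:
                if h[0].lower() == name.lower():
                    h[1] = MASK if not rest else mask_value(h[1], rest)
        elif parser == "body":
            body = MASK if not rest else mask_value(body, rest)
        else:
            # e.g. "cookie" listed first: there is no cookie string to parse yet
            raise ValueError(f"parser {parser!r} cannot be applied first")
    return serialize_request(request_line, headers, body)


# Constructed sample request and assumed rule configuration for example.com.
SAMPLE_REQUEST = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Cookie: theme=dark; PHPSESSID=9f2c1b7e1d3a4c5b6e7f8a9b0c1d2e3f\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"user":"alice","password":"hunter2"}'
)
RULES = [
    [("header", "Cookie"), ("cookie", "PHPSESSID")],  # header first, then cookie
    [("body", ""), ("json", "password")],
]

if __name__ == "__main__":
    print(apply_mask_rules(SAMPLE_REQUEST, RULES))
```

Everything not named by a rule (the `theme` cookie, the `user` field, the other headers) leaves the node untouched; only the named values are cut, and the rest of the request keeps its structure so the postanalytics module can still parse it.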

Marking sensitive data