During the use of ES, if sensitive data is stored in the ES cluster, it cannot be easily viewed by people. What? Troubleshooting? That's not enough, compliance is above all else

During the use of ES, if sensitive data is stored in the ES cluster, it cannot be easily viewed by people. What? Troubleshooting? That's not enough, compliance is above all else.

I don't know if everyone has encountered the scenario described above, or if you did, what would you do?

We often say that solving problems requires grasping the essence of the problem. The essence of humanity is a repeater, and the essence of the above issues is "sensitivity".

Since the essence of the problem is data sensitivity, then turn sensitive data into ordinary data. This not only meets compliance requirements, but also promotes everyone's work.

Without much talk, let's demo. In the following demo process, we mainly use easysearch, not for anything else, as it comes with desensitization function.

Prepare sensitive data

In the following data, the fields description and country are sensitive. When restricted users view, sensitive data displays desensitized content.
POSTmovies/_ Doc/1
{
Year: 2023,
Title: "Thisamovie",
Description: "I am sensitive data"
}
POSTmovies/_ Doc/2
{
Year: 2023,
Title: "Whatrulookingat",
Description: "I am sensitive data",
Country: I am sensitive data
}

Establish hash desensitization roles and assign them to users

By default, the easysearch security module uses the BLAKE2b algorithm, but you can use any hash algorithm provided by the JVM. This list typically includes MD5, SHA-1, SHA-384, and SHA-512. For this test, we will use the default algorithm to create a masked_ Movie character. This character can only view the movies index, and the description and country fields will be desensitized for viewing. The desensitization method is the default BLAKE2b algorithm.
PUT
_ Security/role/masked_ Movie
{"cluster": [],
'indices':[{
"Names": ["movies"],
Field_mask ": [" description "," country "],
Privileges: ["read"]}
} PUT_security/user/movie-user
{
"Password": "password",
Roles: [masked_movie]
}

Hash desensitization effect

Restricted user viewing effect

High authority user viewing effect

Security_ Run_ As: movie user "). The effect is as follows:

Related Links
https://www.infinilabs.com/docs/latest/easysearch/references/security/access-control/run-as/

Canonical desensitization

:://:: shell Canonical desensitization

PUT_ Security/role/masked_ Movie_re
{
Cluster: [],
'indices':[{
"Names": ["movies"],
Field_mask:[
Description:/(.) (**,
Country:/(.) (**],
'privileges': [' read ']
}]
}
PUT_security/user/movie-user-re
{
"Password": "password",
"Roles": ["maskd_movie_re"]
}

Canonical desensitization

Restricted user viewing effect

Flow analysis and desensitization

Everyone knows that we also have a product called InfiniGateway, which can perform ES traffic analysis. When conducting traffic analysis, the content of the request is captured and returned. Due to the fact that 'desensitization' is completed in easysearch, the data recorded by the Gateway is already desensitized. Let's take a look and replace the accessed URL with the gateway port.

Curl kumovie user re: pas swordhttp://localhost:8000/movies/_search?pretty

Viewing Data Recorded by Gateway

Mmm, fragrant! Alright, that's the end of this demo. If you have any good ideas or scenarios that need to be addressed, please feel free to communicate.

Disclaimer: The content of this article is sourced from the internet. The copyright of the text, images, and other materials belongs to the original author. The platform reprints the materials for the purpose of conveying more information. The content of the article is for reference and learning only, and should not be used for commercial purposes. If it infringes on your legitimate rights and interests, please contact us promptly and we will handle it as soon as possible! We respect copyright and are committed to protecting it. Thank you for sharing.(Email:[email protected])