You may need to mask sensitive data in API traffic for data privacy or compliance reasons before routing that traffic to the Cequence Unified API Protection (UAP) platform. Sensitive data masking is often required when the UAP platform is deployed as software-as-a-service (SaaS).
When you deploy the Cequence UAP platform in an environment you manage yourself, none of the traffic leaves the environment you control, which often reduces or eliminates the need to mask sensitive data.
Cequence data masking uses format-preserving encryption (FPE) to mask the raw values with values of equivalent types, in order to preserve the API schema. Cequence uses role-based access control (RBAC) to restrict users from inspecting the unmasked values in the web UI of the Cequence UAP platform.
Cequence implements masking by using format-preserving encryption (FPE), as described in NIST standard SP 800-38G, which causes the values to be replaced by alternative values that are of the same length and type. For example, 10-digit integer values will get masked with 10-digit integer values that do not match the original value. Similarly, a 100-character string will get masked with a 100-character string that does not match the original string.
Note: Since the masked values are semantically similar to the original sensitive values, none of the product functionality, such as spec generation, or sensitive data detection, is negatively affected by enabling masking.
Format-preserving encryption does not permit the original values to be reconstructed or reverse-engineered from the masked values, preventing potential bad actors from reconstructing the original sensitive data values.
Note: Cequence supports data masking for JSON content bodies. Cequence does not support data masking for double-byte character set (DBCS). DBCS refers to a character set used by certain languages like Chinese and Japanese, which have more symbols than can be represented by a single byte. Each character is 2 bytes in length.
Note: In case of direct API gateway integrations from SaaS based gateways, such as the Apigee or Kong SaaS integrations using Cequence plugins, you must deploy Bridge in your environment to mask data before the data is sent to the SaaS deployment of the Cequence UAP platform.
Cequence Deployment Options
You can deploy the Cequence UAP platform partially or completely on your own premises, or opt for a full SaaS experience.
SaaS Deployment
When you use the SaaS version of the Cequence UAP platform, there are no requirements to deploy any software to your datacenter or cloud. The only configuration needed are network changes to route traffic to the Cequence UAP platform.
On-premises Deployment
An on-premises deployment of the Cequence UAP platform is hosted and managed entirely in a physical or cloud environment that you control. In this form of deployment, you host and manage both the Cequence UAP platform and the Defender (inline), Bridge or Sensor (passive) data plane proxy components. An on-premises depolyment requires you to make network changes to route traffic to the Cequence Defender, Bridge or Sensor in your environment.
Hybrid Deployment
In this form of deployment, Cequence manages the UAP platform as SaaS and the traffic sources (the Cequence Defender or Cequence Sensor components) send traffic to the Cequence UAP platform from an environment you manage. A hybrid deployment enables you to send traffic from multiple Defender, Bridge or Sensor instances to the same Cequence UAP platform instance.
Data masking and Cequence Data Plane components
Data masking requires that at least one of the Cequence data plane components be deployed to your environment. Cequence has the following data plane components:
- Cequence Network Sensor
- Cequence Defender
- Cequence Bridge
- Cequence eBPF Sensor
Of these components, the Defender and Bridge support data masking.
Cequence Network Sensor passively monitors your network traffic, interpreting the communication between the client and server. Network Sensor sends a copy of each request and response to the Cequence UAP Platform for analysis. Network Sensor is well-suited for integration with mirroring technologies such as Amazon VPC Traffic Mirroring.
Cequence Defender is deployed inline, in the path of network traffic, as a reverse proxy in front of the application being protected. Cequence Defender sends a copy of each request and response to the Cequence UAP Platform for analysis. Use Cequence Defender when your use case requires active mitigation of unwanted traffic instead of passive threat detection. Cequence Defender supports policies from the Cequence UAP platform to block, rate-limit, insert-header and take other actions on traffic.
Cequence Bridge aggregates traffic from multiple sources and sends that traffic to the Cequence UAP platform. Cequence Bridge is included by default within the Sensor and Defender. When you deploy Cequence Sensor or Cequence Defender, you do not also need to deploy Cequence Bridge. Cequence Bridge is particularly useful when integrating with API Gateway plugins, such as the MuleSoft policy plugin, or the Apigee Shared Flow. These integrations cannot perform sensitive data masking themselves. Cequence Bridge masks this data before sending the data to the Cequence UAP platform.
The Cequence eBPF sensor is a specialized sensor that uses eBPF (Extended Berkeley Packet Filter) technology to integrate with applications.
Cequence Data Masking Configuration
You can configure regular expressions for the types of values to mask. In a SaaS deployment, you can deploy either the Cequence Defender or Sensor component on your premises to mask the data prior to it being sent to Cequence UAP SaaS. These components are enabled with data masking functionality and can inspect content before sending the content to the SaaS deployment of the Cequence UAP platform for analysis. To set up a data masking configuration, go to Sensitive Data Expressions in the Cequence UAP platform web UI.
In a hybrid deployment scenario, a Defender or Sensor is already sending traffic to the SaaS deployment of the Cequence UAP platform. Use the existing component to configure data masking.
Click the Mask Captured Data checkbox to enable sensitive data masking. Values that match the regular expression are masked before being sent out of customer premises to the Cequence UAP platform.
You can also configure the “Include Fields” or “Exclude Fields” to include or exclude specific parameter names within the API payload for sensitive values. When Include Fields are configured, Cequence only inspects the configured field names for the configured sensitive value expressions. Configure Exclude Fields to prevent inspection of specified parameters.