Data Gurad - Mask Data checkbox

Hi Nik

 

 

1) Does enabling "Masking Data" prevent the end users to view the cc/ssn data (i.e encodes it so they will see *****).

 

 

ASM can either block the response or mask the data. Here's more detail from the online help:

 

 

* If the security policy’s enforcement mode is Transparent and the Mask Data check box is checked, the system encodes the sensitive data by returning asterisks to the client instead of the sensitive data. (The system also returns asterisks if the enforcement mode is Blocking, the Data Guard: Information leakage detected violation Block check box is cleared, and the Alarm check box is checked.)

 

* If the security policy’s enforcement mode is Blocking, and the Block check box for the Data Guard: Information leakage detected violation is checked, the system blocks the response.

 

 

2) If i want none of my users to view the ssn/cc data (as there is a business justification/need), then do i allways ensure that the "Mask data" checkbox is enabled.

 

 

Yes, you'd want to either block the full response or mask the data.

 

 

3) d) Once im sure of the traffic , Enable back the "Mask Data" - as it will now be applied to traffic identified as illegitimate only.

 

 

I don't think ASM masks or blocks responses with content that matches a data guard pattern based on other violations. If the response matches a pattern it will be masked or blocked, depending on the blocking settings for data guard.

 

 

The default GUI based config options for this don't allow you to make decisions on masking or blocking based on who the user is. If the application restricts access to specific URIs to allow only some users, you could define those URIs in the data guard list to not check.

 

 

Aaron