
Implementing data masking in REST API data with Apigee

Introduction

Data masking is the process of hiding original data with random characters or data and is an essential component of a comprehensive data security plan. Data masking reduces the exposure of sensitive data within an organization.

Data masking can dynamically or statically protect sensitive data by replacing it with fictitious data that looks realistic to prevent data loss in different use cases.

Dynamic vs. static data masking

Dynamic data masking means that data is changed at the point it's requested, in this case the Apigee API proxy.

Static data masking means that the data is changed at the origin, usually the database, so typically the original raw data cannot be retrieved.

Apigee Edge provides two different mechanisms: hiding and masking. The difference between them is that hidden variables don't appear in trace and debug sessions, while masked values are replaced with asterisks.

Apigee Proxy configuration - Hiding sensitive data

You can prevent sensitive data from appearing in the Trace tool and debug sessions by creating custom variables prefixed with "private.".

For example, when using the Key Value Map Operations policy to retrieve values from an encrypted key value map, format the variable names as follows to ensure the values don't appear in Trace or debug sessions:

<Get assignTo="private.hiddenData">

Apigee Proxy configuration - Masking sensitive data

Apigee Edge lets you define 'mask configurations' to mask specific data in trace and debug sessions. Masking configurations can be set globally (at the organization-level) or locally (at the API proxy level). Role-based capabilities govern which users have access to the data that is defined as sensitive.

When data is masked, it is replaced with asterisks in the trace output. For example:

<description>**********</description>
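
A mask configuration for the helloAPI proxy could look like the following. This is an added example, not taken from the original post: the element names follow Apigee Edge's mask configuration format, the JSONPath `$.status` is chosen to match the `status` field in the response shown in the test section, and the variable entry is an assumption for illustration.

```xml
<!-- Added example: proxy-level mask configuration for Apigee Edge. -->
<MaskDataConfiguration name="default">
    <!-- Mask the "status" field of JSON response payloads in trace output. -->
    <JSONPathsResponse>
        <JSONPathResponse>$.status</JSONPathResponse>
    </JSONPathsResponse>
    <!-- Apply the same masking when the proxy enters a fault flow. -->
    <JSONPathsFault>
        <JSONPathFault>$.status</JSONPathFault>
    </JSONPathsFault>
    <!-- Assumption: the client sends a credential in the Authorization
         header; mask that flow variable in trace and debug sessions. -->
    <Variables>
        <Variable>request.header.Authorization</Variable>
    </Variables>
</MaskDataConfiguration>
```

Edge accepts this document through the management API's `maskconfigs` resource, either under a specific API proxy (local) or under the organization (global).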

Modify the API created in the other blog post on API creation using Apigee (--- Link ---).

Test the Apigee OAuth API Proxy using Apigee and cURL

After modifying the API to mask the result from the mocked API, you can test your helloAPI API using cURL or a web browser.

Request

In a terminal window, run the following cURL command. You should use your organization name in the URL.

curl http://<org_name>-test.apigee.net/hello

Response

You should see the following:

{ "status": "*********" }
