Orchestrated Masking Policies
Private preview
This feature is only available to select accounts. Contact your Immuta representative to enable this feature.
Orchestrated masking policies (OMP) reduces conflicts between masking policies that apply to a single column, allowing policies to scale more effectively across your organization. Furthermore, OMP fosters distributed data stewardship, empowering policy authors who share responsibility of a data set to protect it while allowing data consumers acting under various roles or purposes to access the data.
When multiple masking policies apply to a column, Immuta combines the exception conditions of the masking policy so that data subscribers can access the data when they satisfy one of those exception conditions. Multiple masking policies will be enforced on a column if the following conditions are true:
- Policies use the same masking type.
- Policies use the
for everyone except
condition.
Requirements
Databricks Spark or Starburst (Trino) integration
Supported masking policy types
OMP supports the following masking types:
- Constant
- Hashing
- Format preserving masking
- Null
- Regex
- Rounding
Global policy logic
Previous policy logic
Governors can apply policies to all columns in a data source or target specific columns with tags or a regular expression. Without orchestrated masking policies enabled, when multiple global policies apply to the same columns, Immuta could only apply one of those policies.
Consider the following example to examine how policies behaved when one tag is used in two different policies:
- Mask PII Global Policy 1: Mask using hashing the value in columns tagged
email
except when user is acting under the purposeEmail Campaign
. - Mask PII Global Policy 2: Mask using hashing the value in columns tagged
email
except when user is acting under purposeMarketing
.
For columns tagged email
, only one of these policies is enforced. The Mask PII Global Policy 2 is not applied
to the data source, so Immuta is not enforcing the masking policy properly for users who should be able to see emails
because they are acting under the Marketing purpose.
Consider the following example where multiple masking policies apply to columns that have multiple tags, resulting in one policy applying:
- Global Policy 3: Mask using hashing the value in columns tagged
Employee Data
unless users are acting under the purposeRetention Analysis
. - Global Policy 4: Mask using hashing the value in columns tagged
HR Data
unless users are acting under the purposeEmployee Satisfaction Survey
.
If a column is tagged Employee Data
and HR Data
, Immuta will only apply one of the policies.
Orchestrated masking policy logic
With orchestrated masking policies, Immuta applies multiple global masking policies that apply to a single column by combining the policy exceptions with OR. For these policies to combine, the masking type must be identical and the policy must use the for everyone except condition.
Consider the following example, both of these policies will apply to the data source:
- Mask PII Global Policy 1: Mask using hashing the value in columns tagged
email
except when user is acting under the purposeEmail Campaign
. - Mask PII Global Policy 2: Mask using hashing the value in columns tagged
email
except when user is acting under purposeMarketing
.
Users acting under the purpose Marketing
or Email Campaign
will be able to see emails in the clear.
However, in the following example, only one of these policies will apply to the data source because one masks using a constant and the other masks using hashing:
- Global Policy 5: Mask using the constant
REDACTED
the value in columns taggedEmployee Data
unless users are acting under the purposeRetention Analysis
. - Global Policy 6: Mask using hashing the value in columns tagged
HR Data
unless users are acting under the purposeEmployee Satisfaction Survey
.
Limitations
- No UI enhancements were made in this release. Multiple masking policies applied to the same column are visible
on a data source, but there is no indication that the exceptions are combined with
OR
. - Masking types must match exactly for the policies to be combined. For example, both policies must mask using rounding.
- Existing policies will not automatically migrate to the new policy logic when you enable the feature. To re-compute existing policies with the new logic, you must manually trigger global policy changes by staging and re-enabling each policy.