These policies are applied to the key, the value and the headers (converted to strings) directly after the data has been decoded. The quick processors and filters are applied afterwards. It is also important to note that in the case of a decoding failure, no "raw" data is sent to the user for troubleshooting. Instead, the user only receives a "failed" message.
Certain codecs are incompatible with data protection policies. For instance, the string and CSV codecs are deactivated on any topic to which a data protection policy applies, so these codecs cannot be selected for such topics.
Note: If your team uses custom codecs, make sure they implement proper error handling (i.e., throw a DecodingException whenever decoding is not possible). Custom codecs remain available on topics covered by a Data Protection Policy, and only a thrown exception guarantees that no undecoded data is leaked.
Navigate to the Administration panel and click on the new menu entry, "Data Protection Policies". This will open a view with a list of your existing policies.
As a Kadeck administrator, you have the rights to create data protection policies. Click on "Add Policy" and you'll be prompted to fill out the following information:
Depending on the type of data you are dealing with, choose a suitable redaction method. The methods include fully redacting matched values, replacing them with random characters, or showing only certain parts of the data. The priority level of a redaction method dictates the order of application: more specific policies with a higher priority are applied first.
You can also select "no redaction". In that case, only the access to the data is audited.
Save the policy. It will be applied to all relevant data, depending on the resources and fields specified in the policy. It's important to note that all applicable data policies will always be applied.
Note: If multiple policies apply to a particular field, the redaction method with the higher priority will be applied. If multiple redaction methods with the same priority are configured for a field, only the first one will get applied.
Every time a user views data with a data policy or when a policy is created, read, updated, or deleted (CRUD), the event is logged for audit purposes.
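The following Python model illustrates the behaviour described above (decode first, "failed" instead of raw data on a decoding error, highest-priority policy per field with the first configured policy winning a tie, and an audit entry per viewed field). It is an added example, not Kadeck's own code or API; the record, the policies, the redaction method names and the UTF-8 codec are constructed assumptions for the demonstration.

```python
import random
import string
from dataclasses import dataclass

class DecodingException(Exception):
    """Raised by a codec when a payload cannot be decoded (custom codecs should do the same)."""
@dataclass
class Policy:
    name: str
    fields: frozenset  # record parts covered: "key", "value", "header:<name>"
    method: str        # "redact" | "randomize" | "partial" | "none"
    priority: int      # higher is applied first; "none" only audits the access

def utf8_codec(raw: bytes) -> str:
    # Example codec: undecodable bytes raise DecodingException instead of leaking raw output.
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise DecodingException("payload is not valid UTF-8") from exc

def redact(text: str, method: str) -> str:
    if method == "redact":
        return "*" * len(text)
    if method == "randomize":
        return "".join(random.choice(string.ascii_letters) for _ in text)
    if method == "partial":  # reveal only the last four characters
        return "*" * max(len(text) - 4, 0) + text[-4:]
    return text              # "none": data untouched, access still audited

def apply_policies(record: dict, decode, policies: list, audit: list) -> dict:
    # Decode each record part, then apply the single winning policy for that part.
    out = {}
    for part, raw in record.items():
        try:
            text = decode(raw)
        except DecodingException:
            out[part] = "failed"  # decoding failure: the user sees only "failed", never raw bytes
            continue
        matching = [p for p in policies if part in p.fields]
        if matching:
            # Highest priority wins; on a tie max() keeps the first policy in configured order.
            chosen = max(matching, key=lambda p: p.priority)
            audit.append(f"view {part}: policy={chosen.name} method={chosen.method}")
            text = redact(text, chosen.method)
        out[part] = text
    return out

SAMPLE_RECORD = {"key": b"customer-42", "value": b"DE89370400440532013000", "header:trace": b"\xff\xfe"}  # constructed
POLICIES = [Policy("audit-only", frozenset({"key", "value"}), "none", 1),  # constructed, not from Kadeck
            Policy("iban-values", frozenset({"value"}), "redact", 10),
            Policy("key-partial", frozenset({"key"}), "partial", 5)]
```

Running `apply_policies(SAMPLE_RECORD, utf8_codec, POLICIES, [])` masks the value completely, shows only the last four characters of the key, and returns "failed" for the undecodable header.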