Skip to main content

Gate: PII Detection

info

This plugin supports all intercept modes (request, response, request_response)

caution

This plugin is not compatible with the AWS Lambda Authorizer deployment type.

This plugin detects and redacts PII information contained in an HTTP request or response. The plugin is built using a mix of named entity recognition and regular expressions.

Configuring Gate

GATE_PLUGINS_<PLUGIN NUMBER>_TYPE=anonymizer
GATE_PLUGINS_<PLUGIN NUMBER>_PARAMETERS_ANONIMIZERS_DEFAULT_TYPE=<action>
GATE_PLUGINS_<PLUGIN NUMBER>_PARAMETERS_ANONIMIZERS_PHONE_NUMBER_TYPE=<action>

In the Environment variables configuration, <PLUGIN NUMBER> defined plugin execution order.

Gate offers a rich set of options to customize detection behavior. In particular for each PII type you can:

  • customize the detection with regexp to increase accuracy
  • decide on the behavior: whether to replace, mask, tokenize, encrypt or simply log the presence of sensitive data

Currently we support:

  • email addresses (EMAIL_ADDRESS)
  • phone number (PHONE_NUMBER)
  • urls (URL)
  • credit cards (CREDIT_CARD)
  • IBAN (IBAN)
  • SSN (US_SSN)
  • UK NHS numbers (UK_NHS)
  • US ITIN (ITIN)
  • US driver license (US_DRIVER_LICENSE)

Once sensitive data is detected we have multiple options:

  • replace
  • mask
  • hash
  • encrypt
  • keep

PII anonymization policies

info

By default gate runs in keep mode. Meaning the PII is detected but not modified.

As an example, this is the configuration to monitor by default, mask phone numbers, tokenize email addresses, encrypt urls and replace credit cards.

    - id: pii_anonymizer
      type: anonymizer
      enabled: false
      parameters:
        anonymizers: |
          DEFAULT:
            type: keep
          PHONE_NUMBER:  # (123) 456-7890 ➔ (123) 456-****
            type: mask
            masking_char: "*"
            chars_to_mask: 4
            from_end: true
          EMAIL_ADDRESS:  # [email protected] ➔ 8e621e3d0368631d263d07a351fa8d34fba0d17c15fbcdec11a5f58008d022a0
            type: hash
            hash_type: sha256  # either sha256 (default), sha512 or md5
          URL:  # https://john.smith.me ➔ KshULhOqJrLmuHOsQ/ArGHQK8Wrjg0BKdypb/77PYf+64v/FqB3zufbVlnGD4sn4
            type: encrypt  # Replaces value with Base64-encoded AES-CBC encrypted value with PKCS#7 padding and a prepended IV
            key: abcdefghijklmnop  # AES key, must be 128, 192 or 256 bits
          CREDIT_CARD:  # 4111111111111111 ➔ <CREDIT_CARD>
            type: replace
            new_value: <CREDIT_CARD>  # Defaults to <TYPE>

Custom detections

You can specify your own types using regex patterns, as shown below: or more regex patterns, as shown below, to improve the detection accuracy.

    - id: pii_anonymizer
      type: anonymizer
      enabled: false
      parameters:
        analyzer_ad_hoc_recognizers: |
          - name: Zipcode regex
            supported_language: en
            supported_entity: ZIP
            patterns:
            - name: zipcode
              regex: "(\\b\\d{5}(?:\\-\\d{4})?\\b)"
              score: 0.01

In this example we are specifying the following data:

  • supported_language : the language this regex should be applied to
  • supported_entity: the entity type to apply the regex on
  • One or more patterns, each with a regexp and a score which represents the confidence in the PII detection.