ISO/IEC 27001 Control 8.11: Data masking

Control

Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

Implementation Overview

The provisioning flexibility of midPoint can be used to provide some data masking capabilities.

Implementation Details

MidPoint contains a very flexible provisioning engine at its core. Mappings and expressions supported by the engine can be used to mask data when midPoint provisions the data to target systems. Projection links are used to keep track of the data. Persona functionality could be used to create consistent masked data across several systems. Mappings can be used to select data elements to provision to target systems, minimizing the set of data stored in external systems. Similarly, the authorization mechanism can be used to limit access to sensitive data in the midPoint repository and user interface.
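
An added illustration of the mapping-based masking described above (not taken from the midPoint documentation): a schema handling fragment for a hypothetical test-environment resource. The attribute names `ri:mail` and `ri:telephoneNumber`, the `masked.example` domain and the key placeholder are assumptions, and a keyed hash is used here instead of the persona functionality to get the same pseudonym on every system that shares the key.

```xml
<!-- Fragment of resource schemaHandling; the ri: prefix is declared by the enclosing resource. -->
<objectType>
    <kind>account</kind>
    <intent>default</intent>
    <!-- Only attributes with a mapping are provisioned, which keeps the data set minimal. -->
    <attribute>
        <ref>ri:mail</ref>
        <outbound>
            <strength>strong</strength>
            <source>
                <path>emailAddress</path>
            </source>
            <expression>
                <script>
                    <code>
                        import javax.crypto.Mac
                        import javax.crypto.spec.SecretKeySpec

                        if (emailAddress == null) { return null }
                        // Placeholder key (assumption). Anyone holding the key can
                        // recompute pseudonyms, so protect it like the original data.
                        def key = 'REPLACE-WITH-SECRET-KEY'.getBytes('UTF-8')
                        def mac = Mac.getInstance('HmacSHA256')
                        mac.init(new SecretKeySpec(key, 'HmacSHA256'))
                        def input = emailAddress.toString().toLowerCase().getBytes('UTF-8')
                        def tag = mac.doFinal(input).encodeHex().toString()
                        // Same input and key give the same pseudonym on every target.
                        return 'user-' + tag.substring(0, 16) + '@masked.example'
                    </code>
                </script>
            </expression>
        </outbound>
    </attribute>
    <attribute>
        <ref>ri:telephoneNumber</ref>
        <outbound>
            <strength>strong</strength>
            <source>
                <path>telephoneNumber</path>
            </source>
            <expression>
                <script>
                    <code>
                        if (telephoneNumber == null) { return null }
                        def s = telephoneNumber.toString()
                        // Keep the format and the last three characters, mask other digits.
                        def cut = Math.max(s.length() - 3, 0)
                        return s.substring(0, cut).replaceAll(/\d/, 'X') + s.substring(cut)
                    </code>
                </script>
            </expression>
        </outbound>
    </attribute>
</objectType>
```

The telephone mapping keeps part of the original value, so it is the kind of structure-preserving mask that can contribute to de-anonymization when combined with other attributes.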

Implementation Notes

  • Pseudonymity and anonymity are very hard to achieve. As the usual purpose of data masking is to maintain some structure of the original data, some data leaks (de-anonymization) are likely. Therefore we recommend not relying on data masking as the only protection mechanism; use it only as a supplementary mechanism. Protect your development and test environments accordingly using access control techniques.

  • MidPoint has a built-in mechanism for exporting anonymized data for the purposes of data mining research.

Rationale

While midPoint does not have off-the-shelf support for data masking, similar results can be achieved by using mappings and expressions.
