The following article describes how to enable data anonymization for Web Application Firewall (WAF). WAF inline customers can activate anonymization by upgrading to Alert Logic appliance version 220.127.116.11, available as of September 01, 2022.
Data privacy requirements such as GDPR, HIPAA, the Australian Privacy Act 1988, the UK Data Protection Act 2018, and others restrict how Personally Identifiable Information (PII) must be handled. For Protected Health Information (PHI), the web application owner must keep the data confidential and prevent anyone without a legitimate need from accessing it.
Data anonymization masks client input, such as headers, request parameters, and cookies, by replacing each value with a run of one repeated letter of random length, so neither the content nor the length of the original value survives. When enabled, data is anonymized across all proxies on the appliance. Anonymization is irreversible (the original value is not stored anywhere) and applies only to the data logged by Alert Logic Web Security Manager.
Follow these steps to enable data anonymization in the Alert Logic console:
- In the Alert Logic console, navigate to the main menu icon > Configure > WAF > Appliances.
- Select Manage Appliance to the right of the appliance on which you want to enable data anonymization.
- Select System > Configuration from the left-hand navigation.
- Scroll down to the section header Data Anonymization.
- Select the checkbox to Enable Data Anonymization.
- Click the question mark to view the additional details/warnings for this feature.
- Click Save Settings at the bottom-right of the screen.
Additional Data Anonymization Configuration
The following options can be found under the Enable Data Anonymization checkbox and allow you to further configure your data anonymization.
Source IP Masking
Source IP masking anonymizes the source IP by replacing it with the network address of the subnet it belongs to, so individual clients within that range can no longer be told apart. Possible values are:
- Off (default) – IP is not masked
- /24 – IP is masked to a range of 256 addresses; for example, 10.10.10.10 becomes 10.10.10.0.
- /16 – IP is masked to a range of 65,536 addresses; for example, 10.10.10.10 becomes 10.10.0.0.
- /8 – IP is masked to a range of 16,777,216 addresses; for example, 10.10.10.10 becomes 10.0.0.0.
Exceptions
Exceptions let you exclude individual, named request elements from anonymization; any element not listed as an exception is still masked. Exceptions can be defined for named input of the following types:
- Query (both URL query elements and request body)
Four exception entries are available by default; click Add New to define more.
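The following is an added illustration, not Alert Logic's own implementation, of the three behaviours described above: masking client input with a run of a repeated letter of random length, reducing the source IP to a /24, /16 or /8 network address, and leaving named query, body, header and cookie elements in the clear as exceptions. The request record is a constructed, already-parsed dict (the appliance's real log format is not documented here), and the field names and exception names are assumptions chosen for the example.

```python
"""Constructed example: anonymize a parsed WAF request record."""
import copy
import ipaddress
import random
import string

# Constructed sample request event (not a real appliance log record).
SAMPLE_RECORD = {
    "src_ip": "10.10.10.10",
    "method": "POST",
    "path": "/account/update",
    "query": {"page": "2", "user": "alice"},
    "headers": {"Host": "www.example.com", "X-Patient-Id": "MRN-48213"},
    "cookies": {"session": "7f3a9c1d"},
    "body": {"ssn": "123-45-6789", "lang": "en"},
}

# Named inputs that stay unmasked. Hypothetical names picked for the example.
# A "query" exception covers both URL query elements and the request body,
# as the article describes for the Query exception type.
EXCEPTIONS = {
    "query": {"page", "lang"},
    "headers": {"Host"},
    "cookies": set(),
}


def mask_value(rng):
    """Replace a value with one uppercase letter repeated a random number of times.

    The length is random, so the masked log leaks neither the content nor the
    length of the original, and nothing is kept that could reverse the mask.
    """
    return rng.choice(string.ascii_uppercase) * rng.randint(4, 16)


def looks_masked(value):
    """True when value is a non-empty run of a single uppercase letter."""
    return (
        value != ""
        and value[0] in string.ascii_uppercase
        and value == value[0] * len(value)
    )


def mask_ip(ip, prefix):
    """Reduce an IP to the network address of its /prefix block. None means Off."""
    if prefix is None:
        return ip
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def _mask_section(section, excepted, rng):
    """Mask every value in a name->value section except the excepted names."""
    return {k: (v if k in excepted else mask_value(rng)) for k, v in section.items()}


def anonymize_record(record, ip_prefix=None, exceptions=EXCEPTIONS, seed=None):
    """Return an anonymized copy of record; ip_prefix is 24, 16, 8 or None (Off).

    seed only makes the random letter runs reproducible for demonstration;
    a real deployment would not seed the generator.
    """
    rng = random.Random(seed)
    out = copy.deepcopy(record)
    out["src_ip"] = mask_ip(record["src_ip"], ip_prefix)
    out["query"] = _mask_section(record["query"], exceptions["query"], rng)
    out["body"] = _mask_section(record["body"], exceptions["query"], rng)
    out["headers"] = _mask_section(record["headers"], exceptions["headers"], rng)
    out["cookies"] = _mask_section(record["cookies"], exceptions["cookies"], rng)
    return out


if __name__ == "__main__":
    for prefix in (None, 24, 16, 8):
        print(prefix, anonymize_record(SAMPLE_RECORD, ip_prefix=prefix, seed=1))
```

Running the script shows the excepted names (page, lang, Host) untouched while user, ssn, X-Patient-Id and the session cookie become letter runs, and the source IP collapses to 10.10.10.0, 10.10.0.0 or 10.0.0.0 as the prefix shrinks. Because the masked value carries no information about the original, there is no key or table that could turn it back, which is what makes the anonymization irreversible.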
Log Data Export
When the Allow unredacted data export checkbox is enabled, log data sent to an external destination through the Logging to external service feature (for example, S3 log exports) is exported in its original form, before anonymization is applied. Enable this only if the export destination is protected to the same standard the PII or PHI requires, because the unmasked data then exists outside the appliance.
Note: The log data export feature was released with version 5.0.3 on November 18, 2022.
Lock Data Anonymization
Lock data anonymization limits further changes to the feature at two levels:
- Prevent data anonymization from being disabled locks the feature on permanently; once saved, anonymization can no longer be turned off. This prompts the following warning message:
- Lock data anonymization configuration locks the feature's current settings, such as the Source IP masking value and the exceptions. Once saved, these settings can no longer be changed. This prompts the following warning message: