Skip to main content
Interested in getting early access to the Data Security feature? Contact support@cdata.com.
The Data Security feature lets you detect and control sensitive data as it moves into and out of Connect AI. You define security rules that identify sensitive values, such as credit card numbers or personal identifiers, and choose how to handle each match: take no action, raise a warning, redact the value, or block it. You can also apply different actions to inbound and outbound data. In Connect AI, inbound data is the content of the queries and requests you submit, and outbound data is the content Connect AI returns in the query results. Each rule can apply a different action to each direction. Use preset rules for common, built-in data types, or create custom rules that match your own patterns with a regular expression. Access Data Security by selecting Manage > Data Security in the Connect AI navigation menu.
Main Data Security page
The Data Security main page contains the following information about each security rule:
  • Rule Name–the name of the preset category, or in the case of custom rules, the user-defined name of the rule. This column also displays a short description of the rule and its regulation/region tag(s). The regulation tags indicate the compliance regulations it helps address (for example, CCPA / CPRA, GLBA, PCI DSS, and HIPAA). The region tags indicate where the regulation applies (for example, Global and US).
  • Detection Method–how the rule identifies a match. Preset rules use Pattern match (a built-in pattern for a known data type), while custom rules use Regex, where you provide your own regular expression and a confidence score.
  • Inbound Rule–the action applied to matching data coming into the system.
    • None–takes no action on matching data. The rule still detects the match, but the data passes through unchanged.
    • Warn–passes the matching data through unchanged, exactly as None does, but records the match in the logs for review.
    • Redact–masks or removes the matching sensitive values before the data enters the system, while allowing the rest of the data through.
    • Block–prevents data containing a match from entering the system.
  • Outbound Rule–the same actions applied to matching data leaving the system: None, Warn, Redact, or Block.
  • Status–whether the rule is Enabled or Disabled.
  • Rule Actions–the icons in the last column represent the various actions you can perform on a security rule.
    • Edit (🖉)–edit the selected security rule (custom rules only).
    • Delete (🗙)–delete the selected security rule.
How Redact and Block behave: When you apply Redact, each matching value is replaced in place while the rest of the data is returned unchanged. On outbound data, text, numeric, and date values are redacted. Text values are redacted to XXXX, numeric values are redacted to 0, and date values are redacted to 1900-01-01. When there is a date in a varchar type column and a redact rule is set, the date is converted to a redacted datetime format (1900-01-01) rather than a redacted text format (XXXX).When you apply Block, a match stops the operation. An inbound match halts the query and returns an error to the caller, and an outbound match prevents the matching results from being returned.

Filtering

The section above the Rules table allows you to filter by rule name, regulation type, and/or region. Use the Regulation Type and Region filters to filter by specific tags.

Add a Rule

You can add a rule from preset categories, or add a custom rule.

Add a Preset Rule

To add a preset rule:
1
On the main Data Security page, click Add. The Add Rule dialog appears.
2
Click Preset Categories.
3
Either click a preset rule type (such as PCI DSS) or click I don’t know my type — show me all, then click Next.
4
Search by Name, Regulation Type, or Region for the rule. Select one or more rules to add. Select the checkbox next to Entity to select all.
Add preset rule
5
Click Confirm.
6
The rules are added as Enabled. Configure each rule by setting its Inbound Rule and Outbound Rule. To hold a rule before using it, toggle Enabled off.
7
Click Save Changes to save the added rules.

Add a Custom Rule

To add a custom rule:
1
On the main Data Security page, click Add. The Add Rule dialog appears.
2
Click Custom Rule.
3
In the Add Rule dialog, enter the following:
  • Rule Name–the user-defined name of the rule.
  • Regex Pattern–the regular expression used to identify a match for this rule.
  • Score–the confidence score, between 0 and 1, that a match must meet before the rule acts on it. Higher values require a closer match.
  • Context Keywords–optional keywords associated with the rule that help refine detection and reduce false positives.
  • Inbound Detection–the action applied to matching data coming into the system: None, Warn, Redact, or Block.
  • Outbound Detection–the same actions applied to matching data leaving the system: None, Warn, Redact, or Block.
Add custom rule
4
Click Confirm.
5
The rule is added as Enabled. To hold a rule before using it, toggle Enabled off.
6
You can edit the Inbound Rule, Outbound Rule, and Status on the main page. To edit the Rule Name or Detection Method, click the Edit (🖉) button.
7
Click Save Changes to save the rules on the Data Security page.