> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cloud.cdata.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Data Security

> The ***Data Security*** page enables you to add and configure preset and custom security rules.

<Note>Interested in getting early access to the Data Security feature? Contact [support@cdata.com](mailto:support@cdata.com).</Note>

The Data Security feature lets you detect and control sensitive data as it moves into and out of Connect AI. You define security rules that identify sensitive values, such as credit card numbers or personal identifiers, and choose how to handle each match: take no action, raise a warning, redact the value, or block it. You can also apply different actions to inbound and outbound data.

In Connect AI, **inbound** data is the content of the queries and requests you submit, and **outbound** data is the content Connect AI returns in the query results. Each rule can apply a different action to each direction.

Use preset rules for common, built-in data types, or create custom rules that match your own patterns with a regular expression.

Access **Data Security** by selecting **Manage > Data Security** in the Connect AI navigation menu.

<Frame>
  <img src="https://mintcdn.com/cdata/3gMfTODtAccCQnjP/en/images/data_security.png?fit=max&auto=format&n=3gMfTODtAccCQnjP&q=85&s=69386096d412810f6ad7ef753565df16" alt="Main Data Security page" width="1354" height="805" data-path="en/images/data_security.png" />
</Frame>

The **Data Security** main page contains the following information about each security rule:

* **Rule Name**–the name of the preset category, or in the case of custom rules, the user-defined name of the rule. This column also displays a short description of the rule and its regulation/region tag(s). The regulation tags indicate the compliance regulations it helps address (for example, **CCPA / CPRA**, **GLBA**, **PCI DSS**, and **HIPAA**). The region tags indicate where the regulation applies (for example, **Global** and **US**).
* **Detection Method**–how the rule identifies a match. Preset rules use **Pattern match** (a built-in pattern for a known data type), while custom rules use **Regex**, where you provide your own regular expression and a confidence score.
* **Inbound Rule**–the action applied to matching data coming into the system.
  * **None**–takes no action on matching data. The rule still detects the match, but the data passes through unchanged.
  * **Warn**–passes the matching data through unchanged, exactly as **None** does, but records the match in the logs for review.
  * **Redact**–masks or removes the matching sensitive values before the data enters the system, while allowing the rest of the data through.
  * **Block**–prevents data containing a match from entering the system.
* **Outbound Rule**–the same actions applied to matching data leaving the system: **None**, **Warn**, **Redact**, or **Block**.
* **Status**–whether the rule is **Enabled** or **Disabled**.
* **Rule Actions**–the icons in the last column represent the various actions you can perform on a security rule.
  * **Edit (🖉)**–edit the selected security rule (custom rules only).
  * **Delete (🗙)**–delete the selected security rule.

<Note>
  **How Redact and Block behave:** When you apply **Redact**, each matching value is replaced in place while the rest of the data is returned unchanged. On outbound data, text, numeric, and date values are redacted. Text values are redacted to XXXX, numeric values are redacted to 0, and date values are redacted to 1900-01-01. When there is a date in a varchar type column and a redact rule is set, the date is converted to a redacted datetime format (1900-01-01) rather than a redacted text format (XXXX).

  When you apply **Block**, a match stops the operation. An inbound match halts the query and returns an error to the caller, and an outbound match prevents the matching results from being returned.
</Note>

## Filtering

The section above the Rules table allows you to filter by rule name, regulation type, and/or region.

Use the **Regulation Type** and **Region** filters to filter by specific tags.

## Add a Rule

You can add a rule from preset categories, or add a custom rule.

### Add a Preset Rule

To add a preset rule:

<Steps>
  <Step>
    On the main **Data Security** page, click **Add**. The **Add Rule** dialog appears.
  </Step>

  <Step>
    Click **Preset Categories**.
  </Step>

  <Step>
    Either click a preset rule type (such as PCI DSS) or click **I don't know my type — show me all**, then click **Next**.
  </Step>

  <Step>
    Search by **Name**, **Regulation Type**, or **Region** for the rule. Select one or more rules to add. Select the checkbox next to **Entity** to select all.

    <Frame>
      <img src="https://mintcdn.com/cdata/3gMfTODtAccCQnjP/en/images/data_security_add_preset.png?fit=max&auto=format&n=3gMfTODtAccCQnjP&q=85&s=05b3dc8a3caac08686a855f1dbac402c" alt="Add preset rule" width="901" height="970" data-path="en/images/data_security_add_preset.png" />
    </Frame>
  </Step>

  <Step>
    Click **Confirm**.
  </Step>

  <Step>
    The rules are added as **Enabled**. Configure each rule by setting its **Inbound Rule** and **Outbound Rule**. To hold a rule before using it, toggle **Enabled** off.
  </Step>

  <Step>
    Click **Save Changes** to save the added rules.
  </Step>
</Steps>

### Add a Custom Rule

To add a custom rule:

<Steps>
  <Step>
    On the main **Data Security** page, click **Add**. The **Add Rule** dialog appears.
  </Step>

  <Step>
    Click **Custom Rule**.
  </Step>

  <Step>
    In the **Add Rule** dialog, enter the following:

    * **Rule Name**–the user-defined name of the rule.
    * **Regex Pattern**–the regular expression used to identify a match for this rule.
    * **Score**–the confidence score, between 0 and 1, that a match must meet before the rule acts on it. Higher values require a closer match.
    * **Context Keywords**–optional keywords associated with the rule that help refine detection and reduce false positives.
    * **Inbound Detection**–the action applied to matching data coming into the system: **None**, **Warn**, **Redact**, or **Block**.
    * **Outbound Detection**–the same actions applied to matching data leaving the system: **None**, **Warn**, **Redact**, or **Block**.

    <Frame>
      <img src="https://mintcdn.com/cdata/3gMfTODtAccCQnjP/en/images/data_security_add_custom.png?fit=max&auto=format&n=3gMfTODtAccCQnjP&q=85&s=3ee65e2793c3f94e267c4bbeb91278a0" alt="Add custom rule" width="599" height="742" data-path="en/images/data_security_add_custom.png" />
    </Frame>
  </Step>

  <Step>
    Click **Confirm**.
  </Step>

  <Step>
    The rule is added as **Enabled**. To hold a rule before using it, toggle **Enabled** off.
  </Step>

  <Step>
    You can edit the **Inbound Rule**, **Outbound Rule**, and **Status** on the main page. To edit the **Rule Name** or **Detection Method**, click the **Edit (🖉)** button.
  </Step>

  <Step>
    Click **Save Changes** to save the rules on the **Data Security** page.
  </Step>
</Steps>
