Hello.
Currently I'm working on masking data using the Dynamic Data Masking feature that is available in BigQuery. I couldn't find any information about guarantees or an SLA that this product provides (or doesn't) related to the time needed to make sure that masking is working for every user. I need to know what the maximum delay is between the data policy tag being applied to a column and when all of the end users will actually see the masked data. What are the best practices regarding that, to prevent a situation where a user has access to data that they shouldn't?
Thank you for any advice and/or information.
Regards,
Przemek.
Good day @pw1236,
Welcome to Google Cloud Community!
After you've implemented masking it will be effective immediately and there should be no delays after you've implemented masking. If a user tries to query column data, BigQuery will check if the user has the necessary permissions to access the column data. Please also note that column-level access is also enforced with dataset ACLs. Dataset ACLs are basically the access permissions on your datasets, so before the user can access that column data, the user needs access permissions on both the dataset and the policy tag. You can check these links for more information: https://cloud.google.com/bigquery/docs/control-access-to-resources-iam
https://cloud.google.com/bigquery/docs/column-level-security-intro#column-level_security_workflow
You can also check this link if you want to know more about the roles used for access control in column level: https://cloud.google.com/bigquery/docs/column-level-security-intro#identify_what_needs_to_be_tagged
For best practices of defining access using policy tags in BigQuery, you can first identify what needs to be tagged, and create a category of a taxonomy. Here is a guide and a sample use case: https://cloud.google.com/bigquery/docs/column-level-security-intro#example_use_case and you can also try applying it at team or user level (e.g. team A has full access to the column data that contains confidential data, team B can only access the masked column data, while team C has no access to the column data). This can be achieved using masking, policy tags and column-level access control settings. You can check this link for more information: https://cloud.google.com/bigquery/docs/column-data-masking-intro#role-interaction
If a user has access to data that they shouldn't, although you have applied a policy tag and masking, you can check if the user is a member of two groups that have different roles, the Fine-Grained Reader role and the Mask Reader role; in this case the user may have inherited the Fine-Grained Reader role. You can check this link for more information about authorization inheritance: https://cloud.google.com/bigquery/docs/column-data-masking-intro#role-interaction
You can also check this link if you want to learn more about the best practices on how to create policy tags:
https://cloud.google.com/bigquery/docs/best-practices-policy-tags
Hope this will help!
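The role-interaction check described in the answer above, as an added example that is not part of the original posts: a simplified offline model that resolves group membership and reports which users end up with unmasked access to a tagged column. The group names, users and the flat `bindings` layout are constructed for illustration; the real bindings live on the policy tag, the data policy and the dataset.

```python
FINE_GRAINED = "roles/datacatalog.categoryFineGrainedReader"
MASKED = "roles/bigquerydatapolicy.maskedReader"

def expand(members, groups, seen=None):
    """Resolve 'group:' members (nested groups included) to a set of users."""
    seen = set() if seen is None else seen
    users = set()
    for m in members:
        if not m.startswith("group:"):
            users.add(m)
        elif m not in seen:          # guard against cyclic group nesting
            seen.add(m)
            users |= expand(groups.get(m, []), groups, seen)
    return users

def effective_access(dataset_readers, bindings, groups):
    """Return {user: 'unmasked' | 'masked' | 'denied'} for one tagged column."""
    with_dataset = expand(dataset_readers, groups)
    fine = expand(bindings.get(FINE_GRAINED, []), groups)
    masked = expand(bindings.get(MASKED, []), groups)
    result = {}
    for user in with_dataset | fine | masked:
        if user not in with_dataset:
            result[user] = "denied"      # dataset ACL is required as well
        elif user in fine:
            result[user] = "unmasked"    # Fine-Grained Reader wins over masking
        elif user in masked:
            result[user] = "masked"
        else:
            result[user] = "denied"      # dataset access but no role on the tag
    return result

def conflicting_users(bindings, groups):
    """Users holding both roles through any group path; they see raw data."""
    return (expand(bindings.get(FINE_GRAINED, []), groups)
            & expand(bindings.get(MASKED, []), groups))

# Constructed sample data (hypothetical groups and users).
GROUPS = {
    "group:team-a@example.com": ["user:alice@example.com", "user:carol@example.com"],
    "group:team-b@example.com": ["user:bob@example.com", "user:carol@example.com"],
}
DATASET_READERS = ["group:team-a@example.com", "group:team-b@example.com",
                   "user:dave@example.com"]
BINDINGS = {FINE_GRAINED: ["group:team-a@example.com"],
            MASKED: ["group:team-b@example.com"]}

if __name__ == "__main__":
    for user, level in sorted(effective_access(DATASET_READERS, BINDINGS, GROUPS).items()):
        print(f"{user}: {level}")
    print("holds both roles:", sorted(conflicting_users(BINDINGS, GROUPS)))
```

Running the same comparison against exported IAM bindings before and after a policy tag change shows whether anyone picked up the Fine-Grained Reader role through a second group.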
Hello @kvandres ,
Thank you for your response and clarification. I will take a look at the documentation once again and just do some testing regarding this, and I will get back and reply in this thread if I find some unexpected results.
Kind regards,
Przemek.