Insight Masking

Getting Started Guide

September 13, 2024 (5th Edition)

About this document
  • This is a getting started guide for Insight Masking Manager on EC2 instances.

    • Start Insight Masking Manager on an EC2 instance from the AMI.

  • Follow the instructions in the Insight Masking documents for further details.

  • For the Japanese version of documents, please contact customer support from the website.

1. Prepare Insight Masking

1.1. Start Insight Masking on EC2 instances

  • Start an EC2 instance with the following settings:

    • AMI: Select Insight Masking AMI at AWS Marketplace.

    • Instance type: 2 vCPUs or more, 8GB RAM or more (t3.large or higher is recommended.)

    • Storage: 50GB or more (Refer to the installation manual for more details.)

      • The required storage size depends on the target data size and the storage usage settings. When Amazon S3 is used, additional storage is not required because only log files are stored on the EC2 instance.

    • Swap space: 2GB or more

      • In the Advanced details section, add the following cloud-config to the user data:

        #cloud-config
        swap:
          filename: /swapfile
          size: 2G
          maxsize: 2G

    • Security group: SSH (22), HTTP/HTTPS (80, 443)

      • Port 80 is used for the Web-UI.

        • For more details on SSL (443) use, refer to the setting manual from the Insight Masking Manager Web-UI.
          http://<Insight Masking Manager IP address>/manual/index.html

2. Web-UI access

  • You can access the Insight Masking Manager Web-UI from the following URL:

    http://<Insight Masking Manager IP address>/

    [Figure: Login view]

  • If you subscribe to Insight Masking with Bring-Your-Own-License (BYOL), you will be asked to enter the license for Insight Masking.

2.1. Create a user account

  • Access the Insight Masking Manager Web-UI.

  • Log in with the administrator account’s E-mail address and password.
    The E-mail address of the administrator is "admin@masking.com" and the password is your EC2 instance ID.

  • Select [User Management] on the left menu to display the list of users. Click [ADD] at the top right of the screen.

  • On [Add User], enter a username and E-mail address and click [OK].

  • A temporary password is issued. Log in again as the new user account with this login information.

  • The temporary password is copied to the clipboard; no notification is sent by E-mail.

  • After logging in as the user with the temporary password, please change the password immediately.

Refer to the setting manual for more user management details.

3. Mask data in a CSV file on S3 buckets

This section provides a step-by-step procedure to mask a CSV file on Amazon S3 buckets.

Refer to the setting manual for further details.

3.1. Prerequisite

3.1.1. Prepare S3 buckets for input data and masked data

Insight Masking can use two different S3 buckets for input data and masked data.

This guide uses the following buckets:

  • insight-masking-input : input data

  • insight-masking-output : masked data

3.1.2. Set bucket info on Insight Masking setting

To mask CSV/Fixed-length/Dump/Parquet files, set a source environment where the input data is stored and a target environment where the masked data is output.

  • Log in to the Insight Masking Manager Web-UI with the administrator account.
    The E-mail address of the administrator is "admin@masking.com" and the password is your EC2 instance ID.

  • Set the source environment.

    • Select [Settings] on the left menu. For the "Source" environment in FILE SHARING, select [Read data from S3 (Amazon Simple Storage Service)].

    • In [Bucket name], enter the Amazon S3 bucket name where the input data is stored.

    • In [S3 Data Sub-Path], enter the path of the folder on Amazon S3 where the input data is stored. (Usually the root directory "/".)

  • Set the target environment.

    • Select [Settings] on the left menu. For the "Target" environment in FILE SHARING, select [Write masked result to S3 (Amazon Simple Storage Service)].

    • In [Bucket name], enter the Amazon S3 bucket name where the masked data will be stored.

    • In [S3 Masked Sub-Path], enter the path of the folder on Amazon S3 where the masked data will be stored. (Usually the root directory "/".)

  • Click [GENERATE IAM POLICY] to download the IAM Policy JSON file.

3.1.3. Set an IAM policy

3.1.3.1. Create an IAM Policy
  • Create an IAM policy to allow access to S3 buckets. The following JSON content is included in the downloaded JSON file:

    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Sid": "ListObjectsInBucket",
    			"Effect": "Allow",
    			"Action": [
    				"s3:ListBucket"
    			],
    			"Resource": [
    				"arn:aws:s3:::insight-masking-input",
    				"arn:aws:s3:::insight-masking-output"
    			]
    		},
    		{
    			"Sid": "AllObjectActions",
    			"Effect": "Allow",
    			"Action": "s3:*Object",
    			"Resource": [
    				"arn:aws:s3:::insight-masking-input/*",
    				"arn:aws:s3:::insight-masking-output/*"
    			]
    		}
    	]
    }

    • Open the IAM Management Console.

    • Click [Policies] from the left menu and click [Create Policy].

    • Select the [JSON] tab, and paste the downloaded JSON contents.

    • Follow the screen to the next step and create the policy.
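
The following added example (not part of the Insight Masking documentation or product) evaluates which actions the generated policy above allows on a bucket or object, so the reach of the `s3:*Object` wildcard can be checked before the policy is created. The action list is a constructed sample of S3 action names, and the matcher ignores Deny, NotAction and Condition, none of which appear in this policy.

```python
from fnmatch import fnmatchcase

# The generated policy from this guide (same content, compact layout).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListObjectsInBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::insight-masking-input",
                      "arn:aws:s3:::insight-masking-output"]},
        {"Sid": "AllObjectActions", "Effect": "Allow",
         "Action": "s3:*Object",
         "Resource": ["arn:aws:s3:::insight-masking-input/*",
                      "arn:aws:s3:::insight-masking-output/*"]},
    ],
}

# Constructed sample of S3 action names, not the complete S3 action list.
S3_ACTIONS = [
    "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "s3:RestoreObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion",
    "s3:GetObjectAcl", "s3:PutObjectAcl",
]


def as_list(value):
    """Action, Resource and Statement may each be a single item or a list."""
    return list(value) if isinstance(value, (list, tuple)) else [value]


def granted(policy, resource_arn, actions=S3_ACTIONS):
    """Return the sampled actions that Allow statements grant on resource_arn.

    Only Effect/Action/Resource are evaluated; Deny, NotAction and Condition
    are not handled (this policy uses none of them).
    """
    allowed = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # Resource ARNs are matched case-sensitively; '*' spans any characters.
        if not any(fnmatchcase(resource_arn, r) for r in as_list(stmt["Resource"])):
            continue
        for pattern in as_list(stmt["Action"]):
            # Action names are case-insensitive in IAM.
            allowed.update(a for a in actions
                           if fnmatchcase(a.lower(), pattern.lower()))
    return sorted(allowed)
```

For an object in the input bucket the result includes `s3:PutObject` and `s3:DeleteObject` as well as `s3:GetObject`, because the wildcard statement covers both buckets equally.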

3.1.3.2. Create an IAM role
  • Create an IAM role for the policy.

    • Open the IAM Management Console.

    • Select [Roles] on the left menu and click [Create role].

    • Select [EC2] from [Use case] and click [Next].

    • Select your created IAM policy from [Add permissions] and click [Next].

    • Set the role name and click [Create role].

3.1.3.3. Assign the IAM role to the EC2 instance
  • Assign the IAM role to the Insight Masking Manager on the EC2 instance.

    • Open the EC2 Management Console.

    • Select [Instances] on the left menu.

    • Select the instance for Insight Masking Manager and click [Security] - [Modify IAM role] from [Actions].

    • Select your created IAM role and click [Update IAM role].
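
The console steps in 3.1.3.1 to 3.1.3.3, written as API calls in an added example (not code from Insight Masking). `iam` and `ec2` are assumed to be boto3 clients, and `insight-masking-s3` is a hypothetical name reused for the policy, role and instance profile.

```python
import json

# Trust policy the console writes when [EC2] is chosen as the use case:
# only the EC2 service may assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def attach_masking_role(iam, ec2, instance_id, policy_json,
                        name="insight-masking-s3"):
    """Create the policy, role and instance profile, then bind them to the instance.

    iam, ec2    -- boto3 clients, e.g. boto3.client("iam"), boto3.client("ec2")
    instance_id -- ID of the Insight Masking Manager EC2 instance
    policy_json -- text of the JSON file downloaded via [GENERATE IAM POLICY]
    name        -- hypothetical name used for policy, role and profile
    """
    # 3.1.3.1: create the customer-managed policy from the downloaded JSON.
    policy_arn = iam.create_policy(
        PolicyName=name, PolicyDocument=policy_json)["Policy"]["Arn"]

    # 3.1.3.2: create the role with the EC2 trust policy and attach the policy.
    iam.create_role(
        RoleName=name, AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    iam.attach_role_policy(RoleName=name, PolicyArn=policy_arn)

    # The console creates an instance profile named after the role implicitly;
    # through the API it has to be created and linked explicitly.
    iam.create_instance_profile(InstanceProfileName=name)
    iam.add_role_to_instance_profile(InstanceProfileName=name, RoleName=name)

    # 3.1.3.3: associate the profile (and so the role) with the instance.
    ec2.associate_iam_instance_profile(
        IamInstanceProfile={"Name": name}, InstanceId=instance_id)
    return policy_arn
```

EC2 may not see a newly created instance profile for a few seconds, so the final call can need a retry.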

3.2. Apply S3 bucket info on Insight Masking Manager

  • Log in to the Insight Masking Manager Web-UI with the administrator account.

    • Select [Settings] on the left menu and click [APPLY].

    • The connection to the S3 buckets is established. Sometimes, you need to retry. A green check mark is shown when the connection succeeds.

      [Figure: Connect to S3 buckets]

3.3. Mask a CSV file on the S3 bucket

3.3.1. Put an input CSV file on the S3 bucket

  • Upload the plain data to be masked to the input S3 bucket.

3.3.2. Create mask config

  • Log in to the Insight Masking Manager Web-UI with a user account.

  • Click the [+] icon and create a "Project" with the project name and comment.

    [Figure: Create a project]

  • On [Overview], select the [CSV] tab and click the [ADD] button.

  • Select a target file or a target folder in the S3 bucket.

    [Figure: Add CSV files]

  • Select [Tables] on the left menu and set the masking status "ENABLE" in the file list.

    [Figure: Enable masking for each file]

  • Select [COLUMNS] from [Actions].

  • Select all columns from the list and set the status "ENABLE".

    [Figure: Enable masking for each column]

    • The default algorithm is "Keep type" or "Keep digits".

    • The masking algorithm can be changed by selecting [EDIT] from [Actions].

      [Figure: Masking setting for a column]

3.3.3. Mask the CSV file

  • Select [Export] on the left menu.

  • Click [START MASKING].

  • Click [SAVE CONFIG].

    [Figure: Save config]

3.3.4. Confirm masked CSV file

  • Select [Report] on the left menu.

  • Check [Last Log] to confirm that the saved masking setting has been processed.

  • Check [Report Log], which shows the list of masking execution reports.

    • Click [VIEW REPORT] to display the report in a new tab.

    • Click [DOWNLOAD LOG] to download the masking execution report.

      [Figure: The Last Log shows the process log of the masking]

  • Masked CSV files are created in the output S3 bucket with the prefix "(project id)/".

    • "(project id)" can be found on [Overview].