After data is passed to the Tealeaf system, the first place in which data can be cleansed is on the Tealeaf Passive Capture Application (PCA) server.
Cleansing data at the PCA server is known as passive capture privacy.
The PCA server is the optimal place for blocking internal employee access to customer-sensitive information.
- Visitor account number
- Social Security numbers
- Credit card information
In addition to preventing access to customer-sensitive information, you can use PCA privacy management tools enable to encrypt customer-sensitive data, which can then be decrypted at a later time in the process. Blocking or encrypting data on the PCA using privacy rules ensures that the rest of the Acou (Tealeaf) system does not ever have plain-text access to customer-sensitive data that belongs to visitors of your web site.
How to decide if implementing privacy on the PCA server is the right thing to do
Implement PCA privacy if you want to:
- Block private data
- Encrypt private data that must recalled later
- Drop traffic that does not need to be captured
- Drop the response or "body" of unnecessary hits
TextBlockURLFields
action configured by default in Rule 1.Performance implications of PCA privacy
Through the PCA Web Console, you can configure privacy rules to find beginning and ending text patterns, between which the text can be blocked. Privacy also enables regular expression pattern matching, so complicated text patterns can be applied. Using regular expressions is expensive to process.
Prebuilt privacy rules
Tealeaf provides prebuilt rules that enable the blocking or encryption of data fields that have been marked in the response with the appropriate comments.
When you build your web application, you can mark content in the response with HTML comments. These comments are not visible to the user. However, Tealeaf can scan the response for them and then blocks or encrypts accordingly.
Your Social Security No. is 123-12-1234
This information may be necessary for the visitor to your site, yet for security reasons, it should be blocked from the data captured by Tealeaf or encrypted so that only those Tealeaf users that have been authorized can see it.
Example of blocking data
Your Social Security No. is <!-- TLTIHB--> 123-12-1234<!-- TLTIHE-->
Tealeaf Privacy can be configured to recognize these specific tags and then to block the data between them.
Your Social Security No. is <!-- TLTIHB-->XXXXXXXXXXX<!-- TLTIHE-->
To enable this privacy rule, additional configuration is required.
Example of encrypting data
Your Social Security No. is <!-TLTENB-->123-12-1234<!--TLTENE-->
Your Social Security No. is <!--TLTENB-->@@@@@@@@@@@<!--TLTENE-->
To enable this privacy rule, additional configuration is required.
Enable prebuilt rules
In the privacy configuration, Tealeaf provides a number of preconfigured privacy rules, which can be modified and enabled to meet the requirements of your application
Manage multiple levels of data security
If multiple levels of encryption are required, you can add more bracketing comments, with each set representing a different security level.
Your Social Security No. is
<!--TLTTrustStandardB--><!--TLTTrustSilverB-->
<!--TLTTrustGoldB-->123-12-1234<!--TLTTrustGoldE--><!--TLTTrustSilverE-->
<--TLTTrustStandardE-->
Your Social Security No. is
<!--TLTTrustStandardB--><!--TLTTrustSilverB--123-12-1234<!--TLTTrustSilverE-->
<!--TLTTrustStandardE-->
Group to create | Bracketing tags to reference |
---|---|
TealeafTrustStandard | <!--TLTTrustStandardB-->...<!--TLTTrustStandardE--> |
TealeafTrustSilver | <!--TLTTrustSilverB-->...<!--TLTTrustSilverE--> |
TealeafTrustGold | <!--TLTTrustStandardB-->...<!--TLTTrustStandardE--> |
TealeafTrustGold example
Your Social Security No. is
<!--TLTTrustGoldB-->123-12-1234<!--TLTTrustGoldE-->
TealeafTrustGold
user, the user would see the actual social security number. For all non-TealeafTrustGold
users, the number appears as several @ signs. Output:
Your Social Security No. is
<!--TLTTrustGoldB-->@@@@@@@@@@@<!--TLTTrustGoldE-->
TealeafTrustSilver example
If only the Gold and Silver groups are permitted to see the email address, then following the example, Gold users must also be included in the Silver security group.
Your Email Address is
<!--TLTTrustSilverB-->test@example.com<!--TLTTrustSilverE-->
Your Email Address is
<!--TLTTrustSilverB-->@@@@@@@@@@@@@@@@<!--TLTTrustSilverE-->
Steps for enabling multiple levels of security
The following is a general approach to enabling multiple levels of data security in Tealeaf, after applying the above standards in your web application. You are likely to need to modify these steps to meet your enterprise requirements.
- Create Tealeaf user groups for each type of security to employ. In the above example, you might create the following groups.
- TealeafTrustStandard
- TealeafTrustSilver
- TealeafTrustGold
Note: If you are using tiered levels of security clearance, then users with the highest level of clearance must be included in all of the lower levels. - Bracket all sensitive data with the appropriate HTML comments, as shown in the examples.
- Add Tealeaf users to the appropriate groups.
- Create and enable the privacy rules.
- Deploy Privacy rules accordingly.
- For Tealeaf Passive Capture Application:
You can deploy privacy rules to be applied at the point of capture, which ensures that the sensitive data is never in an unprotected state in Tealeaf. However, PCA privacy rules can impede performance of real-time processing.
- For Windows Pipeline:
You can deploy privacy rules in the Windows pipeline on the Processing Server(s). However, using the Privacy session agent to block or encrypt data means that the data has not been secured until it passes through the PCA and the Transport Service to the Processing Server. Tealeaf does employ application and database security methods to protect general access.
- For Tealeaf Passive Capture Application:
- Test the availability of sensitive data for one user from each privacy group.
Design privacy rules
Several types of privacy rules inherently require high CPU/time requirements and can affect PCA performance.
These types of rules include the following:
- Rules that search the entire response of the hit
- Rules that use regular expressions, instead of plain text to match patterns
- Rules that use both start and end pattern regular expressions
- Rules that encrypt data
# of characters in data * # of preceding characters to match
Including several rules with these types of regular expressions can raise the processing requirement for each hit to dangerously high levels. Whenever possible, use plain text to identify the start and end pattern of what you wish to block or encrypt.
In your rule configuration, you may also use the Stop Processing flag, which stops evaluating the data if you need to block only the first occurrence of the data. This flag allows privacy to stop searching after the rule has been triggered. For example, if you know that a customer's login ID is displayed only once on any page, then this flag is useful for limiting the processing required to block it. For text sequences occurring at the beginning of the response, the Stop Processing flag can make a considerable difference in processing requirements.
Test privacy
PCA privacy management also enables testing to identify and eliminate potential processing issues.
For example, if you have a single page that requires encryption of a specific text sequence, you can create a test to trigger that rule only when the page's URL appears in the URL section of the request buffer. Privacy passes on evaluating any page that does not contain the URL, resulting in a dramatic decrease in processing overhead.
The test for the request value is far less intensive than the processing of the entire response of the hit for a text sequence.