About data loss prevention

Data Loss Prevention (DLP) is a method of ensuring that sensitive data isn't logged or leaked. Gloo Gateway implements it as a series of regex replacements on the response body, so matched values are masked before the response is forwarded to the client.

DLP for response bodies and headers

When you apply a DLP rule, Gloo Gateway performs a series of regex replacements on the body of each response that it processes. The upstream service still returns the data unmasked to the gateway; the masking happens at the gateway. For example, consider the following response body that is returned to Gloo Gateway.

    {
      "fakevisa": "4397945340344828",
      "ssn": "123-45-6789"
    }

With DLP enabled, Gloo Gateway applies a transformation to the response that masks the sensitive data. All but the trailing characters of each matched value are replaced with X, so the last four digits of the card number and the last three digits of the social security number remain visible.

    {
      "fakevisa": "XXXXXXXXXXXX4828",
      "ssn": "XXX-XX-X789"
    }

DLP for access logs

Before you begin

  1. Follow the Get started guide to install Gloo Gateway, set up a gateway resource, and deploy the httpbin sample app.

  2. Get the external address of the gateway and save it in an environment variable.

Predefined actions for response bodies

  1. Send a request to the httpbin app that passes a fake social security number and a fake credit card number as query parameters. The httpbin app echoes the parameters back in the args field of its response; the example below uses an American Express number. Verify that the sensitive information is returned unmasked.

    Example output:

       ...
       {
         "args": {
           "fakeamex": [
             "349191317465935"
           ],
           "ssn": [
             "123-45-6789"
           ]
         },
         "headers": {
           "Accept": [
             "*/*"
           ],
           "Host": [
             "www.example.com:8080"
           ],
       ...
       

  2. Create a RouteOption resource to define your DLP rules. The following example uses the predefined SSN and ALL_CREDIT_CARDS actions to mask the social security number and the credit card number.

    kubectl apply -f- <<EOF
    apiVersion: gateway.solo.io/v1
    kind: RouteOption
    metadata:
      name: dlp
      namespace: httpbin
    spec:
      options:
        dlp:
          actions:
          - actionType: SSN
          - actionType: ALL_CREDIT_CARDS
    EOF
      
  3. Create an HTTPRoute resource that exposes the httpbin app on the dlp.example domain and applies the DLP rules that you defined by referencing the RouteOption as an ExtensionRef filter.

    kubectl apply -f- <<EOF
    apiVersion: gateway.networking.k8s.io/v1beta1
    kind: HTTPRoute
    metadata:
      name: httpbin-dlp
      namespace: httpbin
    spec:
      parentRefs:
      - name: http
        namespace: gloo-system
      hostnames:
        - dlp.example
      rules:
        - filters:
            - type: ExtensionRef
              extensionRef:
                group: gateway.solo.io
                kind: RouteOption
                name: dlp
          backendRefs:
            - name: httpbin
              port: 8000
    EOF
      
  4. Send the same request to the httpbin app on the dlp.example domain. Verify that the sensitive information is now masked: only the last four digits of the card number and the last three digits of the social security number remain visible.

    Example output:

       ...
       {
         "args": {
           "fakeamex": [
             "XXXXXXXXXXX5935"
           ],
           "ssn": [
             "XXX-XX-X789"
           ]
         },
         "headers": {
           "Accept": [
             "*/*"
           ],
           "Host": [
             "dlp.example:8080"
           ],
       ...
       

  5. Optional: Clean up the resources that you created.

    kubectl delete routeoption dlp -n httpbin
    kubectl delete httproute httpbin-dlp -n httpbin
    

Custom actions for response bodies

In this example, you mask data in responses by using a custom DLP action.

  1. Send a request to the httpbin app on the /json path. Requests to this path return a slideshow example with attributes such as the author, title, and slideshow items. Verify that you see the author attribute unmasked.

    Example output:

       {
         "slideshow": {
           "author": "Yours Truly",
           "date": "date of publication",
           "slides": [
             {
               "title": "Wake up to WonderWidgets!",
               "type": "all"
             },
             {
               "items": [
                 "Why <em>WonderWidgets</em> are great",
                 "Who <em>buys</em> WonderWidgets"
               ],
               "title": "Overview",
               "type": "all"
             }
           ],
           "title": "Sample Slide Show"
         }
       }
       

  2. Create a RouteOption resource to define your DLP rules. The following example creates a custom rule: the regex matches the author field in the response body and captures its value in capture group 1, subgroup: 1 restricts masking to that group, percent: 100 masks the whole captured value, and maskChar replaces each masked character with _.

    kubectl apply -f- <<EOF
    apiVersion: gateway.solo.io/v1
    kind: RouteOption
    metadata:
      name: dlp
      namespace: httpbin
    spec:
      options:
        dlp:
          actions:
          - customAction:
              maskChar: "_"
              name: test # only used for logging
              percent:
                value: 100
              regexActions:
              - regex: '"author": [^"]*"([^"]*)"'
                subgroup: 1
    EOF
      
  3. Create an HTTPRoute resource that exposes the httpbin app on the dlp.example domain and applies the DLP rules that you defined by referencing the RouteOption as an ExtensionRef filter.

    kubectl apply -f- <<EOF
    apiVersion: gateway.networking.k8s.io/v1beta1
    kind: HTTPRoute
    metadata:
      name: httpbin-dlp
      namespace: httpbin
    spec:
      parentRefs:
      - name: http
        namespace: gloo-system
      hostnames:
        - dlp.example
      rules:
        - filters:
            - type: ExtensionRef
              extensionRef:
                group: gateway.solo.io
                kind: RouteOption
                name: dlp
          backendRefs:
            - name: httpbin
              port: 8000
    EOF
      
  4. Send a request to the httpbin app on the dlp.example domain along the /json path. Verify that the author is now masked. Only the letters of the captured value are replaced; the space between the two words is preserved.

    Example output:

       {
         "slideshow": {
           "author": "_____ _____",
           "date": "date of publication",
           "slides": [
             {
               "title": "Wake up to WonderWidgets!",
               "type": "all"
             },
             {
               "items": [
                 "Why <em>WonderWidgets</em> are great",
                 "Who <em>buys</em> WonderWidgets"
               ],
               "title": "Overview",
               "type": "all"
             }
           ],
           "title": "Sample Slide Show"
         }
       }
       

  5. Optional: Remove the resources that you created.

    kubectl delete routeoption dlp -n httpbin
    kubectl delete httproute httpbin-dlp -n httpbin
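The predefined-action and custom-action procedures above both depend on how the regex, subgroup, percent and maskChar settings combine, and the only way to see that on the page is to apply a RouteOption to a live gateway. The following script is an added, constructed model of that masking logic, not Gloo Gateway's or Envoy's own code: it reproduces the masked outputs shown in both sections so a regex can be checked offline before it goes into a RouteOption. The regexes standing in for the SSN and ALL_CREDIT_CARDS actions, the 75% mask ratio, and the rule that separators such as "-" and " " are left in place are assumptions inferred from the page's outputs, not Gloo Gateway's actual patterns; the sample bodies are constructed from the page's values.

```python
"""Offline model of regex-based DLP masking (added example, not Gloo Gateway code)."""
import math
import re
from dataclasses import dataclass


@dataclass
class RegexAction:
    regex: str
    subgroup: int = 0  # 0 masks the whole match; 1 masks the first capture group


@dataclass
class CustomAction:
    name: str               # like customAction.name on the page, only used for logging
    regex_actions: list     # list[RegexAction]
    mask_char: str = "X"
    percent: float = 100.0  # share of the matched text to mask, counted from the left


def mask_value(value: str, mask_char: str, percent: float) -> str:
    """Mask the leading `percent` of the maskable characters in `value`.

    Assumption (chosen so the page's outputs are reproduced): only letters and digits
    are masked and counted; separators such as '-' and ' ' stay in place. The count is
    rounded down, so 75% of a 9-digit SSN masks 6 digits and 75% of a 15-digit card
    number masks 11, leaving the trailing digits visible.
    """
    maskable = sum(1 for c in value if c.isalnum())
    to_mask = math.floor(maskable * percent / 100)
    out, done = [], 0
    for c in value:
        if c.isalnum() and done < to_mask:
            out.append(mask_char)
            done += 1
        else:
            out.append(c)
    return "".join(out)


def apply_action(body: str, action: CustomAction) -> str:
    """Run every regexAction of one action over the body, masking only the subgroup."""
    for ra in action.regex_actions:
        pattern = re.compile(ra.regex)

        def repl(m: re.Match, ra=ra) -> str:
            start, end = m.span(ra.subgroup)
            if start < 0:  # the group did not participate in this match
                return m.group(0)
            whole = m.group(0)
            rel_start, rel_end = start - m.start(), end - m.start()
            masked = mask_value(m.group(ra.subgroup), action.mask_char, action.percent)
            return whole[:rel_start] + masked + whole[rel_end:]

        body = pattern.sub(repl, body)
    return body


def apply_actions(body: str, actions: list) -> str:
    """Apply actions in order, like the `actions` list of a RouteOption's dlp block."""
    for action in actions:
        body = apply_action(body, action)
    return body


# Constructed stand-ins for the predefined actionType values. The regexes are only
# enough to match this page's sample values; they are not Gloo Gateway's patterns,
# and the 75% ratio is inferred from the page's outputs.
PREDEFINED = {
    "SSN": CustomAction("SSN", [RegexAction(r"\b\d{3}-\d{2}-\d{4}\b")], "X", 75),
    "ALL_CREDIT_CARDS": CustomAction("ALL_CREDIT_CARDS", [RegexAction(r"\b\d{15,16}\b")], "X", 75),
}

# The page's custom action, plus a whitespace-tolerant variant of its regex.
AUTHOR_ACTION = CustomAction("test", [RegexAction(r'"author": [^"]*"([^"]*)"', subgroup=1)], "_", 100)
AUTHOR_ACTION_TOLERANT = CustomAction("test", [RegexAction(r'"author"\s*:\s*"([^"]*)"', subgroup=1)], "_", 100)

# Constructed sample bodies built from the page's values, one pretty-printed, one compact.
PRETTY_BODY = '{\n  "fakevisa": "4397945340344828",\n  "ssn": "123-45-6789"\n}'
SLIDESHOW_BODY = '{"slideshow": {"author": "Yours Truly", "title": "Sample Slide Show"}}'
COMPACT_SLIDESHOW_BODY = '{"slideshow":{"author":"Yours Truly","title":"Sample Slide Show"}}'


def demo() -> dict:
    return {
        "predefined": apply_actions(PRETTY_BODY, [PREDEFINED["SSN"], PREDEFINED["ALL_CREDIT_CARDS"]]),
        "custom": apply_actions(SLIDESHOW_BODY, [AUTHOR_ACTION]),
        # The page's regex requires a literal ": " after the key, so compact JSON is not matched.
        "custom_compact": apply_actions(COMPACT_SLIDESHOW_BODY, [AUTHOR_ACTION]),
        "custom_compact_tolerant": apply_actions(COMPACT_SLIDESHOW_BODY, [AUTHOR_ACTION_TOLERANT]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}:\n{result}\n")
```

The custom_compact case is the caveat worth keeping in mind: because DLP matches on the raw response text, the page's regex `"author": [^"]*"([^"]*)"` only fires when the upstream serializes the key with a space after the colon, and a compact encoder would send the author through unmasked. A pattern that allows optional whitespace around the colon, as in the tolerant variant, is the safer choice; likewise the `[^"]*` capture stops at the first quote, so a value containing an escaped quote is only partially masked. Run candidate regexes through this model against bodies captured from the real upstream before trusting them on a live route.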