Data loss prevention (DLP)

About data loss prevention link

Data Loss Prevention (DLP) is a method of ensuring that sensitive data isn’t logged or leaked. Gloo Gateway accomplishes this by performing a series of regex replacements on the response body.

DLP for response bodies and headers link

When you apply a DLP rule, Gloo Gateway completes a series of regex replacements on the body of each response that it processes. For example, consider the following response body that is returned to Gloo Gateway.

{
   "fakevisa": "4397945340344828",
   "ssn": "123-45-6789"
}

With DLP enabled, Gloo Gateway applies a transformation to the response that masks sensitive data.

{
   "fakevisa": "XXXXXXXXXXXX4828",
   "ssn": "XXX-XX-X789"
}

DLP for access logs link

Before you begin link

1. Follow the Get started guide to install Gloo Gateway, set up a gateway resource, and deploy the httpbin sample app.

2. Get the external address of the gateway and save it in an environment variable.

   export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
   echo $INGRESS_GW_ADDRESS

   kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080

Predefined actions for response bodies link

1. Send a request to the httpbin app that returns a fake social security number and VISA credit card number in your response. Verify that the sensitive information is returned unmasked.

   curl -vik http://$INGRESS_GW_ADDRESS:8080/anything?fakeamex=349191317465935&ssn=123-45-6789 -H "host: www.example.com:8080"

   curl -i localhost:8080/anything?fakeamex=349191317465935&ssn=123-45-6789 -H "host: www.example.com"

   Example output:

   ...
   {
     "args": {
       "fakeamex": [
         "349191317465935"
      ],
       "ssn": [
        "123-45-6789"
       ]
     },
     "headers": {
       "Accept": [
         "*/*"
       ],
       "Host": [
         "www.example.com:8080"
       ],
   ...
    
    
    
    
   

2. Create a RouteOption resource to define your DLP rules. The following example uses DLP predefined actions to mask the credit card and social security numbers.

   kubectl apply -f- <<EOF
   apiVersion: gateway.solo.io/v1
   kind: RouteOption
   metadata:
     name: dlp
     namespace: httpbin
   spec:
     options:
       dlp:
         actions:
         - actionType: SSN
         - actionType: ALL_CREDIT_CARDS
   EOF

3. Create an HTTPRoute resource that exposes httpbin app on the dlp.example domain and applies the DLP rules that you defined.

   kubectl apply -f- <<EOF
   apiVersion: gateway.networking.k8s.io/v1
   kind: HTTPRoute
   metadata:
     name: httpbin-dlp
     namespace: httpbin
   spec:
     parentRefs:
     - name: http
       namespace: gloo-system
     hostnames:
       - dlp.example
     rules:
       - filters:
           - type: ExtensionRef
             extensionRef:
               group: gateway.solo.io
               kind: RouteOption
               name: dlp
         backendRefs:
           - name: httpbin
             port: 8000
   EOF

4. Send a request to the httpbin app on the dlp.example domain. Verify that the sensitive information is now masked.

   curl -vik http://$INGRESS_GW_ADDRESS:8080/anything?fakeamex=349191317465935&ssn=123-45-6789 -H "host: dlp.example:8080"

   curl -i localhost:8080/anything?fakeamex=349191317465935&ssn=123-45-6789 -H "host: dlp.example"

   Example output:

   ...
   {
     "args": {
       "fakeamex": [
         "XXXXXXXXXXX5935"
       ],
       "ssn": [
         "XXX-XX-X789"
       ]
     },
     "headers": {
       "Accept": [
         "*/*"
       ],
       "Host": [
         "dlp.example:8080"
       ],
   ...
    
    
    
    
   

5. Optional: Clean up the resources that you created.

   kubectl delete routeoption dlp -n httpbin
   kubectl delete httproute httpbin-dlp -n httpbin

Custom actions for response bodies link

In this example, you mask data in responses by using a custom DLP action.

1. Send a request to the httpbin app along the /json path. Requests to this path return a slideshow example with attributes, such as the author, title, and slideshow items. Verify that you see the author attribute unmasked.

   curl -vik http://$INGRESS_GW_ADDRESS:8080/json -H "host: www.example.com:8080"

   curl -i localhost:8080/json -H "host: www.example.com"

   Example output:

   {
     "slideshow": {
       "author": "Yours Truly",
       "date": "date of publication",
       "slides": [
         {
           "title": "Wake up to WonderWidgets!",
           "type": "all"
         },
         {
           "items": [
             "Why <em>WonderWidgets</em> are great",
             "Who <em>buys</em> WonderWidgets"
           ],
           "title": "Overview",
           "type": "all"
         }
       ],
       "title": "Sample Slide Show"
     }
   }
    
   

2. Create a RouteOption resource to define your DLP rules. The following example creates a custom rule that captures the author in the response body and replaces the name of the author with _ characters.

   kubectl apply -f- <<EOF
   apiVersion: gateway.solo.io/v1
   kind: RouteOption
   metadata:
     name: dlp
     namespace: httpbin
   spec:
     options:
       dlp:
         actions:
         - customAction:
             maskChar: "_"
             name: test # only used for logging
             percent:
               value: 100
             regexActions:
             - regex: '"author": [^"]*"([^"]*)"'
               subgroup: 1
   EOF

3. Create an HTTPRoute resource that exposes httpbin app on the dlp.example domain and applies the DLP rules that you defined.

   kubectl apply -f- <<EOF
   apiVersion: gateway.networking.k8s.io/v1
   kind: HTTPRoute
   metadata:
     name: httpbin-dlp
     namespace: httpbin
   spec:
     parentRefs:
     - name: http
       namespace: gloo-system
     hostnames:
       - dlp.example
     rules:
       - filters:
           - type: ExtensionRef
             extensionRef:
               group: gateway.solo.io
               kind: RouteOption
               name: dlp
         backendRefs:
           - name: httpbin
             port: 8000
   EOF

4. Send a request to the httpbin app on the dlp.example domain. Verify that the author is now masked.

   curl -vik http://$INGRESS_GW_ADDRESS:8080/json -H "host: dlp.example:8080"

   curl -i localhost:8080/json -H "host: dlp.example"

   Example output:

   {
     "slideshow": {
       "author": "_____ _____",
       "date": "date of publication",
       "slides": [
         {
           "title": "Wake up to WonderWidgets!",
           "type": "all"
         },
         {
           "items": [
             "Why <em>WonderWidgets</em> are great",
             "Who <em>buys</em> WonderWidgets"
           ],
           "title": "Overview",
           "type": "all"
         }
       ],
       "title": "Sample Slide Show"
     }
   }
    
   

5. Optional: Remove the resources that you created.

   kubectl delete routeoption dlp -n httpbin
   kubectl delete httproute httpbin-dlp -n httpbin