Protecting PII from Unauthorized Viewing with Data Masking

What Is PII?

PII is personally identifiable information (PII) that can be used to identify, contact, or locate a person. 

For example, PII includes phone numbers, home addresses, and email aliases as well as social security numbers, credit card numbers, and medical history. All global organizations have some requirements for protecting the PII of customers and staff. PII compliance regulations vary by industry and country. However, some of the most common data-protection regulations are HIPAA, PCI DSS, GDPR, and SOX.

What Is Data Masking?

Data masking is a process used to protect PII or other types of sensitive information — such as passwords — from unauthorized access via obfuscation. 

An example of data masking is the representation of typed passwords with bullets (•) or asterisks (*) in an application form. You can also use data masking to prevent sensitive data — such as employee salaries or customers’ credit card numbers — from displaying in applications used by IT staff such as debuggers and monitoring tools.

Protecting PII from Unauthorized Viewing Using Data Masking

To monitor and debug PHP applications, developers and administrators need to analyze the information in log files. That’s because they contain a detailed record of the data applications collect, share, and generate. For example, log files include metrics about application performance, memory usage, request status, and application error messages. 
And sometimes — even though it’s not a best practice — log files could contain PII information associated with logins, user profiles, and other sensitive data that people enter in forms.

Risks of Not Masking PII Data

Typically, developers and site administrators are not authorized to view the PII of your employees and customers. If you do not mask PII data in logs from displaying when developers work on your PHP applications, you risk:

• Exposing sensitive data and jeopardizing PII compliance.
• Slowing issue resolution and overall efficiency by having data compliance officers scrub data before debugging and code maintenance can take place. 

You Can Mask PII from Displaying When Working on Code with Zend Server

With Zend Server, you can mask the PII in PHP log files from displaying when monitoring, analyzing, and debugging code using tools such as Z-Ray, Code Tracing, and URL Insights. As a result, developers can instantly access the information they need to tune and debug code, and you help ensure PII compliance. 

To mask data that displays on Zend Server screens, you configure rules that restrict what information Zend Server collects from applications. For example, you can mask the PII information — such as emails, names, credit card information, and social security numbers entered by any user —that Zend Server collects when monitoring:

• Individual functions.
• All the functions in a class, including function/method arguments and their return values.
• Methods.
• SQL queries across a variety of databases.
• High-level requests (GET, POST, and COOKIE).
• Return values.
• Session data.

And you can mask PII information that could display in the Z-Ray debugger when analyzing: 

• Engine execution, including virtual breakpoints.
• Custom logic built using the Z-Ray API.
• HTTP requests.
• PHP middleware requests — such as Zend Framework Expressive and Mezzio — via the Zend Server plugins.

Protecting Passwords with Zend Server

Let’s walk through how you can mask a password from displaying when debugging a Drupal site using data masking in Zend Server. For the purposes of this example, let’s pretend that you are a Drupal administrator and you have not configured any data masking rules. When you log into Zend Server, you will see a window that looks something like this: 

After you enter your name and password, you’ll be viewing your site from the Zend Server administrative console. The toolbar on the bottom of the screen are tabs that are running in the live Z-Ray debugger/profiler. When you click on the lower left button to see information about your site’s successful (200) requests, your Z-Ray display might look something like this: 

You can see all the data collected from your login request, including your username and password. To hide that information, I’ll go to:

1. Security > privacy to enable data masking.
2. Masked identifiers > keys, and add “pass” since it’s the key under which the password is transmitted.

Let’s log in again and look at the same request:

Notice anything different? The password is now shown as “****”. 

Protecting PII Entered in Forms from Displaying in Zend Server Functions 

Let’s look at another example of protecting PII. This time, let’s pretend I am a developer who created a custom contact form that has a social security number (SSN) field. When I test the form using Zend Server, I will see a window that looks something like this:

After I submit the completed form, I use Z-Ray to look at the function calls, including insights about memory usage. I will see a window that looks something like this:

The value I entered for SSN is unmasked and clearly visible: 111-22-3456. 

To hide the SSNs that people will be entering in my form, I can:

•    Mask the field itself as I did in the first example. 
•    Mask SSNs by using a regular expression match which we’ll do in this next example. 

To demonstrate, let’s set a pattern to recognize and mask SSNs by matching expressions:

If I submit the request again, the value is now masked.

Meet Requirements for PII Compliance While Increasing Application Insight 

You can meet your PII compliance requirements and give developers and administrators the detailed insight they need to rapidly tune and debug applications by using data masking in Zend Server. 

Try data masking in Zend Server yourself by taking advantage of the free 30-day trial.

 Start Free Trial

Related Resources

• 101 Guide: PHP Security
• Blog: PHP Encryption with Libsodium
• Blog: Tips for PHP Security
• Blog: Managing Security Risks in the PHP Engine and Web Applications
• Webinar: PHP Engine Security
• Blog: An Easier Way to Update PHP and Secure Your Apps