Some of our terminology is intuitive and some is specific to the product. Common terms are defined below.
Shared accounts where users can collaborate across many vaults at once.
A partition for storing data within a VGS organization. An organization can have many vaults.
Every vault has a unique vault ID: a string value beginning with the prefix `tnt`, for example
An individual account that can be added to an organization to work on a certain vault and, in the future, have different defined roles.
An entity that makes a request through the VGS platform.
Outbound routes and all SFTP proxies are authenticated. Credentials are required to access these zones.
An endpoint exposed to a customer that allows sending data from one point to another. A Route has a source and a destination that determines the flow of traffic through the vault. Filters are then attached to the Route to determine what data is transformed and segmented as it passes through the Route.
- Inbound route - sits in front of an upstream host and redacts, reveals, and enriches data as it passes through.
- Outbound route - sits in the stream of traffic from a host or network and redacts, reveals, and enriches data as it passes through.
A set of conditions that define when data should be operated on as it passes through a Route. When the conditions evaluate to true, a set of operations (a pipeline) is executed according to the phase.
An entry in the vault. A record has a raw value, a fingerprint and an identifier. Identifiers are present on redacted data and are used to find the raw value when the data is revealed. An identifier can have multiple formats; the currently supported record identifier formats are UUID, PDF, and FP (format preserving).
Records currently come in two varieties:
- Aliases - text based records
- Documents - binary based records, for example PDFs
To remove sensitive information from the payload and replace it with a different value.
To restore sensitive data pieces in a previously redacted payload.
A transformation or action on information. When a filter is matched it will apply a series of operations on the matched data.
- OPERATIONs before the REDACT or REVEAL of the data
- OPERATIONs after the REDACT or REVEAL of the data
The storage value controls how aliases are stored. A persistent mode allows storing data on a permanent basis. Volatile storage has an expiration of 1 hr.
A set of operations. The output of each operation in the pipeline is the input for the subsequent operation.
Each message passed through a route has a phase.
The host that sits on the remote side of the route from the client who is initiating the request.
Upstream host + path.
The part of the payload passing through the proxy that will be operated on when a policy is matched (can be HEADER or BODY).
Formats come in several varieties to choose from based on your use case.
- Generic - VGS Alias: Can be used for any piece of data, alphanumeric data is fine. Format returns a surrogate value like `tok_sandbox_xxxxxxxxxxxxxxxxxxxxxxxxx` where the x’s are alphanumeric characters.
- Generic - Numeric Length Preserving: Can be used for any number that needs to have its length maintained for form validation or other reasons where the length returned matters. This does not support numbers less than 3. If the number is less than 3, then a generic VGS alias will be generated.
- Payment Card - Format Preserving, Luhn Valid (6T4): To be used for payment cards when you need them to still go through a validation check and capture the BIN (Bank Identification Number) and the last four digits. Example: `4111111111111111` becomes something like `4111119381251111`. If the payment card number is not Luhn valid or has an incomplete length, then a generic VGS alias will be generated.
- Payment Card - Format Preserving, Luhn Valid (T4): To be used for payment cards where you do not need a BIN but the alias is still Luhn valid to pass validation checks on your system. `5555555555554444` would become something like `9399630812244444`. If the payment card number is not Luhn valid or has an incomplete length, then a generic VGS alias will be generated.
- Payment Card - Prefixed, Luhn Valid, 19 Digits Fixed Length: This format makes it easy to distinguish between real sensitive data and the surrogate values. For example `9914040119524511881`. The prefix here is `1` reserved for versioning of this format. The 4th and 5th digits represent the first two digits of the original PAN and the last four digits represent the last four from the original PAN. If the payment card number is not Luhn valid or has an incomplete length, then a generic VGS alias will be generated.
- SSN - Format Preserving (A4): Can be used for a social security number (SSN). The SSN can be given with or without dashes. For example `567-34-5672` would have an alias like `123-945-5672`; the last four digits are the same.
- Account Number - Numeric Length Preserving (A4): Can be used for a numeric account number. The length of the value can range from 7 to 17. It keeps the last four digits untouched.
- Account Number - Alphanumeric Length Preserving (A4): Can be used for an alphanumeric account number. The length of the value can range from 7 to 17. It keeps the last four characters untouched.
- Generic - VGS Alias Last Four (T4): Can be used for any type of data. This will generate an alias with the last four characters of the original value after the alias - `tok_sandbox_xxxxxxxxxxxxxxxxxxxxxxxxx_<last_four>`, where the x’s are alphanumeric characters. The length of the value has to be greater than or equal to 7; otherwise it will fall back to `Generic - VGS Alias`, i.e. if you use it with account numbers - `tok_sandbox_2fVQ84qP1y7GqjKb9GMwed_4545`. Any other value -
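
The payment card formats above promise specific properties (Luhn validity, preserved last four, preserved BIN for 6T4, fixed 19-digit layout for the prefixed format) that an integration test can verify on redacted output. The following checker is an added example, not VGS code; the format labels `6T4`, `T4` and `PREFIXED19`, the function names and the `tok_sandbox_` pattern (taken from the sandbox samples on this page) are assumptions of the example.

```python
import re

def luhn_valid(number: str) -> bool:
    """Luhn checksum over a string of decimal digits."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Sandbox generic-alias shape as shown on this page (assumed pattern).
GENERIC_ALIAS = re.compile(r"^tok_sandbox_[A-Za-z0-9]+$")

def check_card_alias(fmt: str, pan: str, alias: str) -> list[str]:
    """Return the documented properties the alias violates ([] = conforms).

    fmt is a label made up for this example: "6T4", "T4" or "PREFIXED19".
    """
    if GENERIC_ALIAS.match(alias):
        # Documented fallback for a PAN that is not Luhn valid or is incomplete.
        # The page gives no length threshold, so only the Luhn cause is checked.
        if luhn_valid(pan):
            return ["generic alias returned for a Luhn-valid PAN"]
        return []
    problems = []
    if alias == pan:
        problems.append("alias equals the raw PAN")
    if not luhn_valid(alias):
        problems.append("alias is not Luhn valid")
    if alias[-4:] != pan[-4:]:
        problems.append("last four digits not preserved")
    if fmt == "6T4" and alias[:6] != pan[:6]:
        problems.append("BIN (first six digits) not preserved")
    if fmt in ("6T4", "T4") and len(alias) != len(pan):
        problems.append("length not preserved")
    if fmt == "PREFIXED19":
        if len(alias) != 19:
            problems.append("alias is not 19 digits")
        if alias[3:5] != pan[:2]:
            problems.append("4th and 5th digits differ from first two PAN digits")
    return problems
```

An empty list means the surrogate matches what the format description promises; any entry points to a route or filter configured with a different format than expected, or to raw data passing through unredacted.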