Some of the terminology here is intuitive and some is specific to the product; common terms are defined below.
Shared accounts where users can collaborate across many vaults at once.
A partition for storing data within a VGS organization. An organization can have many vaults.
Every vault has a unique vault id: a string value beginning with the prefix tnt, for example
An individual account that can be added to an organization to work on a certain vault and, in a forthcoming release, have different defined roles.
An entity that makes a request through the VGS platform.
Outbound routes and all SFTP proxies are authenticated; credentials are required to access these zones.
An endpoint exposed to a customer that allows sending data from one point to another. A Route has a source and a destination that determine the flow of traffic through the vault. Filters are then attached to the Route to determine what data is transformed and segmented as it passes through it.
A set of conditions that define when data should be operated on as it passes through a Route. When the conditions evaluate to true, a set of operations (a pipeline) is executed according to the phase.
An entry in the vault. A record has a raw value, a fingerprint and an identifier. Identifiers are present on redacted data and are used to find the raw value when data is revealed. An identifier can have multiple formats; the currently supported record identifier formats are UUID, PDF, and FP (format preserving).
Records currently come in two varieties:
- Aliases - text based records
- Documents - binary based records, for example PDFs
To remove sensitive information from the payload and replace it with a different value.
To restore sensitive data pieces in a previously redacted payload.
A transformation or action on information. When a filter is matched, it applies a series of operations to the matched data.
- OPERATIONs before the REDACT or REVEAL of the data
- OPERATIONs after the REDACT or REVEAL of the data
The storage value controls how aliases are stored. Persistent mode stores data on a permanent basis; volatile storage expires after 1 hr.
A set of operations. The output of each operation in the pipeline is the input for the subsequent operation.
Each message passed through a route has a phase.
The host that sits on the remote side of the route from the client that is initiating the request.
Upstream host + path.
The part of the payload passing through the proxy that will be operated on when a policy is matched (can be HEADER or BODY).
Formats come in several varieties to choose from based on your use case.
- Generic - VGS Alias: Can be used for any piece of data; alphanumeric data is fine. The format returns a surrogate value like tok_sandbox_xxxxxxxxxxxxxxxxxxxxxxxxx where the x’s are alphanumeric characters.
- Generic - Numeric Length Preserving: Can be used for any number that needs its length maintained for form validation or other reasons where the returned length matters.
- Payment Card - Format Preserving, Luhn Valid (6T4): To be used for payment cards when you need them to still pass a validation check and to capture the BIN (Bank Identification Number) and the last four digits. For example, 4111111111111111 becomes something like
- Payment Card - Format Preserving, Luhn Valid (T4): To be used for payment cards where you do not need the BIN but the value is still Luhn valid, so it passes validation checks on your system. For example, 5555555555554444 would become something like
- Payment Card - Prefixed, Luhn Valid, 19 Digits Fixed Length: This format makes it easy to distinguish between real sensitive data and the surrogate values. For example, 9914040119524511881. The prefix here is 1, reserved for versioning of this format.
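As an added illustration (not VGS code, and not how the platform itself generates aliases), here is a small Python model of the two Luhn-valid, format-preserving payment card formats above: it builds a constructed surrogate that keeps the chosen leading digits and the last four while staying Luhn-valid, and provides the property checks an integrator would run on a 6T4 or T4 alias before trusting it in downstream validation.

```python
import secrets


def luhn_checksum(digits: str) -> int:
    """Luhn sum (mod 10) of a digit string; a valid number yields 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True if `pan` is all digits and passes the Luhn check."""
    return pan.isdigit() and len(pan) >= 2 and luhn_checksum(pan) == 0


def make_luhn_valid_surrogate(pan: str, keep_first: int, keep_last: int = 4) -> str:
    """Constructed stand-in for a format-preserving alias: keep the first
    `keep_first` and last `keep_last` digits, randomise the rest, then pick
    one middle digit so the result is still Luhn-valid
    (6T4: keep_first=6, T4: keep_first=0)."""
    if not luhn_valid(pan):
        raise ValueError("input must be a Luhn-valid card number")
    middle_len = len(pan) - keep_first - keep_last
    if middle_len < 1:
        raise ValueError("no free digit left to fix the checksum")
    head, tail = pan[:keep_first], pan[len(pan) - keep_last:]
    middle = [secrets.randbelow(10) for _ in range(middle_len)]
    # A single digit position can absorb every residue mod 10, so one of the
    # ten candidates for the first middle digit always makes the sum 0.
    for candidate in range(10):
        middle[0] = candidate
        surrogate = head + "".join(map(str, middle)) + tail
        if luhn_checksum(surrogate) == 0:
            return surrogate
    raise AssertionError("unreachable: some digit always fixes the checksum")


def matches_6t4(original: str, surrogate: str) -> bool:
    """6T4 alias checks: same length, Luhn-valid, BIN (first 6) and last 4 kept."""
    return (len(surrogate) == len(original) and luhn_valid(surrogate)
            and surrogate[:6] == original[:6] and surrogate[-4:] == original[-4:])


def matches_t4(original: str, surrogate: str) -> bool:
    """T4 alias checks: same length, Luhn-valid, last 4 kept."""
    return (len(surrogate) == len(original) and luhn_valid(surrogate)
            and surrogate[-4:] == original[-4:])
```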