
Data Elements

An overview of the data elements used to protect the data.

Data Elements are the most critical elements of data protection. Data Elements determine how cryptographic algorithms are applied to data.

Typically, there is one Data Element per data type, for example name, address, or credit card number. This allows granular control over each kind of sensitive data.

Protegrity supports two types of Data Elements:

  • Structured: Used for fine-grained field- and column-level protection. For example, a name attribute in a JSON file, or a column in a database table storing customer names.
  • Unstructured: Used for coarse-grained file protection. It is only applicable to the Protegrity File Protector.

To create, view and manage Data Elements, navigate to Policy Management from the main menu, and choose Data Elements & Masks. The Data Elements tab opens by default.

Creating Data Elements

Before creating a Data Element, understand the type and format of the data that you are protecting, and what output you require. For example, if length and format preservation are required, tokenization or Format Preserving Encryption (FPE) are the recommended methods.
For guidance regarding the protection methods, refer to the section Protection Methods Reference.

To add a new Data Element:

  1. On the ESA Web UI, navigate to Policy Management > Data Elements & Masks.

    The Data Elements tab appears by default.

  2. Click Add New Data Element.

    The New Data Element screen appears.

  3. Specify the following common properties for each Data Element:

    Type: Type of the Data Element to be created, for example, Structured or Unstructured.
    Name: Unique name identifying the Data Element. The maximum length of the name is 55 characters.
    Description: Text describing the Data Element.
    Method: Type of data protection to apply:
    • Tokenization
    • Encryption
    • Format Preserving Encryption (FPE)
    • Hashing
    • Masking
    • Monitoring

    Depending on the chosen protection method, additional configuration options appear. For example, Encryption has an option to use Initialization Vectors, while Tokenization shows different tokenization options depending on the data type.
    For more information about the available protection methods and their properties, refer to the section Protection Methods Reference.
  4. Click Save.

Note: You can use the Policy Management REST API to create Data Elements.

Managing Data Elements

After a Data Element is created, its properties cannot be modified; only the description can be changed. To apply different protection settings, create a new Data Element instead.

Deleting Data Elements

A Data Element can be deleted only after it has been removed from every policy to which it is attached.

To remove a Data Element:

  1. On the ESA Web UI, navigate to Policy Management > Data Elements & Masks.

    The Data Elements tab appears by default.

  2. Select the Data Element from the list, and click the Delete action.

    A confirmation dialog box appears.

  3. Click OK.

    A message Data Element has been deleted successfully appears.

Warning: The Delete action cannot be reversed. By deleting a Data Element, you are effectively removing the cryptographic material associated with that Data Element, and you lose the ability to re-identify any data protected with it. Before deleting, confirm that no protected data still depends on the Data Element and that a current policy backup exists. You can only restore Data Elements by restoring the Policy from a backup file.

1 - Example - Creating a Token Data Element

This example shows how to create a numeric tokenization Data Element that tokenizes numeric data.

Note: Token Data Elements are used with all protectors except the File Protector.

To create a structured data element:

  1. On the ESA Web UI, navigate to Policy Management > Data Elements & Masks > Data Elements.

  2. Click Add New Data Element.

    The New Data Element screen appears.

  3. Select Structured from Type.

  4. Type a unique name for the data element in the Name textbox.

    Note: Ensure that the length of the data element name does not exceed 55 characters.

  5. Type the description for the data element in the Description textbox.

  6. Select the protection method from the Method drop-down. In this example, select Tokenization.

  7. Select the tokenization data type from the Data Type drop-down. In this example, select Numeric (0-9).

    For more information about the different data types, refer to the section Protection Methods Reference.

  8. Select the tokenizer from the Tokenizer drop-down.

    For more information about the different tokenizers, refer to the section Protection Methods Reference.

  9. If the tokenizer should leave characters in the clear, then set the number of characters to keep from the left and from the right in the From Left and From Right text boxes.

    Characters left in the clear are not protected; keep them to the minimum the use case needs, for example the last four digits of a card number.

    For more information on the maximum and minimum input values for these fields, refer to the section Minimum and Maximum Input Length in the section Protection Methods Reference.

  10. If the token length must equal the input length, then select the Preserve length check box.

  11. If you select the Preserve length option, then you can also choose the behavior for short data tokenization in the Allow Short Data drop-down.

  12. Click Save.

A message Data Element has been saved successfully appears.
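The following Python model is an added example, not code from the Protegrity documentation or product. It shows what the settings chosen above (Numeric (0-9) data type, From Left and From Right, a minimum input length, Allow Short Data) do to a value at protect and unprotect time. The page does not describe how the product's tokenizers work internally, so this toy keeps a random value-to-token vault in memory purely to make the behaviour observable; the class and method names, the pass-through behaviour for Allow Short Data, and the 16-digit sample value are all assumptions made for the example.

```python
import secrets
import string

DIGITS = string.digits  # the Numeric (0-9) data type selected in the Data Element


def split_clear(value, from_left, from_right):
    """Split value into (left clear part, core to protect, right clear part)."""
    if from_left + from_right > len(value):
        return value, "", ""  # nothing left to protect; the caller decides what to do
    end = len(value) - from_right
    return value[:from_left], value[from_left:end], value[end:]


class NumericTokenDataElement:
    """Toy model of a structured Tokenization Data Element (Numeric 0-9).

    Assumption: a token is a random digit string of the same length as the
    protected core (Preserve length), and the value<->token mapping lives in
    an in-memory vault. This is an illustration of the settings only, not
    the product's tokenizer.
    """

    def __init__(self, from_left=0, from_right=0, min_core_length=2,
                 allow_short=False):
        self.from_left = from_left
        self.from_right = from_right
        self.min_core_length = min_core_length
        self.allow_short = allow_short
        self._token_for = {}  # core value -> token core
        self._value_for = {}  # token core -> core value

    @staticmethod
    def _check_numeric(value):
        if not value or any(ch not in DIGITS for ch in value):
            raise ValueError("Numeric (0-9) data element: input must be digits only")

    def tokenize(self, value):
        self._check_numeric(value)
        left, core, right = split_clear(value, self.from_left, self.from_right)
        if len(core) < self.min_core_length:
            # Allow Short Data is modelled as pass-through in the clear when
            # enabled and as a hard rejection otherwise (assumption).
            if self.allow_short:
                return value
            raise ValueError("input too short to tokenize")
        token = self._token_for.get(core)
        if token is None:
            used_here = sum(1 for t in self._value_for if len(t) == len(core))
            if used_here >= 10 ** len(core) - 1:
                raise RuntimeError("token space exhausted for this length")
            while True:
                token = "".join(secrets.choice(DIGITS) for _ in range(len(core)))
                # A token must be unique (so it can be reversed) and must not
                # equal the plaintext it replaces.
                if token != core and token not in self._value_for:
                    break
            self._token_for[core] = token
            self._value_for[token] = core
        return left + token + right

    def detokenize(self, token):
        self._check_numeric(token)
        left, core, right = split_clear(token, self.from_left, self.from_right)
        if len(core) < self.min_core_length and self.allow_short:
            return token  # was passed through in the clear
        try:
            return left + self._value_for[core] + right
        except KeyError:
            # Without the vault (the "cryptographic material" of this toy),
            # the token can never be re-identified.
            raise LookupError("no vault entry: token cannot be re-identified") from None


if __name__ == "__main__":
    de = NumericTokenDataElement(from_left=6, from_right=4)
    pan = "4111111111111111"  # constructed sample value
    tok = de.tokenize(pan)
    print(pan, "->", tok, "->", de.detokenize(tok))
```

Note that a second, separately created element cannot reverse tokens issued by the first: that is the point of the deletion warning above, since the material that maps tokens back to values is what is lost.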

2 - Example - Creating an FPE Data Element

This example shows how to create an FPE Data Element that encrypts data drawn from a selected Plaintext Alphabet.

To create a structured FPE data element:

  1. On the ESA Web UI, navigate to Policy Management > Data Elements & Masks > Data Elements.

  2. Click Add New Data Element.

    The New Data Element screen appears.

  3. Select Structured from Type.

  4. Enter a unique name for the data element in the Name textbox.

    Note: Ensure that the length of the data element name does not exceed 55 characters.

  5. Type the description for the data element in the Description textbox.

  6. Select FPE NIST 800-38G from the Method drop-down.

  7. Select a data type from the Plaintext Alphabet drop-down.

  8. Configure the minimum input length from the Minimum Input Length text box.

  9. Select the tweak input mode from the Tweak Input Mode drop-down.

    For more information about the tweak input mode, refer to the section Tweak Input in the Protection Methods Reference Guide.

  10. Select the short data configuration from the Allow Short Data drop-down.

    Note: FPE does not support input shorter than 2 characters; set the Minimum Input Length accordingly.

    For more information about length preservation and short tokens, refer to section Length Preserving.

    Note: If you create a short data token in a policy and then deploy the policy, Forensics displays a policy deployment warning indicating that the data element has unsupported settings.

  11. Enter the number of input characters to be retained in the clear in the From Left and From Right text boxes.

    For more information about this setting, refer to the section Left and Right Settings.

  12. Configure any special numeric data handling request, such as Credit Card Number (CCN), in the Special numeric alphabet handling drop-down.

    For more information about handling special numeric data, refer to the section Handling Special Numeric Data.

  13. Click Save.

A message Data Element has been created successfully appears.
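The following Python code is an added example, not code from the Protegrity documentation or product, and it is not NIST SP 800-38G FF1: it uses a generic Feistel network with an HMAC-SHA256 round function as a stand-in, so that the settings from the steps above (Plaintext Alphabet, Minimum Input Length, tweak input, Allow Short Data, From Left and From Right) can be seen working on real values. It goes beyond the single alphabet of the example by accepting any alphabet, and its minimum-length check encodes the SP 800-38G rule that the domain radix^minlen must be large enough (at least 100 in the 2016 text, at least 1,000,000 in the Rev. 1 draft). The class, function and alphabet names, the key, the tweak values and the sample inputs are all assumptions made for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

ALPHABETS = {  # Plaintext Alphabet choices modelled for this example (assumption)
    "Numeric": "0123456789",
    "Alpha upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "Alphanumeric": "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
}
ROUNDS = 10  # FF1 also uses 10 Feistel rounds


def check_min_input_length(radix, min_len, domain_threshold=1_000_000):
    """SP 800-38G requires minlen >= 2 and radix**minlen >= 100 (2016 text);
    the Rev. 1 draft raises that floor to 1,000,000. A domain that is too
    small is exactly what the short-data warnings on this page are about."""
    return min_len >= 2 and radix ** min_len >= domain_threshold


def _num(s, alphabet):
    """Interpret a string over the alphabet as a base-radix integer."""
    n = 0
    for ch in s:
        n = n * len(alphabet) + alphabet.index(ch)
    return n


def _str(n, length, alphabet):
    """Inverse of _num, zero-padded to a fixed length so format is preserved."""
    radix = len(alphabet)
    out = []
    for _ in range(length):
        n, d = divmod(n, radix)
        out.append(alphabet[d])
    return "".join(reversed(out))


def _prf(key, tweak, rnd, half):
    """Round function: the tweak binds the ciphertext to its context, so the
    same value in another column (other tweak) encrypts differently."""
    msg = tweak + bytes([rnd]) + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


@dataclass
class FPEDataElement:
    alphabet: str
    min_input_length: int = 6
    from_left: int = 0
    from_right: int = 0
    allow_short: bool = False

    def _split(self, value):
        if self.from_left + self.from_right > len(value):
            return value, "", ""
        end = len(value) - self.from_right
        return value[:self.from_left], value[self.from_left:end], value[end:]

    def _check(self, core):
        if any(ch not in self.alphabet for ch in core):
            raise ValueError("character outside the plaintext alphabet")
        if len(core) < max(2, self.min_input_length):  # FPE needs >= 2 symbols
            if self.allow_short:
                return False  # Allow Short Data modelled as pass-through (assumption)
            raise ValueError("input shorter than minimum input length")
        return True

    def _feistel(self, core, key, tweak, decrypt):
        radix = len(self.alphabet)
        u = len(core) // 2
        v = len(core) - u
        a, b = core[:u], core[u:]
        order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
        for i in order:
            m = u if i % 2 == 0 else v  # length of the half rewritten in round i
            if decrypt:
                y = _prf(key, tweak, i, a) % radix ** m
                c = (_num(b, self.alphabet) - y) % radix ** m
                a, b = _str(c, m, self.alphabet), a
            else:
                y = _prf(key, tweak, i, b) % radix ** m
                c = (_num(a, self.alphabet) + y) % radix ** m
                a, b = b, _str(c, m, self.alphabet)
        return a + b

    def protect(self, value, key, tweak=b""):
        left, core, right = self._split(value)
        if not self._check(core):
            return value
        return left + self._feistel(core, key, tweak, False) + right

    def unprotect(self, value, key, tweak=b""):
        left, core, right = self._split(value)
        if not self._check(core):
            return value
        return left + self._feistel(core, key, tweak, True) + right


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed test key, never use a fixed key in practice
    de = FPEDataElement(ALPHABETS["Numeric"], min_input_length=6, from_left=6, from_right=4)
    ct = de.protect("4111111111111111", key, tweak=b"card-table")
    print(ct, de.unprotect(ct, key, tweak=b"card-table"))
```

The tweak is not secret but it must be supplied identically on unprotect, so the tweak input mode chosen in step 9 is part of the data's format contract. With From Left 6 and From Right 4 on a 16-digit value only six digits are actually encrypted, which is why check_min_input_length is applied to the protected core rather than to the whole field.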

3 - Example - Creating a Data Element for Unstructured Data

This example shows how to create an AES-256 data element that is used to encrypt a file.

Note: Unstructured data elements are exclusively applicable to Protegrity File Protector.

To create an unstructured data element:

  1. On the ESA Web UI, navigate to Policy Management > Data Elements & Masks > Data Elements.

  2. Click Add New Data Element.

    The New Data Element screen appears.

  3. Select Unstructured from Type.

  4. Type a unique name for the data element in the Name textbox.

    Note: Ensure that the length of the data element name does not exceed 55 characters.

  5. Type the required description for the data element in the Description textbox.

  6. Select AES-256 from the Method drop-down list.

  7. If the Data Element should support more than one key instance, then select the Use Key ID (KID) check box.

  8. Click Save.

A message Data Element has been saved successfully appears.