Additional Information on

Best practices when using Protegrity Anonymization

Mon, 01 Jan 0001 00:00:00 +0000

Ensure that the source file is clean based on the following checks:
- A column contains correct data values. For example, a field with numbers, such as salary, must not contain text values.
- Appropriate text as per the coding selected is present in the files. Special characters or characters that cannot be processed must not be present in the source file.
Move the anonymized data file and the logs generated to a different system before deleting your environment.

Protegrity Anonymization Risk Metrics

Mon, 01 Jan 0001 00:00:00 +0000

Definitions

The following definitions are used for risk calculations:

Data Provider or Custodian: The custodian of the data is responsible for controlling the sharing process by anonymizing the data. They also put in place additional controls to prevent the data from being misused or re‑identified.
Data Recipient: Person or institution who receives the data from the data provider.
Dataset: The collection of all records containing the data on subjects.
Adversary: A data recipient who has the motivation and capability to attempt re‑identification of the data. They may intend to use the data in ways that could be harmful to individuals represented in the dataset.
Target: Person whose details are in the dataset who has been selected by the adversary to focus the re-identification attempt on.

Types of risks

Protegrity Anonymization uses the Prosecutor, Journalist and Marketer risk models to access probability of re-identification attacks. A description of these risks are provided here.

AWS Checklist

Mon, 01 Jan 0001 00:00:00 +0000

Update the table using from your AWS account to configure the Protegrity Anonymization API.

Table: CLI Installation

Variable	Value	Obtain from
AWS Access Key ID		AWS > IAM > Users > <user_name> > Security credentials > Access key ID
AWS Secret Access Key		https://aws.amazon.com/blogs/security/how-to-find-updateaccess-keys-password-mfa-awsmanagement-console/
Default region name		AWS > EC2 > Region name from the upper-right corner
Default output format	json
metadata		AWS > EC2 > Region name from the upper-right corner
name		Specify a name
region
vpc
id		AWS > EC2 > Instance_Id > Networking > VPC ID
cidr		AWS > EC2 > Instance_Id > VPC_Id > IPv4 CIDR
subnets
private
us-east-1a		AWS > VPC > Subnets > Subnet > Availability Zone
id		AWS > VPC > Subnets > Subnet > Subnet ID
cidr		AWS > VPC > Subnets > Subnet > IPv4 CIDR
us-east-1b		AWS > VPC > Subnets > Subnet > Availability Zone
id		AWS > VPC > Subnets > Subnet > Subnet ID
cidr		AWS > VPC > Subnets > Subnet > IPv4 CIDR
nodeGroups
securityGroups
attachIDs		AWS > VPC > Security Groups > security_group > Security group ID

Working with Certificates

Mon, 01 Jan 0001 00:00:00 +0000

Use the commands provided in this section to work with and troubleshoot any certificate-related issues.

Verify the certificate and view the certificate information.
```
openssl verify -verbose -CAfile cacert.pem server.crt
```
Check a certificate and view information about the certificate, such as signing authority, expiration date, and other certificate-related information.
```
openssl x509 -in server.crt -text -noout
```
Check the SSL key and verify the key for consistency.
```
openssl rsa -in server.key -check
```
Verify the CSR and view the CSR data that was entered when generating the certificate.

values.yaml

Mon, 01 Jan 0001 00:00:00 +0000

The values.yaml file contains the configuration for setting up the Protegrity Anonymization API. Use the template provided with the Protegrity Anonymization API or copy the following code to a .yaml file and modify it as per your requirements before running it.

## PREREQUISITES
## Create separate namespace. Eg: kubectl create ns anon-ns. Update your namespace name in values.yaml.

## Running all pods in the namespace specific for Protegrity Anonymization API
namespace:
 name: anon-ns # Update the namespace if required.

## Prerequisite for setting up Database and S3 bucket Pod.
## This is to handle any new DB pod getting created that uses the same persistence storage in case the running Database pod gets disrupted.
## This persistence also helps persist Anon-storage data.
persistence:
 ## Update storageClassName based on the PV/PVC/Storage config.
 storageClassName: # Example: managed-premium for Azure, standard for AWS EKS, gp2 for AWS EC2, standard for GCP.
 fsType: ext4

## This section is required if the image is getting pulled from the Azure Container Registry
## create image pull secrets and specify the name here.
## remove the [] after 'imagePullSecrets:' once you specify the secrets
#imagePullSecrets: []
# - name: regcred

## This section is required if the S3 bucket image is getting pulled from the Azure Container Registry instead of Public Repo
## create image pull secrets and specify the name here.
## remove the [] after 'imagePullSecrets:' once you specify the secrets
#s3bucketImagePullSecrets: []
# - name: regcred

image:
 s3bucket_repo: quay.io/s3bucket/s3bucket # Public repo path for S3 bucket Image.
 s3bucket_tag: RELEASE.2025-04-03T14-56-28Z # Tag name for S3 bucket image.
 repository: <Repo_path> # Repo path for the Container Registry in Azure, AWS.
 anonapi_tag: <AnonImage_tag> # Tag name of the ANON-API Image.
 database_tag: <DatabaseImage_tag> # Tag name of the ANON-API Image.

 pullPolicy: Always


s3:
 enabled: false
 bucketName: "" # S3 bucket name for storage (must exist before installation)
 region: "us-east-1" # AWS region
 iamRoleArn: "" # IAM role ARN with S3 permissions (s3:ListBucket, s3:GetObject, s3:PutObject, s3:DeleteObject)


## Refer to the section in the documentation for setting up and configuring NGINX-INGRESS before deploying the application.
ingress:
 ## Add the host section with the hostname used as CN while creating server certificates.
 ## While creating the certificates you can use *.protegrity.com as CN and SAN as used in the below example
 host: anon.protegrity.com # Update the host according to your server certificates.

 ## To terminate TLS on the Ingress Controller Load Balancer.
 ## K8s TLS Secret containing the certificate and key must be provided.
 secret: anon-protegrity-tls # Update the secretName according to your secretName.

 ## To validate the client certificate with the above server certificate
 ## Create the secret of the CA certificate used to sign both the server and client certificate as shown in the example below
 ca_secret: ca-protegrity # Update the ca-secretName according to your secretName.

 ingress_class: nginx-anon
 ## IP Address of Ingress Server
 ## CMD: kubectl get service -n nginx
 ingressIP: <IP Address of Ingress Server> # Specify the external IP address obtained from above command.
 ## ingress connection timeout (connect/read/send time out interval)
 timeout: 600
## Typically the deployment includes checksums of secrets/config,
## So that when these change on a subsequent helm install, the deployment/statefulset
## is restarted, so set to "true" to disable this behaviour.
ignoreChartChecksums: false


## Create the volumes and specify the names here.
## remove the [] after 'volumes:' once you specify volumes
volumes: []
 #- name: gcs-secret ##This secret is used when user wants to read and write data to a Google cloud storage Refer DOC.
 #secret:
 #secretName: adc-gcs-creds

## Create the volumeMounts and specify the names here.
## remove the [] after 'volumeMounts:' once you specify volumeMounts
volumeMounts: []
 #- name: gcs-secret
 #mountPath: /home/anonuser/gcs

## Creating a service account for Anonymization
serviceaccount:
 name: anon-service-account

## Setting the pod security context
podSecurityContext:
 runAsNonRoot: true
 runAsUser: 1000
 fsGroup: 1000
 fsGroupChangePolicy: "OnRootMismatch"

# Configure the delays for Liveness Probe here
livenessProbe:
 initialDelaySeconds: 50
 periodSeconds: 40

#Configure the delays for Readiness Probe here
#Configure the delays for Readiness Probe here
readinessProbe:
 initialDelaySeconds: 60
 periodSeconds: 20
 timeoutSeconds: 5
 failureThreshold: 3


## ANON-APP ##
anonapp:
 name: anon-app-depl
 service:
 name: anon-app-svc
 port: 8090
 labels:
 appname: anonapp
 loglevel: INFO # To get logs at DEBUG: Set loglevel to DEBUG and do helm upgrade

## ANON-DATABASE ##
database:
 name: anon-db-sts
 labels:
 app: anon-db
 service:
 name: anon-db-svc
 port: 5432
 access_appdb:
 store: anondb
 username: anondbuser
 password: anondbpsw
 userContext:
 fsUser: 70
 fsGroup: 70
 fsGroupChangePolicy: "OnRootMismatch"
 persistence: ## Persistence Volume size
 accessMode: ReadWriteOnce
 size: 20Gi


## ANON-DASK ##
dask:
 scheduler:
 name: anon-scheduler-depl
 service:
 name: anon-dask-svc
 port: 8786
 daskUiPort: 8787
 labels:
 appname: dask
 worker:
 name: anon-worker-depl
## Increase the number of worker pods as per your requirement
 labels:
 app: dask-worker
 replicaCount: 1
 ## Resources defined for the worker pod
 worker_resources:
 requests:
 cpu: 2
 memory: 6Gi
 limits:
 cpu: 2
 memory: 6Gi

 ## Specs with which worker container should start
 containerSpecs:
 memLimit: "6G"
 nthreads: 2

 ## Worker pod env to read values from configMap manifest.
 ## A config Map(wrkr-specs) is used to set these values.
 workerPodEnv:
 - name: worker_mem_limit
 valueFrom:
 configMapKeyRef:
 name: wrkr-specs
 key: worker-mem-limit
 - name: num_threads
 valueFrom:
 configMapKeyRef:
 name: wrkr-specs
 key: num-threads
 hpa: 
 name: anon-worker-hpa
 autoscaling:
 minReplicas: 1 # Min number of worker pods which will be running when the cluster starts.
 maxReplicas: 3 # Max number of worker pods which will autoscale in the cluster.
 targetMemoryThreshold: 4Gi # Threshold memory-load beyond which worker pods will autoscale.

## FOR MORE INFO ABOUT PROCESSING LARGE DATASETS REFER TO THE DOCUMENTATION
########################################################################


## ANON-STORAGE ##
storage:
 ## Refer the following command for creating your own secret.
 ## CMD: kubectl create secret generic my-s3bucket-secret --from-literal=rootUser=foobarbaz --from-literal=rootPassword=foobarbazqux
 existingSecret: "" # Supply your secret Name for ignoring below default credentials.
 bucket_name: "anonstorage" # Default bucket name for S3 bucket
 secret:
 name: "storage-creds" # Secret to access s3bucket-server
 access_key: "anonuser" # Access key for s3bucket-server
 secret_key: "protegrity" # Secret key for s3bucket-server

 persistence:
 ## Path where PV would be mounted on the S3 bucket Pod
 mountPath: "/data"
 accessMode: ReadWriteOnce
 size: 20Gi
 service:
 name: anon-s3bucket-svc
 port: 8100
 securityContext:
 runAsUser: 1000
 runAsGroup: 1000
 fsGroup: 1000
 fsGroupChangePolicy: "OnRootMismatch"
 resources:
 requests:
 memory: 2Gi
 cpu: 1
 certsPath: "/etc/s3bucket/certs/"
 configPathmc: "/etc/s3bucket/mc/"

Setting up logging for the Protegrity Anonymization API

Mon, 01 Jan 0001 00:00:00 +0000

Logging is helpful to know the tasks being performed on the system. It is especially helpful to trace and resolve errors in the configuration and to see that a software is processing a request and is not stalled. You need to set up logging for the Protegrity Anonymization API if you require it. In logging, Protegrity Anonymization API captures the internal processing and saves it in a log file that you can view for further analysis. Update and use the script files provided here for logging as per your requirements.

Enabling Custom Certificates from SDK

Mon, 01 Jan 0001 00:00:00 +0000

Protegrity Anonymization API uses certificates for secure communication with the client. You can use the certificates provided by Protegrity or use your own certificates. Complete the configurations provided in this section to use your custom certificates with the SDK.

Before you begin

Ensure that the certificates and keys are in the .pem format.

Note: If you want to use the default Protegrity certificates for the Protegrity Anonymization API, then skip the steps to set up the certificates provided in this section.

Creating a DNS entry for the ELB hostname in Route53

Mon, 01 Jan 0001 00:00:00 +0000

This section describes the steps to configure hostnames specified in the values.yaml file of the Helm chart for resolving the hostname of the Elastic Load Balancer (ELB) that is created by the NGINX Ingress Controller.

Configure Route53 for DNS resolution.
- Create a private hosted zone in the Route53 service.
- In our case, the domain name for the hosted zone is protegrity.com.
- Select the VPC where the Kubernetes cluster is created.
Create a hostname for the ELB in the private hosted zone created in step 1.