
Privacy spotlight: Control compliance in Dynatrace with multiple layers of sensitive data masking

Dynatrace advanced data privacy controls offer unprecedented control over how sensitive data is captured and processed by Dynatrace. This blog post explains how our multi-layered data masking capabilities allow you to exclude, substitute, and hide sensitive data points for end-to-end control and protection. Additionally, we introduce our new at-capture masking capabilities.

Stay compliant in an ever-changing environment

As a platform for unified observability and security, Dynatrace provides intelligent answers that help you accelerate digital business transformation. Observing complex environments involves handling regulatory, compliance, and data governance requirements. This continuously evolving landscape requires careful management and clarity regarding how sensitive data is used. This is particularly important when dealing with large volumes of data.

Dynatrace multi-layered masking capabilities allow you to conveniently stay on top of these requirements. They ensure you get answers from your invaluable data while effortlessly taking care of sensitive data points related to digital compliance requirements for GDPR, CCPA, HIPAA, LGPD, PCI-DSS, and more—at scale throughout the Dynatrace data lifecycle!

Control how sensitive data is used

Empower yourself with complete control as you effortlessly select the data you want to capture with Dynatrace. The whole experience is designed to fit into your individual data governance and compliance framework. To reach this granular level of control, Dynatrace offers data masking features on multiple levels that can be applied in layers:

Masking at capture: Data is persistently masked at first contact with Dynatrace. When using Dynatrace OneAgent®, captured data doesn’t leave the monitored environment.

Masking at storage: Data is persistently masked upon ingestion into Dynatrace. (Besides masking, you can also set up other customized operations via the ingest pipeline configuration.)

Masking at display: Sensitive data points are stored in their original form but are only readable by users with the right permissions.

With this three-layer design, you enjoy maximum flexibility in managing sensitive data points end-to-end.

Leverage three masking layers

Masking at capture and masking at storage operations exclude targeted sensitive data points. Data points that undergo this operation are not recoverable or re-engineerable, making it the perfect solution for controlling which sensitive data points are ingested by Dynatrace. Other tools typically rely on attributes and markers that require unnecessary manual effort. This includes digging through each monitored data source and adding tags to the sensitive data points; this process is usually expensive, exhausting, error-prone, and unscalable.

Dynatrace offers a more user-friendly approach, leveraging a mix of pre-defined patterns to be recognized and excluding selected sensitive data points like credit card numbers, email addresses, end-user IP addresses, and more.

Sometimes, you might need to configure additional masking rules; this is possible using the respective settings (see the illustration below). Especially when working with log data, keeping the context of the original data points is often crucial. For such cases, Dynatrace offers the option to replace sensitive data points with a hash or a self-defined string, calling out the replaced data point type (for example, <emailaddress>).
Read more about these options in the Log Monitoring documentation.

Masking at display hides data points from the readers who don’t have sufficient permissions, giving you granular control down to the record level. Instead of limiting access to all the valuable information about a monitor or a whole webpage, this approach hides selected data points based on fully configurable permission policies, helping your teams stay productive while enforcing your data governance rules.

Privacy masking overview

Upgraded masking at capture for OneAgent

With recent upgrades to OneAgent version 1.285+ *, we introduced new extended at-capture masking capabilities and now provide masking rules for the most commonly encountered sensitive data points in URIs and exception messages. You can choose to mask email addresses, query parameters, financial and payment card numbers, IDs, and other numeric values that might not be needed. The selected rules can be configured for a whole environment or, more granularly, for specific process groups. When enabled, such data points are masked directly at first contact with OneAgent and never leave your monitored environment.

*Does not include RUM JavaScript, which will be delivered in an upcoming release.
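The sketch below is an added example, not Dynatrace code or its built-in rules. It illustrates the two ideas described above: replacing a sensitive data point with a type placeholder or a hash, and masking email addresses, card numbers, and query parameter values in URIs and exception messages. The regex patterns, function names, token format, and key are assumptions made for this illustration.

```python
import hashlib
import hmac
import re

# Constructed patterns for this example; not Dynatrace's built-in rules.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")          # 13-19 digits
QUERY = re.compile(r"(?<=[?&])([^=&#\s]+)=([^&#\s]*)")  # key=value pairs
TOKEN = re.compile(r"<[a-z]+(?::[0-9a-f]{12})?>")       # already masked


def luhn_ok(number: str) -> bool:
    """Luhn checksum, so order IDs are not mistaken for card numbers."""
    digits = [int(c) for c in reversed(number) if c.isdigit()]
    odd = sum(digits[0::2])
    even = sum(d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2])
    return (odd + even) % 10 == 0


def token(kind: str, value: str, mode: str, key: bytes) -> str:
    """Return '<kind>', or '<kind:digest>' in hash mode."""
    if mode != "hash":
        return f"<{kind}>"
    # Keyed HMAC rather than a bare hash: equal inputs still give equal
    # tokens, but low-entropy values cannot be guessed without the key.
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"<{kind}:{mac}>"


def mask(text: str, mode: str = "placeholder", key: bytes = b"constructed-key") -> str:
    def card(m):  # mask only Luhn-valid digit runs
        if luhn_ok(m.group()):
            return token("cardnumber", m.group(), mode, key)
        return m.group()

    def query(m):  # keep the parameter name, mask the value unless already a token
        if TOKEN.fullmatch(m.group(2)):
            return m.group(0)
        return f"{m.group(1)}=" + token("queryvalue", m.group(2), mode, key)

    text = EMAIL.sub(lambda m: token("emailaddress", m.group(), mode, key), text)
    return QUERY.sub(query, CARD.sub(card, text))


# Constructed sample lines (not real data).
SAMPLE = [
    "GET /checkout?email=alice@example.com&page=2 500",
    "PaymentException: card 4111 1111 1111 1111 declined for order 1234567890123456",
]
```

In hash mode the same input always yields the same token, so masked records can still be correlated across log lines without exposing the original value.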

Granular masking configuration made simple

Dynatrace masking settings can be configured for a whole environment or granularly for specific monitored entities like process groups, log sources, etc.

Configuring masking at capture settings for a whole environment has never been more straightforward. Go to Settings > Preferences > Data privacy. Choose your preferred configuration for masking at first contact using the settings on the OneAgent Side Masking and IP Masking tabs.

[Screenshot: OneAgent Side Masking in Dynatrace]

[Screenshot: IP Masking in Dynatrace]

The settings on the General tab remain unchanged and govern the privacy settings executed on the server side (masking at storage), offering a second layer of control. Emerging industry standards indicate that relying solely on one layer of protection is no longer sufficient. Dynatrace provides multiple-layer protection out-of-the-box to help ensure your sensitive data is safeguarded.

Open the available tabs to explore and easily tailor your data privacy settings.

[Screenshot: Data privacy in Dynatrace]

While environment-level settings effectively ensure a base standard, specific use cases may require special handling of sensitive data points. To fine-tune your masking settings, select the entity you want to adjust and leverage the entity-specific settings. See the process-group settings example in the screengrab below.

[Screenshot: Process group instance in Dynatrace]

[Screenshot: OneAgent Side Masking in Dynatrace]

Why the Dynatrace solution is unique

Masking at capture

A single toggle lets you turn on the masking of selected sensitive data points at first contact with Dynatrace, so sensitive data never leaves your environment.

Multiple layers of protection

In addition to masking at capture, you can leverage:

Masking at storage to manage data directly ingested into Dynatrace or have an additional safety layer of masking.

Masking at display to effortlessly govern access to sensitive data points.

Easily configurable masking

  • Control your sensitive data points with simple and granular configuration.
  • Choose a setup that applies to your whole Dynatrace environment or configure masking for specific process groups or log data sources.
  • Dynatrace masking capabilities scale with your ingested data volume.

What’s next

We’re working on further improvements to our easy-to-use masking toolkit and will soon extend the masking at-capture capabilities to RUM JavaScript. Stay tuned to this Privacy Spotlight blog series to learn more about these continuous improvements.

Check out Dynatrace Documentation for data masking and other privacy controls.

Learn more about our commitment to providing you with control and transparency over your customers’ personal data in the Dynatrace Trust Center.

Share your feedback, suggestions, and ideas with us in the Dynatrace Community.
