Options to reduce exposure of sensitive data
- Updated: 2024/06/14
Options to reduce exposure of sensitive data
The Process Discovery Platform offers several options to reduce exposure of sensitive data in screen shots and keyboard input.
The following four options describe methods to reduce exposure of sensitive data.
User based access control
- Visualizations (Flow, Path, Butterfly pages and URLs specified by a higher role)
- Uploaded assets (docx, xlsx, etc.)
| Role | Dashboard | Observers | Events | Instance Viewer | Process Explorer | Butterfly | Client Dashboard | Mining Runs | Status Page | Event Log Exports | Processes Page | PDDs | Diagram Composer | Process Boundary Detection | Signature Jobs | Applications | Web Applications | Application Strategy | Review | Template Registry | Domain List | Application List | Manage Cycles | Manage integration/plugin | Manage Account Settings | Manage Users |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Admin | Home Dashboard | Able to Start/Stop recording | Able to anonymize events | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Power | Home Dashboard | Unable to Start/Stop recording | Unable to anonymize events | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | ||||||
| Discovery | Home Dashboard | Unable to Start/Stop recording | Unable to anonymize events | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Review | |||||||||||
| Data Review | Review | |||||||||||||||||||||||||
| Limited | Client Dashboard (and assets linked by a higher user) |
Cycle based access control
Control the events a user has access to based on the cycle they are assigned. A cycle is a filtered set of events. The following image demonstrates the permitted users and the dates of the events they have access to. See, Create a cycle
Application or Observer specific metadata disabling
- Fully Disable Collection for specific Applications or
Web applications. See, Create a URL and application list.Note: Web applications are not 100% guaranteed as URLs might not always be captured due to network delays.
- Disable specific sets of metadata, globally or by applications (ex: chrome,
word, excel). See, Configure Observer activity.
- Keys pressed - If keystroke collection is disabled, keystrokes are masked and only control character information is sent. (ex: CTRL+C key was pressed). This is an important way to ensure sensitive data input by user is not captured.
- Clipboard content
- Title of the window in focus Note: Title is almost always required for the platform to categorize screens and find processes at the screen level.
- Screen shot of the screen at the time of the event Note: A screen shot is almost always required for the platform to categorize screens and find processes at the screen level.
Privacy Enhanced Gateway (PEG)
The above options are accomplished through configuration of various Process Discovery components (such as access control setup, sensors and application) that comes as part of the standard installation and does not require any additional tools.
If the above options are not sufficient, AAI provides a separate tool/client that sits on the customer’s network, called Privacy Enhanced Gateway (PEG), to redact sensitive content in the screen shot images. PEG enables the redaction to happen within the customer owned private network (VPC) before the images get to the Process Discovery platform cloud. See, Getting started with Privacy Enhanced Gateway.
- Allow list or deny words. Default allow list is from dictionary words where customers can add to this list. Deny list is null by default but customers can add to this list as needed.
- Regex specific to a filter (ex: Application, Observer, etc).