Transformations provide a mechanism to present data held in Vault in a way that reduces data exposure. This is especially valuable when a server is compromised, because an attacker who controls that server can reach only the views it was granted, not all of the underlying data.
For example, a phone number can be masked so that only the last four digits are readable, like this: ***-****-2795. Each transformation is associated with a data type.
Combined with Vault’s access policies, transformations let you enforce and restrict access to specific views of the data, which in practice reduces exposure risk. For example, a public web application collects SSNs and stores them in Vault. An access policy can be configured to allow the application to read only a masked SSN value, reducing the risk of exposing the SSNs stored in the system. The SSNs remain protected even if the web server is compromised (through IDOR, SQL injection, remote code execution, etc.).
You can customize your own data types and transformations (a beta feature, see Custom types and transformations), or use the built-in transformations to:
- Mask sensitive data types, such as SSN, email, phone number, credit card number, and bank account number.
- Reduce the resolution of a value. For example, turning a birth date into an age or an address into a city.
- Enforce privacy controls. For instance, disallow marketing users access to email addresses if consent is not given.
- Allow exclusive access to SSNs by their owner by validating the end-user's JWT, mitigating OWASP's A01:2021 – Broken Access Control.
- Disallow US-based admins from accessing EU persons' data.
See Manage transformations for more information on transformations.