Fundamentals

Explore what Skyflow can do

This guide is an introduction to using Skyflow Studio and Skyflow’s Management and Data APIs. Following this guide, you’ll use Skyflow’s Quickstart vault and data governance engine to securely share and govern access to vault data for different types of users. You’ll also insert, read, tokenize, and detokenize data in your vault.

Prerequisites

Explore a vault

This guide uses the Quickstart vault template. This vault is a training tool to help people learn how to use Skyflow. Every account contains one or more workspaces, and workspaces contain vaults.

Every Skyflow trial account comes with a Quickstart vault. Navigate to your Quickstart vault or create a new one:

  1. Sign in to Skyflow Studio.
  2. Click Add Vault > Start with a template.
  3. Under Quickstart, click Create.

The Quickstart vault has a predefined schema with two tables (credit_cards and persons) and fake rows of data.

The role and policies assigned to your user account determine your amount of access to the data. Even though you’re the owner of the vault, most fields are redacted or partially redacted by default. A column’s definition in the vault schema and your user account’s policies determine whether data is full or partially redacted when you access it.

Column settings fall into four categories:

  • General: Things like the column name, uniqueness, regular expression validation, and transient field status.
  • Tokens: The kind of non-sensitive token to substitute for sensitive data in the column.
  • Redaction: How to obscure data to prevent unauthorized access to sensitive data.
  • Encryption: Operations allowed to perform over fully encrypted data through polymorphic encryption. All data within a vault is encrypted at rest and during transit.

To view the card_number column’s settings,

  1. In the credit_cards table, click the card_number column’s down arrow.
  2. Choose View column.

When you’re done investigating the column settings, close the column editor dialog.

Perform an encrypted operation

One of the ways you can retrieve records from the vault is through SQL queries. Through polymorphic encryption, your query operations run against fully encrypted data and return results without ever decrypting any of the data.

To perform an SQL query,

  1. Navigate to the persons table.

  2. Click SQL query.

  3. Below the green comments in the text area, type the following SQL statement:

    1select * from persons where state = 'California'

  4. Click Run.

The encrypted operation runs against your vault, and the results display in the table.

Share limited access to a vault

Within any product or organization, different users and services have different requirements for seeing and interacting with sensitive customer data. Skyflow takes a zero-trust approach to this, where no user or service has access to any data unless explicitly granted. With Skyflow’s data governance engine, you can create simple policies that control what a user can see and how they see it.

To control a user’s access to vault data, you create a role, create access policies, attach the policies to the role, then assign the role to the user. The following examples show to a marketing role and a customer support role might have different policies and access to the same data.

Create a marketing role

The marketing role flags read access to specific fields at different levels of visibility.

  1. From the vault schema page, click the Access in the side navigation.

  2. Click Add new role.

  3. For Name, enter “Marketing Role”.

  4. For Description, enter a value. For example, “Limited vault access”.

  5. Click Create.

  6. Click Attach Policies, and replace the placeholder content with the following policies:

    1ALLOW READ ON persons.name, persons.email_address, persons.state WITH REDACTION = PLAIN_TEXT
    2ALLOW READ ON persons.date_of_birth WITH REDACTION = MASKED
    3ALLOW READ ON persons.ssn WITH REDACTION = REDACTED

    The first line grants plaintext read access to the name, email, and state for each person record in the persons table. The second line grants read access to the data of birth of a person but as a masked value. The final line grants read access to the fully redacted SSN.

  7. Click Create, enter “Marketing Policy” for the policy name, then click Save.

  8. Click Enable, then close the dialog.

Create a customer support role

While the marketing role and policy have limited access to the vault, the customer support role and policies are even more restrictive.

  1. Click Add new role.

  2. For Name, enter “Customer Support Role”.

  3. For Description, enter a value. For example, “Restrictive vault access”.

  4. Click Create.

  5. Click Attach Policies, and replace the placeholder content with the following policies:

    1ALLOW READ ON persons.name, persons.state WITH REDACTION = PLAIN_TEXT
    2ALLOW READ ON persons.ssn WITH REDACTION = MASKED
    3ALLOW READ ON persons.date_of_birth, persons.email_address WITH REDACTION = REDACTED

    The first line grants plaintext read access to the name and state for each person record in the persons table. The second line grants read access to the SSN of a person but as a masked value. The final line grants read access to the fully redacted date of birth and email.

  6. Click Create, enter “Customer Support Policy” for the policy name, then click Save.

  7. Click Enable, then close the dialog.

Share the vault

To see these policies in action, add a user with the Marketing role and add a user with the Customer Support role, then sign into those accounts in Incognito browser windows.

Add users

  1. In the Access section, click the People tab.
  2. Click Add people.
  3. Invite an email address to add to your vault. You might add “+marketing” to your email username depending on your email provider, like in “jane.doe+marketing@acme.com”.
  4. For Roles, select Marketing Role, then click Add.
  5. Click Add people.
  6. Invite an email address to add to your vault. Depending on your email provider, you might add “+customer-support” to your email username, like in “jane.doe+customer-support@acme.com”.
  7. For Roles, select Customer Support Role, then click Add.

View the marketing policies in action

  1. Open an incognito browser window.

  2. Sign in to Skyflow Studio using your account sign-in URL and the marketing email address you just added to your vault.

  3. Click Open on the Quickstart vault.

    Skyflow restricts the view of the data based on the Marketing policy you created and assigned to this user.

  4. When you’re done browsing the vault as this user, close the incognito window.

View the customer support policies in action

  1. Open another incognito browser window.

  2. Sign in to Skyflow Studio using your account sign-in URL and the customer support email address you just added to your vault.

  3. Click Open on the Quickstart vault.

    Skyflow restricts the view of the data based on the Customer Support policy you created and assigned to this user.

  4. Keep this window open.

Edit the policy

With Skyflow’s governance engine, you control how much data a user or service can access in a vault. You can update the rules at any time as business requirements change, and changes go into effect without any code deployments or implementation changes.

  1. Back in your first window, navigate to the Access section, then click Roles.

  2. Find the Customer Support Role row, then click View.

  3. Find the Customer Support Policy row, then click Edit.

  4. Move “persons.date_of_birth” from the “REDACTED” policy into the “MASKED” policy. Your policies should look like the following:

    1ALLOW READ ON persons.name, persons.state WITH REDACTION = PLAIN_TEXT
    2ALLOW READ ON persons.ssn, persons.date_of_birth WITH REDACTION = MASKED
    3ALLOW READ ON persons.email_address WITH REDACTION = REDACTED

  5. Click Save, then close the dialog.

Add a row restriction

You can restrict view access to records based on record data. For example, you can restrict the customer support role to only be able to view customer records in one state by adding a row restriction.

  1. Back in your first window, navigate to the Access section, then click Roles.

  2. Find the Customer Support Role row, then click View.

  3. Find the Customer Support Policy row, then click Edit.

  4. Add a row restriction policy with “WHERE” statements so customer support agents can view only persons in the state of Arizona:

    1ALLOW READ ON persons.name, persons.state WITH REDACTION = PLAIN_TEXT WHERE persons.state = 'Arizona'
    2ALLOW READ ON persons.ssn, persons.date_of_birth WITH REDACTION = MASKED WHERE persons.state = 'Arizona'
    3ALLOW READ ON persons.email_address WITH REDACTION = REDACTED WHERE persons.state = 'Arizona'

    The first line grants plaintext read access to the name and state but only for people in the state of Arizona.The second line grants read access to the SSN and date of birth as a masked value but only for people in Arizona. The final line grants read access to the email as a fully redacted value but only for people in Arizona.

  5. Click Save, then close the dialog.

In your incognito window, refresh the vault schema page. The vault data now only shows records matching the state of Arizona.

By using a combination of column and row level restrictions, you can severely reduce the scope of a potential data breach, even in a worst-case scenario where someone’s credentials become compromised.

Manipulate vault data

A data privacy vault needs data, and you can perform a full suite of CRUD (Create, Read, Update, Delete) operations on the records in your vault. See the full list of data operations in the Data API.

Note: Need a quick tutorial? Watch a short video that shows you how to use both Studio and Data APIs to manipulate data in your vault.

Performing data operations with the Data API requires the table name and Skyflow ID of the record you want to operate on:

$export TABLE_NAME=$TABLE_NAME
>export SKYFLOW_ID=$SKYFLOW_ID

Insert data

  1. In the vault schema page, right-click anywhere in the records area, then choose Insert Record.
  2. Enter field values, then click Save.

Get data

Getting data from a vault is as straightforward as browsing the vault schema page and viewing the records there.

To find specific records, use the SQL filter as described in Perform an encrypted operation. For a list of available SQL statements, see Execute Query.

Update data

  1. In the vault schema page, find the record and column you want to update.
  2. Right-click the record row, then choose Update Record.
  3. Update the fields with new values, then click Save.

Delete data

  1. In the vault schema page, find the record and column you want to update.
  2. Right-click the record row, then choose Delete Record.
  3. Click Yes, delete.

Next steps

Continue exploring what Skyflow can do by