Vaulted Tokenization is a scalable tokenization solution to bolster your organization’s data security and governance. Vaulted Tokenization enables you to tokenize and detokenize values, substituting sensitive data with non-sensitive tokens at high throughputs. It supports the scale of technologies such as Snowflake, where you may need to quickly tokenize or detokenize datasets containing millions or billions of values.
Vaulted Tokenization supports Deterministic and Non-Deterministic tokens and is accessible through an API to perform the following:
Vaulted Tokenization is available to Enterprise Plus customers. To leverage Vaulted Tokenization, you need an active Tokenization API user in ALTR.
1. It’s secure
2. It’s operational
3. It’s retrievable
4. It’s scalable
A look behind the scenes: When a value is tokenized, it is replaced with a random UUID that has no mathematical relationship to the original value. The original value is encrypted and stored in a token vault to support detokenization. When an authorized user requests to exchange a token for a value, a lookup is performed in the token vault for that token. If the token exists, its corresponding value is decrypted and returned.
Deterministic tokenization: Vaulted Tokenization optionally supports deterministic tokens, where a given value receives the same token every time it is tokenized. Deterministic tokens enable users to perform joins and where clauses in queries on tokenized data without having to detokenize it, so they can still operate on data even if they don’t have access to it in plaintext. Deterministic and non-deterministic tokens are returned with different tokenization headers: vaultd_{token} and vaultn_{token} respectively.
A tokenization API user is required to access Vaulted Tokenization. Enterprise Plus customers can create tokenization API users on the API tab of the Applications page.
Note: Vaulted Tokenization is not available over the public internet; users have to whitelist the IPs of their applications when creating the API key in order to use Vaulted Tokenization.
Accessing Vaulted Tokenization: To access Vaulted Tokenization with an authorized API user, API requests can be made to vault.live.altr.com.
Note: ALTR’s API documentation includes information on the various endpoints for Vaulted Tokenization. The endpoints allow users to tokenize data, detokenize data, and delete tokenized data from the token vault.
API Authorization: Vaulted Tokenization requires an authorization header containing information on the API key and hashed API secret. See the API documentation for more information on how to generate the authorization header.
Tokenization: /api/v1/batch tokenizes batches of string values up to 1024 characters in length. A single batch can tokenize up to 4096 values at a time. For optimal throughput, ALTR recommends batches of 1024 values. To enable deterministic tokenization, the API user must be given access to deterministic tokenization in ALTR and the determinism header on the API call must be set to TRUE.
Detokenization: /api/v1/batch detokenizes batches of tokens. Users can detokenize up to 4096 values at a time. For optimal throughput, ALTR recommends batches of 1024 tokens.
Deleting tokens: Deleting a token will permanently remove a token and its value from the token vault, making it inaccessible for future use. When deleted, there is no reference remaining to a token or value; if data for a deleted deterministic token is re-tokenized, this will produce a new randomly-generated token.
Rate Limiting: If you make too many requests, Vaulted Tokenization’s API may return a 429. If you encounter a 429 response, wait up to thirty seconds before trying again. Vaulted Tokenization requires time to reach scale; when integrating your application with Vaulted Tokenization we recommend maintaining a limited number of simultaneous requests. As Vaulted Tokenization reaches scale, those requests will complete much faster.
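The batch limits and 429 guidance above can be enforced on the client before any request is sent. The following is an added example, not ALTR's code: `send_batch` is a hypothetical callable that wraps your own authenticated HTTP call and returns `(status, tokens)`, and the success shape (status 200, one token per input, in order) is an assumption.

```python
import time

MAX_VALUE_CHARS = 1024    # page: string values up to 1024 characters
MAX_BATCH = 4096          # page: at most 4096 values per batch
RECOMMENDED_BATCH = 1024  # page: recommended batch size for throughput
MAX_WAIT_SECONDS = 30     # page: wait up to thirty seconds after a 429

def make_batches(values, size=RECOMMENDED_BATCH):
    """Validate inputs against the documented limits and split into batches."""
    if not 1 <= size <= MAX_BATCH:
        raise ValueError(f"batch size must be between 1 and {MAX_BATCH}")
    for i, v in enumerate(values):
        # Report the index only, so plaintext never lands in logs.
        if not isinstance(v, str) or len(v) > MAX_VALUE_CHARS:
            raise ValueError(f"value at index {i} is not a string of at most "
                             f"{MAX_VALUE_CHARS} characters")
    return [values[i:i + size] for i in range(0, len(values), size)]

def token_kind(token):
    """Classify a returned token by the prefixes the page documents."""
    if token.startswith("vaultd_"):
        return "deterministic"
    if token.startswith("vaultn_"):
        return "non-deterministic"
    return "not-a-token"

def send_with_backoff(send_batch, batch, max_attempts=7, sleep=time.sleep):
    """Retry on 429 with doubling waits capped at MAX_WAIT_SECONDS.
    send_batch is a hypothetical callable returning (status, tokens)."""
    delay = 1
    for attempt in range(max_attempts):
        status, tokens = send_batch(batch)
        if status != 429:
            return status, tokens
        if attempt + 1 < max_attempts:
            sleep(min(delay, MAX_WAIT_SECONDS))
            delay *= 2
    raise RuntimeError("still rate limited after retries")

def tokenize_all(send_batch, values, sleep=time.sleep):
    """Tokenize sequentially (one request in flight) and verify every result."""
    out = []
    for batch in make_batches(values):
        status, tokens = send_with_backoff(send_batch, batch, sleep=sleep)
        # Assumed success shape: HTTP 200 and one token per input, in order.
        if status != 200 or len(tokens) != len(batch):
            raise RuntimeError(f"batch failed with status {status}")
        if any(token_kind(t) == "not-a-token" for t in tokens):
            raise RuntimeError("response contained a value without a vault prefix")
        out.extend(tokens)
    return out
```

Checking every returned value for a `vaultd_` or `vaultn_` prefix before storing it keeps a malformed response from writing plaintext into a column that is supposed to hold only tokens.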