Masking PII in CDRs

For GDPR compliance, you can configure the device to mask personally identifiable information (PII) in CDRs that are created by the device. This includes CDRs that the device displays in the Web interface and CLI, as well as CDRs that it sends to syslog, REST, RADIUS, Local Storage, or OVOC (depending on configuration).

Depending on configuration, the PII that the device masks includes telephone numbers, URI user parts, display names, IP addresses, hostnames, and URI host parts.

The device masks PII in all CDR fields, except the following (based on destination):

OVOC: SrcIP, DestIP, SigSrcIP, SigDstIP, SigRmtIP, OldDestIP, and NewRemIP.
Non-OVOC: SourceIp, DestIp, IngressCallSourceIp, EgressCallDestIp, EgressLocalRtpIp, EgressRemoteRtpIp, IngressLocalRtpIp, IngressRemoteRtpIp, RemoteRtpIp, LocalRtpIp, LatchedRtpIp, and LatchedT38Ip.
To mask PII in CDRs:
1. Open the SIP Definitions General Settings page (Setup menu > Signaling & Media tab > SIP Definitions folder > SIP Definitions General Settings).
2. From the 'Mask PII in CDRs' drop-down list, select one of the following:
Disable: No PII masking is done in management interfaces (Web and CLI), syslog, REST, Local Storage, and RADIUS.
Mark PII in Web or CLI: The device masks (by a single asterisk * symbol) private information (caller and callee) in the Web interface’s SBC CDR History table (see Viewing CDR History of SBC and Test Calls) and Gateway CDR History table (see Viewing Gateway CDR History), and CLI (e.g., show voip calls). For example, the device masks the URI "name@domain.com" as "*".
Mask PII in Detailed Records: The device masks (by multiple asterisks *) private information in CDRs. This applies to all destinations to where the device sends these records (i.e., syslog, REST, Local Storage, and RADIUS), except ARM and OVOC. This option also affects PII in the Web interface’s SBC CDR History table and Gateway CDR History table, and CLI (e.g., show voip calls). For URIs, only the user part is masked when this option is selected.

If you configure the 'Mask URI Host Part in CDRs' parameter to Enable (see below), the device also masks IP addresses, hostnames, and URI host parts.

3. If you configure the above parameter to Mask PII in Detailed Records, you can configure which characters in the masked element (e.g., phone number) to mask:
a. In the 'Number of Unmasked Characters in PII' field, enter the number of characters to show. The rest of the characters are masked. To mask all characters, configure the parameter to "0".
b. In the 'Location in PII of Unmasked Characters' field, define from where in the PII element to show (not mask):
Last Characters: The device shows the number of characters specified by the 'Number of Unmasked Characters in PII' parameter (above) starting from the end of the PII element. For example, if the original number is 97216789 and the 'Number of Unmasked Characters in PII' parameter is configured to "4", the device masks the number as "****6789".
First Characters: The device shows the number of characters specified by the 'Number of Unmasked Characters in PII' parameter (above) starting from the beginning of the PII element. For example, if the original number is 97216789 and the 'Number of Unmasked Characters in PII' parameter is configured to "4", the device masks the number as "9721****".

4. From the 'Mask PII in QoE CDRs for OVOC' drop-down list, select Enable to mask (with asterisks) phone numbers, URI user part, and display names that appear in CDRs that the device sends to OVOC:

If you configure the 'Mask URI Host Part in CDRs' parameter to Enable, the device also masks IP addresses and hostnames in CDRs sent to OVOC.

5. From the 'Mask URI Host Part in CDRs' drop-down list, select Enable to mask (with asterisks) the host part of URIs (including IP addresses) in CDRs that the device sends to Web, CLI, syslog, REST, RADIUS, and Local Storage (depending on the 'Mask PII in CDRs' parameter - see Step 2), or to OVOC if the 'Mask PII in QoE CDRs for OVOC' parameter is enabled (see Step 4):

The parameter is applicable only if you enable the 'Mask PII in CDRs' or 'Mask PII in QoE CDRs for OVOC' parameters for the targets (i.e., this is an additional modifier of PII masking for these targets).

6. Click Apply.