All posts
August 25, 20222 min read

BigQuery Data Masking with JWT-Based Authentication

Efficiently managing sensitive data is a requirement, not a choice. Whether it's personal user data or confidential business information, ensuring privacy while granting access to necessary insights can be tricky. With Google BigQuery, combined with JWT-based authentication, we can enforce advanced data masking strategies seamlessly. This post dives into these concepts, offering a straightforward guide to implement BigQuery data masking with JWT-based authentication. What is BigQuery Data Mask

Free White Paper

Push-Based Authentication + Data Masking (Static): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

Efficiently managing sensitive data is a requirement, not a choice. Whether it's personal user data or confidential business information, ensuring privacy while granting access to necessary insights can be tricky. With Google BigQuery, combined with JWT-based authentication, we can enforce advanced data masking strategies seamlessly. This post dives into these concepts, offering a straightforward guide to implement BigQuery data masking with JWT-based authentication.

What is BigQuery Data Masking?

BigQuery Data Masking is a feature that restricts access to sensitive data by hiding or replacing certain information. Instead of sharing full, unrestricted data with every user, you can limit what users see based on their roles or permissions. For example:

  • Credit card numbers can appear as XXXX-XXXX-XXXX-1234.
  • Emails can be shown as us*****@example.com.

This allows users to work with relevant data while ensuring confidential details are kept private.

Why JWT-Based Authentication?

JSON Web Tokens (JWT) are a compact, secure way to transfer information between two parties. By using JWTs, you can:

  • Verify the identity of a user.
  • Assign roles or permissions within the token payload.
  • Scale authentication efficiently using a stateless approach.

When integrated with BigQuery, JWTs act as a gatekeeper. They ensure that users are not only authenticated but also that their permissions dictate how much or what kind of data they can access.

Step-by-Step: Setting Up Data Masking in BigQuery

1. Define Access Policies

First, decide what data needs to be masked. For example, columns like social security numbers, salaries, or credit cards. Define roles such as:

  • Admin: Access to the raw data.
  • Analyst: Access to masked data only.
  • Viewer: Restricted access to specific columns.

2. Create BigQuery Authorized Views

Authorized views in BigQuery are SQL-based. These control what a user can query based on their access level. An admin might query a user_data table directly, while an analyst would query a masked view.

Continue reading? Get the full guide.

Push-Based Authentication + Data Masking (Static): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Example:

CREATE VIEW dataset.masked_user_data AS
SELECT 
 user_id,
 CONCAT(SUBSTR(email, 1, 2), '*****@example.com') as masked_email,
 'XXXX-XXXX-XXXX-' || RIGHT(credit_card, 4) as masked_credit_card
FROM dataset.user_data
WHERE role != 'Admin';

3. Use JWT to Authenticate API Requests

JWT tokens carry user claims like roles and permissions. Use a secure mechanism, like OpenID Connect (OIDC), to issue JWTs. Every token should include claims such as:

  • User identifier (uid).
  • Role-based permissions (role).

Example payload of a JWT:

{
 "sub": "1234567890",
 "email": "user@example.com",
 "role": "Analyst"
}

4. Configure IAM Roles in BigQuery

BigQuery lets you assign IAM roles for fine-grained access. Map JWT roles to these IAM roles:

  • Admin → Full access to the table.
  • Analyst → Access to the masked view.
  • Viewer → Access to aggregated or partial records.

Example command for assigning roles:

gcloud projects add-iam-policy-binding PROJECT_ID \
 --member=group:analysts@example.com \
 --role=roles/bigquery.dataViewer

5. Validate End-to-End Access

Ensure that:

  • An admin querying user_data accesses raw data.
  • Analysts querying masked_user_data see only masked values.
  • JWT token claims align with BigQuery IAM policies.

Test edge cases where invalid tokens, expired tokens, or incorrect claims are used to ensure system robustness.

Benefits of BigQuery Data Masking with JWTs

  1. Granular Control: Tailor access based on user roles.
  2. Enhanced Security: Protect sensitive data without duplicating tables.
  3. Scalable Authentication: Stateless JWT-based access adapts to distributed systems.
  4. Regulatory Compliance: Align with data privacy laws like GDPR and CCPA while ensuring data usability.

Implement BigQuery Data Masking Faster with hoop.dev

If you're looking to streamline your implementation, hoop.dev lets you see this in action in minutes. Its developer-focused tools simplify role-based access, making it easier to manage JWT authentication and enforce data masking policies in BigQuery.

Get started with hoop.dev to unlock secure, scalable, and efficient BigQuery solutions instantly.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts