All posts
August 25, 20222 min read

BigQuery Data Masking with Microsoft Presidio: A Practical Guide

Sensitive data management is a cornerstone of modern software systems. With strict compliance regulations and increasing awareness of data privacy, anonymizing or masking sensitive information has become critical. This post outlines how to integrate Microsoft Presidio, a powerful data anonymization library, into BigQuery workflows. Google's BigQuery is an essential tool for managing large-scale datasets, while Microsoft's Presidio provides ready-to-use mechanisms to detect and mask sensitive da

Free White Paper

Data Masking (Static) + Microsoft Entra ID (Azure AD): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

Sensitive data management is a cornerstone of modern software systems. With strict compliance regulations and increasing awareness of data privacy, anonymizing or masking sensitive information has become critical. This post outlines how to integrate Microsoft Presidio, a powerful data anonymization library, into BigQuery workflows.

Google's BigQuery is an essential tool for managing large-scale datasets, while Microsoft's Presidio provides ready-to-use mechanisms to detect and mask sensitive data such as Personally Identifiable Information (PII). By combining the strengths of both, it's possible to streamline sensitive data management without adding significant overhead.

Let’s break down how to achieve end-to-end data masking in BigQuery using Microsoft Presidio.

Why Data Masking Matters

Data masking not only ensures compliance with regulations like GDPR, CCPA, and HIPAA but also safeguards customer trust and prevents breaches. BigQuery often stores and processes massive datasets with sensitive information such as social security numbers, credit card details, or email addresses. Exposing this data even internally can lead to significant security risks.

Microsoft Presidio provides:

  • PII Detection: Identify sensitive data types like emails, IP addresses, or phone numbers.
  • Data Redaction or Replacement: Replace sensitive data while preserving the structure.
  • Customization: Define specific patterns unique to your datasets.

Pairing Presidio with BigQuery enables seamless, automated masking directly within analytical workflows.

Set Up Microsoft Presidio for BigQuery

1. Install Presidio Components

Microsoft Presidio requires the following pieces to run:

  • Presidio Analyzer for identifying sensitive data.
  • Presidio Anonymizer for masking or tokenizing data.

Use Docker to quickly set up the components:

Continue reading? Get the full guide.

Data Masking (Static) + Microsoft Entra ID (Azure AD): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
docker pull mcr.microsoft.com/presidio-analyzer
docker pull mcr.microsoft.com/presidio-anonymizer

Deploy them locally or in a cloud environment like Kubernetes to ensure they are accessible for integration with BigQuery.

2. Extract Data from BigQuery

Use the BigQuery client library to fetch sensitive data from tables. Here’s a basic Python example:

from google.cloud import bigquery

client = bigquery.Client()
query = "SELECT id, email, phone FROM `project.dataset.table`"
query_job = client.query(query)

rows = list(query_job.result())

Here, the query retrieves email and phone, both of which could be classified as PII.

3. Detect and Mask Sensitive Data with Presidio

Process the extracted data using Presidio's Analyzer and Anonymizer.

Example: Analyze and Mask Email Addresses

from presidio_analyzer import AnalyzerEngine
from presidio_anonymizer import AnonymizerEngine

analyzer = AnalyzerEngine()
anonymizer = AnonymizerEngine()

text = "Email: john.doe@example.com Phone: 123-456-7890"

# Detect PII
results = analyzer.analyze(text=text, entities=["EMAIL_ADDRESS", "PHONE_NUMBER"], language="en")

# Mask detected entities
anonymized_text = anonymizer.anonymize(text=text, analyzer_results=results, anonymize_config={
 "EMAIL_ADDRESS": {"type": "replace", "new_value": "[MASKED_EMAIL]"},
 "PHONE_NUMBER": {"type": "replace", "new_value": "[MASKED_PHONE]"}
})

print(anonymized_text)

This script replaces the email and phone number with predefined masked values like [MASKED_EMAIL] and [MASKED_PHONE].

4. Load Masked Data Back to BigQuery

Send the updated records back to BigQuery for analytical use:

table_id = "project.dataset.masked_table"

rows_to_insert = [
 {"id": "1", "email": "[MASKED_EMAIL]", "phone": "[MASKED_PHONE]"}
]

errors = client.insert_rows_json(table_id, rows_to_insert)

if errors:
 print(f"Failed to load data: {errors}")
else:
 print("Data loaded successfully.")

Creating a separate table for masked results ensures that original data remains untouched while anonymized versions are used for specific applications.

Automate the Workflow

To handle larger datasets efficiently, automate this pipeline:

  1. Trigger workflows using Cloud Functions when new records are added to BigQuery.
  2. Integrate Pub/Sub for asynchronous processing and scalability.
  3. Use Cloud Scheduler to batch-process records at regular intervals.

Here’s a sample high-level diagram of the architecture:

  • BigQuery → Extract PII → Presidio (PII Detection) → Masked Data → BigQuery (Reloaded).

Final Thoughts

BigQuery simplifies working with vast datasets, but handling PII effectively requires tools like Microsoft Presidio. By combining these technologies, your team can transform raw data into analyzable forms without exposing personal details.

Want to see how a complete masking workflow like this can work in minutes? Check out Hoop.dev. Our platform simplifies data pipeline management, letting you focus on building better systems faster.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts