End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Enable Column-Level Data Masking for BigQuery Tables with Sensitive Data

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Google Cloud Platform (GCP) BigQuery tables implement column-level data masking policies to protect sensitive data by selectively obscuring column values based on the querying user's roles and permissions. Data masking lets you give different user groups different levels of visibility into the same table while preserving its utility for analytics and reporting. It is configured by creating data policies with a predefined or custom masking rule (SHA-256 hashing, nullification, default value substitution, email masking, first or last four characters, date year masking, or a custom masking routine) and associating them with table columns, either through policy tags in a taxonomy that has access control enforced or by applying them directly to columns. When a user queries a tagged column, BigQuery resolves access in a fixed order: a user holding the Data Catalog Fine-Grained Reader role on the policy tag receives the unmasked value; otherwise a user holding the BigQuery Masked Reader role on the data policy (or at project level) receives the masked value; a user with neither role cannot select the column at all. Because masking is built on column-level access control and is enforced at query time, existing queries do not need to change. Note that Fine-Grained Reader takes precedence when a user holds both roles, so raw access should be granted sparingly.

Security

Implementing column-level data masking for BigQuery tables helps organizations comply with data privacy regulations such as GDPR, HIPAA, and PCI DSS by ensuring that sensitive data is not exposed to unauthorized users. Data masking minimizes data exposure risks by implementing the principle of least privilege, ensuring users only see the level of data detail appropriate for their role and business needs. By masking sensitive information such as personally identifiable information (PII), financial data, or confidential business information, organizations can safely share datasets with broader user groups for analytics, testing, and development purposes without compromising data security. Data masking streamlines the data sharing process and enables organizations to apply data access policies at scale across multiple tables and datasets. Additionally, data masking provides an audit trail through Cloud Audit Logs, allowing security teams to monitor access patterns and detect potential data breaches. Without proper data masking policies, organizations risk exposing sensitive data to unauthorized users, potentially leading to compliance violations, data breaches, reputational damage, and financial penalties.


Audit

To determine if your BigQuery tables have column-level data masking policies configured for sensitive data columns, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to BigQuery console available at https://console.cloud.google.com/bigquery.

04 In the Explorer panel, expand your project and datasets to locate the tables that contain sensitive data.

05 Click on a table name to view its details.

06 Select the Schema tab to view the table schema and column definitions.

07 For each column that contains sensitive data (such as email addresses, credit card numbers, social security numbers, phone numbers, or other PII), check if a Policy tag is assigned to the column.

08 If sensitive data columns do not have policy tags assigned, the table does not have column-level data masking policies configured.

09 If policy tags are assigned, note the policy tag resource name shown for the column (it identifies the project, the location of the taxonomy, the taxonomy ID and the policy tag ID), then navigate to the Policy tag taxonomies page available at https://console.cloud.google.com/bigquery/policy-tags to verify that data masking policies exist for those policy tags.

10 On the Policy tag taxonomies page, click on the taxonomy that contains the policy tag assigned to your table columns and confirm that the Enforce access control toggle is turned on. A taxonomy without access control enforced only labels columns; neither column-level access control nor data masking is applied for its policy tags.

11 In the taxonomy details, locate and click on the specific policy tag assigned to your sensitive columns.

12 Click Manage Data Policies to view the data policies associated with the selected policy tag.

13 Check if data masking policies are configured with appropriate masking rules (such as SHA-256 hash, Nullify, Default masking value, Email mask, etc.) and principals (users or groups who should receive masked data).

14 If no data masking policies are configured for the policy tag, or if sensitive columns do not have policy tags assigned, the BigQuery table does not properly implement column-level data masking for sensitive data.

15 Repeat steps no. 5 – 14 for each BigQuery table that contains sensitive data in the selected project.

16 Repeat steps no. 2 – 15 for each project available within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) to list all the project IDs available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-bigquery-project-112233
cc-analytics-project-445566

03 Run bq ls command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter to list all BigQuery datasets in the selected project:

bq ls
	--project_id cc-bigquery-project-112233

04 The command output should return the dataset IDs:

datasetId
cc_customer_data
cc_financial_data
cc_analytics_data

05 Run bq show command (Windows/macOS/Linux) with the --schema flag to display the schema of a BigQuery table that contains sensitive data:

bq show
	--schema
	--format=prettyjson
	cc-bigquery-project-112233:cc_customer_data.customers

06 The command output should return the table schema as JSON, including column definitions:

[
	{
		"name": "customer_id",
		"type": "STRING",
		"mode": "REQUIRED"
	},
	{
		"name": "email",
		"type": "STRING",
		"mode": "NULLABLE"
	},
	{
		"name": "phone_number",
		"type": "STRING",
		"mode": "NULLABLE"
	},
	{
		"name": "credit_card",
		"type": "STRING",
		"mode": "NULLABLE"
	},
	{
		"name": "address",
		"type": "STRING",
		"mode": "NULLABLE"
	}
]

07 Check the schema output for sensitive data columns (such as email, phone_number, credit_card, ssn, etc.). For each sensitive column, verify if a policyTags field is present in the column definition. If the policyTags field is missing or empty for sensitive columns, the table does not have column-level data masking policies configured for those columns. A properly configured column with a policy tag would include a policyTags field like this:

{
	"name": "email",
	"type": "STRING",
	"mode": "NULLABLE",
	"policyTags": {
		"names": [
			"projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890/policyTags/9876543210"
		]
	}
}

08 If policy tags are assigned, list the data policies defined in the taxonomy's location with the BigQuery Data Policy REST API, because neither gcloud nor bq currently provides a command for data policies: send an authenticated GET request to https://bigquerydatapolicy.googleapis.com/v1/projects/cc-bigquery-project-112233/locations/us/dataPolicies (bearer token from gcloud auth print-access-token; the location must be the taxonomy's location, us in this example). In the response, look for an entry whose policyTag equals the policy tag resource name found in the column schema and whose dataPolicyType is DATA_MASKING_POLICY. If no data policy references the tag, the column is protected by column-level access control only: users without Fine-Grained Reader are denied rather than served masked values. For each matching data policy, call its getIamPolicy method (POST https://bigquerydatapolicy.googleapis.com/v1/<data-policy-resource-name>:getIamPolicy) and confirm that the principals who should receive masked data hold roles/bigquerydatapolicy.maskedReader there or at project level.

09 Run gcloud data-catalog taxonomies policy-tags get-iam-policy command (Windows/macOS/Linux) to list the principals that hold the Data Catalog Fine-Grained Reader role on the policy tag, i.e. the users and groups that bypass masking and read the raw column values (extract the taxonomy and policy tag IDs from the policy tag resource name in the schema):

gcloud data-catalog taxonomies policy-tags get-iam-policy 9876543210
	--taxonomy=1234567890
	--location=us
	--project=cc-bigquery-project-112233

10 The command output returns the IAM policy of the policy tag, for example:

bindings:
- members:
	- user:admin@example.com
	role: roles/datacatalog.categoryFineGrainedReader

Review every member bound to roles/datacatalog.categoryFineGrainedReader. These principals receive unmasked data even if they also hold the Masked Reader role, so a binding that covers a broad group (an entire domain, or the same analytics team that is supposed to see masked values) means the masking policy is not actually protecting the column. Bindings on parent policy tags in the same taxonomy are inherited and have the same effect. Also confirm that the taxonomy has access control enforced: its activatedPolicyTypes field (GET https://datacatalog.googleapis.com/v1/projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890) must contain FINE_GRAINED_ACCESS_CONTROL, which corresponds to the Enforce access control toggle in the console; otherwise the policy tags are labels only and no masking or access control is applied.

11 Repeat steps no. 5 – 10 to verify the data masking configuration for other BigQuery tables that contain sensitive data in the selected project.

12 Repeat steps no. 3 – 11 for each project available within your Google Cloud account.
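The following Python script is an added example, not part of the original page or of the Conformity product. It automates the CLI audit above against the JSON documents those steps produce: the table schema from bq show --schema, the dataPolicies list response from the BigQuery Data Policy API, and the getIamPolicy response for each data policy. It descends into RECORD columns, because nested leaf fields carry their own policyTags, and it flags three distinct failure modes: a sensitive column with no tag, a tag with no masking policy, and a masking policy that nobody has been granted Masked Reader on. The sample documents are constructed inline so the script runs offline; the sensitive-column name pattern and the second policy tag ID (5555555555) are assumptions.

```python
"""Audit column-level masking from exported BigQuery JSON (added example)."""
import json
import re

MASKED_READER = "roles/bigquerydatapolicy.maskedReader"
# Column names treated as sensitive; an assumption to be tuned to your own data classification.
SENSITIVE_COLUMN_RE = re.compile(
    r"email|phone|credit_card|card_number|ssn|social_security|passport|account_number",
    re.IGNORECASE,
)

# Constructed sample of `bq show --schema --format=prettyjson` for cc_customer_data.customers.
SAMPLE_SCHEMA = json.loads("""[
  {"name": "customer_id", "type": "STRING", "mode": "REQUIRED"},
  {"name": "email", "type": "STRING", "mode": "NULLABLE",
   "policyTags": {"names": ["projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890/policyTags/9876543210"]}},
  {"name": "phone_number", "type": "STRING", "mode": "NULLABLE",
   "policyTags": {"names": ["projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890/policyTags/5555555555"]}},
  {"name": "credit_card", "type": "STRING", "mode": "NULLABLE"},
  {"name": "contact", "type": "RECORD", "mode": "NULLABLE",
   "fields": [{"name": "home_phone", "type": "STRING", "mode": "NULLABLE"}]}
]""")

# Constructed sample of GET .../locations/us/dataPolicies (BigQuery Data Policy API).
SAMPLE_DATA_POLICIES = json.loads("""{"dataPolicies": [
  {"name": "projects/cc-bigquery-project-112233/locations/us/dataPolicies/email_masking_policy",
   "dataPolicyType": "DATA_MASKING_POLICY",
   "policyTag": "projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890/policyTags/9876543210",
   "dataMaskingPolicy": {"predefinedExpression": "EMAIL_MASK"}},
  {"name": "projects/cc-bigquery-project-112233/locations/us/dataPolicies/phone_masking_policy",
   "dataPolicyType": "DATA_MASKING_POLICY",
   "policyTag": "projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890/policyTags/5555555555",
   "dataMaskingPolicy": {"predefinedExpression": "LAST_FOUR_CHARACTERS"}}
]}""")

# Constructed sample of dataPolicies.getIamPolicy responses, keyed by data policy name.
SAMPLE_DATA_POLICY_IAM = {
    "projects/cc-bigquery-project-112233/locations/us/dataPolicies/email_masking_policy": {
        "bindings": [{"role": MASKED_READER, "members": ["group:analytics-team@example.com"]}]},
    "projects/cc-bigquery-project-112233/locations/us/dataPolicies/phone_masking_policy": {
        "bindings": []},
}


def iter_columns(schema, prefix=""):
    """Yield (dotted_path, field) for every leaf column, descending into RECORD fields."""
    for field in schema:
        path = prefix + field["name"]
        if field.get("type") == "RECORD":
            yield from iter_columns(field.get("fields", []), path + ".")
        else:
            yield path, field


def audit_table(schema, data_policies, data_policy_iam, project_has_masked_reader=False):
    """Return (column_path, finding) pairs for sensitive columns that are not masked end to end.

    project_has_masked_reader: True if Masked Reader is bound at project level, which
    covers every data policy in the project.
    """
    masking_by_tag = {}
    for dp in data_policies.get("dataPolicies", []):
        if dp.get("dataPolicyType") == "DATA_MASKING_POLICY":
            masking_by_tag.setdefault(dp["policyTag"], []).append(dp)

    findings = []
    for path, field in iter_columns(schema):
        if not SENSITIVE_COLUMN_RE.search(path):
            continue
        tags = field.get("policyTags", {}).get("names", [])
        if not tags:
            findings.append((path, "no policy tag assigned"))
            continue
        policies = masking_by_tag.get(tags[0], [])  # BigQuery allows one policy tag per column
        if not policies:
            findings.append((path, "policy tag has no DATA_MASKING_POLICY (access control only)"))
            continue
        # A masking policy only changes what somebody sees if some principal holds
        # Masked Reader on it; otherwise every non-privileged query is simply denied.
        has_reader = project_has_masked_reader or any(
            b.get("role") == MASKED_READER and b.get("members")
            for dp in policies
            for b in data_policy_iam.get(dp["name"], {}).get("bindings", [])
        )
        if not has_reader:
            findings.append((path, "masking policy has no Masked Reader principals"))
    return findings


if __name__ == "__main__":
    for column, finding in audit_table(SAMPLE_SCHEMA, SAMPLE_DATA_POLICIES, SAMPLE_DATA_POLICY_IAM):
        print(f"NON-COMPLIANT {column}: {finding}")
```

On the constructed sample the email column passes, phone_number is flagged because its masking policy has no Masked Reader principals, and credit_card and contact.home_phone are flagged because they carry no policy tag. Feed it the real documents by saving the bq and curl output to files and replacing the SAMPLE_* constants with json.load calls.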

Remediation / Resolution

To enable column-level data masking for your Google Cloud BigQuery tables with sensitive data, you must create policy tag taxonomies, define data masking policies with appropriate masking rules, and apply policy tags to sensitive columns. Perform the following operations:

Important: Column-level data masking requires planning: identify the sensitive columns and choose a masking rule that fits each data type (for example, Email mask for email addresses, Last four characters for card numbers, Date year mask for dates of birth). Grant the BigQuery Masked Reader role to principals who should receive masked data, and grant the Data Catalog Fine-Grained Reader role only to principals who genuinely need raw values: a principal holding both roles sees unmasked data, and a principal holding neither cannot query the tagged column at all. Masking is only enforced when the taxonomy has access control enforced. Data masking is not compatible with legacy SQL and has specific limitations with materialized views, partitioned columns, and certain other BigQuery features. Test your data masking policies in a non-production environment before applying them to production tables.

Using GCP Console

Step 1: Create a Policy Tag Taxonomy

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project where you want to create data masking policies from the console top navigation bar.

03 Navigate to Policy tag taxonomies page available at https://console.cloud.google.com/bigquery/policy-tags.

04 Click Create taxonomy to begin creating a new policy tag taxonomy.

05 On the Create taxonomy page, provide the following information:

  1. For Taxonomy display name, provide a descriptive name for the taxonomy (e.g., Sensitive Data Classification).
  2. For Taxonomy description, provide a description explaining the purpose of the taxonomy (e.g., Policy tags for classifying and masking sensitive customer and financial data).
  3. For Location, select the appropriate location for the taxonomy (e.g., us for United States multi-region).

06 In the Policy tags section, click Add policy tag and define policy tags for different types of sensitive data:

  1. For Policy tag display name, enter a name such as PII - Email.
  2. For Policy tag description, provide a description such as Personally Identifiable Information - Email addresses.
  3. Click Add to create the policy tag.
  4. Repeat to create additional policy tags for other sensitive data types (e.g., PII - Phone Number, PII - Credit Card, PII - SSN, Financial - Account Number).

07 Click Create to create the taxonomy with the defined policy tags. On the taxonomy details page that opens, turn on the Enforce access control toggle; until this is enabled the policy tags are classification labels only and neither column-level access control nor data masking is applied to tagged columns.

Step 2: Create Data Masking Policies for Policy Tags

08 On the Policy tag taxonomies page, click on the taxonomy you created in Step 1.

09 In the taxonomy details view, click on a policy tag (e.g., PII - Email) for which you want to create a data masking policy.

10 Click Manage Data Policies to open the data policies management interface.

11 Click Add Rule to begin creating a new data masking policy.

12 On the Masking Rules page, provide the following information:

  1. For Data policy name, provide a descriptive name (e.g., Mask Email for Standard Users).
  2. For Masking Rule, select the masking rule that fits the column's data type from the dropdown; for this example, select Email mask to mask email addresses.
  3. For Principal, specify the users or groups who should receive masked data by entering their email addresses or group identifiers (e.g., user:analyst@example.com or group:analytics-team@example.com). This grants the BigQuery Masked Reader role on the data policy itself, which is the narrowest scope at which the role can be granted.

13 Click Submit to create the data masking policy.

14 Repeat steps no. 9 – 13 for each policy tag where you want to apply data masking, selecting appropriate masking rules for each data type.

Step 3: Apply Policy Tags to Table Columns

15 Navigate to BigQuery console available at https://console.cloud.google.com/bigquery.

16 In the Explorer panel, expand your project and datasets to locate the table that contains sensitive data columns.

17 Click on the table name to view its details.

18 Click Edit Schema to modify the table schema.

19 For each column that contains sensitive data, perform the following:

  1. Click on the column row to select it.
  2. Click Add policy tag in the column details panel.
  3. In the policy tag selection dialog, browse and select the appropriate policy tag you created earlier (e.g., PII - Email for email columns, PII - Phone Number for phone number columns).
  4. Click Select to assign the policy tag to the column.

20 After assigning policy tags to all sensitive columns, click Save to update the table schema with the policy tag assignments.

21 The data masking policies are now enforced at query time: users who hold the BigQuery Masked Reader role on the data policy (or at project level) see masked values, users who hold the Data Catalog Fine-Grained Reader role on the policy tag see raw values (this role takes precedence if a user holds both), and users with neither role receive an access denied error when they select the column. Existing queries do not need to change, but queries from users who previously had plain table access and now hold neither role will start to fail, so grant the roles in Step 4 before saving the schema on a production table.

Step 4: Grant Appropriate IAM Roles

22 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.

23 Click Grant access to add principals with appropriate roles.

24 For users who should receive masked data, grant the BigQuery Masked Reader role (roles/bigquerydatapolicy.maskedReader). This role is normally granted on the data policy itself through the Principal field in Step 2; granting it here at the project level applies it to every data policy in the project, which is simpler but coarser.

25 For users who need access to unmasked data, grant the Data Catalog Fine-Grained Reader role (roles/datacatalog.categoryFineGrainedReader) on the specific policy tags through the taxonomy interface rather than at the project level, so that raw access is limited to the tags those users actually need.

26 Click Save to apply the IAM role bindings.

27 Repeat steps no. 15 – 26 for other BigQuery tables that contain sensitive data requiring column-level data masking.

28 Repeat steps no. 2 – 27 for each project available within your Google Cloud account.
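To make the role precedence from step 21 and Step 4 concrete, here is an added Python dry run that is not part of the original page and not Google's implementation. It models the three outcomes BigQuery produces for a tagged column (raw value for Fine-Grained Reader on the policy tag, masked value for Masked Reader on the data policy or project, access denied for neither) and approximates the predefined masking expressions, so you can preview what each user group would see before rolling a policy out. The IAM policies, principal sets and sample values are constructed; the masking functions (including hex output for SHA256 and the email validity check) are approximations, and inherited bindings from parent policy tags are not modelled.

```python
"""Dry run of what a principal sees on a masked BigQuery column (added example)."""
import hashlib
import re
from datetime import date

FINE_GRAINED_READER = "roles/datacatalog.categoryFineGrainedReader"
MASKED_READER = "roles/bigquerydatapolicy.maskedReader"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed IAM policies: Fine-Grained Reader lives on the policy tag, Masked Reader on the data policy.
POLICY_TAG_IAM = {"bindings": [{"role": FINE_GRAINED_READER, "members": ["user:admin@example.com"]}]}
DATA_POLICY_IAM = {"bindings": [{"role": MASKED_READER,
                                 "members": ["group:analytics-team@example.com", "user:admin@example.com"]}]}
# Principal sets the way IAM evaluates them: the user identity plus every group it belongs to.
ANALYST = {"user:analyst@example.com", "group:analytics-team@example.com"}
ADMIN = {"user:admin@example.com"}             # holds both roles; Fine-Grained Reader wins
CONTRACTOR = {"user:contractor@example.com"}   # holds neither role
SAMPLE_DOB = date(2020, 10, 15)                # constructed DATE value for DATE_YEAR_MASK


def apply_masking(value, expression):
    """Local approximation of BigQuery's predefined masking expressions, not its implementation."""
    if value is None or expression == "ALWAYS_NULL":
        return None
    if expression == "DEFAULT_MASKING_VALUE":
        # Type-specific defaults: empty string, zero, false, 1970-01-01.
        return {bool: False, int: 0, float: 0.0, str: "", date: date(1970, 1, 1)}.get(type(value))
    if expression == "EMAIL_MASK":
        # Username replaced by XXXXX, domain kept; a value that is not a valid email passes through.
        return "XXXXX@" + value.split("@", 1)[1] if EMAIL_RE.match(value) else value
    if expression == "FIRST_FOUR_CHARACTERS":
        return value[:4] + "XXXXX"
    if expression == "LAST_FOUR_CHARACTERS":
        return "XXXXX" + value[-4:]
    if expression == "SHA256":
        return hashlib.sha256(value.encode()).hexdigest()  # hex here; BigQuery uses its own encoding
    if expression == "DATE_YEAR_MASK":
        return date(value.year, 1, 1)
    raise ValueError(f"unsupported masking expression {expression}")


def _holds(policy, role, principals):
    """True if any identity in principals is bound to role in this IAM policy."""
    return any(
        binding.get("role") == role and principals & set(binding.get("members", []))
        for binding in policy.get("bindings", [])
    )


def resolve_access(principals, policy_tag_iam, data_policy_iam, project_iam=None):
    """Return 'unmasked', 'masked' or 'denied' in BigQuery's order of precedence."""
    if _holds(policy_tag_iam, FINE_GRAINED_READER, principals):
        return "unmasked"
    if _holds(data_policy_iam, MASKED_READER, principals) or _holds(project_iam or {}, MASKED_READER, principals):
        return "masked"
    return "denied"


def query_column(value, expression, principals, policy_tag_iam, data_policy_iam, project_iam=None):
    """Simulate selecting a tagged column: raw value, masked value, or an access error."""
    access = resolve_access(principals, policy_tag_iam, data_policy_iam, project_iam)
    if access == "denied":
        raise PermissionError("Access Denied: column needs Fine-Grained Reader or Masked Reader")
    return value if access == "unmasked" else apply_masking(value, expression)


if __name__ == "__main__":
    for label, who in (("analyst", ANALYST), ("admin", ADMIN), ("contractor", CONTRACTOR)):
        try:
            print(label, query_column("alice@example.com", "EMAIL_MASK", who, POLICY_TAG_IAM, DATA_POLICY_IAM))
        except PermissionError as err:
            print(label, err)
```

Running it shows the analyst receiving XXXXX@example.com, the admin receiving the raw address despite also being a Masked Reader, and the contractor being refused; that last case is the one that surprises teams when a tag is added to a table that other users already query.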

Using GCP CLI

Step 1: Create a Policy Tag Taxonomy

01 Run curl command (Windows/macOS/Linux) to create a new policy tag taxonomy using the Data Catalog REST API. The activatedPolicyTypes value enables fine-grained access control on the taxonomy, which is what makes its policy tags and their masking policies enforceable (it corresponds to the Enforce access control toggle in the console); without it, the tags only label columns:

curl -X POST \
	-H "Authorization: Bearer $(gcloud auth print-access-token)" \
	-H "Content-Type: application/json" \
	-d '{
	"displayName": "Sensitive Data Classification",
	"description": "Policy tags for classifying and masking sensitive customer and financial data",
	"activatedPolicyTypes": ["FINE_GRAINED_ACCESS_CONTROL"]
	}' \
	"https://datacatalog.googleapis.com/v1/projects/cc-bigquery-project-112233/locations/us/taxonomies"

02 The command output should return the created taxonomy resource with its ID:

{
	"name": "projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890123456789",
	"displayName": "Sensitive Data Classification",
	"description": "Policy tags for classifying and masking sensitive customer and financial data",
	"activatedPolicyTypes": [
		"FINE_GRAINED_ACCESS_CONTROL"
	]
}

Note the taxonomy ID (e.g., `1234567890123456789`) from the `name` field for use in subsequent steps.

03 Run curl command (Windows/macOS/Linux) to create policy tags within the taxonomy using the Data Catalog REST API. Replace 1234567890123456789 with the taxonomy ID from step 2:

# Create PII - Email policy tag
curl -X POST \
	-H "Authorization: Bearer $(gcloud auth print-access-token)" \
	-H "Content-Type: application/json" \
	-d '{
	"displayName": "PII - Email",
	"description": "Personally Identifiable Information - Email addresses"
	}' \
	"https://datacatalog.googleapis.com/v1/projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890123456789/policyTags"

04 The command output should return the created policy tag resource:

{
	"name": "projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890123456789/policyTags/9876543210987654321",
	"displayName": "PII - Email",
	"description": "Personally Identifiable Information - Email addresses"
}

Note the policy tag ID (e.g., `9876543210987654321`) from the `name` field for use in data masking policy creation.

05 Repeat step no. 3 to create additional policy tags for other sensitive data types:

# Create PII - Phone Number policy tag
curl -X POST \
	-H "Authorization: Bearer $(gcloud auth print-access-token)" \
	-H "Content-Type: application/json" \
	-d '{
	"displayName": "PII - Phone Number",
	"description": "Personally Identifiable Information - Phone numbers"
	}' \
	"https://datacatalog.googleapis.com/v1/projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890123456789/policyTags"

# Create PII - Credit Card policy tag
curl -X POST \
	-H "Authorization: Bearer $(gcloud auth print-access-token)" \
	-H "Content-Type: application/json" \
	-d '{
	"displayName": "PII - Credit Card",
	"description": "Personally Identifiable Information - Credit card numbers"
	}' \
	"https://datacatalog.googleapis.com/v1/projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890123456789/policyTags"

Step 2: Create Data Masking Policies Using BigQuery Data Policy API

06 Data masking policies are created using the BigQuery Data Policy REST API. The data policy must be created in the same location as the taxonomy (us here), and the policyTag value is the full resource name of the policy tag created in step 4. Create a JSON file named masking-policy.json with the following content:

{
	"dataPolicyId": "email_masking_policy",
	"dataPolicyType": "DATA_MASKING_POLICY",
	"policyTag": "projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890123456789/policyTags/9876543210987654321",
	"dataMaskingPolicy": {
		"predefinedExpression": "EMAIL_MASK"
	}
}

07 Run curl command (Windows/macOS/Linux) to create the data masking policy using the BigQuery Data Policy REST API:

curl -X POST \
	-H "Authorization: Bearer $(gcloud auth print-access-token)" \
	-H "Content-Type: application/json" \
	-d @masking-policy.json \
	"https://bigquerydatapolicy.googleapis.com/v1/projects/cc-bigquery-project-112233/locations/us/dataPolicies"

08 The command output should return the created data policy resource information:

{
	"name": "projects/cc-bigquery-project-112233/locations/us/dataPolicies/email_masking_policy",
	"dataPolicyId": "email_masking_policy",
	"dataPolicyType": "DATA_MASKING_POLICY",
	"policyTag": "projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890123456789/policyTags/9876543210987654321",
	"dataMaskingPolicy": {
		"predefinedExpression": "EMAIL_MASK"
	}
}

09 Repeat steps no. 6 – 8 to create additional data masking policies for other policy tags, using the predefined expression that fits each data type: SHA256, ALWAYS_NULL, DEFAULT_MASKING_VALUE, FIRST_FOUR_CHARACTERS, LAST_FOUR_CHARACTERS, EMAIL_MASK, or DATE_YEAR_MASK (a custom masking routine can be referenced through the routine field of dataMaskingPolicy instead of predefinedExpression). A data policy has no effect until principals are granted the BigQuery Masked Reader role on it or at project level (Step 4).

Step 3: Apply Policy Tags to Table Columns

10 Run bq show command (Windows/macOS/Linux) with the --schema flag to export the current table schema to a JSON file:

bq show
	--schema
	--format=prettyjson
	cc-bigquery-project-112233:cc_customer_data.customers > schema.json

11 Edit the schema.json file to add policyTags fields to sensitive columns. For example, modify the email column definition:

{
	"name": "email",
	"type": "STRING",
	"mode": "NULLABLE",
	"policyTags": {
	"names": [
		"projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890123456789/policyTags/9876543210987654321"
	]
}
}

12 Run bq update command (Windows/macOS/Linux) to update the table schema with the policy tag assignments:

bq update
cc-bigquery-project-112233:cc_customer_data.customers
schema.json

13 The command output should confirm the schema update:

Table 'cc-bigquery-project-112233:cc_customer_data.customers' successfully updated.

Step 4: Grant IAM Roles for Data Masking

14 Run projects add-iam-policy-binding command (Windows/macOS/Linux) to grant the BigQuery Masked Reader role at the project level to users who should receive masked data. This binding applies to every data policy in the project. To scope the grant to a single data policy instead, call the Data Policy API's setIamPolicy method on that data policy (POST https://bigquerydatapolicy.googleapis.com/v1/projects/cc-bigquery-project-112233/locations/us/dataPolicies/email_masking_policy:setIamPolicy) with a policy that binds roles/bigquerydatapolicy.maskedReader, since gcloud has no command for data policy IAM. The Masked Reader role is not valid on policy tags:

gcloud projects add-iam-policy-binding cc-bigquery-project-112233
	--member="user:analyst@example.com"
	--role="roles/bigquerydatapolicy.maskedReader"

15 The command output should confirm the IAM policy binding:

Updated IAM policy for project [cc-bigquery-project-112233].
	bindings:
	- members:
		- user:analyst@example.com
		role: roles/bigquerydatapolicy.maskedReader

16 For users who need access to unmasked data, grant the Data Catalog Fine-Grained Reader role on the policy tag. First create a file named policy.yaml with the following content. Because set-iam-policy replaces the tag's entire IAM policy, start from the output of get-iam-policy if the tag already has bindings you want to keep; to append a single binding without replacing the policy, use the data-catalog taxonomies policy-tags add-iam-policy-binding command with --member and --role instead:

bindings:
- members:
	- user:admin@example.com
	role: roles/datacatalog.categoryFineGrainedReader

Then run data-catalog taxonomies policy-tags set-iam-policy command (Windows/macOS/Linux) to apply it:

gcloud data-catalog taxonomies policy-tags set-iam-policy 9876543210987654321
	policy.yaml
	--taxonomy=1234567890123456789
	--location=us
	--project=cc-bigquery-project-112233

17 The command output should confirm the IAM policy binding (the member shown must match the one in policy.yaml):

Updated IAM policy for policy tag [projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890123456789/policyTags/9876543210987654321].
bindings:
- members:
	- user:admin@example.com
	role: roles/datacatalog.categoryFineGrainedReader

18 Repeat steps no. 10 – 17 to apply policy tags and configure data masking for other BigQuery tables that contain sensitive data.

19 Repeat steps no. 1 – 18 for each project available within your Google Cloud account.
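As an added example that is not part of the original page, the following Python script automates steps 10 to 12 and the data-policy-level grant that gcloud cannot perform. It sets policyTags on the columns named in a mapping (nested RECORD fields via dotted paths) in the array exported by bq show --schema, refuses to silently skip a misspelled column or overwrite a different existing tag, and builds the request body for dataPolicies.setIamPolicy from a getIamPolicy response so that existing bindings and the etag survive. The schema, the policy tag ID for the phone column and the etag are constructed; the other IDs are the ones used in the steps above.

```python
"""Tag sensitive columns in a bq schema export and grant Masked Reader per data policy (added example)."""
import copy
import json

MASKED_READER = "roles/bigquerydatapolicy.maskedReader"
TAXONOMY = "projects/cc-bigquery-project-112233/locations/us/taxonomies/1234567890123456789"
# Dotted column path -> policy tag resource name. The email tag ID comes from the steps above;
# the phone tag ID is hypothetical.
COLUMN_TAGS = {
    "email": TAXONOMY + "/policyTags/9876543210987654321",
    "contact.home_phone": TAXONOMY + "/policyTags/1111111111111111111",
}

# Constructed stand-in for the schema.json written by `bq show --schema --format=prettyjson`.
SAMPLE_SCHEMA = json.loads("""[
  {"name": "customer_id", "type": "STRING", "mode": "REQUIRED"},
  {"name": "email", "type": "STRING", "mode": "NULLABLE"},
  {"name": "contact", "type": "RECORD", "mode": "NULLABLE",
   "fields": [{"name": "home_phone", "type": "STRING", "mode": "NULLABLE"}]}
]""")


def _find_field(fields, parts, full_path):
    """Locate a (possibly nested) column by its dotted path; KeyError if it does not exist."""
    for field in fields:
        if field["name"] == parts[0]:
            if len(parts) == 1:
                return field
            return _find_field(field.get("fields", []), parts[1:], full_path)
    raise KeyError(f"column {full_path} not found in schema")


def tag_columns(schema, column_tags):
    """Return a copy of the schema array with policyTags set on each mapped column.

    A missing column raises instead of being skipped, so a typo cannot leave a
    sensitive column untagged; a column already carrying a different tag raises
    because BigQuery allows at most one policy tag per column.
    """
    patched = copy.deepcopy(schema)
    for path, tag in column_tags.items():
        field = _find_field(patched, path.split("."), path)
        current = field.get("policyTags", {}).get("names", [])
        if current and current != [tag]:
            raise ValueError(f"{path} already tagged with {current[0]}")
        field["policyTags"] = {"names": [tag]}
    return patched


def grant_masked_reader(current_policy, members):
    """Build the dataPolicies.setIamPolicy body that adds Masked Reader members.

    setIamPolicy replaces the entire policy, so start from the getIamPolicy
    response to keep existing bindings and its etag (which rejects lost updates).
    """
    policy = copy.deepcopy(current_policy)
    bindings = policy.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == MASKED_READER:
            binding["members"] = sorted(set(binding.get("members", [])) | set(members))
            break
    else:
        bindings.append({"role": MASKED_READER, "members": sorted(members)})
    return {"policy": policy}


if __name__ == "__main__":
    # Write the tagged schema for: bq update cc-bigquery-project-112233:cc_customer_data.customers schema.json
    with open("schema.json", "w") as fh:
        json.dump(tag_columns(SAMPLE_SCHEMA, COLUMN_TAGS), fh, indent=2)
    # Body for POST .../dataPolicies/email_masking_policy:setIamPolicy; the etag is a constructed placeholder.
    current = {"etag": "BwXexample", "bindings": []}
    print(json.dumps(grant_masked_reader(current, ["group:analytics-team@example.com"]), indent=2))
```

Run it from the directory where you exported the schema, then apply schema.json with bq update as in step 12 and send the printed body to the data policy's setIamPolicy method with curl as in step 7.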


Publication date Jan 14, 2026