How dynamic masking works

First, before dwelling on Dynamic masking, let’s take a look at masking in general.

Data masking enables you to obfuscate or replace actual database contents with some neutral data. Data Masking serves two purposes:

– It decreases a possibility of accidental data leak to unauthorized persons.

– It enables you to create a “dummy” database for testing or development purposes that you can give to some persons (testers or developers for example) that are not authorized to view actual sensitive data but should have a database that works and looks like the production one to do their job.

Servers. Image credit: ColossusCloud via Pixabay, CC0 Public DomainServers. Image credit: ColossusCloud via Pixabay, CC0 Public Domain

Servers. Image credit: ColossusCloud via Pixabay, CC0 Public Domain

To complete these tasks, two masking technologies are used: static data masking and dynamic data masking.

Static data masking is about permanently replacing sensitive data with neutral data. Static data masking solution takes a database table with sensitive data and creates a copy of this table in this database or in another database but with neutral values replacing the sensitive data.

In dynamic masking the solution obfuscates the sensitive data in the database output not changing the underlying database contents.

Now it’s time to get a closer look at dynamic masking.

As it was being said, dynamic masking obfuscates not the actual data in the database but changes database response.

A masking solution intercepts a query directed to the database, applies security rules to it and modifies the query in such a way that the database fetches fake contents instead of the real data. Thus the sensitive data doesn’t leave the database and you can work with the production database without exposing the sensitive contents.

Despite it looks like very advanced, dynamic masking technology has some drawbacks.

First, database response time is somewhat decreased because the masking solution (it acts as a proxy) should intercept the incoming query and modify it before redirecting to the database. The decrease could be notable if a big number of queries are processed simultaneously.

Moreover, dynamic masking is a bad choice for creating a testing or development environment because developers deal with a production database and a possibility of accidental data leak still exists.

Now let’s take a look at DataSunrise. DataSunrise features both dynamic and static data masking. Let’s dwell on dynamic, since this article is dedicated to this type of masking.

For dynamic masking, DataSunrise is deployed as a proxy between the database server and the client application. DataSunrise’s Dynamic masking is controlled with masking policies (“rules”) that you should configure before obfuscating something. Then DataSunrise intercepts a client query which matches rules’ conditions, modifies it according to existing masking policies and redirects to the database. Having received the modified query, the database modifies its response and fetches fake data instead of the actual one.

Thus users not authorized for viewing the actual contents (sensitive data) get obfuscated data. DataSunrise includes a number of masking algorithms including dedicated masking methods for emails and credit card numbers. DataSunrise also supports user-defined custom functions for masking, so you can create your own custom algorithms if needed.


Comment this news or article