Dynamic Data Masking Guide
The main goal of Dynamic Data Masking from DataSunrise is to prevent accidental and deliberate data exposure. It achieves this by replacing the original, real data with fake data.
This database protection tool is very convenient when a company needs to give third-party developers access to its database(s) containing sensitive information for testing and further development. As a result, third-party developers can work with real production data without having full access to it. Also, a company very often needs to restrict its own employees' access to some data. DataSunrise can mask sensitive data both dynamically and statically.
Pros and Cons
Dynamic data masking has the following advantages:
- Provides an extra layer of database security for protection of sensitive data.
- Data can be protected in read-only scenarios.
- Dynamic data masking works in near real-time.
- Dynamic data masking, unlike static data masking, does not require preliminary masking of data and is operational immediately after set-up.
and disadvantages:
- Dynamic data masking is not suitable for use in read/write environments because masked data could be written back to the database, thus corrupting the data.
- Increased performance load, because all traffic going to the database has to be inspected.
- When configuring dynamic data masking rules, it is necessary to do a detailed mapping of applications, users, and database objects. It is also important to manage access rights. Setting up and maintaining such a configuration may be time- and resource-consuming.
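The write-back problem named in the first disadvantage above, as an added example that is not DataSunrise code. It simulates masking with a stand-in function and an in-memory SQLite table; the table, column, and function names are assumptions made for illustration.

```python
import sqlite3

def mask_card(value):
    """Stand-in masking method (assumption): keep only the last four digits."""
    return "X" * (len(value) - 4) + value[-4:]

def masked_select(conn, customer_id):
    """Simulates a masking layer: the client receives the masked card value."""
    row = conn.execute(
        "SELECT id, email, card FROM customers WHERE id = ?", (customer_id,)
    ).fetchone()
    return {"id": row[0], "email": row[1], "card": mask_card(row[2])}

def save_record(conn, record, reject_masked=False):
    """ORM-style save that writes every column back, changed or not."""
    if reject_masked and "X" in record["card"]:
        raise ValueError("refusing to write a masked value back")
    conn.execute(
        "UPDATE customers SET email = ?, card = ? WHERE id = ?",
        (record["email"], record["card"], record["id"]),
    )

def stored_card(conn, customer_id):
    return conn.execute("SELECT card FROM customers WHERE id = ?", (customer_id,)).fetchone()[0]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card TEXT)")
    # Constructed sample row (well-known test card number, not real data).
    conn.execute("INSERT INTO customers VALUES (1, 'a@example.com', '4111111111111111')")
    record = masked_select(conn, 1)
    record["email"] = "b@example.com"  # the user edits only the e-mail address
    try:
        save_record(conn, record, reject_masked=True)  # guarded write
        guarded = "written"
    except ValueError:
        guarded = "rejected"
    after_guard = stored_card(conn, 1)  # original value still intact
    save_record(conn, record)           # unguarded write-back of the masked row
    after_write = stored_card(conn, 1)  # stored value is now the mask itself
    return guarded, after_guard, after_write

if __name__ == "__main__":
    print(demo())
```

The guard shown is a simple heuristic on the mask character; the point is that a client which only ever sees masked values cannot safely perform full-row updates.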
Configuring a Dynamic Data Masking Rule
With DataSunrise, dynamic data masking is a matter of a few clicks. Here is how you can mask your sensitive data dynamically using a set of highly customizable rules:
- Click Masking → Dynamic Masking Rules → Add Rule.
- In the Main Section subsection you need to give a name to your dynamic masking rule. This name can be anything. After that you need to specify the database type and the instance. In the Comment field you can add any comment.
- By default, the Audit action is selected. This means that DataSunrise will audit all user queries when the rule is triggered. Otherwise, check the Skip checkbox. To log database responses (the output), the Log Data checkbox must be checked. Database administrators can also set up a schedule to activate and deactivate the rule. If no schedule is set up, the dynamic masking rule will be active all the time.
If you leave the Filter Sessions subsection at its defaults, any query to the database, regardless of its source IP address, will trigger the rule. Alternatively, you can add a condition and specify for which user (or group of users) and in which database the data will be masked dynamically.
In Masking Settings select the columns to mask by clicking the Select button. Navigate to the columns, check the required ones and click Done.
After that select a masking method or call a specialized function by clicking Select and navigating to it. The columns added for masking are displayed in the left part of the Masking Settings subsection. Click Save Rule to activate the newly created dynamic masking rule.
If the data in the selected columns is not structured you can select the unstructured masking method from the drop-down list. After that click Save Rule to activate the rule.
Unstructured masking means, as the name suggests, that DataSunrise can mask any unstructured data that it encounters in the specified columns. This unstructured data may come in any form or format, for example, a Word document. In any case, this unstructured data will be masked by the DataSunrise Data Masking tool.
That’s it. From now on, all your sensitive data, including unstructured data, is masked dynamically for viewing or retrieving, either for a specific user or for a group of users!
With DataSunrise, Dynamic Data Masking is just a matter of a few clicks!