In-place Data Masking
One of the ways to protect sensitive data inside databases is data masking. In this article we are going to learn more about in-place data masking and steps to mask your data in place using DataSunrise Database Security.
Static Masking and In-place Masking
In-place Masking bears a resemblance to static masking as masked data is masked persistently, and this process cannot be reversed.
The difference between in-place masking and static masking is that in static masking we have 2 databases:
- source database containing original data
- target database with masked data
In the case of in-place masking, we have just one database which is source and target at the same time.
Masking in place is best used as part of a hybrid database protection approach where different databases are protected using different types of masking:
- static masking
- in-place masking
- dynamic masking
All these masking types are available in DataSunrise Database Protection Suite to ensure that your databases are protected at all times.
In-place Masking in Practice
Sometimes static masking is not a good option:
- it gives additional load on the production database.
- it requires aссess to the production environment from the test environment. In some system architectures it’s physically impossible.
In this case data can be replicated to test enviroment using backups of production database. Backups of any production database are made regularly. So, we only need:
- to restore the database in the test environment
- to mask data in our test environment, where original sensitive data is lost as it is replaced with masked data
This method of masking is called “in-place masking” because data is masked where it resides. Use this method in nonproduction databases only.
DataSunrise tries to preserve (rebuilt after masking) all unique constraints, foreign keys, indexes, check constraints and default constraints in a database. However, it’s not always possible. Auto Increment counters are also preserved (except for Redshift databases).
In-place table filtering works the same as in static masking, that is data not meeting the filtering conditions is permanently deleted.
Steps of In-place Masking From DataSunrise
1) If you want to mask data in place choose Masking → Static masking in the left pane of the DataSunrise UI. Then click Add Task. All previous in-place masking tasks will be saved here for your reference.
2) After that choose the source instance. In the target instance field choose Mask in Place. Please don’t forget to backup your data, because as a result of in-place masking original data is permanently replaced with masked data. After that choose a database you want masked in place and a schema. In the picture below this database is called “sales_summer” and the schema is “public”. In the Transferred Tables section below some checkboxes are checked automatically to ensure better masking.
Here is what these checkboxes do:
- Create Unique Constraints, Create Foreign Keys, Create Indexes, Create Check Constraints, Create Default Constraints mean that these elements are to be rebuilt in the masked schema, if it is possible.
- Use Parallel Load – increases masking speed for big tables.
- Apply Related Tables Filters – the filter will be applied not only to a specified table, but also to the tables related to this table via foreign keys.
- Automatically resolve relationship types between related tables if there are Undefined ones – it means that related tables will not be discovered only by the Table Relations tool (Configuration → Table relations in the DataSunrise UI) but also based on an algorithm using indirect table relations.
3) Scroll down and click Select under the Transferred Tables section.
4) Now let us select the whole schema where we want several tables selected (for us it’s the “public” schema) and click Done.
5) Now we can expand the selected “public” schema and select columns for masking.
6) For each of the columns you can set a masking method by clicking the Set Masking Method button. Let’s mask columns FirstName and LastName using a fixed string.
In the picture below you can see how our data looks now in our PostgreSQL table. As you can see, columns FirstName and LastName are masked in place now.
In-place masking from DataSunrise a very convenient tool to keep your sensitive data masked and under control at all times.