Dynamic Data Masking
Introduction
Dynamic Data Masking, or DDM, is a technique used primarily for protecting data from unauthorized access, but also for software testing and training. The main goal of data masking in general is to generate data functionally and structurally similar to the real one, while not revealing the latter. Since the majority of organizations have strict regulations regarding the exposure of sensitive information, dynamic data masking implementation is essential for safeguarding business.
In this article we will delve into the ins and outs of DDM, how it differs from SDM and what DataSunrise has to offer regarding the subject.
Differences between Dynamic and Static Data Masking
Both techniques serve for the same purpose of masking sensitive data but are different in the approach. Static data masking is used to create a separate, masked copy of the source with sensitive data replaced with realistic but fictitious information. This approach is safer, because no trace of the original data is being left in the masked copy. It is extremely useful for situations when an access to a database needs to be granted to external parties for research and analyzing purposes.
Dynamic masking, on the other hand, masks the data in real-time as it gets queried from a database and doesn’t store the masked data anywhere. It is a more light-weight approach to data masking as it doesn’t require making a copy of a whole database, but only single query results. It also can be integrated with RBAC, securing production databases even further within organization.
Built-in Dynamic Data Masking Methods
The majority of DMBS offers means for masking data, some simpler than others, some more complicated. For example, PostgreSQL is rich on plugins due to its open source nature. One such plugin is pg_maskdata. Similarly, a commercial DBMS, such as OracleDB, has an integrated Data Redaction feature specifically for masking.
Even if a DBMS doesn’t have a specific masking tool, SQL itself possesses triggers, by using which a user is able to write their own masking tools, even though this may be tedious and often times even environment dependent.
DataSunrise, a database security solution, on the other hand, works as a proxy for every database at the same time, therefore every masking rule is universal for all supported DBMS. It greatly simplifies the process of dynamic masking for the end user.
How DataSunrise Implements Dynamic Data Masking
DataSunrise, a database security solution, provides users with many tools for securing their data for a very wide variety of DBSM, including SQL Server, Oracle, PostgreSQL, NoSQL’s MongoDB, and even cloud based DBs such as Amazon Redshift . Using the intuitive interface of DataSunrise, one can easily implement DDM into their projects without a single modification to the source database. DataSunrise operates exclusively as a proxy, therefore no changes needed, only access to the DB and proper configuration of DS server. A user is able to configure DDM by specifying masking rules.
Every masking rule consists of three major sections: Action Settings, Filter Sessions and Masking Settings.
Action Settings
This section contains all adjacent settings, such as whether to log the masking event, whether to notify about it and who to notify, to block updates of rows containing masked data and so on.
Filter Settings
This section truly lets users configure a powerful RBAC for their databases. It allows to configure access based off of:
- Application used to access the DB
- Applicaiton user or user group
- DB user or user group
- OS user or user group
- Host
- Network interface
- Which proxy was attempted for querying
The filter may include multiple of these conditions to be met. This allows for a very versatile access management.
Masking Settings
This is where actual masking is configured. This section allows to choose which schemas, tables, rows or columns to mask and the method of masking. There is a variety of default masking methods for every data type, but user also can write their own methods using different means, for example, Lua scripts.
Dynamic Masking Events
Whenever a rule with the “Log event in storage” option on is triggered, the result can be reviewed in the “Dynamic Masking Events section”. It is easy to track users’ actions in a database, giving administrators more security options.
Real Experience of Using DataSunrise for Masking
Let’s say we have a PostgreSQL database with “users” table containing users’ name, credit card number and email address. Credit card number would be considered sensitive information, therefore a masking must be performed. Right now when querying the data it looks like this:
For integrating DataSunrise with the database all we need to do is connect it as a proxy to DS. After that we create a masking rule for card number column specifically:
After applying the rule and making select request to the now proxy we get this:
The credit card number is masked properly. Since the logging option on the rule is on, we can review the logs in the DS interface.
Benefits of DDM with DataSunrise
By leveraging dynamic data masking with DataSunrise, organizations can:
- Protect Sensitive Data: Safeguard PII, financial information, and other sensitive data from unauthorized access, reducing the risk of data breaches.
- Comply with Regulations: Meet data privacy regulations, such as GDPR, HIPAA, CCPA and PCI DSS, by masking sensitive data and controlling access to it. Thanks to Data Compliance feature, AI tools help DataSunrise discover sensitive data with accordance to these regulations automatically.
- Maintain Data Utility with RBAC: Allow authorized users to work with original, unmasked data while protecting sensitive information from unauthorized access, preserving data utility for legitimate purposes.
- Simplify Implementation: Implement dynamic data masking quickly and easily with DataSunrise’s intuitive interface and pre-built masking functions, without the need for extensive coding or database modifications.
Conclusion
Dynamic data masking is a crucial tool for organizations seeking to protect sensitive data from unauthorized access. DataSunrise helps companies protect sensitive information and comply with data protection regulations by using dynamic data masking for security and privacy. DataSunrise is a great option for organizations wanting to improve their database security. Conact our team of experts to schedule a demo and discover the possibilities it provides now.
