DataSunrise is sponsoring AWS re:Invent 2024 in Las Vegas, please visit us in DataSunrise's booth #2158

This website stores cookies to collect information about how you interact with our website. To find out more visit our Privacy Policy.

Activity Monitoring
Database Firewall
Data Masking
Performance Monitoring
Sensitive Data Discovery
Supported Databases

DataSunrise Masking for Oracle

DataSunrise Masking for Oracle is aimed to protect sensitive data in transit from inside and outside user threats. The feature obfuscates original data and provides users with random characters instead of real database records. This way unauthorized users can still work with the production database but never gain access to original sensitive information.

Oracle data masking tools by DataSunrise efficiently prevent sensitive information exposure when granting database access to third-party organizations. There are many occasions when organizations need to share data from their production databases with third-party employees. Here are some examples:

  • A certain organization hires outsourced IT specialists to customize its business system or perform database testing, upgrade etc.
  • Healthcare company provides medical researchers with information on clinical trials.
  • Retail company shares sales information with market researchers.

The point is that in most cases third-party specialists don’t need real data the database contains. An environment mimicking a real production database is enough. The best way to protect sensitive data while transferring it to a third party is to replace it with some neutral data. And the most efficient way to do this is masking.

The important point is that masked data should be consistent enough to support proper functioning of the third party’s application. In simple words, the main purpose of masking is to make sensitive data useless for bad guys while keeping it useful for the ones that should receive it.

Sometimes in such situations, static masking is used. It allows you to provide the third party with a stand-alone copy of a real database containing some neutral data instead of sensitive data. While this method is reliable, it could be pricey and time-consuming.

That’s why in most cases dynamic data masking is preferable. Unlike static data masking, dynamic data masking is about obfuscating sensitive data on-the-fly, while transferring it to outsource parties. In this case, actual database contents remain intact and only database output is obfuscated.

How Oracle data masking is performed

DataSunrise dynamic masking tool functions as a proxy between clients (those third-party specialists) and your Oracle database. Clients contact the production database through DataSunrise proxy only (any direct access to the database is disabled).

Oracle data masking tool intercepts client query, changes it according to existing security policies and redirects modified (“masked”) query to the database. Having received a “masked” query, the database outputs fake (obfuscated) data instead of real values originally requested by the client. Since no real data leaves the database, this method of data obfuscation is very reliable.

And this is how it looks like

Oracle data masking

For example, here we have an Oracle table which resembles a list of customers including addresses, emails and credit card numbers. Before exporting this list to a third-party system, we need to obfuscate customers’ personal data.

To do this, some masking rules were created. Along with general-purpose masking patterns, DataSunrise provides obfuscation algorithms for emails and credit card numbers. So, we’ve created some masking rules to obfuscate data in columns that contain customers’ credit card numbers and email addresses. Let’s assume that leaving other columns unmasked is acceptable.

Oracle data masking

And here how the table looks like after the masking is applied. As you can see, data in specified columns was obfuscated and thus, it became useless for potential wrong-doer.

Oracle data masking internals

Now let’s see how masking looks like in SQL.

Here’s the original client query:

/* + NO_PARALLEL */
SELECT ROWID "ROWID",
             ORA_ROWSCN "ORA_ROWSCN",
             ORDERNUMBER ORDERNUMBER,
             FIRSTNAME FIRSTNAME,
             LASTNAME LASTNAME,
             ADDRESS ADDRESS,
             ZIP ZIP,
             EMAIL EMAIL,
             CARD CARD
FROM "SALES"."CUSTOMERS"

And SQL query the database gets after masking is applied:

/* + NO_PARALLEL */
SELECT ROWID "ROWID",
             ORA_ROWSCN "ORA_ROWSCN",
             ORDERNUMBER ORDERNUMBER,
             FIRSTNAME FIRSTNAME,
             LASTNAME LASTNAME,
             ADDRESS ADDRESS,
             ZIP ZIP,
             CAST(regexp_replace(SUBSTR("EMAIL", 0, REGEXP_INSTR("EMAIL", 
                  '.[[:alnum:]]+($| )')), '[[:alnum:]]', '*') || 
                  SUBSTR("EMAIL", REGEXP_INSTR("EMAIL", 
                  '.[[:alnum:]]+($| )') + 1) AS VARCHAR2(50)) EMAIL,
                  CAST(TRANSLATE(SUBSTR("CARD", 0, LENGTH(TRIM("CARD")) - 4), 
                  '0123456789', 'XXXXXXXXXX') || 
                  SUBSTR("CARD", LENGTH(TRIM("CARD")) - 3) AS VARCHAR2(20)) 
CARD FROM "SALES"."CUSTOMERS"

1. Select Product Type

2. Select Supported Databases

View Tech Info

Read More on the Topic

Dynamic Data Masking Solution

Dynamic Data Masking Solution

Learn More
Reasons why Database Firewall is so Needed

Reasons why Database Firewall is so Needed

Learn More
Simple Data Masking with DataSunrise

Simple Data Masking with DataSunrise

Learn More
Read more articles

Want to Know More?

Our experts will be glad to answer your questions.

Contact Us