Data masking protects sensitive data of any kind by replacing it with special characters or fictitious, useless data. It is a common measure when working with credit card numbers: most receipts show only the last four digits of the card and replace the other digits with asterisks (*) or Xs.
As its name suggests, the DataSunrise Data Masking tool masks the data a database contains. This article highlights some points related to data masking.
Why do we need data masking?
The main reason to apply data masking is to protect personally identifiable data or commercially sensitive data. Companies storing critical data bear responsibility for the privacy and confidentiality of their clients’ data. Federal laws and regulations such as SOX, HIPAA, GLBA and PCI DSS place exacting demands on organizations to keep the data secure. Data masking is one of the ways to comply with those requirements, especially when you work with third-party employees who need to access your database for reporting, testing or development purposes.
In most cases, software developers don’t need the actual data from the database; a “dummy” database with consistent fictitious data is enough. Masking is also helpful when you need to mask only certain columns of the database. Sophisticated masking algorithms make it impossible for a user to retrieve the original data by means of reverse-engineering.
Compared to encryption, masked data remains partially readable. With the help of masking patterns, you choose which part of the content has to be masked.
Static and Dynamic data masking
The two most popular types of data masking are static (or persistent) masking and dynamic masking. Let’s analyze the differences between them.
|Static Masking|Dynamic Masking|
|---|---|
|The full copy of the database with masked information.|The data is masked on-the-fly at the moment of request. The data masking software intercepts the client query and changes the database response.|
|Requires additional space for the copy of the database.|Doesn’t require any additional server resources.|
|Database can be out-of-date if the original data is edited. May be required to be updated periodically.|The database is always up-to-date.|
|It is completely impossible to retrieve the original data, as the database content is changed, not just masked. But before masking the real data must be extracted from the database, which poses an exposure threat.|No need to extract the whole database. The original content is changed before leaving the database.|
Not so shiny
Dynamic data masking has its shortcomings. Stored procedures can’t be dynamically masked because their execution algorithms are stored within the database, and client applications just request execution according to an already existing plan. Masking stored procedures therefore requires rewriting the query results rather than the query itself, and the query itself is what DataSunrise currently rewrites.
Dynamic Data Masking with DataSunrise
As you can see, the dynamic data masking method is much more versatile, and that's why we use it in our product. The DataSunrise suite works as a proxy: it intercepts SQL queries to the protected database and modifies them in such a way that the database outputs not actual, but random or predefined data.
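The query-rewriting idea described above, as an added example (not DataSunrise code): a toy Python proxy step that rewrites a single-table SELECT against SQLite so that masked values are computed inside the database. The `MASKS` policy, the table and the column names are assumptions made for illustration.

```python
import re
import sqlite3

# Hypothetical masking policy: column name -> SQL expression returned instead.
MASKS = {
    "card": "'XXXX-XXXX-XXXX-' || substr(card, -4)",
    "email": "substr(email, 1, 1) || '***' || substr(email, instr(email, '@'))",
}

SELECT_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(.*)$", re.I | re.S)


def rewrite(conn, sql):
    """Rewrite a simple single-table SELECT so real values never leave the DB."""
    m = SELECT_RE.match(sql)
    if not m:
        raise ValueError("statement not covered by this toy rewriter")
    cols, table, rest = m.groups()
    if cols.strip() == "*":
        # Expand * so protected columns cannot pass through unnamed.
        names = [r[1] for r in conn.execute(f"PRAGMA table_info({table})")]
    else:
        names = [c.strip() for c in cols.split(",")]
    out = [f"{MASKS[n.lower()]} AS {n}" if n.lower() in MASKS else n
           for n in names]
    return f"SELECT {', '.join(out)} FROM {table}{rest}"


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, name TEXT, card TEXT, email TEXT)")
    # Constructed sample row (test card number, example.com address).
    conn.execute("INSERT INTO customers VALUES "
                 "(1, 'Alice', '4111-1111-1111-1111', 'alice@example.com')")
    client_sql = "SELECT * FROM customers WHERE id = 1"  # what the client sent
    return conn.execute(rewrite(conn, client_sql)).fetchall()
```

The rewriter covers only plain single-table SELECTs; a real proxy needs a full SQL parser to handle aliases, joins and subqueries.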
Before you use DataSunrise Data Masking you need to determine which database entries need protection and where they are located. Note that DataSunrise can mask a complete database as well as data in separate columns only. DataSunrise logs all the actions, so you can check what is happening anytime.
Using the DataSunrise data masking tool is very easy. All you need to do is open the DataSunrise dashboard and create some masking policies.
Here you need to enter the information required to create a data masking rule. You can define the application whose requests will be processed by the firewall. Then you need to define the SQL statements to be filtered and select the masking type to be applied, that is, the method used to generate fake entries.
Then you should select the database elements (schemas, tables or columns) to be protected. This can be done manually via the handy database elements explorer or by using regular expressions. And that's all. Quite simple.
DataSunrise static data masking
DataSunrise also has static data masking capability. As previously mentioned, static data masking enables you to create a fully functional copy of a production database but with masked data inside. You can use such a copy for testing or development purposes.
First, to employ static data masking you need to create an empty copy of the target database. Then open the DataSunrise web UI, Static masking subsection. Here you need to specify which database should be used as the source of data and which one is the target (the “dummy”).
[Figure: Selecting columns to be masked and masking types]
Having done that, specify a table which should be transferred to the new database, and the masking algorithms to apply (“Card” and “Email” columns here). Then you can start the masking process.
And here’s the result. To the left is the source, unmasked, table, and to the right is the static table with obfuscation applied.
Note: of course, in reality you'd want to use more obfuscation, but it is a simple example just to get the idea.
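An added sketch of the static masking flow just described, not DataSunrise's implementation: it copies a table into an empty target database while masking the Card and Email columns. The HMAC-based email pseudonym, the `MASK_KEY` value and the SQLite schema are assumptions; the keyed hash keeps masked values consistent, so equal source emails stay equal in the copy.

```python
import hashlib
import hmac
import sqlite3

MASK_KEY = b"example-masking-key"  # assumption: secret kept outside the target DB
SCHEMA = "CREATE TABLE customers (id INTEGER, name TEXT, card TEXT, email TEXT)"


def mask_card(card):
    """Keep the last four digits; replace every other digit with X."""
    remaining = sum(ch.isdigit() for ch in card)
    out = []
    for ch in card:
        if ch.isdigit():
            out.append(ch if remaining <= 4 else "X")
            remaining -= 1
        else:
            out.append(ch)  # separators keep the value's format intact
    return "".join(out)


def mask_email(email):
    """Deterministic pseudonym: equal inputs map to equal outputs."""
    tag = hmac.new(MASK_KEY, email.lower().encode(), hashlib.sha256).hexdigest()
    return f"user_{tag[:10]}@masked.invalid"


def static_mask(source, target):
    """Copy customers into the empty target, masking card and email."""
    target.execute(SCHEMA)
    rows = source.execute("SELECT id, name, card, email FROM customers")
    target.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        ((i, n, mask_card(c), mask_email(e)) for i, n, c, e in rows),
    )
    target.commit()


def demo():
    source, target = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    source.execute(SCHEMA)
    source.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", [
        # Constructed sample rows (test card numbers, example.com addresses).
        (1, "Alice", "4111-1111-1111-1111", "alice@example.com"),
        (2, "Bob", "5500 0000 0000 0004", "Alice@example.com"),
    ])
    static_mask(source, target)
    return target.execute("SELECT * FROM customers ORDER BY id").fetchall()
```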
Conclusion
DataSunrise data masking provides you with another reliable tool for info protection. Along with DataSunrise Database firewall and SQL injection prevention capability, it can become an additional line of defense against digital threats.
DataSunrise supports all major databases and data warehouses such as Oracle, Exadata, IBM DB2, IBM Netezza, MySQL, MariaDB, Greenplum, Amazon Aurora, Amazon Redshift, Microsoft SQL Server, Azure SQL, Teradata and more. You are welcome to download a free trial if you would like to install it on your premises. If you are a cloud user and run your database on Amazon AWS or Microsoft Azure, you can get it from the AWS marketplace or the Azure marketplace. For more information about DataSunrise Database Security capabilities, please refer to the DataSunrise user guide or email us at email@example.com