Dynamic Data Masking refers to masking of data where the decision on whether to mask the data in question is determined at the time of the data access request and is based on attribute values of the user requesting access, the data itself, and the environment or context in which the request is being made.  Other terms that are often used to refer to data masking include anonymization, obfuscation, and tokenization, although these terms are sometimes defined slightly differently depending on context.

How Does Dynamic Data Masking Work?

Dynamic data masking works by defining policies based on attributes of the user requesting access to the data, the data itself, and the context or environment of the request.  Those policies are then evaluated at the time of the data request and a decision is made whether to allow access.  Once the policy has been evaluated the decision is enforced where the data is being accessed so that any data that should be masked is masked.

What are the Techniques for Data Masking?

There are several different ways that data can be masked.

  • Nulling Out – Replacing the original data with placeholders, such as zeros or asterisks. This process is not reversible.
  • Encryption – Encrypting the data so that the original can only be recovered with a key, such as a password or other token. The key must be protected to make sure it is not compromised.
  • Substitution – Substituting the original value(s) with a replacement value.  This can be reversed if a lookup table is maintained, however then the lookup table must be protected.

When Should You Use Data Masking?

Data masking should be used whenever users need to access part of a data record to do their job, but are not authorized to view some of the data.  In this case, any data that is restricted or sensitive can be masked.  An example of this may be employee or customer data records, which can include Personally Identifiable Information, or PII.  Access to PII may be covered by privacy regulations, or may just need to be restricted to limit the liability of the organization holding that PII.  In any case, masking that PII within the employee or customer records allows users to perform the actions they need to take on those records without the risk of the PII being compromised.

When do you Need Dynamic Data Masking with FPE?

Format-Preserving Encryption (FPE) is a form of data masking that replaces controlled or sensitive data with data that conforms to the same format as the original data.  Maintaining the same format as the original data is important when the masked data will be used by an application that depends on the data being in a particular format.  If the masking is being done at a lower layer, such as the data access layer, the application using the data may not even be aware it is being modified.  Keeping the masked data in the same format as the original data prevents the masking from breaking the application’s dependencies.

For more information on how NextLabs’ dynamic data masking functionality, see our Data Access Security product line, DAE.