Updated July 30, 2023

Dynamic Data Masking refers to masking of data where the decision on whether to mask the data in question is determined at the time of the data access request and is based on attribute values of the user requesting access, the data itself, and the environment or context in which the request is being made. Other terms that are often used to refer to data masking include anonymization, obfuscation, and tokenization, although these terms are sometimes defined slightly differently depending on context.  See Gartner’s definition of Dynamic Data Masking, or DDM.

Talk to expert

How Does Dynamic Data Masking (DDM) Work?

Dynamic Data Masking works by defining policies based on attributes of the user requesting access to the data, the data itself, and the context or environment of the request. Those policies are then evaluated at the time of the data request and a decision is made whether to allow access. Once the policy has been evaluated the decision is enforced where the data is being accessed so that any data that should be masked is masked.

What are the Techniques for DDM?

There are several different ways that data can be masked.

  • Nulling Out – Replacing the original data with placeholders, such as zeros or asterisks. This process is not reversible.
  • Encryption – Encrypting the data so that the original can only be recovered with a key, such as a password or other token. The key must be protected to make sure it is not compromised.
  • Substitution – Substituting the original value(s) with a replacement value. This can be reversed if a lookup table is maintained, however then the lookup table must be protected.

Related Links:

Why Should You Use Dynamic Data Masking?

Data Masking should be used whenever users need to access part of a data record to do their job, but are not authorized to view some of the data. In this case, any data that is restricted or sensitive can be masked. An example of this may be employee or customer data records, which can include Personally Identifiable Information, or PII. Access to PII may be covered by privacy regulations, or may just need to be restricted to limit the liability of the organization holding that PII. In any case, masking that PII within the employee or customer records allows users to perform the actions they need to take on those records without the risk of the PII being compromised.

When do you Need Dynamic Data Masking with FPE?

Format-Preserving Encryption (FPE) is a form of data masking that replaces controlled or sensitive data with data that conforms to the same format as the original data. Maintaining the same format as the original data is important when the masked data will be used by an application that depends on the data being in a particular format. If the masking is being done at a lower layer, such as the data access layer, the application using the data may not even be aware it is being modified. Keeping the masked data in the same format as the original data prevents the masking from breaking the application’s dependencies.

How Can Organizations Implement DDM?

Dynamic Data Masking is best implemented at the data access level, which allows masking to be applied with minimal disruption to the applications or other resources that are accessing the data. When deployed at the data access level, Dynamic Data Masking solutions can implement the same interface as the underlying database, so that no applications or integrations using the database have to be modified. For the quickest deployment of a solution, products that have an out of the box integration with many database products, such as NextLabs’ Data Access Enforcer (DAE) can be deployed much faster than those that require custom code. Products that have support for Format Preserving Encryption (FPE) as well also reduce the amount of customization that needs to be done to deploy a Dynamic Data Masking solution.

For more information on how NextLabs’ dynamic data masking functionality, see our Data Access Security product line, DAE.