
Dynamic Data Masking for data privacy and security

Dynamic Data Masking (DDM) enables sensitive data to be securely shared across the enterprise in real-time with many users without changing the actual data.

How is Dynamic Data Masking defined?

Dynamic data masking has become an established method to securely share data in its existing form by masking data when shared with users. In this way, dynamic data masking is a key component of fine-grained access control.

In its Information Technology Glossary, Gartner defines Dynamic data masking (DDM) as “an emerging technology that aims at real-time data masking of production data. DDM changes the data stream so that the data requester does not get access to the sensitive data, while no physical changes to the original production data take place.”

It is also referred to by a number of different names including dynamic data redaction, dynamic data obfuscation, dynamic data anonymization, on-the-fly data masking and real-time data masking. At its core, DDM is used to redact data for transit in a database. It is commonly used with SQL servers.


Who requires dynamic masking of data and why?

Dynamic masking of data should be used by any organization sharing data that contains sensitive information with users or systems that are not authorized to see such information. This can be due to corporate policy or privacy regulations, such as GDPR or HIPAA. Typically this includes:

  • Financial institutions
  • Healthcare organizations
  • Large Enterprises
  • Governmental organizations


Organizations that use a proven data masking tool from Axiomatics can ensure data is effectively shared with users across the organization without worrying about unauthorized personnel or systems being able to see or interpret masked data. A common example is credit card numbers, which are often logged with a provider but masked from view.

Actual credit card data

  • Credit card number: 7253 4111 6345 8787
  • User name: Jenny Jones

Masked credit card data

  • Credit card number: 7253 XXXX XXXX XXXX
  • User name: Jenny XXXXX

In this example you can clearly see how the sensitive data – in the form of the last 12 digits of the person’s credit card number along with the surname – has been masked, making it impossible to decipher and therefore safe to share. Without the masking technology this would not be possible. With fine-grained access control, data across multiple databases can be masked at table, row and cell level.


Benefits of Dynamic Data Masking

Dynamically masking data offers a number of benefits to enterprises that want to keep data intact in databases, i.e. not use static masking, but still share it securely with users and systems.

Lean and scalable

Enterprises have sensitive data stored in multiple databases. With Axiomatics you can choose to mask data in one, two or dozens of databases. Dynamic data filtering is also possible.


Being able to mask data only becomes a benefit when you can do it at table, row and cell level. The Axiomatics data masking solution comes with these fine-grained capabilities.


Data is constantly changing, as are regulations and users’ entitlements and requirements. Any changes in business policies are immediately implemented and relevant data is masked or unmasked accordingly.


Privacy regulations are becoming stricter, and different regulations apply to different regions. Being able to apply different masking rules to data based on where it is stored and sourced is business critical. Our solution delivers this.

How is data masked dynamically?

Dynamic data masking enforces the business rules of an organization and, in that sense, functions in the same way as policy-based access control. But rather than granting access, it masks data. Complex business rules can be applied in real time in one or multiple databases.

Data masking can be defined using a element in the configuration of the system. This mask value essentially offers three options:

  • Undefined - This will redact the actual cell value, so whatever value is found in the database will be left out in the result set and replaced by a NULL value.
  • Constant - A constant value can be added which will be used instead of a cell value in every record that is affected by the policy. The constant value must match the datatype of the table column.
  • Select - You can call any function that would be valid to use inside a SELECT statement of the SQL dialect applicable to your database.

In this way, dynamic masking provides the flexibility to redact the whole value or just a portion of the data via a function call. For example, we could use a function call to apply data masking to a column that holds email addresses. With a simple SQL function, the data preceding the ‘@’ in the email address can be masked.

In the filter configuration we add a protected DB object (column).

[Figure: masking SQL code]

element masks the column ‘EMAIL’ when it is selected from the table ‘EMPLOYEE’. The masking tool ensures that only the part after the ‘@’ will be displayed to the end user. This SQL statement sent from a client application to the database is intercepted by the masking tool:

  • NAME,
  • EMAIL,
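
An added illustration of the three mask options and the email example above, not Axiomatics configuration or product code: a hypothetical Python rewriter run against an in-memory SQLite table with constructed rows. The `MASKS` policy table, the function names and the `SSN` and `SALARY` columns are assumptions; the email mask falls back to a fixed value when no ‘@’ is present, so a malformed value is never returned unmasked.

```python
import sqlite3

# Hypothetical policy (not Axiomatics syntax): (table, column) -> mask option.
EMAIL_MASK = ("CASE WHEN instr(EMAIL, '@') > 0 "
              "THEN 'XXXX' || substr(EMAIL, instr(EMAIL, '@')) "
              "ELSE 'XXXX' END")  # fail closed when there is no '@'
MASKS = {
    ("EMPLOYEE", "SSN"): ("undefined", None),       # redact to NULL
    ("EMPLOYEE", "SALARY"): ("constant", 0),        # must match column datatype
    ("EMPLOYEE", "EMAIL"): ("select", EMAIL_MASK),  # any valid SELECT expression
}

def masked_expr(table, column):
    """Return what to project instead of the raw column."""
    kind, value = MASKS.get((table, column), (None, None))
    if kind is None:
        return column                      # unprotected column passes through
    if kind == "undefined":
        return f"NULL AS {column}"
    if kind == "constant":
        if isinstance(value, str):         # quote string constants safely
            value = "'" + value.replace("'", "''") + "'"
        return f"{value} AS {column}"
    return f"{value} AS {column}"          # "select": policy-supplied expression

def rewrite_select(table, columns):
    """Rewrite a simple column list the way an intercepting layer might."""
    for name in [table, *columns]:
        if not name.isidentifier():        # identifiers are interpolated, so vet them
            raise ValueError(f"unexpected identifier: {name!r}")
    projection = ", ".join(masked_expr(table, c) for c in columns)
    return f"SELECT {projection} FROM {table}"

def demo():
    """Run the rewritten query and re-read the stored rows (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE EMPLOYEE (NAME TEXT, EMAIL TEXT, SSN TEXT, SALARY INTEGER)")
    db.executemany("INSERT INTO EMPLOYEE VALUES (?, ?, ?, ?)", [
        ("Jenny Jones", "jenny.jones@example.com", "000-00-0000", 52000),
        ("Sam Lee", "not-an-email", "000-00-0001", 48000),
    ])
    cols = ["NAME", "EMAIL", "SSN", "SALARY"]
    masked = db.execute(rewrite_select("EMPLOYEE", cols)).fetchall()
    stored = db.execute("SELECT NAME, EMAIL, SSN, SALARY FROM EMPLOYEE").fetchall()
    return masked, stored

if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

The second value returned by `demo()` re-reads the table directly, showing that the stored rows are unchanged after the masked query has run.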

Dynamic Data Masking vs. Static Data

Static data masking involves masking data in the actual database, i.e. when data is at rest. Dynamic data masking on the other hand applies a masked layer to sensitive data when data is in transit, ensuring data in the database remains unchanged at the source. But when should you go static and when should you go dynamic?

Use static data masking

  • In non-production environments for testing, when data should not be disclosed but life-like operation scenarios are required.
  • When your organization handles sensitive data but does not use it – that way you avoid unnecessary compliance issues.

Use dynamic data masking

  • When you have complex business rules governing access to sensitive data
  • When access rights/regulations change on a regular basis and you want to be able to implement these immediately
  • If shared data must remain intact at the source
  • When shared data is subject to strict privacy regulations

How to choose the right access control solution

No matter where your sensitive data is stored or how complex or distributed your architecture is, we can help you safeguard and securely share sensitive data. Our team are experts in defining requirements and tailoring the Attribute Based Access Control products from our dynamic authorization suite to meet customers’ needs.
