Dynamic Data Masking for data privacy and security

Who requires dynamic masking of data and why?

Dynamic masking of data should be used by any organization sharing data that contains sensitive information with users or systems that are not authorized to see such information. This can be due to corporate policy or privacy regulations, such as GDPR or HIPAA. Typically this includes:

• Financial institutions
• Healthcare organizations
• Large Enterprises
• Governmental organizations

Don’t miss this blog on why you need Dynamic authorization and dynamic data masking.

Organizations that utilize a proven data masking tool from Axiomatics, can ensure data is effectively shared with users across an organization, without worrying about unauthorized personnel or systems being able to see or interpret masked data. A common example of this being credit card numbers that are often logged with a provider but masked from view.

Actual credit card data
Credit card number: 7253 4111 6345 8787
User name: Jenny Jones
Masked credit card data
Credit card number: 7253 XXXX XXXX XXXX
User name: Jenny XXXXX

In this example you can clearly see how the sensitive data – in the form of the last 12 digits of the person’s credit card number along wtih the surname – have been masked, making it impossible to decipher and therefore safe to share. Without the masking technolgy this would not be possible. With fine-grained access control, data across multiple databases at table, row and cell level can be masked.

How is data masked dynamically?

Dynamic data masking enforces the business rules of an organization and in that sense,functions in the same way as policy based access control. But rather than granting access, it masks data. Complex business rules can be applied in real-time in one or multiple databases.

Data masking can be defined using a element in the configuration of the system. This mask value essentially offers three options:

• Undefined - This will redact the actual cell value, so whatever value is found in the database will be left out in the result set and replaced by a NULL value./li>
• Constant - A constant value can be added which will be used instead of a cell value in every record that is affected by the policy. The constant value must match the datatype of the table column.
• Select - You can call any function that would be valid to use inside a SELECT statement of the SQL dialect applicable to your database.

this way, dynamic masking provides the flexibility to redact the whole value or just a portion of the data via a function call. For example, we could use a function call to apply data masking to a column that holds email addresses. With a simple SQL function, the data preceding the ‘@’ in the email address can be masked.

In the filter configuration we add a protected DB object (column).

element masks the column ‘EMAIL’ when it is selected from the table ‘EMPLOYEE’. The masking tool ensures that only the part after the ‘@’ will be displayed to the end user. This SQL statement sent from a client application to the database is intercepted by the masking tool:

• SELECT
• NAME,
• EMAIL,
• DEPARTMENT
• FROM SCOTT.EMPLOYEE