Dynamic Data Masking (DDM) lets sensitive data be shared across the enterprise in real time with many users without altering the data as it is stored.
Dynamic data masking has become an established way to share data in its existing form: the stored values stay intact, and the sensitive parts are masked at the moment the data is served to a user. In that sense, dynamic data masking is a key component of fine-grained access control.
In its Information Technology Glossary, Gartner defines Dynamic data masking (DDM) as “an emerging technology that aims at real-time data masking of production data. DDM changes the data stream so that the data requester does not get access to the sensitive data, while no physical changes to the original production data take place.”
It is also referred to by a number of other names, including dynamic data redaction, dynamic data obfuscation, dynamic data anonymization, on-the-fly data masking and real-time data masking. At its core, DDM redacts data as it leaves the database, in transit to the requester, rather than in the database itself. It is most commonly deployed in front of SQL databases.
Dynamic masking of data should be used by any organization sharing data that contains sensitive information with users or systems that are not authorized to see such information. This can be due to corporate policy or privacy regulations, such as GDPR or HIPAA. Typically this includes:
Organizations that use a proven data masking tool from Axiomatics can share data effectively with users across the organization without worrying that unauthorized personnel or systems will be able to see or interpret the masked values. A common example is a credit card number that the provider stores in full but masks whenever it is displayed.
Actual credit card data
Credit card number: 7253 4111 6345 8787
User name: Jenny Jones
Masked credit card data
Credit card number: 7253 XXXX XXXX XXXX
User name: Jenny XXXXX
In this example you can clearly see how the sensitive data, in the form of the last 12 digits of the person's credit card number along with the surname, have been masked. The hidden digits and the surname cannot be recovered from the masked values, so the record can safely be shared with users who are not entitled to see them. Note that the retained prefix still identifies the card issuer, so a partial mask should keep only what the recipient actually needs. With fine-grained access control, data across multiple databases can be masked at table, row and cell level.
Dynamically masking data offers a number of benefits to enterprises that want to keep data intact in databases, i.e. not use static masking, but still share it securely with users and systems.
Enterprises have sensitive data stored in multiple databases. With Axiomatics you can choose to mask data in one, two or dozens of databases. Dynamic data filtering is also possible.
Being able to mask data only becomes a real benefit when you can do it at table, row and cell level. Axiomatics' data masking solution comes with these fine-grained capabilities.
Data is constantly changing, as are regulations and users’ entitlements and requirements. Any changes in business policies are immediately implemented and relevant data is masked or unmasked accordingly.
Privacy regulations are becoming stricter and differ between regions, so being able to apply different masking rules depending on where data is stored and where it originated is business critical. Our solution delivers this.
Dynamic data masking enforces an organization's business rules and, in that sense, functions in the same way as policy-based access control. Rather than granting or denying access to a record, it masks the sensitive values within it. Complex business rules can be applied in real time across one or many databases.
Data masking is defined using an element in the system configuration. This mask value essentially offers three options:
In this way, dynamic masking provides the flexibility to redact the whole value, only a portion of it, or to compute the masked value via a function call. For example, a function call can apply masking to a column that holds email addresses: with a simple SQL function, everything preceding the '@' in the address is masked.
In the filter configuration we add a protected DB object (column).
This configuration element masks the column 'EMAIL' when it is selected from the table 'EMPLOYEE'. The masking tool ensures that only the part after the '@' is displayed to the end user. The following SQL statement, sent from a client application to the database, is intercepted by the masking tool:
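To make the interception concrete, here is an added example written for this page; it is not Axiomatics' product code and does not use its configuration format. It models a small masking proxy in Python with SQLite standing in for the protected database, and it serves both the credit card and surname example earlier on the page and the email column described here. The mapping from (table, column) to a mask function, the attribute-based "who may see the clear value" policy, and the EMPLOYEE sample row are assumptions made for the example.

```python
"""Added example (not Axiomatics' code): a toy dynamic-data-masking interceptor
that rewrites SELECT statements so protected columns pass through a mask function.

Assumptions (not from the page): the mask configuration is a dict keyed by
(table, column); the policy is an attribute check on the caller; the EMPLOYEE
table and its single row are constructed sample data.
"""
import re
import sqlite3


# --- masking functions, registered in the database and applied per value -----

def mask_full(value):
    """Redact the whole value."""
    return None if value is None else "XXXX"


def mask_card(value):
    """Keep the first 4 digits, X out the rest, regrouped in blocks of four."""
    if value is None:
        return None
    digits = value.replace(" ", "")
    masked = digits[:4] + "X" * (len(digits) - 4)
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def mask_surname(value):
    """Keep the given name, X out the surname ('Jenny Jones' -> 'Jenny XXXXX')."""
    if value is None:
        return None
    parts = value.split(" ", 1)
    if len(parts) == 1:
        return "X" * len(value)
    return parts[0] + " " + "X" * len(parts[1])


def mask_email(value):
    """Hide everything before the '@' (the page's function-call example)."""
    if value is None or "@" not in value:
        return mask_full(value)
    local, domain = value.split("@", 1)
    return "X" * len(local) + "@" + domain


MASK_FUNCTIONS = {f.__name__: f for f in (mask_full, mask_card, mask_surname, mask_email)}

# Hypothetical protected-object configuration:
# (TABLE, COLUMN) -> (mask function, caller attribute that unlocks the clear value)
PROTECTED = {
    ("EMPLOYEE", "NAME"): ("mask_surname", "hr"),
    ("EMPLOYEE", "EMAIL"): ("mask_email", "hr"),
    ("EMPLOYEE", "CARD_NUMBER"): ("mask_card", "finance"),
}

SELECT_RE = re.compile(r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)(?P<rest>.*)$",
                       re.IGNORECASE | re.DOTALL)


def rewrite_select(sql, caller_attrs, table_columns):
    """Rewrite a simple 'SELECT cols FROM table ...' so every protected column the
    caller is not entitled to see is wrapped in its mask function.

    'SELECT *' is expanded via table_columns(table) first; otherwise a star query
    would bypass the column-name matching and leak the clear values.
    """
    m = SELECT_RE.match(sql)
    if not m:
        raise ValueError("only simple SELECT ... FROM <table> statements are handled")
    table = m.group("table").upper()
    cols = [c.strip() for c in m.group("cols").split(",")]
    if cols == ["*"]:
        cols = table_columns(table)
    out = []
    for col in cols:
        rule = PROTECTED.get((table, col.upper()))
        if rule is None or rule[1] in caller_attrs:
            out.append(col)                             # unprotected, or caller entitled
        else:
            out.append(f"{rule[0]}({col}) AS {col}")    # masked in transit
    return f"SELECT {', '.join(out)} FROM {table}{m.group('rest')}"


def open_demo_db():
    """Constructed sample data: one EMPLOYEE row using the values from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMPLOYEE (NAME TEXT, EMAIL TEXT, CARD_NUMBER TEXT)")
    conn.execute("INSERT INTO EMPLOYEE VALUES (?, ?, ?)",
                 ("Jenny Jones", "jenny.jones@example.com", "7253 4111 6345 8787"))
    for name, fn in MASK_FUNCTIONS.items():
        conn.create_function(name, 1, fn)
    return conn


def masked_query(conn, sql, caller_attrs):
    """Run sql on behalf of a caller holding caller_attrs; returns (rewritten sql, rows)."""
    def table_columns(table):  # table was already restricted to \w+ by SELECT_RE
        return [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]
    rewritten = rewrite_select(sql, set(caller_attrs), table_columns)
    return rewritten, conn.execute(rewritten).fetchall()


if __name__ == "__main__":
    db = open_demo_db()
    for attrs in ((), ("hr",), ("hr", "finance")):
        print(attrs, *masked_query(db, "SELECT * FROM EMPLOYEE", attrs))
```

Two points the toy makes visible. First, a masking layer that matches on column names must expand `SELECT *` before matching, or the star query returns the clear values. Second, masking only the projected columns does not stop a caller from testing a hidden value through a predicate such as `WHERE CARD_NUMBER LIKE '7253 4111%'`: the row still comes back, so the caller learns whether a guess matched. That inference channel is why column masking is combined with row-level filtering of the kind the page mentions as dynamic data filtering.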
Static data masking alters the data in the database itself, i.e. while the data is at rest. Dynamic data masking instead applies a masking layer to sensitive data while it is in transit, so the data in the database remains unchanged at the source. But when should you go static and when should you go dynamic?
No matter where your sensitive data is stored or how complex or distributed your architecture is, we can help you safeguard and securely share sensitive data. Our team are experts in defining requirements and tailoring the Attribute Based Access Control products from our dynamic authorization suite to meet customers’ needs.
See how Axiomatics enables you to balance the demands of your security team and your business users with the authorization solution that our customers love.