Static versus Dynamic Data Masking

Data protection

Let’s start with a brief introduction why many of us are looking for masked data. The most obvious reason is data security. Many databases contain personal data types; privacy sensitive data. To prevent sensitive data exposure or data breaches, this data needs security. One of the most efficient and effective ways is to mask the data before it is used for purposes like test and development. But how do you mask this actual data? Let’s find out which way is suitable for your organization.

What is Static Data Masking (SDM)?

Realistic, representative data is data that represents production which often is needed for software tests like functional testing and regression testing. In these cases generating synthetic data from scratch is a risk since it will not be truly representative of the production environment. What we need is static data masking to facilitate compliance with privacy rules and regulations like GDPR, PCI and HIPAA. Static masking is replacing sensitive data by altering data at rest. It is used to provide high quality (realistic) data for the development of applications. Static data masking can be done using ETL-like solutions or tools that are capable of directly doing it inside the database.

A typical static masking architecture looks like the following. You have only one full-size copy of each production database. It’s often called the “Golden copy”. We call it the “Test Data Master”. This is the one and only layer of the lower environment which will be subject to data privacy legislation such as GDPR and therefore requires data masking applied.

This “Test Data Master” is typically made available as the source for all other lower environment deployments. As full size copies they can also be used by performance testers and BI developers who need the production volume level experience in read-only or select mode. Static masking changes sensitive data in a realistic manner with the help of masking rules and synthetic data generation. The data is permanently replaced, which is an advantage in terms of privacy and protection.

What is Dynamic Data Masking (DDM)?

Dynamic data masking, also known as on-the-fly data masking, is masking sensitive data in transit, leaving the original at-rest data intact and unaltered. It is used to hide certain data from a certain user. The data is not masked physically in the database; it is masked in the query result. The unmasked data will remain visible in the actual database. The downside of dynamic data masking is that stored procedures can’t be dynamically masked. Masking of stored procedures requires rewriting the query results, not the query itself.

Dynamic masking is often used for production systems. Using dynamic data masking tools to build a masking layer on top of the existing data to prevent that certain roles/people see certain data, but the data inside is still the same.

Data masking with DATPROF

The DATPROF Suite contains a static data masking solution that is capable of directly masking/transforming/altering the data inside the database without extracting the data to an ETL platform. Firing queries onto the database, carrying out the masking template, the data doesn’t travel through the tooling which is very safe.