Static versus Dynamic Data Masking

Characteristics, pros and cons

Personally identifiable information needs to be protected. We all know that by now. It is laid down in various privacy rules and regulations like GDPR, PCI and HIPAA. But how do you make sure that the right data is protected the right way? Which data masking method fits your needs best? A distinction is made between static data masking and dynamic data masking. What do these methods look like, and what are the characteristics, pros and cons of static versus dynamic masking?


Data protection

Let’s start with a brief introduction to why many of us are looking for masked data. The most obvious reason is data security. Many databases contain personal, privacy-sensitive data. To prevent sensitive data exposure or data breaches, this data needs to be secured. One of the most efficient and effective ways is to mask the data before it is used for purposes like test and development. But how do you mask this actual data? Let’s find out which way is suitable for your organization.

What is Static Data Masking (SDM)?

Realistic, representative data is data that represents production, and it is often needed for software tests such as functional testing and regression testing. In these cases, generating synthetic data from scratch is a risk since it will not be truly representative of the production environment. What we need is static data masking to facilitate compliance with privacy rules and regulations like GDPR, PCI and HIPAA. Static masking replaces sensitive data by altering data at rest. It is used to provide high-quality (realistic) data for the development of applications. Static data masking can be done using ETL-like solutions or tools that can do it directly inside the database.

A typical static masking architecture looks like the following. You have only one full-size copy of each production database. It’s often called the “Golden copy”. We call it the “Test Data Master”. This is the one and only layer of the lower environment which will be subject to data privacy legislation such as GDPR and therefore requires data masking to be applied.

[Figure: test data architecture]

This “Test Data Master” is typically made available as the source for all other lower environment deployments. As full size copies they can also be used by performance testers and BI developers who need the production volume level experience in read-only or select mode. Static masking changes sensitive data in a realistic manner with the help of masking rules and synthetic data generation. The data is permanently replaced, which is an advantage in terms of privacy and protection.

What is Dynamic Data Masking (DDM)?

Dynamic data masking, also known as on-the-fly data masking, is masking sensitive data in transit, leaving the original at-rest data intact and unaltered. It is used to hide certain data from a certain user. The data is not masked physically in the database; it is masked in the query result. The unmasked data will remain visible in the actual database. The downside of dynamic data masking is that stored procedures can’t be dynamically masked. Masking of stored procedures requires rewriting the query results, not the query itself.

Dynamic masking is often used for production systems. Dynamic data masking tools build a masking layer on top of the existing data to prevent certain roles or people from seeing certain data, but the data inside is still the same.
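The difference between the two methods, as an added example that is not DATPROF code: static masking overwrites the rows at rest in a test copy, while dynamic masking leaves the stored rows intact and masks only the query result for a given role. The table, the sample rows, the key and the role names are constructed for this illustration, and the Python result filter is a simplified stand-in for a masking layer.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data; not real people.
ROWS = [(1, "Alice Jansen", "alice@example.com"),
        (2, "Bob de Vries", "bob@example.com")]
KEY = b"constructed-demo-key"  # assumption: a secret kept outside the test environment

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", ROWS)
    return db

def pseudonym(value):
    # Keyed hash: the same input always maps to the same token, so masked
    # values stay consistent across tables but cannot be reversed without KEY.
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()[:10]

def static_mask(db):
    """Static masking: overwrite the data at rest, inside the database."""
    db.create_function("pseudonym", 1, pseudonym)
    db.execute("UPDATE customers SET name = 'Customer ' || pseudonym(name), "
               "email = pseudonym(email) || '@example.invalid'")
    db.commit()

def dynamic_select(db, role):
    """Dynamic masking: stored rows are untouched; only the result is masked."""
    rows = db.execute("SELECT id, name, email FROM customers ORDER BY id").fetchall()
    if role == "privileged":  # hypothetical role name
        return rows
    return [(i, name[0] + "***", "***@" + email.split("@")[1])
            for i, name, email in rows]

def stored_rows(db):
    return db.execute("SELECT id, name, email FROM customers ORDER BY id").fetchall()

if __name__ == "__main__":
    prod = make_db()
    print("dynamic, support role:", dynamic_select(prod, "support"))
    print("still stored in prod: ", stored_rows(prod))
    test_copy = make_db()  # stands in for the masked "Test Data Master" copy
    static_mask(test_copy)
    print("stored in masked copy:", stored_rows(test_copy))
```

After the dynamic query the original values are still readable by anyone with direct access to the table; after the static run they no longer exist in the copy.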


Data masking with DATPROF

The DATPROF Suite contains a static data masking solution that can mask, transform and alter the data directly inside the database without extracting the data to an ETL platform. It fires queries at the database to carry out the masking template, so the data doesn’t travel through the tooling, which is very safe.


FAQ

What is static data masking?

Static masking is replacing sensitive data by altering data at rest. It is used to provide high quality (realistic) data for the development of applications.

What is dynamic data masking?

Dynamic data masking is also known as on-the-fly data masking. This method masks sensitive data in transit, leaving the original at-rest data intact and unaltered.

How does static data masking work?

DATPROF Privacy is a static data masking solution that can mask, transform and alter the data directly inside the database without extracting the data to an ETL platform. It fires queries at the database to carry out the masking template, so the data doesn’t travel through the tooling, which is very safe.
