Static data masking obscures data permanently, while dynamic masking hides data on the fly. A data product platform runs either, depending on the use case.
Static Data Masking for Data at Rest
Static data masking (SDM) is a permanent data protection method that makes a copy of any sensitive data and then alters it irrevocably before it's shared or stored. When this type of data masking is performed properly, Personally Identifiable Information (PII) won’t ever be exposed to unauthorized users or systems, even if they manage to access the masked data.
Static data masking is:
- Irreversible: PII and other sensitive data are permanently replaced with masked data, rendering recovery of the original information impossible.
- Applied to data at rest: SDM is typically executed in non-production environments – like testing, training, or development – where the data is actively used.
- Controlled by user-defined rules: You can define rules to determine what data to mask and how to mask it – and apply them consistently across all copies of the data.
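A sketch of the three properties above, added here as an illustration and not taken from any product: rules name the columns to mask, a copy is altered while the source stays intact, and the same input always maps to the same mask within a run, so joins across tables still work. The table layout, rule format and the HMAC-with-discarded-key approach are assumptions of this example; all sample values are constructed.

```python
import copy
import hashlib
import hmac
import secrets

# Constructed sample "production" tables; every value here is made up.
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Alice Example", "ssn": "000-12-3456"},
    {"customer_id": "C-1002", "name": "Bob Sample", "ssn": "000-65-4321"},
]
ORDERS = [
    {"order_id": 1, "customer_id": "C-1001", "total": 42.50},
    {"order_id": 2, "customer_id": "C-1001", "total": 13.00},
    {"order_id": 3, "customer_id": "C-1002", "total": 99.99},
]

# User-defined rules: table -> {column: prefix of the masked value}.
# customer_id uses the same prefix in both tables so masked keys still join.
RULES = {
    "customers": {"customer_id": "CUST", "name": "NAME", "ssn": "SSN"},
    "orders": {"customer_id": "CUST"},
}


def make_masker(key: bytes):
    """Return a deterministic, one-way masking function bound to `key`."""
    def mask(prefix: str, value: str) -> str:
        digest = hmac.new(key, f"{prefix}:{value}".encode(), hashlib.sha256)
        return f"{prefix}-{digest.hexdigest()[:12]}"
    return mask


def static_mask(tables: dict, rules: dict) -> dict:
    """Mask a deep copy of `tables`; the originals are never modified."""
    # Per-run key that is never stored: once this function returns, the
    # original -> masked mapping cannot be recomputed from the masked copy.
    mask = make_masker(secrets.token_bytes(32))
    masked = copy.deepcopy(tables)
    for table, columns in rules.items():
        for row in masked[table]:
            for column, prefix in columns.items():
                row[column] = mask(prefix, str(row[column]))
    return masked


MASKED = static_mask({"customers": CUSTOMERS, "orders": ORDERS}, RULES)
```

Because the key is generated per run, two separate runs produce different masks; copies that must stay joinable with each other have to be masked in the same run.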
Dynamic Data Masking for Operational Data
Dynamic data masking (DDM) is a real-time data protection technique that masks sensitive data on the fly based on user access rights. With DDM, PII is preserved in the source systems and can be viewed by anyone with authorization. Everyone else sees masked data instead of real data.
Dynamic data masking is:
- Performed in real time: Sensitive data is masked in-flight as it’s being accessed, while all original data remains intact in the database.
- Ideal for data on the move: DDM is used in production environments to protect PII, comply with data privacy laws, prevent data breaches, and limit access to authorized users only.
- Easily integrated with database systems: DDM is embedded in many database systems, with out-of-the-box implementation and management capabilities.
Dynamic Data Masking Example
Imagine a bank teller accessing a client’s account information to perform a transaction. The teller sees the client’s full name, address, phone number, email, social security number, credit card number, and balance.
Now imagine the teller seeing the customer's first name, last initial, city, state, masked phone number, masked email, masked social security number, masked credit card number, and masked balance.
That’s dynamic data masking in action.
DDM hides the sensitive data in the query results, while the data in the database remains unchanged. It’s easy to use with existing applications since masking rules are applied at the database layer. A central data masking policy defines which fields to mask, how to hide them, and who can see the unmasked data.
SDM vs DDM
SDM permanently alters the data in the database, while DDM merely masks the data on the fly.
SDM is typically used for software testing or development purposes, or data analytics, where the data must be anonymized before being copied to a non-production environment.
DDM is more suitable for production environments where the data needs to be protected from unauthorized access but still made available for legitimate users. It supports:
- Full masking – replacing a string with XXXX, for example
- Partial masking – showing only the first or last few characters of a string, for instance
- Random masking – generating a random number within a range of numbers
- Custom masking – applying user-defined logic, such as replacing a particular name from an extensive list of names
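The central policy and the four masking types, put together as an added example (not code from the platform or any database product). The role names, field names and the rule that fields missing from the policy are fully masked are assumptions of this sketch; the sample record is constructed.

```python
import random

# Constructed sample row standing in for the unmasked source system.
ACCOUNT = {"name": "Alice Example", "phone": "555-0100", "ssn": "000-12-3456",
           "card": "4111111111111111", "balance": 1520.75}

def full(value):
    """Full masking: replace the whole value."""
    return "XXXX"

def partial(keep_last):
    """Partial masking: show only the last `keep_last` characters."""
    def mask(value):
        text = str(value)
        # Too short to hide anything meaningful: mask every character.
        if keep_last <= 0 or len(text) <= keep_last:
            return "X" * len(text)
        return "X" * (len(text) - keep_last) + text[-keep_last:]
    return mask

def random_in_range(low, high):
    """Random masking: a random number in [low, high], unrelated to the value."""
    return lambda value: random.randint(low, high)

def first_name_last_initial(value):
    """Custom masking: user-defined logic, here 'Alice Example' -> 'Alice E.'"""
    first, _, last = str(value).partition(" ")
    return f"{first} {last[:1]}." if last else first

# Central policy: field -> (masking function, roles that may see real data).
# The role names are assumptions made for this example.
POLICY = {
    "name": (first_name_last_initial, {"fraud_analyst"}),
    "phone": (partial(4), {"fraud_analyst"}),
    "ssn": (full, {"fraud_analyst"}),
    "card": (partial(4), {"fraud_analyst"}),
    "balance": (random_in_range(0, 10_000), {"fraud_analyst"}),
}

def read_record(record, role, policy=POLICY):
    """Build the view `role` may see; the stored record is not modified."""
    view = {}
    for field, value in record.items():
        # Fields missing from the policy are fully masked for every role.
        mask_fn, unmasked_roles = policy.get(field, (full, set()))
        view[field] = value if role in unmasked_roles else mask_fn(value)
    return view
```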
Combining Real-Time Data Products with SDM and DDM
A data product is a reusable data asset that bundles data with everything needed to make it independently usable by authorized consumers. Real-time data products can integrate, process, and translate real-time data from various sources – such as databases, applications, APIs, streams, and documents – and deliver it to data consumers in the format and structure they need. Apps powered by real-time data products provide timely and relevant insights and actions.
By implementing SDM or DDM via real-time data products, enterprises can:
- Improve data quality and consistency: Real-time data products ensure the delivered masked data is complete and contextual while maintaining referential integrity and consistency across systems – regardless of the source, destination, or underlying technology.
- Increase data availability and accessibility: Real-time data products allow data consumers to access the data they need, when and how they need it – without requiring an understanding of the underlying data sources or technologies.
- Enhance data security and privacy: Real-time data products apply data masking rules to data at rest, or in transit, based on the data consumer's role and permissions – for enhanced data security and privacy and full compliance with data protection regulations, such as GDPR, CPRA, and HIPAA.
Powering SDM and DDM with a Data Product Platform
A Data Product Platform organizes and delivers enterprise data by business entities, making a trusted 360-degree view of every business entity instantly accessible to operational and analytical workloads. It supports static and dynamic data masking via data product…
- Development: The platform enables data engineers to create data products that integrate and transform data from any source and deliver it to any target, in any format, in milliseconds. It also provides a graphical interface for data product design, testing, and deployment, as well as a rich set of APIs for data product consumption.
- Management: The platform allows data teams to manage data products throughout their lifecycle, from creation to retirement. It supports data product monitoring, governance, security, and a distributed architecture for data product scalability, performance, and resilience. It also provides a data catalog for data product discovery, documentation, and lineage.
- Security: Data products are secured at multiple levels, from the data source to the data consumer. The platform supports dynamic data masking, which can be configured on any data field, using any masking function, and based on any role or permission. It also supports data encryption, tokenization, anonymization, and pseudonymization, as well as data access control, auditing, and logging.
Data masking tools are an integral part of the platform. In the future, they’re expected to leverage Machine Learning (ML) models, like Natural Language Processing (NLP), to identify and mask unstructured data. They’ll also support more data types (streaming, IoT, geospatial, and biometric) and use cases (encryption and tokenization to mask data in motion).