What is Dynamic Data Masking and How Effective Is It?

Many companies are turning to dynamic data masking (DDM) as a way to protect their sensitive data while it is being used for activities such as software testing, sales demos, or user training. In short, DDM prevents non-authorized access to sensitive data by rendering it unreadable. Those with authorization, or proper privileges, are able to access the data. Data protection remains a priority for companies as cybersecurity threats continue to arise, and DDM stands to offer many benefits and a wide range of applications for data security. 

What is Dynamic Data Masking?

Dynamic data masking is a type of data masking similar to on-the-fly masking. With DDM, data is streamed straight from the production system. This allows the data to be used by another system in, for example, the dev/testing environment. Data is never stored on another system with DDM and is protected in real-time. With DDM, the data stream is changed so that whoever requests the data isn’t able to access sensitive data, and there are no changes taking place to the original production data. 

How Does Data Masking Work?

Like most data protection methods, the goal of DDM is to prevent unauthorized access to protected data. It does this by allowing customers to designate how much sensitive data is revealed with a negligible impact on the application layer. Unlike other methods of protecting data, DDM does not alter any of the information in a database. Instead, it uses masking to limit who is able to access sensitive information. DDM can be configured using dedicated database fields that will mask data in query result sets. DDM is easily used with existing applications by applying masking rules in query results; often, applications will not require modifications to existing queries to support data masking. Here is a basic outline of how DDM works:

1. A central data masking policy acts upon sensitive fields in a database.
   
   
2. Privileged users and roles are designated as having access to the sensitive data.
   
   
3. Three types of masking are used: full masking and partial masking functions, and random masking for numerical data.
   
   
4. Masks are managed and defined by simple Transact-SQL commands.

Advantages of Dynamic Data Masking

1. Keeps data secure while in use and helps to mitigate the risks of a data breach.
   
   
2. The exposure of sensitive data is minimized by non-privileged users only receiving access to masked data, which includes developers and database administrators.
   
   
3. Companies can easily state which data is revealed or restricted.
   
   
4. Database configurations are supported in concealing query results with sensitive data—without needing to change any data in the database.
   
   
5. It is a simple thing to adjust scalability with DDM. There is no need to copy or move data if the number of dataset users increases. 

Limitations of Dynamic Data Masking

DDM, while it has many benefits, has some limitations.

1. Read/write environments are not suitable for DDM. It’s possible the original database could be corrupted by masked data being written back in.
   
   
2. Because all traffic going to the database needs to be inspected, there is an increase in performance load.
   
   
3. DDM requires legwork to set up and maintain. Configuring DDM rules requires thoroughly mapping users, applications, and database objects. And access rights need to be managed in order to maintain security. 

Data Masking vs Dynamic Data Masking

Static data masking (SDM) is a security technique that creates sanitized copies of an existing database. Those copies can then be securely shared without risking a privacy breach because the data has been altered. These entirely new databases are moved to a different location where they can be shared with specific parties. 

There are some disadvantages to this method, one of which is that it is more difficult to retain a sole source of truth for the data. When one copy is altered or multiple copies are altered, which one is the source of truth? This method can lead to data silos and uncertainty for the involved parties. 

Dynamic data masking differs from traditional data masking in one significant way; the data is streamed straight from the original location to a different system, such as a testing environment. As such, there’s no need to store the data as with SDM. This makes it far easier to maintain control over sensitive data, and there is no confusion over which set of data is the clear source of truth. 

Leverage Dynamic Data Masking with Encora

Encora’s skilled and highly trained software engineers are practiced in using DDM to protect their client’s data. Companies who partner with Encora are confident that their sensitive data is secure while retaining usability. To ask questions about how Encora uses DDM and other security techniques, please reach out to them today.