Skip to content
Glossary Term

Dynamic Data Masking

What is a Dynamic Data Masking?

Dynamic data masking (DDM) is the masking of data where the decision on whether to mask the data in question is determined at the time of the data access request. It is based on attribute values of the user requesting access, the data itself, and the environment or context in which the request is being made. Put more simply, it hides certain parts of data when someone asks to see it. Whether the data is hidden or not depends on:

  • Who is asking for it.
  • What the data is.
  • The situation in which the request is made.

Anonymization, obfuscation, and tokenization are often used interchangeably with dynamic data masking. However, these terms are generally defined slightly differently, depending on context.

Types of data requiring dynamic data masking typically include:

  • Personally identifiable information (PII) such as names, social security numbers, driver’s license numbers, and passport numbers.
  • Protected health information (PHI), including medical histories, lab and test results, insurance details, and demographic information.
  • Payment card information (PCI-DSS) that protects credit cardholder data from theft and ensures secure credit card transactions.
  • Intellectual property (IP) such as designs, literary and artistic works, inventions, symbols, and names and images used in commerce.

Types of Data Masking: Dynamic vs. Static Data Masking

The two most common data masking types are static and dynamic.

  • Static data masking (SDM) creates sanitized copies of existing databases, removing any identifying information. The copies contain altered data that can be safely shared without risking a privacy breach. It’s typically used for data that doesn’t frequently change or remains static over time. A potential downside to SDM is that having multiple copies of original data can lead to confusion and data silos.
  • Dynamic data masking allows data to stream directly from the original location to different systems without having to store a copy in a secondary environment. It applies masking techniques in real time, altering existing sensitive data as users query or access it. It’s most often used in role-based data security scenarios such as customer support and medical record handling.

Other types of data masking include deterministic, which ensures input values are consistently masked to the same output value. For instance, if the name “Mark” is masked as “John” in one instance, it will be masked as “John” throughout the system. On-the-fly data masking is often used in complex integration cases where data frequently moves frequently between production and non-production environments. Lastly, statistical obfuscation alters sensitive data’s value in a way that preserves the statistical properties and relationships within the data.

Advantages of Implementing Dynamic Data Masking

DDM helps mitigate data breach risks, providing benefits that include:

  • Minimizing sensitive data exposure by masking it to unauthorized users.
  • Enabling companies to specify how much data they want to reveal or restrict access to. 
  • Concealing sensitive data in query results without changing the data in the database. 
  • Applying masking rules that simplify DDM integration into existing applications.
  • Using random masking functions to provide partial and full masking options to protect numeric data.
  • Enforcing data privacy standards to maintain compliance.
  • Providing application transparency, with masking applied based on user privilege.
  • Ensuring agility by masking data on the fly while keeping underlying data intact in the database.

Dynamic data masking is not without its limitations, which include:

  • It is not a complete security solution. Instead, it’s a data obfuscation technique that helps protect PII from unauthorized access.
  • It only masks data when it’s being accessed or displayed, not at rest.
  • It typically offers a limited set of masking techniques.
  • If not configured properly, it can lead to either excessive or insufficient masking.

Dynamic Data Masking in Action: Use Cases

When employing dynamic data masking, all users communicate with a database via a proxy server. When a user makes a request to read data, the proxy applies masking rules based on predefined criteria. While authorized users receive the original data, unauthorized users receive masked data.

By tailoring DDM to their specific industry, needs, and regulatory requirements, organizations can enhance their data security and privacy practices effectively.

  • Information technology companies can use DDM in SQL server environments to enhance database security by masking sensitive information in real time. For instance, a masking rule can be created to partially hide social security or credit card numbers in query results, ensuring only authorized users view the full data.
  • Healthcare providers can employ DDM to mask patient records, ensuring sensitive health information is only accessible to authorized personnel, such as doctors and nurses, while administrative staff may see limited details.
  • The finance sector can use DDM to protect customer data such as account numbers and transaction details, allowing customer service representatives to assist clients without accessing their full financial information.
  • Manufacturers can employ DDM to securely share production data and intellectual property with suppliers and partners without exposing sensitive information.