Mage Data strengthens its data security posture with the ISO 27001 certification. READ MORE >

February 16, 2023

Going Beyond Oracle’s Included Data Masking Tools

Data privacy is a critical part of nearly every business’ operations today. It’s almost inevitable that your company will hold users’ personally identifiable information, and with the growing number of data privacy laws, protecting that data is a vital part of compliance operations. At the same time, businesses still need access to data to perform all kinds of daily tasks. Data masking provides an effective way to keep information safe without compromising business performance. Oracle does provide companies with data masking options, but are they included with most databases, and do they work well enough for modern business needs?

What Should Data Masking Do?

Before we can evaluate the merits of Oracle’s approach to data masking, we first have to set the benchmark for what a good data masking regimen should look like. According to research by Securosis, effective data masking has the following five requirements:

1. Masking Should be Irreversible

One of the goals of data masking is to protect data if an unauthorized party accesses it. If the masking is reversible, it doesn’t protect user data.

2. Masked Data Should be Representative

Instead of masking data, a company could just replace it with random information—but that would ruin attempts at statistical analysis. Good masking preserves statistical relationships while still providing privacy and security.

3. Referential Integrity Must be Maintained

In cases where data references other data, such as in key-value pairs, improper masking can cause issues. For example, if a key has multiple values associated with it, then it must be masked identically in reference to each of its values, otherwise, the data may end up distorted. Likewise, analysts often look for trends related to locations. Masking zip codes, for example, haphazardly can protect user data, but make it so that analysis run on the data can’t use this key data point.

4. Masking Should be Selective

Masking all data can be a slow process and lead to performance issues. A “smarter” approach to masking is to mask all PII and only the non-PII that would result in the reversing of PII. For example, masking names and addresses helps protect users, while masking the names of the drinks they ordered at the local juice shop would neither protect them nor be an efficient use of resources. Successful selective masking requires a data masking solution capable of nuance and understanding the underlying information.

5. Masking Must be Repeatable

Finally, masking must be repeatable. Data is always changing, and typically, databases are growing. Data masking solutions must be able to continue functioning even as these changes occur in as close to real-time as possible to avoid production slowdowns.

How Oracle Approaches Data Masking

Oracle has several database solutions that support a variety of needs. If you’re looking to operate globally with localized instances, Oracle has a solution. If you need to scale up an enterprise-level database, Oracle has a solution. If you want to mask data to protect your users, Oracle wants you to get out your wallet.

Despite the growing need for data masking solutions, Oracle doesn’t include any with most of its database offerings. Instead, if you want them, Oracle will offer you the “Oracle Data Masking and Subsetting Pack,” which is a paid add-on that can be used on its proprietary servers or on those powered by third-party solutions.

Consequently, while it’s tempting to compare it to other databases with built-in tools, it is more accurate to compare it to other stand-alone masking and privacy tools, given that companies pay for these and Oracle’s Data Masking and Subsetting Pack in the same way. For Oracle’s tool to stack up well against this competition, it must be a complete tool, capable of doing everything an organization requires of a data masking solution.

To be fair, Oracle Data Masking and Subsetting does some tasks well. It lists the following as its main components for masking:

Application Data Modeling

Application Data Modeling is Oracle’s term for sensitive data discovery. This feature allows companies to detect sensitive columns and parent-child relationships automatically. It also generates an application data model that can be applied to other databases, which is a nifty feature for companies with multiple localized, but identically structured databases.

Masking Format Library

Its Masking Format Library provides predefined masking options for common data types like credit card and phone numbers. It also allows for organizations to create custom masking formats as needed.

Data Masking Definitions

The Data Masking Definitions allows organizations to reuse data masking formats on pre-assigned columns, ensuring that new data added to the database is regularly masked.

What Oracle Can’t Do

Overall, that’s a pretty basic list compared to the variety of other data masking solutions. There are multiple features that one might expect of a data masking solution. For example, where are the dynamic data masking options? In a modern organization, static masking can greatly reduce productivity if many different roles have differing data access requirements. Dynamic masking allows users with different roles to access the data they need in real-time, negating that performance penalty.

Likewise, Oracle Data Masking and Subsetting has only minimal data detection. Finding personally identifying data in columns is nice, but what about the situations where it’s hiding in metadata, or has a non-typical appearance in a column? These edge cases can lead to significant compliance problems if not properly handled, and Oracle’s approach doesn’t have a solid solution for them.

Finally, while it does include Subsetting as a feature, a common complaint from those who use the tool is that the solution is very pricey. A high price alone doesn’t mean that a solution is bad. However, when it’s positioned as a stand-alone tool that can not only secure Oracle but also third-party databases, it’s fair to expect the solution to be more comprehensive for the price.

How to Better Approach Data Masking?

With Oracle’s serious shortcomings in the data masking arena, many organizations will need a better solution. The good news for those organizations is that help is on the way. Mage’s Dynamic Data Masking is an award-winning solution that keeps employee performance high while protecting user data in a nuanced and effective manner. Likewise, Mage’s Sensitive Data Discovery platform is a patented approach to sensitive data discovery that can find sensitive data, even when it’s hiding in unstructured data that other systems would struggle to parse. Even better, it can run on just about any database platform, allowing you to use it with Oracle or the database vendor of your choice. If you’re ready to learn what Mage can do for your business, schedule a demo today.