September 26, 2023
Static Data Masking vs. Dynamic Data Masking: What does your organization need?
Although both static data masking (SDM) and dynamic data masking (DDM) have been around for half a decade, there is still some general confusion as to how these tools differ. The problem is not that the technical differences are not well understood—they are. The deeper issue is that it is not always clear what kinds of situations call for a static data masking solution, and which call for a dynamic masking solution. It does not help that the companies selling these solutions tend to re-use the same tired examples every time they write about the topic.
Although both approaches do more or less the same thing—they replace sensitive data with comparable but “fake” information—the details of where and how they do this differ, and that has some pretty big ramifications for how they should be used.
Any organization that needs to protect sensitive data would do well to recognize when one or the other is needed. In larger organizations, both kinds of data masking may be in play.
What is Static Data Masking?
Static data masking (SDM) involves changing information in the source database—that is, changing information while “at rest.” Once the information is changed, the database is then used, or copied and used, in the various applications in which it is needed.
SDM is often used to create realistic test data in application development. Instead of creating data out of whole cloth, the development team can create datasets that are realistic because they are literally generated from real production data—while still preserving the privacy of their users.
SDM is also used when sensitive data needs to be shared with third parties, especially if that third party is located in a different country. By masking the data, relationships can be preserved while still protecting any sensitive or personal information.
The beauty of SDM is that it is straightforward and complete. All of the data in question is replaced, so there is no way a person or application could somehow access the true data accidentally, and a malicious actor who compromised the masked database would not find the true data there either. The data is protected “across the board,” without the need to configure access on a user-by-user or role-by-role basis.
Example of a Use Case for Static Data Masking: A financial institution wants a third party to run an analysis on some of their data. The financial institution wants to protect sensitive information and financial information of its clients, and must also comply with laws about data crossing national boundaries. They mask the data in their database before giving the analytics firm access, ensuring that no sensitive data can possibly be accessed or copied.
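The use case above can be sketched in a few lines. This is an added example, not code from the original article or from any masking product: it copies a constructed two-table database and overwrites the sensitive columns in the copy with keyed (HMAC) pseudonyms, a technique chosen here for illustration, so that the join between tables still works. All table, column and function names are hypothetical.

```python
import hashlib
import hmac
import sqlite3

# Constructed key for this example; generate one per masking run and discard
# it afterwards so the mapping cannot be recomputed from guessed inputs.
MASK_KEY = b"constructed-example-key"

def pseudonym(value: str, prefix: str, digits: int = 10) -> str:
    """Deterministic keyed replacement: the same input always maps to the same fake."""
    mac = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}{int(mac, 16) % 10**digits:0{digits}d}"

def build_source() -> sqlite3.Connection:
    """Constructed sample 'production' data: two tables joined on account_no."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE clients(account_no TEXT PRIMARY KEY, name TEXT, country TEXT);
        CREATE TABLE transfers(id INTEGER PRIMARY KEY, account_no TEXT, amount REAL);
        INSERT INTO clients VALUES ('4000111122', 'Alice Example', 'DE'),
                                   ('4000333344', 'Bob Sample', 'FR');
        INSERT INTO transfers(account_no, amount) VALUES
            ('4000111122', 120.50), ('4000111122', 75.00), ('4000333344', 10.00);
    """)
    return db

def static_mask(source: sqlite3.Connection) -> sqlite3.Connection:
    """Copy the database, then overwrite sensitive columns in the copy at rest."""
    masked = sqlite3.connect(":memory:")
    source.backup(masked)
    masked.create_function("mask_acct", 1, lambda v: pseudonym(v, "9"))
    masked.create_function("mask_name", 1, lambda v: pseudonym(v, "Client-", 6))
    with masked:
        masked.execute("UPDATE transfers SET account_no = mask_acct(account_no)")
        masked.execute("UPDATE clients SET name = mask_name(name), "
                       "account_no = mask_acct(account_no)")
    return masked

def totals(db: sqlite3.Connection) -> list:
    """Per-client transfer totals; only correct if the join key stayed consistent."""
    return [row[0] for row in db.execute(
        "SELECT SUM(t.amount) FROM clients c JOIN transfers t "
        "ON t.account_no = c.account_no GROUP BY c.account_no ORDER BY 1")]

if __name__ == "__main__":
    src = build_source()
    print(totals(src), totals(static_mask(src)))
```

Only the masked copy is handed to the third party. If the key were retained alongside it, low-entropy values such as account numbers could be re-derived by enumerating candidates.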
What is Dynamic Data Masking?
Dynamic data masking (DDM) involves masking data on-demand at the point of use. The original data remains unchanged, but sensitive information is altered and masked on-the-fly. This allows for more fine-grained access control.
Whereas SDM creates a copy of a database with masked data which teams then can access, DDM preserves access to the original database but modifies what a particular person can see. This means that the masked data a person sees with DDM is as close to real-time data as one could hope for, making it ideal for situations where someone needs to access fresh data but in a limited way.
Example of a Use Case for Dynamic Data Masking: A large company might keep a large employee database that includes not only names and addresses, but Social Security numbers, direct deposit information, and more. An HR professional running payroll might need to access addresses and direct deposit information, but other HR professionals probably do not. What any given HR employee could see in the system would depend on a specific set of rules that masked data according to user or role.
Because DDM allows organizations to enforce role-based access control, it is sometimes used for older applications that don’t have these kinds of controls built in. Again, think of older legacy HR databases, or customer service systems that might store credit card information.
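The HR scenario above, as an added example that is not code from the original article or from any masking product: a small read layer queries the unmodified employee table and masks each column according to the caller's role before returning rows. The role names, policy table, masking formats and sample record are all constructed assumptions.

```python
import sqlite3

# Constructed policy: role -> columns returned unmasked (hypothetical roles).
CLEAR_COLUMNS = {
    "payroll": {"name", "address", "direct_deposit"},
    "hr_general": {"name"},
}
COLUMNS = ("name", "address", "ssn", "direct_deposit")

def redact(value: str, keep_last: int = 0) -> str:
    """Replace characters with 'X'; keep a short tail only if the value is longer."""
    keep = keep_last if len(value) > keep_last else 0
    hidden = len(value) - keep
    return "X" * hidden + value[hidden:]

# Per-column masking formats; columns without an entry fall back to "[masked]".
MASKERS = {
    "ssn": lambda v: redact(v.replace("-", ""), keep_last=4),
    "direct_deposit": lambda v: redact(v, keep_last=2),
}

def build_employees() -> sqlite3.Connection:
    """Constructed sample record standing in for the production HR table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees(name, address, ssn, direct_deposit)")
    db.execute("INSERT INTO employees VALUES (?,?,?,?)",
               ("Dana Example", "1 Sample St", "000-12-3456", "DE00123456"))
    return db

def read_employees(db: sqlite3.Connection, role: str) -> list:
    """Masking layer: read the real rows, mask per role, return the masked view."""
    clear = CLEAR_COLUMNS.get(role, set())  # unknown role: every column masked
    out = []
    for row in db.execute(f"SELECT {', '.join(COLUMNS)} FROM employees"):
        record = {}
        for col, val in zip(COLUMNS, row):
            if col in clear:
                record[col] = val
            else:
                record[col] = MASKERS.get(col, lambda v: "[masked]")(val)
        out.append(record)
    return out

if __name__ == "__main__":
    db = build_employees()
    for role in ("payroll", "hr_general", "contractor"):
        print(role, read_employees(db, role))
```

The stored rows are never changed, so the protection holds only for access that goes through this layer; any account that can query the table directly sees the original values.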
Static vs. Dynamic Masking: Main Differences
Here is a summary, then, of some of the main differences between static data masking and dynamic data masking:
| Static Data Masking (SDM) | Dynamic Data Masking (DDM) |
| --- | --- |
| Deployed on Non-Production | Deployed in Production |
| Original data is overwritten | Original data is preserved |
| All users have access to the same masked data | Authorized users have access to original data |
Key Questions to Ask When Deciding on a Data Masking Solution
Many vendors tip their hand when discussing data masking solutions; it becomes obvious that they favor one or the other. Unsurprisingly, the one they favor is the particular kind that they sell.
Here at Mage, we have data masking solutions of both types, static and dynamic. Our goal is to find the solution that best fits your use cases. Many times, it turns out that a large organization needs both—they simply need them for different purposes. It pays to engage a vendor that understands the small differences and is adept at implementing both kinds of solution.
For example, here are some of the questions we might have a new client consider when trying to decide between SDM and DDM for a particular use case:
- Do you require the data being masked to reflect up-to-the-minute changes? Or can you work with batched data?
- Are you looking to implement role-based access? Or do you feel more comfortable with a more complete masking of the data in question?
- How much of a concern is the protection of your production environment?
- What privacy laws or regulations are in play? For example, do you need to consider HIPAA laws for protected health information (PHI)? Or regulations like the Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley Act (SOX) because you handle personal financial information (PFI)?
- How are you currently identifying the data that needs to be masked? Is sensitive data discovery needed in addition to any masking tools?
There are other considerations that go into selecting a data masking tool as well, but these questions will help guide further research into which particular type of masking your organization might need.