Dynamic Data Masking (DDM)


Protecting DB and File PII In-Flight

Dynamic Data Masking

 

Dynamic data masking (DDM), or data masking in transit, masks data only at the display level in applications connected to a database or file (where it remains unchanged). A DDM solution will prevent unauthorized users from seeing the original plaintext values in columns.

 

Compare this to real-time data masking which changes source data values in a single RDB via SQL trigger, or masks values moving from source to target when source values change. Dynamic data masking is also different from Static Data Masking (SDM) which protects data at rest -- either in sources typically used in high security production environments or in lower environments where data is anonymized for development, testing, or analytics.

 

The best data masking tools enable all three modes of operation, and provide multiple options to satisfy multiple use cases.

 

The IRI FieldShield data masking package for relational databases and flat files, the IRI DarkShield package for semi- and unstructured text files, PDF / MS documents, images and NoSQL -- or the IRI Voracity platform which includes them both plus many related features -- deliver DDM functionally in multiple ways:

Embed IRI FieldShield functions via .NET or Java SDK library calls from applications to encrypt, decrypt, hash or redact. Or make a call to aDarkShield text, file, RDB or NoSQL DB RPC API from your application (in Python, PowerShell, Java, etc.) for RESTful search and mask services.

In 2025, IRI will launch new middleware exploiting RI DarkShield APIs to analyze logged-in users to relational and NoSQL database and mask classes of sensitive data based on RBAC settings.

Flow your own data feeds and formats to / from FieldShield static data masking jobs in memory using input or output procedures writen in C. Your procedure would address the RBAC logic, and allow you to leverage the FieldShield data classification, discovery, masking , re-ID risk scoring, quasi-identifer anonymization, and audit reporting capabilities.

Redirect, mask and virtualize/federate PII from pipes, URLs, and MQTT or Kafka topics; i.e., mask data for recpients in  flight, as it streams in from a dynamic source.

Whichever dynamic data masking tool or option you choose above, you can work with IRI Professional Services to obtain a customized implementation for your use case.