Dynamic Data Masking (DDM)

Protecting DB and File PII In-Flight

Dynamic Data Masking


Dynamic data masking (DDM), or masking in transit, works in conjunction with applications in real time so that unauthorized users do not see plaintext columns or values, while the source data (usually in relational databases) remains unchanged. Compare this to persistent, or Static Data Masking (SDM) which protects data at rest in sources typically used for testing or analytics.


The IRI FieldShield data masking package for relational databases and flat files, the IRI DarkShield package for semi- and unstructured text files, PDF / MS documents, images and NoSQL -- or the IRI Voracity platform which includes them both plus many related features -- deliver DDM functionally in multiple ways:





Apply static field-level masking functions while mapping; e.g., in the same IRI Voracity ETL, migration, replication, cleansing, and/or reporting job, or incrementally in real-time when RDB source row data changes using IRI Ripcurrent.

SQL trigger

Encrypt, mask, etc. in-situ, in real-time, during inserts, updates, etc. to specified tables and columns using a stored procedure and an IRI library

API or Web Services Call

Embed IRI FieldShield functions via .NET or Java SDK library calls from applications to encrypt, decrypt, hash or redact. Or use the IRI DarkShield RPC API via web services / application calls written in Python, Java, etc. for RESTful search and mask operations.

Proxy-based, In-Flight

Configure proxy server and special 'JDBC SQL Trail' driver to intercept and mask app queries in transit for MS SQL Server, Oracle, PostgreSQL, or SAP HANA

Custom I/O

Flow your own data feeds and formats to / from FieldShield data masking scripts in memory

Stream masking

Spark and Storm processing of dynamic input in Voracity Hadoop edition

Message queue

Redirect, mask and virtualize/federate PII from pipes, URLs, and MQTT/Kafka topics


All IRI dynamic encryption and decryption functions, including format-preserving encryption, leverage the same routines used in FieldShield and DarkShield static data masking (SDM) jobs.


In all cases above, you can work with IRI Professional Services to obtain a customized implementation.