Dynamic Data Masking (DDM)

Protecting DB and File PII In-Flight

Dynamic Data Masking


Dynamic data masking (DDM) works in conjunction with applications in real time so that unauthorized users do not see plaintext columns or values, while the source data remains unchanged.


The IRI FieldShield data masking package for relational databases and flat files, the IRI DarkShield package for semi- and unstructured text files, PDF / MS documents, images and NoSQL -- or the IRI Voracity platform which includes them both plus many related features -- deliver DDM functionally in multiple ways:





Apply field-level masking functions while mapping; i.e., in the same job script/s with IRI Voracity ETL, migration, replication, cleansing, reporting, etc.

SQL trigger

Encrypt, mask, etc. in-situ, in real-time, during inserts, update, etc. to specified tables and columns

App calls

Embed .NET or Java SDK library functions in applications to encrypt, decrypt, hash or redact


Configure proxy server and special 'JDBC SQL Trail' driver to intercept and mask app queries in transit

Custom I/O

Flow your own data feeds and formats to / from FieldShield data masking scripts in memory

Stream masking

Spark and Storm processing of dynamic input in Voracity Hadoop edition

Message queue

Redirect, mask and virtualize/federate PII from pipes, URLs, and MQTT/Kafka topics

Web service

REST API call to a FieldShield or DarkShield agent to mask data in flight


All IRI dynamic encryption and decryption functions, including format-preserving encryption, leverage the same routines used in FieldShield and DarkShield static data masking (SDM) jobs.


In all cases above, you can work with IRI Professional Services to obtain a customized implementation.