Static Data Masking (SDM)
Proven, Persistent Protections for Data at Rest
What is Static Data Masking?
Persistent data masking, or Static Data Masking, is the primary method of masking sensitive classes of data at rest in production or test environments. These data classes are typically database columns or atomic (fixed or floating) values in text files, documents or images.
Static data masking tools are designed to protect personally identifiable information (PII), protected health information (PHI), primary account numbers (PAN), trade secrets, and controlled unclassified information (CUI). Static data masking can help you nullify data breaches, provide safe test data, and comply with data privacy laws. Compare Static Data Masking (SDM) to Dynamic Data Masking (DDM), which selectively redacts sensitive values for database query applications, or real-time data masking which immediately or incrementally masks data in databases or files when they change.
The IRI FieldShield, IRI DarkShield and IRI CellShied data anonymization tools -- as well as the IRI Voracity platform that includes them -- centrally classify sensitive data and provide more data discovery and SDM functions for more data sources than any other data masking tool vendor. FieldShield also provides state-of-the-art re-ID risk scoring.
The off-the-shelf categories of sensitive data masking functions in IRI data masking tools include:
- multiple, NSA Suite B and FIPS-compliant encryption (and decryption) algorithms, including format-preserving encryption
- SHA-1 and SHA-2 hashing
- bit twiddling
- binary encoding
- data blurring and generalization
- randomization (generation and selection)
- redaction (string masking)
- scrambling (format-preserving)
- reversible and non-reversible pseudonymization
- expression (calculation / shuffle) logic
- conditional / partial filtering (omission)
- custom value replacement
- byte shifting and sub-string functions
- tokenization (for PCI)
You can also "roll your own" external data masking function. This allows you to call a custom field protection at runtime instead of a built-in function.
IRI FieldShield and DarkShield also support several synthetic (test) data generation functions as well. See this article for details.
Whether built-in or custom, you can apply these functions conditionally to specific rows or columns, and across multiple sources through data masking rules that you can define, re-use and share. It is also possible to apply these functions in a dynamic data masking (DDM) context using a FieldShield or DarkShield API call.
Referential integrity (RI) -- crticial in PII masking for databases -- is automatically preserved through the consistent application of deterministic data masking functions to classified data. Deterministic data masking functions are static data masking functions like encryption that uniquely associate masked values with original plaintext values, and can be reversible (unlike a random value). See this FAQ for more information on RI.
Article: Which Data Masking Function Should I Use?
Review some of the powerful data protection functions you can use with IRI data masking tools. Give your data the best security possible. Read Now.
Did You Know?
IRI Voracity platform users can run these static data masking functions with discovery, integration, migration, governance, and analytic operations. For example, they can simultaneously cleanse, encrypt, and sort data for bulk loads into test schema, data lakes, and AI models.
