Dynamic Data Masking (DDM)

 


Dynamic Data Masking Solutions


Dynamic data masking (DDM), or data masking in transit, masks data only at the display level in applications connected to a database or file (where it remains unchanged). A DDM solution will prevent unauthorized users from seeing the original plaintext values in columns.

Compare this to real-time data masking, which changes source data values in a single RDB via SQL trigger, or masks values moving from source to target when source values change. Dynamic data masking is also different from Static Data Masking (SDM), which protects data at rest -- either in sources typically used in high security production environments or in lower environments where data is anonymized for development, testing, or analytics.
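The contrast between dynamic and static masking described above, as an added example that is not IRI code and uses no IRI API. The table, the sample rows, the role names and the masking functions are all constructed assumptions; the store is an in-memory SQLite database.

```python
import sqlite3

# Constructed sample rows; not taken from any real system.
ROWS = [(1, "Ana Ruiz", "123-45-6789", "ana@example.com"),
        (2, "Bo Chen", "987-65-4321", "bo@example.com")]

def redact_ssn(value):
    return "***-**-" + value[-4:]               # keep the last four digits

def redact_email(value):
    return "****@" + value.split("@", 1)[1]     # keep the domain only

SENSITIVE = {"ssn": redact_ssn, "email": redact_email}
# Hypothetical RBAC policy: columns each role may see in clear text.
# A role missing from the policy sees every sensitive column masked.
CLEAR_COLUMNS = {"auditor": {"ssn", "email"}, "support": {"email"}}

def make_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE customers "
               "(id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, email TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", ROWS)
    return db

def read_masked(db, role):
    """Dynamic masking: applied on the read path; stored rows are untouched."""
    clear = CLEAR_COLUMNS.get(role, set())
    result = []
    query = "SELECT id, name, ssn, email FROM customers ORDER BY id"
    for row in db.execute(query):
        record = dict(row)
        for column, mask in SENSITIVE.items():
            if column not in clear:
                record[column] = mask(record[column])
        result.append(record)
    return result

def static_mask(db):
    """Static masking: overwrites the stored values in this copy of the data."""
    rows = db.execute("SELECT id, ssn, email FROM customers").fetchall()
    for row in rows:
        db.execute("UPDATE customers SET ssn = ?, email = ? WHERE id = ?",
                   (redact_ssn(row["ssn"]), redact_email(row["email"]), row["id"]))

def stored_ssns(db):
    """Read the raw column, bypassing the masking layer."""
    return [r["ssn"] for r in db.execute("SELECT ssn FROM customers ORDER BY id")]
```

After `read_masked` the stored values are still plaintext, so any path that reaches the table without going through the masking layer sees them; after `static_mask` even the fully privileged role gets masked values.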

The best data masking tools enable all three modes of operation, and provide multiple options to satisfy multiple use cases.

The IRI FieldShield data masking package for relational databases and flat files, the IRI DarkShield package for semi- and unstructured text files, PDF / MS documents, images and NoSQL -- or the IRI Voracity platform which includes them both plus many related features -- can provide you with dynamic data masking and protection functionality in multiple ways:

Method: Operation

API or Web Services Call: Embed IRI FieldShield functions via .NET or Java SDK library calls from applications to encrypt, decrypt, hash or redact. Or make a call to a DarkShield text, file, RDB or NoSQL DB RPC API from your application (in Python, PowerShell, Java, etc.) for RESTful search and mask services.

Proxy-based, In-Flight: In late 2025, IRI plans to launch new middleware exploiting IRI DarkShield APIs to analyze users logged in to relational and NoSQL databases and mask classes of sensitive data based on RBAC settings.

Custom I/O: Flow your own data feeds and formats to / from FieldShield static data masking jobs in memory using input or output procedures written in C. Your procedure would address the RBAC logic, and allow you to leverage the FieldShield data classification, discovery, masking, re-ID risk scoring, quasi-identifier anonymization, and audit reporting capabilities.

Message Queues: Redirect, mask and virtualize/federate PII from pipes, URLs, and MQTT or Kafka topics; i.e., mask data for recipients in flight, as it streams in from a dynamic source.

Whichever dynamic data masking tool or option you choose above, you can work with IRI Professional Services to obtain a customized implementation for your use case.

Frequently Asked Questions (FAQs)

1. What is dynamic data masking?
Dynamic data masking (DDM) is a method of protecting sensitive information by masking data only when it is accessed or displayed, without changing the underlying values in the source database or file.
2. How does dynamic data masking differ from static data masking?
Dynamic data masking protects data in transit or at the display layer, while static data masking permanently modifies sensitive data at rest for use in lower environments like development or testing.
3. Can dynamic data masking prevent unauthorized access to sensitive data?
Yes. DDM hides or redacts sensitive data values from unauthorized users based on their access rights, ensuring they only see masked values without altering the original data.
4. What types of data sources can support dynamic data masking?
IRI supports DDM for relational databases, flat files, NoSQL databases, and semi-structured and unstructured sources such as documents, PDFs, and images via its FieldShield and DarkShield tools.
5. How is dynamic data masking implemented in IRI solutions?
IRI provides multiple DDM methods, including API or web service calls, custom I/O streams, message queue processing (e.g., MQTT, Kafka), and soon, proxy-based middleware that applies role-based access controls.
6. What programming languages are supported for integrating IRI’s DDM features?
Developers can integrate IRI masking functions using Java, .NET, Python, PowerShell, and other supported languages via SDKs and remote API calls.
7. Can I use dynamic data masking with message queues like Kafka or MQTT?
Yes. IRI allows masking of streaming data from dynamic sources such as Kafka topics and MQTT feeds to protect personally identifiable information (PII) in-flight.
8. What is the difference between dynamic and real-time data masking?
Dynamic data masking displays masked values without modifying the data, while real-time data masking alters source data as it changes—such as through database triggers or transformation pipelines.
9. How does IRI support role-based access control in dynamic masking?
IRI plans to launch proxy-based middleware that uses DarkShield APIs to dynamically mask data based on role-based access control (RBAC) rules tied to user logins.
10. Can I create a custom dynamic masking pipeline using IRI tools?
Yes. You can design custom I/O procedures using C or other languages to manage your own data flows, applying IRI’s classification, masking, and risk scoring functions in memory.
11. What is the benefit of using IRI's dynamic data masking over homegrown scripts?
IRI’s DDM solutions offer integrated discovery, classification, masking, logging, and risk scoring—removing the complexity and risk of managing disjointed or manual masking processes.
12. Can dynamic data masking be combined with audit reporting?
Yes. When using IRI’s APIs or job procedures, dynamic masking actions can be logged and audited to demonstrate data access and protection compliance for regulators or stakeholders.