Dynamic Data Masking (DDM)


Next Steps
Overview Auditing DPDPA CCPA DLP FERPA GDPR HIPAA PCI DSS DMaaS Static Dynamic Real-Time Test Data/TDM

Dynamic Data Masking

Dynamic data masking (DDM), or data masking in transit, masks data only at the display level in applications connected to a database or file (where it remains unchanged). A DDM solution will prevent  unauthorized users from seeing the original plaintext values in columns.

Compare this to real-time data masking which changes source data values in a single RDB via SQL trigger, or masks values moving from source to target when source values change. Dynamic data masking is also different from Static Data Masking (SDM) which protects data at rest -- either in sources typically used in high security production environments or in lower environments where data is anonymized for development, testing, or analytics. 

The best data masking tools enable all three modes of operation, and provide multiple options to satisfy multiple use cases.

The IRI FieldShield data masking package for relational databases and flat files, the IRI DarkShield package for semi- and unstructured text files, PDF / MS documents, images and NoSQL -- or the IRI Voracity platform which includes them both plus many related features -- can provide you with dynamic data masking and protection functionally in multiple ways:

Method Operation
API or Web Services Call
Embed IRI FieldShield functions via .NET or Java SDK library calls from applications to encrypt, decrypt, hash or redact. Or make a call to aDarkShield text, file, RDB or NoSQL DB RPC API from your application (in Python, PowerShell, Java, etc.) for RESTful search and mask services.
Proxy-based, In-Flight
Configure a proxy server and use the IRI 'JDBC SQL Trail' driver to intercept and mask DB application queries in transit for MS SQL Server, Oracle, PostgreSQL, or SAP HANA. This approach requires no change to any application code because it acts as a middleware itself. This method also provides protection through database log auditing.
Custom I/O
Flow your own data feeds and formats to / from FieldShield data masking scripts in memory using input or output procedures writen in C. You can specify your own access and authorization logic into the procedure while levearging all the other capabilitiers FieldShield offers, including data classification, discovery, multiple masking functions, re-ID risk scoring, quasi-identifying data aonymization, and audit reports.
Message Queues
Redirect, mask and virtualize/federate PII from pipes, URLs, and MQTT or Kafka topics; i.e., mask data for recpients in  flight, as it streams in from a dynamic source.

Whichever dynamic data masking tool or option you choose above, you can work with IRI Professional Services to obtain a customized implementation for your use case.

Share this page

Request More Information

Live Chat

* indicates a required field.
IRI does NOT share your information.