Incremental Data Masking

 


Real-Time Data Masking


Real-time data masking (RTDM) typically involves the automatic, incremental refresh and obfuscation of PII in database or file targets given new data, or changes to data in supported sources. It may also refer to data masking for streaming data; i.e., data inbound from pipes, programs or message queues like Kafka and MQTT.

In the case of databases, the IRI Ripcurrent incremental data masking facility in IRI Voracity (which includes the IRI FieldShield and DarkShield data masking tools) can apply consistent (rule-based) static data masking functions to classified data when rows are inserted or updated in MS SQL, MySQL, Oracle or PostgreSQL source tables.

 

Ripcurrent provides incremental data masking in Oracle, and for Oracle there is also a real-time trigger option for encrypting or decrypting data during queries. See this example of in-situ data masking for real-time data protection in Oracle databases.

In the case of data streaming through pipes, programs or message queues, both IRI FieldShield and IRI DarkShield can support the masking of payloads in various ways, including:

  • standard input (stdin) file designations and /STREAM processing in FieldShield job scripts
  • custom /INPROCEDURE code for FieldShield job scripts (written in C)
  • built-in MQTT support in FieldShield
  • API calls in DarkShield for any of the above

In the case of structured (flat) file sources that have a similar real-time data protection requirement, you can set up a file watcher program, through PowerShell for example, to trigger a FieldShield operation when new or modified files are detected by the operating system.

 

It is also possible to define triggers through database procedures or external programs that can then activate IRI data masking functionality through FieldShield (structured) or DarkShield (semi-structured and unstructured) data masking operations.

Other real-time data masking tools from IRI are the 1) standalone FieldShield database masking product, 2) CoSort data transformation utility and 3) IRI Voracity data management platform -- all of which use the same underlying data definition and manipulation program, called SortCL. SortCL scripts can specify static data masking functions to run on particular columns or rows based on changes to the data values (like timestamps) in source tables or files. See this example.
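The timestamp-driven incremental masking described above, sketched as an added Python example (not IRI, SortCL or Ripcurrent code). It assumes a hypothetical `src` table with an `updated_at` column and substitutes a keyed HMAC-SHA256 token for the product's masking functions; the table names, key and sample rows are constructed.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key (assumption); a real job would load it from a secrets store.
MASK_KEY = b"constructed-demo-key"

def mask(value: str) -> str:
    """Deterministic pseudonym: the same input and key always yield the same token."""
    return "tok_" + hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def setup() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE src (id INTEGER PRIMARY KEY, email TEXT, updated_at INTEGER);
        CREATE TABLE masked (id INTEGER PRIMARY KEY, email TEXT, updated_at INTEGER);
        CREATE TABLE watermark (last_seen INTEGER);
        INSERT INTO watermark VALUES (0);
    """)
    return db

def refresh(db: sqlite3.Connection) -> int:
    """Mask only rows changed since the stored watermark; return rows processed."""
    (last_seen,) = db.execute("SELECT last_seen FROM watermark").fetchone()
    rows = db.execute(
        "SELECT id, email, updated_at FROM src WHERE updated_at > ? ORDER BY updated_at",
        (last_seen,)).fetchall()
    for row_id, email, ts in rows:
        # Upsert so an UPDATE in the source replaces the earlier masked row.
        db.execute("INSERT OR REPLACE INTO masked VALUES (?, ?, ?)", (row_id, mask(email), ts))
    if rows:
        db.execute("UPDATE watermark SET last_seen = ?", (rows[-1][2],))
    db.commit()
    return len(rows)

def demo():
    db = setup()
    db.executemany("INSERT INTO src VALUES (?, ?, ?)",
                   [(1, "ann@example.com", 10), (2, "bob@example.com", 11)])
    first = refresh(db)    # both rows are new
    db.execute("INSERT INTO src VALUES (3, 'ann@example.com', 20)")  # repeated value
    db.execute("UPDATE src SET email = 'rob@example.com', updated_at = 21 WHERE id = 2")
    second = refresh(db)   # only rows 3 and 2 are reprocessed
    third = refresh(db)    # nothing changed since the watermark
    return first, second, third, dict(db.execute("SELECT id, email FROM masked"))

if __name__ == "__main__":
    print(demo())
```

Polling on `updated_at > watermark` does not see deletes, and it skips any row committed late with a timestamp at or below the watermark, so a production design needs a tie-breaker column or a log-based change feed.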

In any of these scenarios, you can work with IRI Professional Services to build an incremental data masking solution custom-fit for your use case(s).

Provide real-time privacy protection through incremental data masking! To learn how to use one or more of these real-time data-centric security tools in your environment, please request information using the form below.


Frequently Asked Questions (FAQs)

1. What is real-time data masking?
Real-time data masking (RTDM) refers to the automatic, rule-based obfuscation of sensitive data as new records are added or modified in databases, files, or streaming sources.
2. How does real-time data masking differ from static and dynamic data masking?
Static data masking changes data at rest, while dynamic data masking modifies data only at the display level. Real-time data masking applies masking automatically when data is inserted, updated, or streamed—without delay.
3. Can real-time data masking work with database triggers?
Yes. In environments like Oracle, you can implement database-level triggers that call IRI masking functions to encrypt or decrypt data during real-time queries or updates.
4. How does IRI Ripcurrent support real-time data masking?
IRI Ripcurrent provides incremental masking for MS SQL, MySQL, Oracle, and PostgreSQL databases by detecting changes to rows and applying consistent, rule-based masking on insert or update operations.
5. What types of data sources are supported for real-time masking?
IRI supports real-time masking for databases, flat files, streaming data (e.g., Kafka, MQTT), and system-monitored file changes using PowerShell or similar automation.
6. Can I mask streaming data in real time?
Yes. Streaming data from Kafka, MQTT, or custom pipelines can be masked in real time using IRI FieldShield (for structured formats) or DarkShield (for semi-structured and unstructured payloads).
7. What are the ways to trigger masking actions on flat files?
You can use a file watcher script (e.g., in PowerShell) to detect changes in flat files and automatically trigger FieldShield masking operations on the updated content.
8. How do IRI FieldShield and DarkShield handle real-time input?
FieldShield supports stdin/STREAM processing and user-defined input procedures in C. DarkShield offers API-based masking calls for real-time or near-real-time execution.
9. Can I use IRI Voracity for real-time data masking?
Yes. IRI Voracity combines FieldShield, DarkShield, and Ripcurrent with a unified metadata framework, enabling real-time or incremental masking across multiple data types and systems.
10. What masking functions can be used in real-time operations?
All static masking functions supported by FieldShield and DarkShield—such as encryption, redaction, hashing, and pseudonymization—can be applied in real-time use cases using the same SortCL job framework.
11. How does IRI ensure consistency in incremental masking?
IRI applies deterministic masking functions, like format-preserving encryption or tokenization, to maintain consistency and referential integrity across repeated or updated values.
12. Can IRI Professional Services help set up real-time masking?
Yes. IRI offers custom solution development through its Professional Services team to design and implement real-time masking workflows tailored to your infrastructure and data sources.