What is Static Data Masking?
Persistent data masking, or Static Data Masking, is the primary method of masking sensitive classes of data at rest in production or test environments. These data classes are typically database columns or atomic (fixed or floating) values in files that are considered sensitive.
Static data masking examples include personally identifiable information (PII), protected health information (PHI), primary account numbers (PAN), trade secrets, and controlled unclassified information (CUI).
Static data masking can help you nullify data breaches, provide safe test data, and comply with data privacy laws. Compare Static Data Masking (SDM) to Dynamic Data Masking (DDM), which selectively redacts sensitive values for database query applications, or real-time data masking which immediately or incrementally masks data in databases or files when they change.
The IRI static data masking tools FieldShield, DarkShield and CellShield EE -- as well as the IRI Voracity platform that includes them -- centrally classify sensitive data and provide more data discovery and SDM functions for more data sources than any other data masking vendor. FieldShield also provides state-of-the-art re-ID risk scoring.
The off-the-shelf categories of sensitive data masking functions in IRI data masking tools include:
- multiple, NSA Suite B and FIPS-compliant encryption (and decryption) algorithms, including format-preserving encryption
- SHA-1 and SHA-2 hashing
- bit twiddling
- binary encoding
- data blurring and generalization
- randomization (generation and selection)
- redaction (string masking)
- scrambling (format-preserving)
- reversible and non-reversible pseudonymization
- expression (calculation / shuffle) logic
- conditional / partial filtering (omission)
- custom value (literal) replacement
- byte shifting and sub-string functions
- tokenization (for PCI)
You can also "roll your own" external data masking function. This allows you to call a custom field protection at runtime instead of a built-in function.
IRI FieldShieldand DarkShieldalso support several synthetic (test) data generation functions as well. See this article for details.
Whether built-in or custom, you can apply these functions conditionally to specific rows or columns, and across multiple sources through data masking rules that you can define, re-use and share. It is also possible to apply these functions in a dynamic data masking (DDM) context using a FieldShieldor DarkShield API call.
Referential integrity (RI) is preserved through the automatic application of deterministic data masking functions. Deterministic data masking functions are static data masking functions like encryption that uniquely and consistently associate masked values with their original plaintext values, and are usually reversible (unlike a random value). See this FAQ for more information on RI.
Article: Which Data Masking Function Should I Use?
Review some of the powerful data protection functions you can use with IRI data masking tools. Give your data the best security possible. Read Now
Did You Know?
IRI Voracity platform users can run these static data masking functions with discovery, integration, migration, governance, and analytic operations. For example, they can simultaneously cleanse, encrypt, and sort data for bulk loads into test schema, data lakes, and AI models.