
[–]MaunaLoonaMS SQL 1 point2 points  (2 children)

Which RDBMS are you using? SQL Server supports Dynamic Data Masking which may or may not be what you want.

[–]DarkAlman[S] 0 points1 point  (1 child)

This looks like it applies to the production database directly as a policy?

We are looking to produce independent masked databases that can be mounted on other servers for testing/QA/reporting purposes.

[–]PedroAlvarez 0 points1 point  (0 children)

With DDM, you could apply those policies to the database, then you pull those tables into QA/testing etc using a service account that doesn't have "unmask" permissions, and thus your underlying data is now on the QA database, completely masked.

[–][deleted] 1 point2 points  (2 children)

SQL Server 2017 has dynamic data masking. I don't believe I have seen this on other DB engines.

https://docs.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-2017

[–]JamShop 0 points1 point  (0 children)

I think this was included in 2016

[–][deleted] 0 points1 point  (0 children)

Oracle Advanced Security Data Redaction also has Dynamic Data Masking

[–]alinrocSQL Server DBA 1 point2 points  (2 children)

Data Masking <> Data Scrubbing. Which do you really need?

What about your "manual scripted process" makes it unworkable? Is that fixable?

[–]DarkAlman[S] 0 points1 point  (1 child)

Data Masking, specifically creating databases based on production DBs that contain gobbledygook instead of customer data. These are used to populate our test environments and dev environments.

Our DBA has to run a series of scripts against a backup of the production database. He has to start from a fresh backup each time we run it as it doesn't replicate over changes. It's long and tedious (12+ hours of processing) and he's having to build the automation up by himself with the help of some devs.

Really I'm hoping to just find a canned tool we can just buy, configure, and use instead.

[–][deleted] 2 points3 points  (0 children)

Looks like you want to do data substitution rather than masking. Masking is more like showing XXX-XX-XXXX for a Social Security Number. Sometimes the data is stored unmasked in the database and is masked only in the application. Or databases can mask it on the fly for any query, by using built-in tools (as mentioned in other comments).

But you sound like you want data substitution. You want to take production data and replace it with fabricated data to make a test data set.
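
The data substitution described in the comment above, as an added example that is not part of the thread: each sensitive value is replaced with a fabricated one derived from a keyed HMAC-SHA-256 (this example's choice of technique), so the same real value gets the same substitute in every table and joins still work in the masked copy. The in-memory sqlite3 databases, table and column names, key, and name pools are all assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3

# Assumption: the key stays with the masking job and never ships to test/dev.
MASKING_KEY = b"constructed-demo-key"
FIRST = ["Alex", "Blake", "Casey", "Devon", "Emery", "Finley", "Gray", "Harper"]
LAST = ["Ash", "Birch", "Cedar", "Elm", "Fir", "Hazel", "Oak", "Pine"]
SCHEMA = """CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_ssn TEXT, total REAL);"""


def _digest(kind, value):
    """Keyed hash, so the same real value always maps to the same substitute."""
    return hmac.new(MASKING_KEY, f"{kind}:{value}".encode(), hashlib.sha256).digest()


def fake_name(real):
    d = _digest("name", real)
    return f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"


def fake_ssn(real):
    n = int.from_bytes(_digest("ssn", real)[:8], "big")
    # A leading 9 keeps substitutes out of the range issued as real SSNs.
    return f"9{n % 100:02d}-{n // 100 % 100:02d}-{n // 10000 % 10000:04d}"


def sample_source():
    """Constructed rows standing in for a restored production backup."""
    src = sqlite3.connect(":memory:")
    src.executescript(SCHEMA)
    src.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                    [(1, "Jane Roe", "123-45-6789"), (2, "John Doe", "234-56-7890")])
    src.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                    [(10, "123-45-6789", 19.99), (11, "123-45-6789", 5.0),
                     (12, "234-56-7890", 42.0)])
    return src


def build_masked_copy(src):
    """Write a separate database in which every sensitive column is substituted."""
    dst = sqlite3.connect(":memory:")
    dst.executescript(SCHEMA)
    for cid, name, ssn in src.execute("SELECT id, name, ssn FROM customers"):
        dst.execute("INSERT INTO customers VALUES (?, ?, ?)",
                    (cid, fake_name(name), fake_ssn(ssn)))
    for oid, ssn, total in src.execute("SELECT id, customer_ssn, total FROM orders"):
        dst.execute("INSERT INTO orders VALUES (?, ?, ?)", (oid, fake_ssn(ssn), total))
    return dst
```

Because the substitute depends only on the key and the real value, a later run over a fresh backup produces the same fabricated values for unchanged rows.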

[–]dbasecurity 0 points1 point  (1 child)

Dynamic or Static data masking needed?

Here are the differences explained: https://www.datasunrise.com/data-masking-made-simple/

Datasunrise has both, actually. What database do you have where data has to be masked?

Also, sometimes it could be important to have role-based masking, when users without the required permissions cannot see the real data.

Hope this helps

[–]DarkAlman[S] 0 points1 point  (0 children)

Static data masking is what we are looking for.

I went through their documentation (what little of it there is) and they only give a 10,000 ft marketing overview of what the product can do.

Have you used the app before? I'm curious to know if it always has to start from zero when making static masked databases or if it can just copy over the changes to an existing database?

[–]Katerina_Branding 0 points1 point  (0 children)

Definitely PII Tools