What is Data Masking?

Those who know what data masking is are clear that it is a  protection-oriented data transformation process, in which it is essential to try to maintain their realism. It is, in turn, a process that does not allow you to go back and recover the initial data later.

Any masking action could remain defined as replacing all the information that can be considered sensitive in any database that one may have. It means that you could never get the data back to its original state. As a result of an initiative of this type, the new information produced will be accurate for all our systems. It will work as expected, but it would be entirely useless for the person who wants to do the reverse process.


The basic concept of data masking, as it theoretically known, based on “ obscuring the data ” of the database. However, in practice, the meaning of the action of this type has evolved. It is considered a  replacement for information with the same quality and purpose. Without hiding, encrypting, or restricting the intake to unauthorized persons. Not so many persons know that, although the encryption or visibility restriction is part of the algorithms that data masking can have, they are just that, a part of the total and not the masking itself.

All this must be very clear, both for the project team and for clients and interested parties, since otherwise, the acceptance criteria can stay linked to processes that, in reality, do not perform data masking.

A good understanding of the concept of what is data masking or data masking allows us to offer an understandable solution for the user and manage the same expectation regarding what he will achieve with the process.

Dynamic and Static Data Masking

However, it comes in two basic versions: static and dynamic data masking.

Static Data Masking (SDM) forever replaces sensitive data by altering data at rest. Dynamic Data Masking (DDM) aims to replace sensitive data in transit while leaving the original data at rest intact and unchanged.

Those who understand what data masking is or data masking know that both have advantages and disadvantages:

Benefits of Static

  • The confidential data permanently delete because data transformations apply to the data store. If an attacker settlements a statically masked database, the delicate information is not there.
  • Transaction performance is not penalized. All data transformations applied in advance so that there is no performance impact once the masked database is available for various purposes.
  • Protects copies of production data in an extensive range of scenarios, including access through native back-end applications and queries.
  • It greatly simplifies the security of copying data. There is no need to implement granular security at the object level because all sensitive data has up to date.

Disadvantages of Static

Masking applied to a data store using a batch process (not real-time) that can take minutes or hours to complete, dependent on the extent of the data.

It cannot remain used to protect the making database because it permanently alters the underlying data. As described above, it functions against copies of production databases.

Advantages of Dynamic

  • Add a sheet of security and privacy control to protect sensitive data.
  • Protect data in read-only scenarios (reports).
  • It works almost in real-time.
  • It does not require batch processing in advance to mask all the data in advance.

Disadvantages of Dynamic Data Masking

  • It is unsuitable for use in a dynamic (read/write) environment, such as an enterprise application, because the masked data could remain written back to the database, corrupting the data.
  • There is a performance overhead associated with inspecting all traffic destined for the database.
  • Detailed mapping of applications, users, database objects, and access rights require to configure masking rules. Maintaining this matrix of configuration data requires significant effort.
  • The proxy is a single point of failure, and users connecting directly to the database can bypass it, potentially exposing the original data stored in the database.
  • Organizations may hesitate to adopt DDM if there is a risk of corruption or an adverse impact on production performance. Also, relative to SDM, DDM is a less mature technology. For which customer success stories not as well known and use cases still defined.