What is Static Data Masking?
Persistent data masking, or Static Data Masking (SDM), is the primary method of masking sensitive classes of data at rest in production or test environments. These data classes are typically database columns or atomic (fixed or floating) values in text files, documents or images.
Static data masking tools are designed to protect personally identifiable information (PII), protected health information (PHI), primary account numbers (PAN), trade secrets, and controlled unclassified information (CUI).
Static data masking can help you nullify data breaches, provide safe test data, and comply with data privacy laws. Compare Static Data Masking (SDM) to Dynamic Data Masking (DDM), which selectively redacts sensitive values for database query applications, or real-time data masking (RTDM) which immediately or incrementally masks data in databases or files when they change.
PII data masking tools from IRI -- FieldShield, DarkShield and CellShied EE -- as well as the IRI Voracity platform that includes them -- centrally classify sensitive data and provide more data discovery and SDM functions for more data sources than any other data masking tool vendor.
The off-the-shelf categories of sensitive data anonymization techniques in IRI data masking tools include:
- multiple, NSA Suite B and FIPS-compliant encryption (and decryption) algorithms, including format-preserving encryption
- SHA-1 and SHA-2 hashing
- bit twiddling
- binary encoding
- data blurring and generalization
- randomization (generation and selection)
- redaction (string masking)
- scrambling (format-preserving)
- reversible and non-reversible pseudonymization
- expression (calculation / shuffle) logic
- conditional / partial filtering (omission)
- custom value (literal) replacement
- byte shifting and sub-string functions
- tokenization (for PCI)
You can also "roll your own" external data masking function. This allows you to call a custom field protection at runtime instead of a built-in function.
IRI FieldShield and DarkShield also support several synthetic (test) data generation functions which also serve as data privacy compliance solutions in test data envirnoments. See this article for details.
Whether built-in or custom, you can apply static data masking functions conditionally to specific rows or columns, and across multiple sources through data masking rules that you can define, re-use and share. It is also possible to apply these functions in a dynamic data masking (DDM) context using a FieldShield or DarkShield API call.
Referential integrity (RI) -- critical in PII masking for databases -- is automatically preserved through the consistent application of deterministic data masking functions to classified data. Deterministic data masking functions are static data masking functions like encryption that uniquely associate masked values with original plaintext values, and may be reversible (unlike a random value). See this FAQ for more information on RI.
Article: Which Data Masking Function Should I Use?
Review some of the powerful data anonymization functions you can use with IRI data masking tools. Give your data the best security possible. Read Now
Did You Know?
IRI Voracity platform users can run static data masking functions in conjunction with data discovery, integration, migration, governance, and analytic operations. For example, they can simultaneously cleanse, encrypt, and sort data for bulk loads into test schema, data lakes, and AI models.
