Database masking

Database masking is the technology that discovers sensitive data fields, creates a mask, and applies the mask to obfuscate sensitive data. It is useful to ensure data security and comply with security regulations like GDPR, HIPAA, etc.


Masking functionality

Typically, masking includes the following:

  • Accurate sensitive data classification - Properly classifying sensitive data makes it possible to replace the data with obfuscated data of the same type
  • Simplified user experience for mask definition - Mask creation for multiple schemas in parallel, better data visibility during mask definition, simpler definition of credit card obfuscation rules, and a single UI to discover sensitive data, classify the data, and build the mask
  • Field format flexibility and preservation, deterministic masking - Masking retains field formats and can preserve parts of a field, which is useful, for example, to retain parts of domain names. Masking is deterministic across databases.
  • Flexible role-based masking - Based on the membership of users in authorization groups, different masking rules may be applied to deliver differently masked data to users for the same databases
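
An added illustration of the deterministic, format-preserving masking described in the list above. It is not Windocks code and does not describe how Windocks masking is implemented; the key, the function names and the sample values are constructed, and keyed HMAC-SHA256 is an assumed technique chosen for the demonstration.

```python
import hashlib
import hmac
import string

# Constructed demo key (assumption). The same key must be used for every
# database that has to agree on masked values, and it must stay secret.
MASK_KEY = b"constructed-demo-key"

def _keystream(value: str, context: str):
    """Yield an endless deterministic byte stream derived from key, context and value."""
    counter = 0
    while True:
        msg = f"{context}|{counter}|{value}".encode()
        yield from hmac.new(MASK_KEY, msg, hashlib.sha256).digest()
        counter += 1

def mask_preserving_format(value: str, context: str, keep_last: int = 0) -> str:
    """Replace each ASCII letter or digit with one of the same class.

    Length, punctuation, letter case and the last `keep_last` characters are kept.
    The modulo step is slightly biased, which is acceptable for test data.
    """
    stream = _keystream(value, context)
    cut = len(value) - keep_last
    out = []
    for i, ch in enumerate(value):
        if i >= cut:
            out.append(ch)                      # preserved tail
        elif ch in string.digits:
            out.append(string.digits[next(stream) % 10])
        elif ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[next(stream) % 26])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[next(stream) % 26])
        else:
            out.append(ch)                      # separators and other symbols
    return "".join(out)

def mask_email(email: str) -> str:
    """Mask only the local part so the domain name is retained."""
    local, sep, domain = email.rpartition("@")
    if not sep:                                 # not an address: mask everything
        return mask_preserving_format(email, "email")
    return mask_preserving_format(local, "email") + "@" + domain

def mask_card(number: str) -> str:
    """Mask a card number, keeping separators and the last four characters."""
    return mask_preserving_format(number, "card", keep_last=4)
```

Because the same input always yields the same output under one key, masked values still join across tables and databases. The mapping is one-way and can collide, so a column with a unique constraint needs a collision check after masking.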

Windocks offers built-in data masking that is coordinated by the Windocks database orchestrator. The orchestrator builds images, uses Windocks masking to mask the data, clones that data with Windocks cloning, and delivers the clones into Windocks SQL Server containers or Docker containers for Oracle, MySQL, and PostgreSQL. Windocks database orchestration also works with other masking solutions from leaders such as Mentis, Curiosity Software and IRI: it orchestrates these masking solutions to build database images with obfuscated data and uses Windocks or other cloning to deliver masked databases to the same container types.


Steps to get started with database masking

1. Install Windocks - Download the Windocks Community Edition or email support@windocks.com for a full-featured evaluation edition. Provision a Windows Server VM (Server 2016, 2019, or 2022), install SQL Server (for SQL database delivery) and then install Windocks as described here. For Oracle database delivery, also install the Windocks service for Linux as described here.
2. Install the built-in masking software - Email support@windocks.com for the masking add-on.
3. Create the database mask - Open the database in SQL Server or Oracle and use the masking application UI to create the mask.
4. Provide the spec to the Windocks orchestrator to build the image - Start with the sample windocks\samples\MaskingBuiltIn. This will result in an image that has masked data.

Specify the path to one or more SQL backup or database files, Azure SQL BACPAC files, Oracle RMAN backups, or Oracle oradata files. Specify which database cloning to use (Windocks database cloning or volume cloning from other companies), where to deliver the database clones (Windocks SQL Server Windows containers, SQL Server instances, or Docker Oracle containers), how often to refresh from production, customizations such as database scripts to be applied, which masking software to use (Windocks masking, other masking solutions, or scripts), and authorization controls. Provide the spec in the form of a dockerfile and build the image via a web application, command line or REST API.

Tutorial for SQL Server    Tutorial for Oracle   Tutorial for PostGre, MySQL.

5. Deliver customized database clones on demand from the image - From the image, deliver database clones to containers or instances. The image you built defines where the databases are delivered to. You may define an image that delivers containers with clones as well as clones to instances. To deliver containers and clones, use the web application, the docker command line, or the REST API. The database clones all have sensitive data obfuscated based on the mask you created in step 3.
6. Use the writeable clones - Database clones are delivered either to containers or instances based on the image you built. If you delivered to an instance, then connect to that instance for the database clone. Clones are writeable. Containers are delivered on the machine running Windocks on specified ports. Access these containers with regular database tools, command lines, or connection strings.

SQL Server containers are accessed with SQL Management Studio or Azure Data Studio or SQLCMD. Connect with the instance name (such as INSTANCE10002 when the container port is 10002). Or you can use the form IPAddressOfWindocksServer,10002 to connect to the SQL container running on port 10002.

Oracle containers are accessed with SQLPlus, RMAN or UI tools for Oracle. You may put in entries in tnsnames.ora for the containers as you would for Oracle instances. With SQLPlus or RMAN, use the form SQLPLUS sys/password@IPAddressOfWindocksLinuxServer:HostPort/orclcdb as sysdba
