Data masking is necessary to secure non-production copies of production data. Since data masking is irreversible, a masked database copy can be safely used by users who require access to production-like database copies without compromising personal or company confidential information.
However, data masking is a non-trivial task: you need to modify or generate a full-sized copy of a database, replacing all sensitive data with plausible replacement values. This takes a lot of processing effort, as every row in every table containing sensitive data needs to be updated or replaced.
Many customers see data masking as an expensive process which reduces agility and consequently increases project costs with little project benefit. Of course, there are an increasing number of data protection regulations due to be enforced with greater vigour. These regulations do not change the economics; they just make it more pressing to implement a data masking solution and somehow absorb the cost. They are definitely a stick and not a carrot.
Many Delphix customers are finding a way to solve the masking problem both technically and commercially. The commercial value of Delphix data masking is to help reduce costs by enabling customers to use cloud resources for non-production activities. Whilst it may be acceptable to run with non-masked data on premise, most of us agree that data masking is essential when operating in the cloud.
Delphix Replication makes it easy to mask data on-premise and then replicate only masked data copies to a Delphix Engine sitting in another Data Centre, on Amazon or, in future, Azure. Delphix Replication is surprisingly easy to configure and use: you basically install a second Delphix Engine to replicate to, provide the details of the replica engine to the primary engine, and then specify which masked data copies to replicate.
Of course you still have to mask the data first. Delphix customers create a virtual database (VDB) and prepare that VDB for non-production use, e.g. removing production usernames and passwords, and then obfuscate the sensitive data by running one or more masking jobs against the VDB. Running masking jobs in parallel can reduce the end-to-end masking time substantially. Use of a VDB eliminates the need for a full database copy, as the VDB will only consume storage for the data blocks modified as part of the masking process; this is typically less than 20% of the source database size.
The masked VDB can then be replicated and all non-production VDB copies use this masked master.
Delphix Masking is designed to make the process of data masking easier and faster than most masking tools. Delphix Masking helps identify potentially sensitive columns, does not require a data model to ensure referential integrity and uses the same algorithm to mask a given column, attribute or field across all data sources.
The most commonly used Delphix Masking algorithm is called Secure Lookup, which is a method to replace existing values with values from a generated list of realistic but artificial values. For example, if I have a database with UK National Insurance Numbers (NINOs), I can use a script which can generate artificial NINOs according to the algorithm published at NIM39110 - National Insurance Numbers (NINOs): Format and Security. I would then create a Secure Lookup algorithm and attribute and load this set of generated values to my Secure Lookup algorithm. My new algorithm will replace the original values with values chosen from this list. Since NINOs are unique, I would generate a list with at least as many unique NINOs as there are in the source table. The Secure Lookup algorithm is deterministic, meaning the same input value will map to the same replacement value chosen from the generated list. Hence, if the NINO appears in more than one table and I use this algorithm against both, referential integrity is preserved.
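
An added sketch of the two steps described above, generating artificial NINOs and mapping each original value deterministically onto the generated list; it is not Delphix's Secure Lookup implementation or code from this post. The HMAC-keyed index, the function names, the key and the sample rows are assumptions, and the format rules are as commonly summarised from NIM39110.

```python
import hashlib
import hmac
import random
import re

# NINO format as commonly summarised from HMRC NIM39110 (assumption: verify against the guidance).
FIRST = "ABCEGHJKLMNOPRSTWXYZ"    # first letter: not D, F, I, Q, U, V
SECOND = "ABCEGHJKLMNPRSTWXYZ"    # second letter: additionally not O
UNUSED_PREFIXES = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}
NINO_RE = re.compile(r"^[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]$")

def generate_ninos(count, seed):
    """Build a sorted list of `count` unique, well-formed artificial NINOs."""
    rng = random.Random(seed)  # list values are not secret; the HMAC key is
    found = set()
    while len(found) < count:
        prefix = rng.choice(FIRST) + rng.choice(SECOND)
        if prefix not in UNUSED_PREFIXES:
            found.add(f"{prefix}{rng.randrange(10**6):06d}{rng.choice('ABCD')}")
    return sorted(found)

def lookup_mask(value, lookup, key):
    """Same input and key always select the same replacement from the list."""
    normalised = value.replace(" ", "").upper().encode()
    digest = hmac.new(key, normalised, hashlib.sha256).digest()
    return lookup[int.from_bytes(digest[:8], "big") % len(lookup)]

def mask_rows(rows, column, lookup, key):
    """Return copies of the rows with one column replaced by its masked value."""
    return [{**row, column: lookup_mask(row[column], lookup, key)} for row in rows]

def duplicate_outputs(values, lookup, key):
    """Count distinct inputs that ended up sharing a replacement value."""
    distinct = {v.replace(" ", "").upper() for v in values}
    return len(distinct) - len({lookup_mask(v, lookup, key) for v in distinct})

# Constructed sample data; Q is excluded by the rules above, so these are not valid NINOs.
KEY = b"constructed-demo-key"
EMPLOYEES = [{"id": 1, "nino": "QQ123456C"}, {"id": 2, "nino": "QQ654321A"},
             {"id": 3, "nino": "QQ111111B"}]
PAYSLIPS = [{"nino": "qq 12 34 56 c", "net": 2100}, {"nino": "QQ654321A", "net": 1850}]
LOOKUP = generate_ninos(1000, seed=39110)

if __name__ == "__main__":
    emp = mask_rows(EMPLOYEES, "nino", LOOKUP, KEY)
    pay = mask_rows(PAYSLIPS, "nino", LOOKUP, KEY)
    print(emp[0]["nino"] == pay[0]["nino"])   # the join key still matches across tables
    print(duplicate_outputs([e["nino"] for e in EMPLOYEES], LOOKUP[:2], KEY))
```

With a list shorter than the input set, as in the last line, replacements must repeat, which is why the list needs at least as many unique values as the source column. In this sketch a longer list makes repeats less likely but does not rule them out, so counting duplicates after a masking run is a worthwhile check on any column that must stay unique.
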
Finally, for customers who use database encryption on their production databases, if you want to encrypt copies on non-production you would typically need to decrypt and re-encrypt using new keys to segregate from production. Aside from this complexity, encryption licenses for non-production are expensive and unnecessary when data is masked.
The speed and cost savings of Delphix Provisioning, Replication, Masking and, optionally, cloud hosting allow Delphix customers to solve the problem of provisioning full-sized, secure copies of production efficiently and cost-effectively.