Thursday, 17 March 2016

The Business Case for Delphix Data Masking

 
Delphix Masking




Data Masking is necessary to secure non-production copies of production data.  Since data masking is irreversible a masked database copy can be safely used by users who require access to production like database copies without compromising personal or company confidential information.

However data masking is a non-trivial task, you need to modify or generate a full sized copy of a database replacing all sensitive data with plausible replacement values.  This takes a lot of processing effort as every row in every table containing sensitive data needs to be updated or replaced.

Many customers see data masking as an expensive process which reduces agility and consequently increases project costs with little project benefit.  Of course there are an increasing number of data protection regulations due to be enforced with greater vigour.  These regulations do not change the economics but just make it more pressing to implement a data masking solution and somehow absorb the cost, they are definitely a stick and not a carrot.



Many Delphix customers are finding a way to solve the masking problem both technically and commercially.   The commercial value of Delphix data masking is to help reduce costs by enabling customers to use cloud resources for non-production activities.  Whilst it may be acceptable to run with non-masked data on premise, most of us agree that data masking is essential when operating in the cloud.



Delphix Replication makes it easy to mask data on-premise and then replicate only masked data copies to a Delphix Engine sitting, in another Data Centre, on Amazon or, in future, Azure.   Delphix Replication is surprising easy to configure and use, you basically install a second Delphix Engine to replicate to, provide the details of the replica engine to the primary engine, and then specify which masked data copies to replicate.

Of course you still have to mask the data first. Delphix customers create a virtual database (VDB) and prepare that VDB for non-production use, e.g. removing production usernames and passwords, and then obfuscate the sensitive data by running one more masking jobs against the VDB.  Running masking jobs in parallel can reduce the end-to-end masking time substantially.  Use of a VDB eliminates the need for a full database copy as the VDB will only consume storage for the data blocks modified as part of the masking process, this is typically less than 20% of the source database size.

The masked VDB can then be replicated and all non-production VDB copies use this masked master.

Delphix Masking is designed to make the process of data masking easier and faster than most masking tools. Delphix Masking helps identify potentially sensitive columns, does not require a data model to ensure referential integrity and uses the same algorithm to mask a given column, attribute or field across all data sources.


The most commonly used Delphix Masking algorithm is called Secure Lookup which is a method to replace existing values with values from a generated list of realistic but artificial values.  For example if I have a database with UK National Insurance Numbers (NINOs), I can use a script which can generate artificial NINOs according to the algorithm published at NIM39110 - National Insurance Numbers (NINOs): Format and Security.  I would then create a Secure Lookup algorithm and attribute and load this set of generated values to my Secure Lookup algorithm.  My new algorithm will replace the original values with values chosen from this list.   Since NINOs are unique I would generate a list with at least the same number of unique NINOs in the source table.   The Secure Lookup algorithm is deterministic, meaning the same input value will map to the same replacement value chosen from the generated list.  Hence if the NINO appears in more than one table but I use this algorithm against both then referential integrity is preserved.

Finally, for customers who use database encryption on their production databases, if you want to encrypt copies on non-production you would typically need to decrypt and re-encrypt using new keys to segregate from production.  Aside from this complexity, encryption licenses for non-production are expensive and unnecessary when data is masked.


Using the speed and cost savings of Delphix Provisioning, Replication, Masking and optionally cloud hosting, allows Delphix customers to solve the problem of provisioning full sized, secure copies of production efficiently and cost effectively.


No comments:

Post a Comment