After profiling and masking data, you want to monitor or audit the process (also known as certifying your data). This alerts you if unmasked data is introduced to a masked database.
For example, if you mask your master customer database once a week, and an input file of unmasked is introduced by mistake, you want to be able to detect that. The purpose of the Delphix certification module is to identify such a situation. To do so, you create a Certification job against that database (see Creating a New Certify Job).
The Certifying job goes through every row in the tables in a rule set and verifies that every value designated for masking in the inventory is masked. The Certification job output lists the fields designated for masking, along with the result of the certification: Clean, Polluted, or Not Applicable. Polluted data indicates that Delphix encountered a value that could potentially be an unmasked production value. Not Applicable indicates that Delphix was unable to determine whether the value is masked.
Certification and Delta Masking
As part of the certification process for databases, you can specify to mask rows that are not masked but are identified as part of the certification process as polluted. In other words, if the certification process finds "polluted rows," Delta Masking instructs Delphix to mask the polluted records to ensure that those polluted rows get masked.
A Practical Certification Example
When a certification job runs, it looks at the inventory defined for that database. If the inventory indicates to mask the Customer.First_Name column with the First Name Secure Lookup algorithm, the certification job ensures that there are only masked values for that column.
The First Name Secure Lookup algorithm uses a look-up file that contains all the first names used to mask a column. When the certification job runs, it compares the values in the Customer.First_Name column with the look-up file, which contains only the mask values.
If any names in the column do not match the names in the look-up file, Delphix indicates that it found polluted data in the Customer.First_Name column.
You can use the Delphix Certification module to certify all data masked with Secure Lookup Algorithms.
You can also certify data masked with Segmented Mapping Algorithms, keeping in mind that the segmented mapping algorithm must specify a range for each segment.
For example, if the SSN Segmented Mapping algorithm first segment has a range from 800-899, and there is SSN data in the Customer.SSN column with the first three digits of 435, the certification job will tag the Customer.SSN column as containing polluted rows.
With the Telephone algorithm, the middle segment is the exchange. Because the exchange is always masked to an exchange of 555, any other exchange will indicate polluted data.
We recommend that you run certification jobs at least once in between refreshes, when the refreshes for a database are scheduled 7 days or more apart.