Before getting started with the Masking Engine, an overview of universal terms and concepts will build and unify how different masking components come together. The following provides a brief overview of eight key concepts for masking: provisioning, and working with applications, environments, connections, rule sets, profiling, inventory, and algorithms while masking data in place.

Masking Engine Types

There are two primary Masking Engine types.

  • Standalone Masking Engine - This Engine is deployed as an OVA in a compatible hypervisor and contains the Masking Engine GUI. From here you can create masking jobs, mask data, and administer your Masking Engine. This Engine type is suitable for Delphix installations below Delphix 5.0.
  • Combined Delphix Engine and Masking Engine - This Engine is built into your Delphix 5.0 and above installation. It contains both the Delphix Engine GUI and Masking Engine GUI, and allows tighter integration between Delphix's Data as a Service and Masking features. 

For more information about these types of Masking Engine deployments, read the Before You Begin section in Delphix Masking Quick Start Guide.

Provision Data

Delphix allows you to provision data from a linked source to the target you choose. This flexibility empowers development and testing teams to procure fresh, secure data from a source environment and move it to a non-production environment whenever they need it.

Understanding Environments and Applications

Environments define the scope of work in the Masking Engine. The masking environment is a collection of masking constructs (connectors, rule sets / inventories, and jobs) that support masking for a given application environment. In order to mask databases and files within the Delphix Engine, you first need to create an environment in which the Delphix Engine will store the connection information and masking rules for those data stores. An environment can contain multiple database connections and multiple file connections. Environments are connected to applications for informational purposes. For example, an integrated test environment can have multiple applications.

An application refers to the IT assets (programs, data, processes) that support a business function. For example, if a bank offers payroll services to its clients, there would be an application in its IT division to support that business. If the bank develops code to support new functions for its payroll application, the IT division would have environments where code is developed and tested. These environments contain test data used to test the new code. The test data is masked to support data privacy requirements.

Understanding Connections

The Delphix Engine stores JDBC database connection information in an object called a "connector." You can discover a list of connectors within an environment by going to Environment Overview and then clicking the Connector tab. The connection includes fields such as database name, host, user id and password, and port. It is specific to the DBMS type you select. This builds a connector between the source database and the masking interface.

Understanding Rule Sets with Domains

A "rule set" points to a collection of tables or flat files that the Masking Engine uses for masking data. The rule set allows you to identify, select, and configure which tables you need to mask. For those tables that do not have a primary key defined, you can define a logical key with a combination of columns (or ROWID for Oracle database).

Understanding Profiling

Profiling is a major component of the Masking Engine. The objective of profiling is to identify the location of Non-Public Information (NPI) or sensitive data if you are unsure of what data needs to be masked in the first place. Profiling data is not necessary when you have already identified the sensitive data you need to mask.

The Delphix profiler uses two different methods to identify the location of sensitive data:

  • Searching through the column names in the target database by querying the database catalog (metadata)
  • Looking at the data itself, using a sampling algorithm, to see whether there is any sensitive data. This is especially useful for files and comment and notes fields in a database.

Understanding Inventory

The Delphix Engine automatically stores the masking rules for each sensitive column in the Delphix repository database in the environment's "inventory." When you select a table to mask, its columns will appear, and you can select them for masking. Afterwards, you can edit the columns with an appropriate algorithm required for masking.  

Understanding Algorithms

Algorithms are how the Masking Engine masks sensitive data. From the Settings tab, click Algorithm on the left-hand side, and the list of algorithms appears for you to select. The following algorithms are the most commonly used methods for masking:

  • Secure Lookup Algorithm Uses a lookup file to assign masked values in a consistent manner
  • Segmented Mapping Algorithm Replaces data values based on segment definitions. For example, an ACCOUNT NUMBER algorithm might keep the first segment of an account number but replace the remaining segments with a random number. 
  • Secure Shuffle algorithm – A user-defined algorithm assigned to a specific column. Secure shuffle automates the creation of a secure lookup algorithm by building a list of replacement values based on the existing unique values in the target column and creating a secure lookup using those values. In that respect, it is simply shuffling the values. 

Understanding Masked Data

After you create a masking environment, connection, rule set, and inventory, you can mask data.

The Delphix Engine will maintain Referential Integrity (RI) by masking each field with the same algorithm. This repeatable masking automatically maintains RI (for verbatim matches), even if it is between applications or platforms.

As a practical example, assume you have an Social Security Number (SSN) column in a Microsoft SQL Server database, an SSN column in a DB2 database, and an SSN field in a tab-delimited file. If the SSN value was 111111111 across the two databases and the file, and you use the same SSN algorithm for all three, the masked value (for example, 801-01-0838) will be the same for all three. 

Note: When defining a masking job, select mask data in place.

Mask Data in Place

"Mask data in place" refers to updating a database with masked data. This includes reading data from the table defined in the rule set, masking the data in the Masking Engine, and updating the tables with the masked data.

Related Links