Before getting started with the Delphix Masking Engine, it helps to review the common terms and concepts that explain how the different masking components fit together. The following provides a brief overview of eight key concepts for masking: provisioning data, and working with applications, environments, connections, rule sets, profiling, inventory, and algorithms while masking data in place.
Delphix Masking Engine Types
There are two primary Delphix Masking Engine types.
- Standalone Delphix Masking Engine — This Engine is deployed as an OVA in a compatible hypervisor and contains the Delphix Masking Engine GUI. From here you can create masking jobs, mask data, and administer your Delphix Masking Engine. This Engine type is suitable for Delphix installations below Delphix 5.0.
- Combined Delphix Engine and Delphix Masking Engine — This Engine is built into your Delphix 5.0 and above installation. It contains both the Delphix Management application and Delphix Masking Engine GUI, and allows tighter integration between Delphix's Data as a Service and Masking features.
For more information about these types of Delphix Masking Engine deployments, read the Before You Begin section in the Delphix Masking Engine Quick Start Guide.
Masking Terminology
Term | Role in Masking |
---|---|
Application | A tag that you can associate with a job. Enables you to mark which job is associated with an application. Allows you to sort masking jobs by application when looking at a jobs list. |
Environment | A grouping mechanism that enables you to create a collection of jobs. This may be useful when developing a number of different masking jobs that should work together to complete the masking of all the data you want to protect. |
Rule Set | The set of data on which you want to act and which will be masked when you run the job. |
Inventory | The set of rules and algorithms which will be applied to the rule set when the masking process executes. |
Provision Data
The Delphix Engine allows you to provision data from a linked source to the target you choose. This flexibility empowers development and testing teams to procure fresh, secure data from a source environment and move it to a non-production environment whenever they need it.
Understanding Environments and Applications
Environments define the scope of work in the Delphix Masking Engine. The masking environment is a collection of masking constructs (connectors, rule sets / inventories, and jobs) that support masking for a given application environment. In order to mask databases and files within the Delphix Engine, you first need to create an environment in which the Delphix Engine will store the connection information and masking rules for those data stores. An environment can contain multiple database connections and multiple file connections. Environments are connected to applications for informational purposes. For example, an integrated test environment can have multiple applications.
An application refers to the IT assets (programs, data, processes) that support a business function. For example, if a bank offers payroll services to its clients, there would be an application in its IT division to support that business. If the bank develops code to support new functions for its payroll application, the IT division would have environments where code is developed and tested. These environments contain test data used to test the new code. The test data is masked to support data privacy requirements.
Understanding Connections
The Delphix Engine stores JDBC database connection information in an object called a "connector." You can discover a list of connectors within an environment by going to Environment Overview and then clicking the Connector tab. The connection includes fields such as database name, host, user id and password, and port. It is specific to the DBMS type you select. This builds a connector between the source database and the masking interface.
Understanding Rule Sets with Domains
A "rule set" points to a collection of tables or flat files that the Delphix Masking Engine uses for masking data. The rule set allows you to identify, select, and configure which tables you need to mask. For those tables that do not have a primary key defined, you can define a logical key with a combination of columns (or ROWID for an Oracle database).
Understanding Profiling
Profiling is a major component of the Delphix Masking Engine. The objective of profiling is to identify the location of Non-Public Information (NPI) or sensitive data if you are unsure of what data needs to be masked in the first place. Profiling data is not necessary when you have already identified the sensitive data you need to mask.
The Delphix profiler uses two different methods to identify the location of sensitive data:
- Searching through the column names in the target database by querying the database catalog (metadata)
- Looking at the data itself, using a sampling algorithm, to see whether there is any sensitive data. This is especially useful for files and comment and notes fields in a database.
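The two methods can be sketched as follows. This is an added example, not Delphix code: the regular expressions, the 20% hit threshold, the `profile` function, and the in-memory SQLite table with its rows are all constructed for illustration.

```python
import re
import sqlite3

# Hypothetical profiling expressions; not Delphix's built-in profile sets.
NAME_RULES = {"SSN": re.compile(r"ssn|social", re.I),
              "EMAIL": re.compile(r"e?mail", re.I)}
DATA_RULES = {"SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
              "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")}

def profile(conn, table, sample_size=100, threshold=0.2):
    """Return {column: (domain, method)} for columns that look sensitive.
    `table` must come from trusted configuration, never from user input."""
    findings = {}
    columns = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
    for col in columns:
        # Method 1: metadata only. Match the column name from the catalog.
        for domain, rx in NAME_RULES.items():
            if rx.search(col):
                findings[col] = (domain, "metadata")
        if col in findings:
            continue
        # Method 2: sample the stored values and count pattern hits.
        rows = conn.execute(
            f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT ?',
            (sample_size,)).fetchall()
        values = [str(r[0]) for r in rows]
        for domain, rx in DATA_RULES.items():
            hits = sum(1 for v in values if rx.search(v))
            if values and hits / len(values) >= threshold:
                findings[col] = (domain, "data sample")
                break
    return findings

def demo():
    # Constructed sample data: the notes column hides an SSN in free text.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, cust_ssn TEXT, notes TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "111-11-1111", "called about invoice"),
        (2, "222-22-2222", "verified SSN 222-22-2222 by phone"),
        (3, "333-33-3333", "contact at pat@example.com"),
    ])
    return profile(conn, "customers")

if __name__ == "__main__":
    print(demo())
```

The `notes` column is only caught by the data sample, which is why name-based profiling alone tends to miss free-text fields.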
Understanding Inventory
The Delphix Engine automatically stores the masking rules for each sensitive column in the Delphix repository database in the environment's "inventory." When you select a table to mask, its columns will appear, and you can select them for masking. Afterwards, you can edit the columns with an appropriate algorithm required for masking.
Understanding Algorithms
Algorithms are how the Delphix Masking Engine masks sensitive data. From the Settings tab, click Algorithm on the left-hand side, and the list of algorithms appears for you to select. The following algorithms are the most commonly used methods for masking:
- Secure Lookup Algorithm – Uses a lookup file to assign masked values in a consistent manner
- Segment Mapping Algorithm – Replaces data values based on segment definitions. For example, an ACCOUNT NUMBER algorithm might keep the first segment of an account number but replace the remaining segments with a random number.
- Secure Shuffle Algorithm – A user-defined algorithm assigned to a specific column. Secure shuffle automates the creation of a secure lookup algorithm by building a list of replacement values based on the existing unique values in the target column and creating a secure lookup using those values. In that respect, it is simply shuffling the values.
Understanding Masked Data
After you create a masking environment, connection, rule set, and inventory, you can mask data.
The Delphix Engine will maintain Referential Integrity (RI) by masking each field with the same algorithm. This repeatable masking automatically maintains RI (for verbatim matches), even if it is between applications or engines.
As a practical example, assume you have a Social Security Number (SSN) column in a Microsoft SQL Server database, an SSN column in a DB2 database, and an SSN field in a tab-delimited file. If the SSN value was 111111111 across the two databases and the file, and you use the same SSN algorithm for all three, the masked value (for example, 801-01-0838) will be the same for all three.
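The following added example (not Delphix's implementation) shows why repeatable masking preserves RI only for verbatim matches. It assumes a keyed hash (HMAC-SHA256) choosing an entry from a lookup list; the key, the lookup values, the source names, and the dashed variant in the file are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins: a real lookup file is far larger, and the key would
# be a managed secret shared by every engine that must produce matching output.
LOOKUP = ["801-01-0838", "802-14-2290", "803-55-1023", "804-09-7761", "805-31-4410"]
KEY = b"constructed-demo-key"

def bucket(value, key=KEY):
    """Keyed, repeatable 64-bit number derived from the exact input string.
    A keyed hash stops someone who holds the lookup list from recomputing
    the mapping without the secret."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")

def secure_lookup(value, key=KEY, lookup=LOOKUP):
    """Same input and key always select the same replacement value."""
    return lookup[bucket(value, key) % len(lookup)]

def normalize_ssn(value):
    """Reduce an SSN to its digits so formatting variants match verbatim."""
    return "".join(ch for ch in value if ch.isdigit())

def mask_sources(sources, normalize=False):
    """Mask the SSN held by each source; return {source name: masked value}."""
    out = {}
    for name, ssn in sources.items():
        out[name] = secure_lookup(normalize_ssn(ssn) if normalize else ssn)
    return out

# Constructed sample: the same person in three stores, but the file keeps dashes.
SOURCES = {"sqlserver.customers.ssn": "111111111",
           "db2.accounts.ssn": "111111111",
           "extract.tsv:ssn": "111-11-1111"}

if __name__ == "__main__":
    print("verbatim  :", mask_sources(SOURCES))
    print("normalized:", mask_sources(SOURCES, normalize=True))
```

The two database columns always agree. The dashed file value hashes as a different string, so it is only guaranteed to agree once all three inputs are normalized to the same representation before masking.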
When defining a masking job, select mask data in place.
Mask Data in Place
"Mask data in place" refers to updating a database with masked data. This includes reading data from the table defined in the rule set, masking the data in the Delphix Masking Engine, and updating the tables with the masked data.
Using API Calls to Automate Masking
For detailed instructions on using API calls to automate your masking tasks, see the Masking API Cookbook.