Secure Your Data Effectively Using OCI Data Safe's Data Masking

Rodrigo is a Senior Oracle Developer at QV Systems. He is an experienced software engineer with an emphasis on analysis, design and development of bespoke Oracle applications utilising development tools such as APEX, PL/SQL, jQuery, JavaScript, CSS and JSON for a variety of international businesses. Rodrigo speaks regularly at Oracle community events and enjoys creating APEX plugins and writing blogs.

Oracle Data Safe offers a robust solution for securing sensitive information through its data masking feature. This blog will show the capabilities and benefits of Oracle Data Safe's data masking, highlighting how it helps to maintain data security and compliance.

What’s data masking?

Data masking is the process of permanently replacing sensitive data with fake but realistic-looking data to protect confidential information. It is used to protect sensitive data and to comply with privacy laws and standards. The process should be irreversible, and the masked data should be realistic enough for non-production use while keeping the application functional.

Key Features of Data Masking

  1. Predefined Masking Formats: Oracle Data Safe offers a comprehensive set of predefined masking formats for common sensitive data types such as names, Social Security numbers, credit card numbers, and email addresses. These formats ensure that masked data is realistic and passes specific validation checks, such as Luhn validation for credit card numbers.

  2. Custom Masking Formats: Users can create custom masking formats tailored to their specific needs. This flexibility allows organizations to mask data in ways that are unique to their business requirements.

  3. Conditional Masking: Data can be masked based on predefined conditions, allowing for more nuanced control over how data is protected.

  4. Reversible Masking: While most masking formats are irreversible to ensure security, Oracle Data Safe supports reversible masking through encryption, allowing authorized users to restore the original data when necessary.

  5. Multi-Database Support: Data masking can be applied across various Oracle database versions and environments, including on-premises and cloud databases.

It’s possible to use this feature on-premises or in OCI. The example in this blog is on how to use it in OCI.

Masking Policies: To begin, we need to create policies to protect the data.

On Oracle Cloud, go to Oracle Database and under Data Safe, select Data Masking. On Related Resources, select Masking Policies.

We can either upload a previously saved masking policy or create a new one. We are going to create one.

In this step, we can use a sensitive data model or manually select the sensitive data associated with our target database. In this blog, we are using the second option; however, in my next blog, I will show how to use OCI to generate a sensitive data model.

With the masking policy created, we can start adding the columns we want to mask. After clicking on "Add Column," we can select the schema, table, and columns we want to mask. We will mask ENAME, SAL, and HIREDATE, selecting the sensitive type according to the type of data.

After clicking on "Add Columns," we will be able to confirm the mask used for each column.

With the policy done, we can go back to the main Data Masking page and run the “Pre-Masking Check”, which ensures the database is ready for masking. One of the checks looks at the database permissions of the user that is running the masking. By default, an Autonomous Database comes with a database account specifically created for Oracle Data Safe named DS$ADMIN. The roles that you grant to this account determine the Oracle Data Safe features that you can use with your Autonomous Database.

For an Autonomous Database, all roles are already granted by default, except for DS$DATA_MASKING_ROLE and DS$SQL_FIREWALL_ROLE. To grant a role, run the command below, replacing role_name with the role required (DS$DATA_MASKING_ROLE for data masking).

EXECUTE DS_TARGET_UTIL.GRANT_ROLE('role_name');

After the “Pre-Masking Check”, we can execute the Data Masking, but before that, let's look at the data so we can compare it with the result once the masking is done.

We can now go to the main page and click on “Mask Sensitive Data.” Below, we can see the results.

Returning to the application, we can now see that the data has been changed, and the columns ENAME, SAL, and HIREDATE have different data.
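The before/after comparison can also be checked in SQL rather than by eye. The following is an added example, not part of the original post or of Oracle's documentation; it assumes the masked table is named EMP with an unmasked key column EMPNO, and MASK_CHECK_BEFORE is a hypothetical helper table.

```sql
-- Added example. Assumed names: table EMP, key column EMPNO,
-- helper table MASK_CHECK_BEFORE (hypothetical).

-- Step 1: run BEFORE "Mask Sensitive Data".
-- Keep one hash per masked column and row instead of copying the clear values.
CREATE TABLE mask_check_before AS
SELECT empno,
       STANDARD_HASH(ename, 'SHA256')                       AS ename_hash,
       STANDARD_HASH(TO_CHAR(sal), 'SHA256')                AS sal_hash,
       STANDARD_HASH(TO_CHAR(hiredate, 'YYYY-MM-DD HH24:MI:SS'),
                     'SHA256')                              AS hiredate_hash
FROM   emp;

-- Step 2: run AFTER the masking job has finished.
-- For each masked column, count the rows whose value is still the original.
-- A column whose *_unchanged count equals rows_checked was not masked at all;
-- a handful of unchanged rows can be a random value that happened to match.
SELECT COUNT(*) AS rows_checked,
       SUM(CASE WHEN b.ename_hash = STANDARD_HASH(e.ename, 'SHA256')
                THEN 1 ELSE 0 END) AS ename_unchanged,
       SUM(CASE WHEN b.sal_hash = STANDARD_HASH(TO_CHAR(e.sal), 'SHA256')
                THEN 1 ELSE 0 END) AS sal_unchanged,
       SUM(CASE WHEN b.hiredate_hash =
                     STANDARD_HASH(TO_CHAR(e.hiredate, 'YYYY-MM-DD HH24:MI:SS'),
                                   'SHA256')
                THEN 1 ELSE 0 END) AS hiredate_unchanged
FROM   emp e
JOIN   mask_check_before b ON b.empno = e.empno;

-- rows_checked should equal the row count of EMP; a lower number means
-- key values changed or rows were lost during masking.
SELECT COUNT(*) AS emp_rows FROM emp;

-- Step 3: remove the helper table as soon as the check is done.
-- Unsalted hashes of low-entropy values such as salaries and dates can be
-- guessed by brute force, so the table must not remain in the masked database.
DROP TABLE mask_check_before PURGE;
```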
