To prevent sensitive data leakage, you can configure data masking algorithms for sensitive fields in Database Management (DMS). After you configure data masking algorithms for sensitive fields, DMS masks field values based on the data masking algorithms when you query or export the field values in DMS. This topic describes how to create, view, and change data masking algorithms for sensitive fields.
Prerequisites
Your system role is an administrator, a database administrator (DBA), or a security administrator. For more information about how to view your system role, see View system roles.
The sensitive data protection feature is enabled for the instance and a sensitive data scan task is created. For more information, see Enable the sensitive data protection feature.
Usage notes
Data masking algorithms take effect when you query data in the SQL Console, submit a database export ticket, or access the database instance by using the proxy endpoint generated by the secure access proxy feature of DMS.
Note: If you use other tools to query data, the data masking algorithms do not take effect.
In an instance for which the security hosting feature is enabled, after you configure a partial masking rule on a field, you must apply for the partial masking permissions to view the data that is masked based on the data masking rule that you configure. Otherwise, you can view only the data that is fully masked. For more information about how to apply for the partial masking permissions, see Manage permissions.
After you create a data masking algorithm, you must change the data masking algorithm for the sensitive fields to the new data masking algorithm. This way, the data masking algorithm takes effect.
Create a data masking algorithm
Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose .
Note: If you use the DMS console in normal mode, choose in the top navigation bar.
On the Rule Configurations page, click the Data Masking Algorithm tab. On this tab, click Add Data Masking Algorithm.
In the New Algorithm panel, configure a data masking algorithm.
The following list shows the available algorithm types (Algorithm Type), algorithm names (Level 2), and their descriptions.

Hash
  MD5: Generates a 128-bit (16-byte) hash value. MD5 is a widely used cryptographic hash function.
  SHA1: Generates a 160-bit (20-byte) hash value called a message digest. SHA1 is a cryptographic hash function.
  SHA256: Generates a 256-bit hash value.
  HMAC: Authenticates messages by using a hash function and a key.

Cover up
  Full cover: Masks the entire value of a field.
    For example, if you want to fully mask the phone number 1381111****, set the Cover string parameter to ***********. Then, the data masking result is ***********.
  Fixed position cover: Masks the characters at a fixed position in a field.
    For example, if you want to mask the second segment of the IP address 192.168.255.254, set the Cover string parameter to *** and the Mask position configuration parameter to (5,7). Then, the data masking result is 192.***.255.254.
  Fixed character mask: Masks the specified characters of a field.
    For example, if you want to mask example in the email address username@example.com, set the Cover string parameter to ******* and the String to be obscured parameter to example. Then, the data masking result is username@*******.com.

Replacement
  Map replacement: Replaces the specified string with another string.
    Note: Separate multiple strings with commas (,). The number of strings to be replaced must be the same as the number of replacement strings.
    For example, if you want to replace ab in the string abcd with mn, set the Match String parameter to ab and the Replace By parameter to mn. Then, the data masking result is mncd.
  Random replacement: Replaces the specified part of a field with random characters drawn from the characters that you specify.
    For example, if you want to replace username in the email address username@example.com with random characters, set the Replacement position parameter to (1,8) and the Random character parameter to abc. Then, the data masking result may be acbbbbac@example.com.
    Note: If you specify two or more random characters, the data masking result is random.

Transformation
  Number rounding: Rounds down a number to the specified digits before the decimal point.
    For example, if the raw data is 1234.12 and you set the Keep the first decimal place parameter to 2, the data masking result is 1230.
  Date rounded: Rounds a date and time.
    For example, if the raw data is 2021-10-14 15:15:30 and you set the Date rounding level parameter to hour, the data masking result is 2021-10-14 15:00:00.
  Character displacement: Cyclically shifts the characters of a field to the left.
    For example, if the raw data is 345678 and you set the String left shift number parameter to 2, the data masking result is 567834.

Encryption
  DES: Uses the Data Encryption Standard (DES) algorithm to encrypt data. The key is eight characters in length, and the data masking result is 16 characters in length.
  AES: Uses the Advanced Encryption Standard (AES) algorithm to encrypt data. AES is a stronger encryption algorithm than DES. The key is 16 characters in length, and the data masking result is 32 characters in length.
  AES encryption-enhanced: Uses the AES algorithm without a limit on the key length. The data masking result is 32 characters in length.

Decryption
  AES decryption: Decrypts data that was encrypted by using the AES algorithm.
  AES decryption-enhanced: Decrypts data that was encrypted by using the AES encryption-enhanced algorithm.

Plaintext
  N/A: N/A
Test the data masking result: enter the raw data to be masked, click Test, and check whether the data is masked as expected.
For example, if the raw data is 345678 and you set the Algorithm Type parameter to Transformation, the Level 2 parameter to Character displacement, and the String left shift number parameter to 2, the masking result should be 567834.
Click Submit.
Note: By default, the DEFAULT built-in rule is applied to sensitive data. For more information about how to apply a custom data masking rule to sensitive data, see Manage sensitive data.
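The worked examples from the algorithm list above, implemented in Python as an added reference (this is not DMS code; the function names, the 1-based inclusive position convention, and the extra "day" rounding level are assumptions):

```python
# Added reference implementations of masking algorithms from the table above;
# not DMS code. Parameter names mirror the DMS console labels.
import hashlib
import hmac
from datetime import datetime

def fixed_position_cover(value: str, cover: str, start: int, end: int) -> str:
    # Fixed position cover: positions are 1-based and inclusive, so (5,7)
    # on "192.168.255.254" selects "168".
    return value[:start - 1] + cover + value[end:]

def fixed_character_mask(value: str, cover: str, target: str) -> str:
    # Fixed character mask: every occurrence of the target string is covered.
    return value.replace(target, cover)

def map_replacement(value: str, match: str, replace_by: str) -> str:
    # Map replacement: comma-separated lists applied pairwise; the console
    # requires both lists to have the same number of entries.
    matches, repls = match.split(","), replace_by.split(",")
    if len(matches) != len(repls):
        raise ValueError("Match String and Replace By counts differ")
    for m, r in zip(matches, repls):
        value = value.replace(m, r)
    return value

def date_rounded(value: str, level: str) -> str:
    # Date rounded: zero out every component finer than the chosen level.
    # "hour" is documented above; "day" is an assumed additional level.
    dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    if level == "hour":
        dt = dt.replace(minute=0, second=0)
    elif level == "day":
        dt = dt.replace(hour=0, minute=0, second=0)
    else:
        raise ValueError(f"unsupported rounding level: {level}")
    return dt.strftime("%Y-%m-%d %H:%M:%S")

def character_displacement(value: str, shift: int) -> str:
    # Character displacement: rotate left by `shift` with wrap-around.
    if not value:
        return value
    shift %= len(value)
    return value[shift:] + value[:shift]

def hmac_mask(value: str, key: bytes) -> str:
    # HMAC-SHA256 is deterministic like the plain Hash algorithms, but without
    # the key an observer cannot brute-force low-entropy fields such as phone
    # numbers by hashing every candidate value and comparing.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
```

Cover, replacement, and transformation algorithms stay reversible only as far as the original characters are removed; the keyed HMAC variant is the one to prefer over MD5 or SHA1 when masked values from a small value space must not be matched back to their inputs.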
View and change the data masking algorithm for one or more fields
After you create a data masking algorithm, you must change the data masking algorithm for the sensitive fields to the new data masking algorithm on the Sensitive Data Assets page. This way, the data masking algorithm takes effect.
Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose .
Note: If you use the DMS console in normal mode, choose in the top navigation bar.
In the Instance List section, find the instance that you want to manage and click Sensitive Data List in the Operation column.
On the Field Control tab, select the fields for which you want to change the data masking algorithm.
Click Adjust Data Masking Algorithm in the upper-left corner.
In the Data Masking Algorithm must be selected dialog box, select Default desensitization algorithm or Semi-desensitization algorithm, specify an algorithm, and then click Save.
Note: If you want to reset the custom data masking algorithm associated with a field to DEFAULT, click Reset Data Masking Algorithm in the Operation column.
FAQ
Q: Which algorithm does DMS use to process data if both the default masking algorithm and the partial masking algorithm are configured for a sensitive field?
A: DMS uses the partial masking algorithm to process data. However, if the user who views the data does not have permissions to access partially masked or plaintext sensitive fields, DMS processes data by using the default masking algorithm.
Q: How do I select a data masking algorithm based on the security level of sensitive fields?
A: You can select a data masking algorithm based on the security level of sensitive fields:
Low sensitivity (S1): Fields can be displayed in plaintext, so no data masking algorithm needs to be configured.
Moderate sensitivity (S2): Select a partial masking algorithm.
High sensitivity (S3): Fields are confidential, so select a full masking algorithm.