
Data Management: Manage data masking algorithms

Last Updated: Dec 18, 2024

The sensitive data protection feature of Data Management (DMS) provides the following data masking algorithms: hashing, cover, replacement, transformation, and encryption. You can customize different data masking rules based on a built-in data masking algorithm to define flexible data masking policies. The sensitive data protection feature provides a built-in full cover rule for data masking. If you want to use other data masking methods, you can create or change data masking rules by referring to the steps described in this topic.

Prerequisites

Your system role is an administrator, a database administrator (DBA), or a security administrator. For more information about how to view your system role, see View system roles.

Usage notes

  • In an instance for which the security hosting feature is enabled, after you configure a custom data masking rule on a field, you must apply for the partial masking permissions to view the data that is masked based on the data masking rule that you configure. Otherwise, you can view only the data that is fully masked. For more information about how to apply for the partial masking permissions, see Manage permissions.

  • After you create a data masking algorithm, you must change the data masking algorithm for the sensitive fields to the new data masking algorithm. This way, the data masking algorithm takes effect.

Create a data masking algorithm

  1. Log on to the DMS console V5.0.

  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and Specifications (DBS) > Sensitive Data > Rule Configurations.

    Note

    If you use the DMS console in normal mode, choose Security and Specifications (DBS) > Sensitive Data > Rule Configurations in the top navigation bar.

  3. On the Rule Configurations page, click the Data Masking Algorithm tab. On this tab, click Add Data Masking Algorithm.

  4. In the New Algorithm panel, configure a data masking algorithm.

    DMS provides the following built-in data masking algorithms.

    | Algorithm type | Algorithm name | Description |
    | --- | --- | --- |
    | Hash | MD5 | Generates a 128-bit (16-byte) hash value. MD5 is a widely used cryptographic hash function. |
    | Hash | SHA1 | Generates a 160-bit (20-byte) hash value called a message digest. SHA1 is a cryptographic hash function. |
    | Hash | SHA256 | Generates a 256-bit hash value. |
    | Hash | HMAC | Authenticates messages by using a hash function and a key. |
    | Cover up | Full cover | Masks the entire value of a field. For example, if you want to fully mask the phone number 1381111****, set the Cover string parameter to ***********. Then, the data masking result is ***********. |
    | Cover up | Fixed position cover | Masks the string at the fixed position of a field. For example, if you want to mask the second segment of the IP address 192.168.255.254, set the Cover string parameter to *** and the Mask position configuration parameter to (5,7). Then, the data masking result is 192.***.255.254. |
    | Cover up | Fixed character mask | Masks the specified characters of a field. For example, if you want to mask example in the email address username@example.com, set the Cover string parameter to ******* and the String to be obscured parameter to example. Then, the data masking result is username@*******.com. |
    | Replacement | Map replacement | Replaces the specified string with another string. Note: Separate multiple strings with commas (,). The number of strings to be replaced must be the same as that of the strings to be used for replacement. For example, if you want to replace ab in the string abcd with mn, set the Match String parameter to ab and the Replace By parameter to mn. Then, the data masking result is mncd. |
    | Replacement | Random replacement | Replaces the specified part of a field with the random characters that you specify. For example, if you want to replace username in the email address username@example.com with random characters, set the Replacement position parameter to (1,8) and the Random character parameter to abc. Then, the data masking result may be acbbbbac@example.com. Note: If you specify two or more random characters, the data masking result is random. |
    | Transformation | Number rounding | Rounds down a number to the specified digits before the decimal point. For example, if the raw data is 1234.12, and you set the Keep the first decimal place parameter to 2, the data masking result is 1230. |
    | Transformation | Data rounded | Rounds a date and time. For example, if the raw data is 2021-10-14 15:15:30, and you set the Date rounding level parameter to hour, the data masking result is 2021-10-14 15:00:00. |
    | Transformation | Character displacement | Shifts the characters of a field to the left cyclically: characters that move past the left end are appended at the right end. For example, if the raw data is 345678, and you set the String left shift number parameter to 2, the data masking result is 567834. |
    | Encryption | DES | Uses the Data Encryption Standard (DES) algorithm to encrypt data. The key is eight characters in length, and the data masking result is 16 characters in length. |
    | Encryption | AES | Uses the Advanced Encryption Standard (AES) algorithm to encrypt data. It is a more advanced encryption algorithm than the DES algorithm. The key is 16 characters in length, and the data masking result is 32 characters in length. |
    | Encryption | AES encryption-enhanced | Uses the AES algorithm that does not limit the key length. The data masking result is 32 characters in length. |
    | Decryption | AES decryption | Decrypts the data that is encrypted by using the AES algorithm. |
    | Decryption | AES decryption-enhanced | Decrypts the data that is encrypted by using the AES encryption-enhanced algorithm. |

  5. Test the data masking result.

    1. Enter the raw data to be masked.

    2. Click Test.

    3. Check whether the data is masked as expected.

    For example, if the raw data is 345678, and you set the Algorithm Type parameter to Transformation, the Level 2 parameter to Character displacement, and the String left shift number parameter to 2, the masking result should be 567834.

  6. Click Submit.

    Note

    By default, the DEFAULT built-in rule is applied to sensitive data. For more information about how to apply a custom data masking rule to sensitive data, see Manage sensitive data.

  7. Change the data masking algorithm for one or more fields.

    After you create a data masking algorithm, you must change the data masking algorithm for the sensitive fields to the new data masking algorithm on the Sensitive Data Assets page. This way, the data masking algorithm takes effect.
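
A local model of the deterministic rules described above can predict what the Test step should return, and shows that the fixed position (5,7) rule covers the second segment only when the first segment has three digits. This Python code is an added example, not DMS code: the function names and the extra sample addresses are constructed here, and behaviour beyond the page's documented examples is an assumption of this model.

```python
from datetime import datetime

# Assumed model written from the page's examples; not DMS code.
# Constructed sample values; only the first address appears on the page.
SAMPLE_IPS = ["192.168.255.254", "10.0.0.1", "172.16.0.10"]


def fixed_position_cover(value, cover, start, end):
    # Positions are 1-based and inclusive, as in the page's (5,7) example.
    return value[:start - 1] + cover + value[end:]


def fixed_character_mask(value, target, cover):
    # Cover every occurrence of the target string.
    return value.replace(target, cover)


def map_replacement(value, match, replace_by):
    # Both parameters are comma-separated lists that must pair up one to one.
    sources, targets = match.split(","), replace_by.split(",")
    if len(sources) != len(targets):
        raise ValueError("Match String and Replace By counts differ")
    for src, dst in zip(sources, targets):
        value = value.replace(src, dst)
    return value


def character_displacement(value, shift):
    # Cyclic left shift; the modulo handles shifts longer than the value.
    k = shift % len(value) if value else 0
    return value[k:] + value[:k]


def date_rounding_hour(value):
    # Truncate a 'YYYY-MM-DD HH:MM:SS' timestamp to the start of its hour.
    ts = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    return ts.replace(minute=0, second=0).strftime("%Y-%m-%d %H:%M:%S")


def second_segment_exposed(ips, cover="***", start=5, end=7):
    # Return the addresses whose second segment is NOT exactly the cover
    # string after the fixed-position rule is applied literally.
    exposed = []
    for ip in ips:
        parts = fixed_position_cover(ip, cover, start, end).split(".")
        if len(parts) != 4 or parts[1] != cover:
            exposed.append(ip)
    return exposed
```

When a rule depends on fixed positions, enter raw values of more than one length in the Test step before you submit the rule.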

Change the data masking algorithm for one or more fields

  1. Log on to the DMS console V5.0.

  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and Specifications (DBS) > Sensitive Data > Sensitive Data Assets.

    Note

    If you use the DMS console in normal mode, choose Security and Specifications (DBS) > Sensitive Data > Sensitive Data Assets in the top navigation bar.

  3. In the Instance List section, find the instance that you want to manage and click Sensitive Data List in the Operation column.

  4. On the Field Control tab, select the fields for which you want to change the data masking algorithm.

  5. Click Adjust Data Masking Algorithm in the upper-left corner.

  6. In the Select a data masking algorithm dialog box, select a custom data masking algorithm and click Save. For more information about how to create a data masking algorithm, see the Create a data masking algorithm section of this topic.

    Note

    The default data masking algorithm is DEFAULT. To reset the data masking algorithm of a field to DEFAULT, click Reset Data Masking Algorithm in the Operation column of the field.