Help Center> Data Security Center> User Guide> Data Privacy Protection> Data Masking> Overview
Updated on 2023-12-25 GMT+08:00
View PDF

Overview

DSC supports static data masking and dynamic data masking. You can configure masking rules for specified data assets to implement static masking or use the API for dynamic data masking to implement dynamic data masking, ensuring that sensitive information is not disclosed. Data Masking Algorithms lists the data masking algorithms supported by DSC.

Static data masking: DSC can help mask a large amount of data at one time based on the configured data masking rules. Static data masking is used when sensitive data in the production environment is delivered to the development, testing, or external environment for development and testing and data sharing and research. You can create an data masking task on the DSC console to quickly mask sensitive data in databases and big data assets.

Dynamic data masking: DSC provides dynamic data masking APIs to mask the data accessed from the external systems. Dynamic data masking applies to scenarios where data is queried from the external system, such as production applications, data exchange, O&M applications, and precision marketing.

Data Masking Process

Figure 1 Static data masking flowchart

Figure 2 Dynamic data masking flowchart

Data Masking Algorithms

Table 1 Masking algorithms

Data Masking Algorithms

Description

Application Scenarios

Hash

Use Hash functions to mask sensitive data. DSC supports SHA-256 and SHA-512.

  • SHA256

    SHA-256, a message-digest algorithm, is used by DSC to compute a digest from a string in the database table.

    It takes a block of data and returns a fixed-size bit string (hash value). As the value length may exceed the maximum column width allowed in the original table, you can adjust the column width to adapt to the returned SHA-256 hash values.

  • SHA512

    SHA-512, a message-digest algorithm, is used by DSC to compute a digest from a string in the database table.

    It takes a block of data and returns a fixed-size bit string (hash value). As the value length may exceed the maximum column width allowed in the original table, you can adjust the column width to adapt to the returned SHA-512 hash values.
  • Sensitive data: Key information
  • Application scenario: data storage

Encryption

Use the encryption algorithms and master key to implement data masking.

DSC supports two encryption algorithms: AES256 and SM4.
  • Sensitive data:
    • Personal data
    • Enterprise data
  • Application scenario: data storage

Character Masking

Use the specified character * or random characters (including numbers, letters, and both number and letters) to cover part of the original content. The following six data masking approaches are supported:

  • Retain first N and last M
  • Retain from X to Y
  • Mask first N and last M
  • Mask from X to Y
  • Mask data ahead of special characters
  • Mask data followed by special characters
NOTE:

DSC has multiple character masking templates.
  • Sensitive data: Personal data
  • Application scenarios:
    • Data usage
    • Data sharing

Keyword Replacement

Search for keywords in a specified column and replace them.

For example, the specified characters are "Zhang San eats at home". After replacement, the characters become "Mr. Zhang eats at home". In the example, "Zhang San" is replaced with "Mr. Zhang".

After this algorithm is executed, the value length may exceed the maximum length allowed by the database. In this case, the excess part will be truncated and inserted into the database.
  • Sensitive data:
    • Personal data
    • Enterprise data
    • Device data
  • Application scenarios:
    • Data storage
    • Data sharing

Value Change

Set a specified field to Null or left it blank for data masking.

  • Masking Using the Null Value

    Set a field of any type to NULL.

    If a field is set to NOT NULL, this algorithm changes the attribute of the file to NULL when copying the column.

  • Masking Using a Custom Value

    Set the target field to a default value.

    Specifically, a character field is left blank, a numeric field is set to 0, a date field is set to 1970, and time field is set to 00:00.
  • Sensitive data:
    • Personal data
    • Enterprise data
    • Device data
  • Application scenarios:
    • Data storage
    • Data sharing

Roundup

Round a date or number.

  • Date Roundup

    Roundup of fields after the year field For example, 2019-05-12 will be converted to 2019-01-01, and 2019-05-12 08:08:08 will be converted to 2019-01-01 00:00:00.

    Roundup of fields after the month field For example, 2019-05-12 will be converted to 2019-05-01, and 2019-05-12 08:08:08 will be converted to 2019-05-01 00:00:00.

    Roundup of fields after the day field For example, 2019-05-12 will be converted to 2019-05-12, and 2019-05-12 08:08:08 will be converted to 2019-05-12 00:00:00.

    Roundup of fields after the hour field For example, 08:08:08 will be converted to 08:00:00, and 2019-05-12 08:08:08 will be converted to 2019-05-12 08:00:00.

    Roundup of fields after the minute field For example, 08:08:08 will be converted to 08:08:00, and 2019-05-12 08:08:08 will be converted to 2019-05-12 08:08:00.

    Roundup of fields after the second field For example, 08:08:08.123 will be converted to 08:08:08.000, and 1575612731312 will be converted to 1575612731000.

  • Number roundup

    Rounds a specified number.
  • Sensitive data: General data
  • Application scenarios:
    • Data storage
    • Data usage
Parent topic: Data Masking