• Dynamic Data Masking for data privacy and security

    Dynamic Data Masking (DDM) enables sensitive data to be securely shared across the enterprise in real-time with many users without changing the actual data.

How is Dynamic Data Masking defined?

Dynamic data masking has become an established method to securely share data in its existing form by masking data when shared with users. In this way, dynamic data masking is a key component of fine-grained access control.

In its Information Technology Glossary, Gartner defines Dynamic data masking (DDM) as “an emerging technology that aims at real-time data masking of production data. DDM changes the data stream so that the data requester does not get access to the sensitive data, while no physical changes to the original production data take place.”

It is also referred to by a number of different names including dynamic data redaction, dynamic data obfuscation, dynamic data anonymization, on-the-fly data masking and real-time data masking. At its core, DDM is used to redact data for transit in a database. It is commonly used with SQL servers.

Office worker explaining something to a client | Axiomatics

Who requires dynamic masking of data and why?

Dynamic masking of data should be used by any organization sharing data that contains sensitive information with users or systems that are not authorized to see such information. This can be due to corporate policy or privacy regulations, such as GDPR or HIPAA. Typically this includes:

Read More

Don’t miss this blog on why you need Dynamic authorization and dynamic data masking.

Organizations that utilize a proven data masking tool  from Axiomatics, can ensure data is effectively shared with users across an organization, without worrying about unauthorized personnel or systems being able to see or interpret masked data. A common example of this being credit card numbers that are often logged with a provider but masked from view.

Actual credit card data

Credit card number: 7253 4111 6345 8787

User name:  Jenny Jones

Masked credit card data

Credit card number: 7253 XXXX XXXX XXXX

User name: Jenny XXXXX

In this example you can clearly see how the sensitive data – in the form of the last 12 digits of the person’s credit card number along wtih the surname – have been masked, making it impossible to decipher and therefore safe to share. Without the masking technolgy this would not be possible. With fine-grained access control, data across multiple databases at table, row and cell level can be masked.


Still have questions?

Benefits of Dynamic Data Masking

Dynamically masking data offers a number of benefits to enterprises that want to keep data intact in databases, i.e. not use static masking, but still share it securely with users and systems.

Lean and scalable

Enterprises have sensitive data stored in multiple databases. With Axiomatics you can choose to mask data in one, two or dozens of databases. Dynamic data filtering is also possible.


Being able to mask data only becomes a benefit when you can do it at table, row and cell level. Axiomatics data masking solution comes with these fine-grained capabilities.


Data is constantly changing, as are regulations and users’ entitlements and requirements. Any changes in business policies are immediately implemented and relevant data is masked or unmasked accordingly.


Privacy regulations are becoming stricter. Different regulations apply to different regions, being able to apply different masking rules to data based on storage and sourced location is business critical. Our solution delivers this.

Get in touch with us for more help.

How is data masked dynamically?

Dynamic data masking enforces the business rules of an organization and in that sense,functions in the same way as policy based access control. But rather than granting access, it masks data. Complex business rules can be applied in real-time in one or multiple databases.

Data masking can be defined using a element in the configuration of the system. This mask value essentially offers three options:

  • Undefined:
    This will redact the actual cell value, so whatever value is found in the database will be left out in the result set and replaced by a NULL value.
  • Constant:
    A constant value can be added which will be used instead of a cell value in every record that is affected by the policy. The constant value must match the datatype of the table column.
  • Select:
    You can call any function that would be valid to use inside a SELECT statement of the SQL dialect applicable to your database.

Read More

In this way, dynamic masking provides the flexibility to redact the whole value or just a portion of the data via a function call. For example, we could use a function call to apply data masking to a column that holds email addresses. With a simple SQL function, the data preceding the ‘@’ in the email address can be masked.

In the filter configuration we add a protected DB object (column).

element masks the column ‘EMAIL’ when it is selected from the table ‘EMPLOYEE’. The masking tool ensures that only the part after the ‘@’ will be displayed to the end user. This SQL statement sent from a client application to the database is intercepted by the masking tool:

  • NAME,
  • EMAIL,

If you execute the SQL statement without masking the result obtained is:





[email protected]



[email protected]


Altering the SQL statement on the fly ensures only email addresses are masked based on an applicable policy. When dynamic data masking is applied, the returned data set is secure:











Two people chatting above a counter | Axiomatics

Dynamic Data Masking vs. Static Data

Static data masking involves masking data in the actual database, i.e. when data is at rest. Dynamic data masking on the other hand applies a masked layer to sensitive data when data is in transit, ensuring data in the database remains unchanged at the source. But when should you go static and when should you go dynamic?

Use static data masking

  • In non-production environments for testing when data should not be enclosed but life-like operation scenarios are require.
  • When your organization handled sensitive data but does not use it – that way you avoid unnecessary compliance issues.

Use dynamic data masking

  • When you have complex business rules governing access to sensitive data
  • When access rights/regulations change on regular basis and you want to be able to implement these immediately
  • If shared data must remain intact at the source
  • When shared data is subject to strict privacy regulations

Still have questions?

How to choose the right access control solution

No matter where your sensitive data is stored or how complex or distributed your architecture is, we can help you safeguard and securely share sensitive data. Our team are experts in defining requirements and tailoring the Attribute Based Access Control products from our dynamic authorization suite to meet customers’ needs.

Get in touch

Regulations are getting stricter and competitors are getting more aggressive. Don’t spend time on authorization, focus on your core activities and we will ensure data is secured and regulations are met.

Customer support

Do you have a question for an Axiomatics engineer? Our support team are ready to help you.