To prevent sensitive data leakage, you can configure a data masking algorithm for specific fields in Data Management Service (DMS). When you query or export data from these fields, DMS automatically masks the values based on the data masking rule you set. This topic describes how to add, view, and modify data masking algorithms for your sensitive data.
Prerequisites
- You have one of the following system roles: Administrator, DBA, or Security Administrator. For more information, see View my system roles.
- The sensitive data protection feature is enabled for the instance, and a sensitive data scan task is configured. For more information, see Enable sensitive data protection.
Usage notes
- DMS data masking algorithms take effect when you query data in the SQL window, submit a database export ticket, or access the database instance through a proxy endpoint generated by the secure access proxy feature.
  Note: Data masking algorithms do not take effect if you use other tools to query the database directly, so masking is only a control for access that goes through DMS.
- For an instance under security hosting, if you configure a partial masking algorithm for a field, you must hold partial masking permissions to view the partially masked data. Without these permissions, the data is fully masked. For more information about how to request permissions, see Manage access control permissions.
- After you add a new data masking algorithm, you must apply it to the target sensitive fields before it takes effect.
Add a data masking algorithm
- Log on to the Data Management Service (DMS) 5.0.
- Move the pointer over the icon in the upper-left corner and choose . Note: If you use the DMS console in normal mode, choose in the top navigation bar.
- Click the Data Masking Algorithm tab, and then click Add Data Masking Algorithm.
- In the New Algorithm panel, select and configure a data masking algorithm. The available types are listed below (Type, Name, Description).
Hash
- MD5: A widely adopted cryptographic hash function that generates a 128-bit (16-byte) hash value.
- SHA1: A cryptographic hash function that generates a 160-bit (20-byte) hash value, known as a message digest.
- SHA256: Generates a 256-bit (32-byte) hash value.
- HMAC: Authenticates a message by using a hash function and a secret key.
  Caveat: MD5 and SHA1 are no longer collision resistant. More important for masking, an unkeyed hash (MD5, SHA1 or SHA256) of a value with a small value space, such as a phone number or ID number, can be reversed by hashing every candidate and comparing. If the masked output must not be reversible, use HMAC, whose key is not available to the viewer.
Masking
- full masking: Masks the entire data value. For example, to fully mask the phone number 13811112222, set the masking string to *********** (11 asterisks). The masked result is ***********.
- fixed-position masking: Masks the part of a data value that falls within a position range. For example, to mask the second segment of the IP address 192.168.255.254, set the masking string to * and the position range to (5,7). The masked result is 192.*.255.254.
- fixed-character masking: Masks a specific character or string wherever it occurs in a data value. For example, to mask example in the email address username@example.com, set the masking string to ******* and specify example as the string to be masked. The result is username@*******.com.
Replacement
- map replacement: Replaces each target string with the corresponding replacement string. Use commas (,) to separate multiple strings; the number of target strings must match the number of replacement strings. For example, to replace ab with mn in the string abcd, set the target string to ab and the replacement string to mn. The masked result is mncd.
- random replacement: Replaces the characters in a specified position range with characters drawn at random from a set you specify. For example, to randomly replace username in username@example.com, set the replacement position to (1,8) and the random characters to abc. A possible result is acbbbbac@example.com.
  Note: If you specify two or more random characters, the masking result is non-deterministic: the same input does not produce the same output, so masked values cannot be joined or compared across queries.
Transformation
- number rounding: Rounds a number down to a specified digit before the decimal point. For example, for the original value 1234.12, rounding to the second digit before the decimal point gives 1230.
- date rounding: Rounds a date and time to a specified level of precision. For example, for the original value 2021-10-14 15:15:30, rounding to the hour gives 2021-10-14 15:00:00.
- character displacement: Performs a circular left shift on the characters of a string. For example, for the original value 345678, a left shift of 2 positions gives 567834.
Encryption
- DES: Encrypts data by using the Data Encryption Standard (DES) algorithm. The key is 8 characters long, and the result is 16 characters. DES has an effective key length of 56 bits and is considered broken; prefer AES for new rules.
- AES: Encrypts data by using the Advanced Encryption Standard (AES) algorithm, which is more secure than DES. The key is 16 characters long, and the result is 32 characters.
- AES encryption-enhanced: Encrypts data by using the AES algorithm with no limit on the key length. The result is 32 characters.
Decryption
- AES decryption: Decrypts data that was encrypted with the AES algorithm.
- AES decryption-enhanced: Decrypts data that was encrypted with the AES encryption-enhanced algorithm.
Plaintext
- N/A: No algorithm is applied; the value is displayed as stored.
- Test the algorithm:
  - Enter the original data.
  - Click Test.
  - Verify the result. For example, for the character displacement transformation, if you set the left shift to 2 and the original data to 345678, the result is 567834.
- Click Submit.
  Note: By default, sensitive data is masked by using the built-in 'DEFAULT' data masking rule. To apply your new data masking algorithm, see Manage sensitive data.
- Apply the algorithm to fields. After you add a data masking algorithm, you must navigate to the Sensitive Data Assets page and apply the new algorithm to the target fields before it takes effect (see View and modify field algorithms).
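The masking, replacement and transformation types in the table above, as an added reference implementation in Python that reproduces the documented examples. This is example code, not DMS's own implementation: positions are taken as 1-based and inclusive to match the (start,end) notation in the console, map-replacement pairs are assumed to be applied in order, and date rounding is implemented as truncation to the chosen precision (the documented example 15:15:30 to 15:00:00 is consistent with that). It is useful for predicting what a rule will do before you apply it to a field, or for checking the result shown by the Test step.

```python
"""Reference implementation of the DMS masking transforms documented above.
Added example, not DMS code. Positions are 1-based and inclusive (assumption
matching the console's (start,end) notation); sample values are the ones
from the documentation table."""
import math
import random
from datetime import datetime
from typing import Optional

DATE_FMT = "%Y-%m-%d %H:%M:%S"


def _check_range(value: str, start: int, end: int) -> None:
    """Reject ranges that fall outside the value instead of silently masking nothing."""
    if not (1 <= start <= end <= len(value)):
        raise ValueError(f"range ({start},{end}) is outside a value of length {len(value)}")


def full_mask(value: str, mask_string: str) -> str:
    """full masking: the whole value is replaced by the configured masking string."""
    return mask_string


def fixed_position_mask(value: str, start: int, end: int, mask_string: str = "*") -> str:
    """fixed-position masking: characters start..end are replaced by the masking
    string as a whole, e.g. (5,7) on 192.168.255.254 gives 192.*.255.254."""
    _check_range(value, start, end)
    return value[: start - 1] + mask_string + value[end:]


def fixed_character_mask(value: str, target: str, mask_string: str) -> str:
    """fixed-character masking: every occurrence of target is replaced."""
    if not target:
        raise ValueError("target must not be empty")
    return value.replace(target, mask_string)


def map_replacement(value: str, targets: str, replacements: str) -> str:
    """map replacement: comma-separated targets map one-to-one onto comma-separated
    replacements. Pair counts must match (the Note in the table); pairs are applied
    in order (assumption)."""
    src, dst = targets.split(","), replacements.split(",")
    if len(src) != len(dst):
        raise ValueError("number of target strings must match number of replacement strings")
    for s, d in zip(src, dst):
        value = value.replace(s, d)
    return value


def random_replacement(value: str, start: int, end: int, chars: str,
                       rng: Optional[random.Random] = None) -> str:
    """random replacement: each position in start..end gets one character drawn
    from chars. With a single character the output is deterministic; with two or
    more it is not, so such masked values cannot be joined across queries."""
    _check_range(value, start, end)
    if not chars:
        raise ValueError("chars must not be empty")
    rng = rng or random.SystemRandom()
    picked = "".join(rng.choice(chars) for _ in range(end - start + 1))
    return value[: start - 1] + picked + value[end:]


def number_rounding(value: float, digit: int) -> int:
    """number rounding: round DOWN to the digit-th place before the decimal point
    (digit=1 keeps the integer part, digit=2 zeroes the ones place, and so on)."""
    if digit < 1:
        raise ValueError("digit must be >= 1")
    unit = 10 ** (digit - 1)
    return math.floor(value / unit) * unit


_TRUNCATE = {  # fields to reset for each precision level
    "year": dict(month=1, day=1, hour=0, minute=0, second=0),
    "month": dict(day=1, hour=0, minute=0, second=0),
    "day": dict(hour=0, minute=0, second=0),
    "hour": dict(minute=0, second=0),
    "minute": dict(second=0),
}


def date_rounding(value: str, precision: str) -> str:
    """date rounding: drop everything finer than the chosen precision
    (truncation is an assumption; it matches 15:15:30 -> 15:00:00)."""
    if precision not in _TRUNCATE:
        raise ValueError(f"unknown precision {precision!r}")
    return datetime.strptime(value, DATE_FMT).replace(**_TRUNCATE[precision]).strftime(DATE_FMT)


def character_displacement(value: str, shift: int) -> str:
    """character displacement: circular left shift by `shift` positions."""
    if not value:
        return value
    k = shift % len(value)
    return value[k:] + value[:k]


if __name__ == "__main__":
    print(full_mask("13811112222", "***********"))                             # ***********
    print(fixed_position_mask("192.168.255.254", 5, 7))                        # 192.*.255.254
    print(fixed_character_mask("username@example.com", "example", "*******"))  # username@*******.com
    print(map_replacement("abcd", "ab", "mn"))                                 # mncd
    print(random_replacement("username@example.com", 1, 8, "abc"))            # e.g. acbbbbac@example.com
    print(number_rounding(1234.12, 2))                                         # 1230
    print(date_rounding("2021-10-14 15:15:30", "hour"))                        # 2021-10-14 15:00:00
    print(character_displacement("345678", 2))                                 # 567834
```

Each function raises on a malformed rule (range outside the value, mismatched pair counts, empty character set) rather than returning the input unmasked, which is the failure mode you want to avoid in a masking layer.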
View and modify field algorithms
- Log on to the Data Management Service (DMS) 5.0.
- Move the pointer over the icon in the upper-left corner and choose . Note: If you use the DMS console in normal mode, choose in the top navigation bar.
- In the Instance List section, find the target instance and click Sensitive Data List in the Operation column.
- On the Field Control tab, select the checkbox for each field whose algorithm you want to modify.
- In the upper-left corner, click Adjust Data Masking Algorithm.
- In the Select Data Masking Algorithm dialog box, choose a default masking algorithm or a partial masking algorithm, specify the algorithm, and then click Save.
  Note: To reset a field's custom data masking algorithm to the system default ('DEFAULT'), find the field in the list and click Reset Data Masking Algorithm in the Operation column.
FAQ
- Q: If both a default masking algorithm and a partial masking algorithm are set for a sensitive field, which one does DMS use?
  A: DMS uses the partial masking algorithm. However, if the user viewing the data lacks the required permissions for partially masked or plaintext data, DMS falls back to the default data masking algorithm.
- Q: How do I choose a data masking algorithm based on a field's security level?
  A: Select an algorithm that aligns with your business requirements:
  - S1 (Low Sensitivity): Data can be displayed in plaintext. No data masking algorithm is needed.
  - S2 (Moderate Sensitivity): A partial masking algorithm is a suitable choice.
  - S3 (High Sensitivity): Data is confidential. A full masking algorithm is recommended.
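When choosing a hash type for an S3 field, the difference between an unkeyed hash and HMAC is the difference between a reversible and an irreversible mask for values with a small value space. The following is an added example in Python, not part of the DMS documentation and not DMS code: it masks a constructed phone number with MD5 and with HMAC-SHA256 (the specific HMAC hash function is an assumption), then replays the masking over every candidate number sharing a guessable prefix. The phone number, the known prefix and the key are all constructed for the demonstration.

```python
"""Added example (not DMS code): an unkeyed hash of a low-entropy field is
reversible by enumeration; a keyed HMAC is not unless the key leaks.
PHONE, KNOWN_PREFIX and SECRET_KEY are constructed for this demo."""
import hashlib
import hmac
import os
from typing import Callable, Optional

PHONE = "13811112222"                               # constructed sample value
KNOWN_PREFIX = "138111"                             # what a viewer can guess (carrier/region prefix)
UNKNOWN_DIGITS = len(PHONE) - len(KNOWN_PREFIX)     # 5 -> 100,000 candidates
SECRET_KEY = os.urandom(32)                         # lives in the masking service, never with the viewer


def md5_mask(value: str) -> str:
    """The 'MD5' hash type: deterministic and unkeyed."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def hmac_mask(value: str, key: bytes) -> str:
    """The 'HMAC' hash type (HMAC-SHA256 assumed): deterministic per key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def recover_by_enumeration(token: str, mask: Callable[[str], str],
                           prefix: str, unknown_digits: int) -> Optional[str]:
    """Replay the masking function over every candidate value; stop on a match."""
    for n in range(10 ** unknown_digits):
        candidate = f"{prefix}{n:0{unknown_digits}d}"
        if hmac.compare_digest(mask(candidate), token):
            return candidate
    return None


def attack_md5() -> Optional[str]:
    """MD5-masked value: the viewer needs no secret, only the value space."""
    return recover_by_enumeration(md5_mask(PHONE), md5_mask, KNOWN_PREFIX, UNKNOWN_DIGITS)


def attack_hmac_without_key() -> Optional[str]:
    """HMAC-masked value: the same enumeration with a guessed key finds nothing."""
    def guessed(value: str) -> str:
        return hmac_mask(value, b"guessed-key")
    return recover_by_enumeration(hmac_mask(PHONE, SECRET_KEY), guessed, KNOWN_PREFIX, UNKNOWN_DIGITS)


def hmac_is_joinable() -> bool:
    """Same key and same value give the same token, so masked columns still join;
    a different key gives an unrelated token."""
    a = hmac_mask(PHONE, SECRET_KEY)
    b = hmac_mask(PHONE, SECRET_KEY)
    c = hmac_mask(PHONE, os.urandom(32))
    return a == b and a != c


if __name__ == "__main__":
    print("MD5 recovered:", attack_md5())                # 13811112222
    print("HMAC recovered:", attack_hmac_without_key())  # None
    print("HMAC joinable:", hmac_is_joinable())          # True
```

The enumeration covers only the five unknown digits here to keep the run short; the full 11-digit space is still small enough to hash in minutes on a single machine, so SHA256 instead of MD5 does not change the outcome. What protects the HMAC output is the key, which is why the key must stay with the masking service and not with anyone who can see the masked column.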