This article explains how to mask sensitive SQL server data with redaction mask
With this database masking tool, sensitive data can be masked by using two types of rules:
- Substitution – this type of mask uses specified generators to replace (masks) entire sensitive data in the specified database
- Redaction – the type of mask which offers to the user custom value which will replace confidential data
When the users want to mask sensitive SQL Server data without using the different generators, but to use custom values, redaction type of the mask is the best solution.
Click on the Manage button in the Home tab of this data masking tool is the first step in creating the Redaction mask:
The Manage masks window will be opened, where the Substitution type is checked by default. To create the Redaction mask, first, check the Redaction type and then click on the New button in the Manage masks window:
That action will open the Create redaction mask window:
In the Create redaction mask window beside the Name and the Description text box, there are the following options which by selection will create the method of finding and mask sensitive SQL Server data:
- Match case – match specific case when searching for a specific data value
- Use wildcard – use wildcards to find data
- Partial masking – redact a part of the value using a specific string
- Include nulls – redact null values using replacement string
Creating the redaction mask using the Match case option
To mask sensitive SQL Server data with selected the Match case option in the Create redaction mask window do the following:
- In the Find what text box, type the characters or group of the symbols that will be masked
- Then in the Replace with text box, type the desired characters which will be used for masking chosen symbols from the Find what textbox:
Use wildcards option for creating redaction mask
The Use wildcards is used for finding the group of data that will be masked.
When the Use wildcard option is selected, a wildcard must be added to the Find what text box. To do that, click on the ellipsis button in the Create redaction mask window:
That will open the Wildcard editor window in which can be added pattern for searching sensitive data that will be masked:
Defining patterns for a wildcard is possible with the use of specific characters that can be found by in the Syntax drop-down list. The pattern will be made by combining those special characters:
When the pattern is created, by a click on the OK button, the Wildcard editor window will be closed. The created wildcard will be presented in the Find what textbox.
The next step is to choose symbols which will be used for masking and to type them in the Replace with textbox:
Use Partial masking option for creating redaction mask
Partial masking will mask the specified part of the data string. Partial masking is the best to use when the Match case or Use wildcards options are selected next to it.
In the Partial masking option can be chosen the following:
- First – how many first values of the data will be replaced with the chosen character or the group of the symbols
- Last – how many last values of the data will be replaced with the chosen character or the group of the symbols
When the position and how many characters will be masked are selected, in the Replace with textbox type character or group of symbols which will mask sensitive SQL Server data:
Use Include nulls option for creating redaction mask
The Include nulls option, when selected will mask the nullable values from the sensitive SQL Server data:
How to newly created redaction mask applied to the chosen column
When all the options for masking the data in the Create redaction mask window are selected, the next step is to click the Apply button:
The Apply to columns window will be opened, where the list of sensitive columns in the loaded database will be shown. A selection of desired columns for masking should be created using the arrows from the Available grid to the Applied grid. When the columns are selected click on the OK button:
Then the Create redaction mask window will be shown again and if all required fields are filled, click on the OK button:
The newly created redaction mask will appear in the Manage mask window:
The Redaction mask created in this way can be used to mask sensitive SQL Server data.