Sensitive data classification

Applies to
ApexSQL Mask


This article explains what sensitive data is, how to classify data as sensitive and how to work with sensitive data filters


Sensitive data is data that contains critical and/or private information such as personally identifiable information, email address, national id, credit card number, social security number etc.

Sometimes database administrators need to share backup or any other data containing files with internal or external stakeholders and therefore in order to protect the sensitive data, data masking becomes an option

ApexSQL Mask sensitive data filters are used for determining whether data is classified or not against certain conditions. Filters use several conditions to determine whether the column contains sensitive data or not. Default scanning works immediately after the initial data source connection is established:

Overview for main interface for data masking

The option to automatically scan sensitive data can be checked under the General tab in the Options window:

Enable and disable automatically scan for sensitive data

If some additional columns need to be classified as sensitive data, this can be done manually by choosing the All columns button in the Home tab and then checking the desired columns:

Enable and disable columns in main grid for data masking

ApexSQL Mask filters can be accessed from the Home tab by clicking the Filters button:

Access to the filters from the main ribbon

Pre-defined filters

There are 50+ predefined filters divided into the 12 categories. By default, all predefined filters are included into the scanning process. Filters can be enabled or disabled by checking and unchecking checkboxes in the Manage data classification filters window:

Enable and disable filters for sensitive data classification

Predefined filters cannot be edited or deleted.

Custom filters

Custom filters can be created in the same Manage data classification filters window by clicking the New button:

Create new filter in manage classification filter form

The Name and Description fields correspond to the new filter name and the description that will be shown in Manage data classification filters window. There are 5 type of default generators: Use original, Predefined, Random, Specific value and Regular expression. If the column doesn’t support a selected generator type, the column won’t be marked as classified:

Select generator type that will be used in data masking process in create filter form


By column name

A shown in the picture, Columns names can be entered to match the exact name or the column pattern can be entered which will address the scope of columns that contain defined pattern in their name:

Add column tame to condition for the filters

By field length

The Field value represents the minimum and maximum length of data in the column.

By data

The values that are entered in the Regex text box can be added to regex expression list with “+” and are used to check the data from the column whether they correspond to any of defined expressions from the list.

Managing custom filters

Custom filters will be listed in separate section and are will be editable and can be deleted, for enabling and disabling check the checkboxes in the custom filter section:

Manage data classification filters window showing how to enable and disable custom filters for data masking

Importing and Exporting

ApexSQL Mask filters can be exported by choosing Export button in the Manage data classification filters window which will save the current state of predefined and custom checked filters so they can be used again in another project. Importing filters from the Import button will load and override the current state of the default loaded filters.

To apply the all changes from the Manage data classification filters window and re-scan the database again, use the Refresh button from the Home tab and it will show the newly scanned columns that will contains sensitive data:

Overview of classified columns in the main grid for data masking

The columns that are flagged with red circle are columns that contain sensitive data