Our initial experience with Oracle Data Masking Tool
Use Cases and Deployment Scope
We often send client information to external entities (other agencies, non-profit organizations, etc). While the detailed data is required (they need to be able to drill down from the summary information), there's no need to provide the real name, real SSN, real address, etc. However, we have to maintain referential integrity with the data (that is, if Steve Parker is being masked as John Smith, we need <i>all </i>instances of Steve Parker to yield John Smith). The Oracle Data Masking tool allows us to do just that. We also use it now to create a development/test copy of production data, without risking exposing HIPAA information. Since the access to dev/test environments is not as tight as the access to production, the masking relieves us from worrying about exposing client information in less-secured environments.
Pros
- It offers several ways in which you can mask your data; for example, you can choose to replace all names with "real fake names", or choose to replace all SSNs with existing SSNs, but randomly assigned. You control the algorithm.
- It works on non-Oracle databases as well (in our case, we use it for both Oracle and SQL/Server).
- The overhead is minimal (it doesn't take long to run, and it doesn't consume too many system resources.
Cons
- The learning curve was not trivial - but we got through it.
- Cost - this product is not cheap.
Likelihood to Recommend
The tool is excellent when you need to provide all the details about your clients, yet hide their identity - all while maintaining the referential integrity of the data (so child-records of the masked parent record and maintain the same fake ID of the parent).
