Secure and Limit Exposure to Sensitive Data

HexaTier’s Dynamic Data Masking feature provides real-time masking of sensitive data whether running on-premises, cloud-hosted or Database as a Service (DBaaS). Dynamically mask any sensitive data and Personally Identifiable Information (PII) accessed from application screens, reports, development, and DBA tools. While providing developers, testers and admins access to production and non-production databases without exposing sensitive data. Most importantly, there are no changes made to the database or application layer.

Real-time data masking

Hide Personally Identifiable Information

Implement column-based masking

Comply with database regulations

Easy to install, use and maintain

Key Benefits

  • Real-time masking of sensitive and PII information in production and non-production databases
  • Protect against internal and external threats
  • Detect and prevent against SQL injections
  • Customize security policies to comply with database regulatory needs
  • Comply with compliances that require masking of sensitive data, like PCI-DSS regulation 3.3 and others
  • Easily define security and masking policies
  • No changes to the database or application layer

Diagram 1: Demonstrates HexaTier's Dynamic Data Masking feature.

How Dynamic Data Masking Works?

  1. Request Based Masking: The query is received from the application and is rewritten with the masking actions before it’s sent to the database in real time. As the database receives the query it includes the masking actions that the database is required to perform.
  2. Response Based Masking: With the use of Database Reverse Proxy technology, a request is sent to the database as is and the data is received and masked in real time by HexaTier.

Advantages of Dynamic Data Masking vs. Static Data Masking

  • The sensitive information never leaves the database in request level
  • No changes are required to the database or application layer
  • Customized access per IP address, per user, per Active Directory users/groups or per application
  • No duplicate or off-line database required
  • Prevents exposure to sensitive information in production databases and non-production databases
  • Activities are performed on real data, saving time and providing real feedback to developers and quality assurance teams


Read the full article

How to Use Discovery of Sensitive Data; Setting Masking & Monitoring Policies

Technical Features

Policy-driven Separation of Duties. Policy-based masking ensures that sensitive and personal identifiable information accessed from application screens, packaged reports, development and DBA tools is masked based on a user’s security credentials. For example, the following table illustrates which sensitive elements might be masked based on the function of the viewer:

  • DBA: salaries and credit cards 
  • Outside contract employees: customer names
  • Developers: customer PII

Customize. It's easy to tailor the security policy to meet specific regulatory or business requirements. Differentiated levels of access can be granted to application users based on their business roles, whether those users are internal employees, such as human resources personnel, or are part of an external workforce, such as customer service staff in a call center. 

Flexible. Masking policies can be defined per column, per IP address, per user, per Active Directory users/groups or per application. It's possible to choose the masking policy to suit the context and authority of the user.

Across Multiple Platforms. Applying dynamic masking based on security policies provides security consistency across multiple platforms and applications.

Efficient. Changes in policy require absolutely no changes to application source code or to databases. HexaTier masking supports legacy applications as easily as ones that were coded yesterday. Security masking is defined once across all platforms. The same database can even be used in both production and development environments.

 Scalable and Agile Solution. HexaTier uses a software-based approach that is easy to install, operate, and maintain. Since it doesn’t intrude on the database, there is no need to make changes to the architecture. It automatically detects the database and application environment, including application names, username and users' IP addresses. Once installed, it uses four key features to secure, discover, monitor and mask the database from internal and external attacks.  

Protects MS SQL Server, MySQL and PostgreSQL databases. Web applications using MS SQL Server and MySQL databases will withstand malicious attacks.

Protects Databases in the Cloud.  HexaTier protects Microsoft Azure SQL Database and Amazon RDS for MySQL and SQL Server.