Dynamic Data Masking

Increase permitted use cases in the cloud with dynamic data masking and privacy controls.

What is Dynamic Data Masking

Dynamic data masking protects data at query time by modifying or hiding sensitive values without changing the underlying data. Immuta implements a suite of security and privacy controls that are applied dynamically using this approach.

How Immuta does Dynamic Data Masking

Data policies are written in plain language

Author an attribute-based access control policy in plain language, without requiring specialized engineering resources. If your team prefers, they can also write policy-as-code.

Employ pre-built controls

Specify how to protect sensitive data using one or more of the 60+ prebuilt security and privacy controls that can be applied dynamically at query time for anonymization, pseudonymization, obfuscation, or minimization.

Protect data in real-time

Take the decision-making out of data consumers’ hands with safe and instant access to authorized data from any BI tool, workbench, or notebook using dynamic policies.

Security & Privacy Controls

Dynamic Data Masking

Copying data and manually removing or anonymizing values can delay analysis and weaken data utility. Immuta’s dynamic masking policies support hashing, regular expression, rounding, conditional masking, replacing with null or constant, with reversibility, with format preserving masking, and with k-anonymization, as well as external masking — all without ever copying or moving data.

Conditional Data Masking

Protect yourself from data leaks without resorting to manual changes. Immuta automates access restrictions based on masking policy conditions, such as time-based windows, user’s geography, and data in adjacent cells or reference tables. Immuta’s conditional logic in masking policies provides flexible policy enforcement while reducing risk.

Differential Privacy

Differential privacy statistically guarantees that any individual record within a data set cannot be identified. Immuta is one of the few data platforms to provide differential privacy. It is one of our dynamic privacy enhancing technologies PETs) that works by injecting noise into queries to protect the privacy of individual records and enable increased data sharing.

Dynamic K-Anonymization

Eliminate manual, code-based approaches that require a team of mathematicians to prevent re-identification. Immuta enables data teams to apply k-anonymization at query time from any connected database, allowing you to seamlessly prepare sensitive data for use. Compared to other approaches, k-anonymization has been shown to be the most effective for data masking.

Randomized Response

Protect yourself from data attacks without resorting to time-intensive security methods that require coding or new ETL pipelines. Immuta’s randomized response helps achieve local differential privacy for specific columns, making it possible to put mathematically guaranteed limits on an attacker’s ability to exploit your data.


Increase permitted use cases

Easily apply dynamic security and privacy controls on sensitive data to meet requirements from legal and compliance teams for cloud use cases. Policies are authored in plain language so any stakeholder can understand how sensitive data, such as PII, PHI, or other sensitive data, is being protected.

Accelerate time to data

Get safe and instant access by applying dynamic security and privacy controls at query time for each user. Eliminate the engineering resources and costs required to write code or copy data to protect sensitive data.

Reduce engineering burden

Apply security and privacy controls dynamically at query time without having to copy and manage protected data sets. This reduces the need for specialized engineering resources to implement dynamic data masking, while reducing risk by using proven and advanced techniques.

Frequently Asked Questions

What is static data masking?

Static data masking (SDM) masks data at rest rather than in active use. It does so by creating a copy of an existing data set and scrubbing it of all sensitive and/or personally identifiable information (PII). Once the information is masked, the data can then be stored, shared, and accessed for use without putting sensitive information at risk.

What is dynamic data masking?

Dynamic data masking is the process of using fake, hidden, or purposefully “noisy” data to conceal or mask the sensitive elements in a data set. Within existing databases, masking techniques such as k-anonymization, differential privacy, and randomized response can protect sensitive data from being reverse-engineered or re-identified. These masking techniques help ensure data remains private without hindering its ability to be used for analysis.

What is the difference between data masking vs. encryption?

Data masking operates by modifying or hiding sensitive values in a data set without changing the underlying data. In doing this, it creates a “fake” version of the data that is still usable for analysis/tools/etc. Data encryption, on the other hand, completely changes data into an illegible code that can only be reversed back into its original form with the assistance of an encryption key. This renders the data useless to anyone without the encryption key, where masked data can still be used for various purposes without exposing the more sensitive information involved.

Is data nulling considered data masking?

Yes, data nulling can be considered a data masking technique. Nulling masks sensitive data in a data set by replacing any given value with a NULL. When applied, the underlying data will appear to be NULL rather than its original value. This removes any identifiability from the column, at the cost of removing all utility. It is useful to apply this policy to numeric or text attributes which have a high re- identification risk, but little analytic value.

Have 29 minutes?

Let us show you how Immuta can transform the way you govern and share your sensitive data.