What should I use - "Oracle Data Redaction" or "Oracle Data Masking"

In 12c Oracle introduced a new feature called "Data Redaction" – Limiting sensitive data exposure by dynamically changing returned data. Since Oracle Data Reduction feature was introduced it feels that a lot of people are confused by this feature with data masking pack, I am getting a lot of questions like:

  • What the difference between "Data Redaction" and "Data Masking"?
  • When should I data redaction and when should I use data masking?
  • Now that I have can use data redaction why should I use data masking?

Before we can answer those questions we should first understand what is data masking and the deference between physical data masking and dynamic data masking.

Data masking is all about changing sensitive data to a meaningful data that the application can handle but not REAL data that can be compromised; let's say we want to mask credit cards data we can change:

 

3755-1003-7777-8809 – XXXX-XXXX-XXXX-8809
Or 
3755-1003-7777-8809 – 3755-1231-1231-8809

Physical Data Masking

Masking the original data and changing it physically inside the database. If physical data masking is used the original sensitive data is completely removed from the masked database. Oracle solution to physical data masking is Oracle Masking Pack which is part of Oracle Grid Control.

Dynamic Data Masking

 In Dynamic data masking only the result set is being masked and the original data stays untouched. Oracle solution for dynamic data masking - Data Redaction feature introduced in 12c but is available from 11.2.0.4.

So when should we use "Data Masking Pack" and when should we use "Data Redaction" feature, the answers for that  question are straight forward – data redaction should be used to protect sensitive data on production environments  and "Oracle Data Masking" should be used to protect non-production environment as it will change the original data.

In the next articles few will dive deeper and understand how and when should we use
"Oracle Data Redaction" and "Oracle Data Masking"

Until then,

Keep it safe