Data Masking for MySQL Databases
Data masking is a technique for protecting sensitive data such as credit card numbers, Social Security numbers and addresses when that data has to be shared or used outside production, for example for testing.
There are several methods of data masking, including substitution, shuffling, and redaction, and they are useful in different scenarios. By masking sensitive data, organizations can minimize the risk of data breaches and unauthorized access while still being able to use realistic data for development, testing, and analytics purposes.
MySQL Enterprise Data Masking
Data Masking is available exclusively in the MySQL Enterprise edition as a plugin.
The plugin ships a set of masking functions, such as mask_inner(), mask_outer(), mask_pan() and mask_ssn(), which replace all or part of a value with mask characters, plus gen_* functions such as gen_rnd_pan() that generate synthetic values.
Instead of letting users call the mask functions against the table directly, someone with the right privileges (usually the DBA) defines a VIEW that applies them, and users query the view as if it were a table. For this to protect anything, those users must hold SELECT on the view but not on the underlying table; a user who can read the base table can simply bypass the view.
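As an added illustration (not code from the original post, nor from Oracle or Percona), here is the view-based pattern described above written out in SQL. The schema app, the table customers and its columns, the account analyst and its password are all hypothetical, and the plugin with its loadable functions is assumed to be installed already. The same pattern applies to the Percona plugin discussed below, which is designed to be compatible with these functions.

```sql
-- Added example, not from the original post. Masks a customers table behind a
-- VIEW using the MySQL Enterprise Data Masking functions.
-- Assumptions: the data_masking plugin and its loadable functions are already
-- installed (INSTALL PLUGIN data_masking SONAME 'data_masking.so', then
-- CREATE FUNCTION mask_inner / mask_pan / mask_ssn RETURNS STRING SONAME
-- 'data_masking.so'). Schema, table, column and account names are hypothetical.

CREATE DATABASE IF NOT EXISTS app;
USE app;

CREATE TABLE customers (
  id    INT PRIMARY KEY,
  email VARCHAR(255) NOT NULL,
  pan   CHAR(16)     NOT NULL,   -- payment card number
  ssn   CHAR(11)     NOT NULL    -- US SSN in 'AAA-GG-SSSS' form
);

-- Constructed sample rows (test card and SSN numbers, not real people)
INSERT INTO customers VALUES
  (1, 'alice@example.com', '4111111111111111', '123-45-6789'),
  (2, 'bob@example.org',   '5500000000000004', '987-65-4321');

-- The DBA defines the masked view. SQL SECURITY DEFINER (the default) means
-- the view reads the base table with the definer's privileges, so the
-- querying user needs SELECT on the view only, never on customers itself.
CREATE OR REPLACE
  SQL SECURITY DEFINER
  VIEW customers_masked AS
SELECT
  id,
  -- keep the first character of the local part and the whole domain,
  -- e.g. alice@example.com -> a****@example.com
  CONCAT(mask_inner(SUBSTRING_INDEX(email, '@', 1), 1, 0),
         '@', SUBSTRING_INDEX(email, '@', -1)) AS email,
  mask_pan(pan)                                 AS pan,   -- ************1111
  mask_ssn(ssn)                                 AS ssn    -- ***-**-6789
FROM customers;

-- Least privilege: the analyst account gets the view and nothing else in app.
-- Do NOT grant SELECT on app.customers, or the view protects nothing.
CREATE USER IF NOT EXISTS 'analyst'@'%' IDENTIFIED BY 'change-me';
GRANT SELECT ON app.customers_masked TO 'analyst'@'%';

-- Verification, run while connected as analyst:
--   SELECT * FROM app.customers_masked;  -- returns masked rows
--   SELECT * FROM app.customers;         -- ERROR 1142 (42000): SELECT command denied
-- If the second statement succeeds, a base-table grant has leaked and the
-- masking can be bypassed.
```

The verification pair at the end is the check worth automating: for every account that is supposed to see only masked data, confirm that SELECT on the base table is denied, because a single stray GRANT on the underlying table silently defeats every view built on top of it.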
This approach is straightforward, but it has several limitations:
- It relies on granular MySQL user accounts and roles. In reality most MySQL instances have only a handful of accounts, often shared between applications and people, so adopting the plugin means redesigning the account setup first.
- A separate view is needed for every masking variation. This quickly becomes unmanageable as the number of underlying tables and variations grows.
- There is no dedicated module for managing masking; after all, it is a plain MySQL VIEW, and the masking rules live only in view definitions and grants.
Percona Data Masking Plugin
Percona Data Masking Plugin is a free and open-source reimplementation of the MySQL Enterprise data masking plugin. It provides a set of masking functions modelled on the Enterprise ones.
Similarly, the way to protect raw data is with a VIEW.
However, the Percona Data Masking plugin only works with Percona Server for MySQL. If you run Oracle's MySQL Community Edition, which is the dominant distribution, you will need to look elsewhere.
Bytebase Dynamic Data Masking
Bytebase Dynamic Data Masking does not depend on MySQL views or MySQL user accounts. Masking policies and access grants are managed inside Bytebase, and the policy is applied to query results when a user runs a query from the Bytebase SQL Editor.
Bytebase Dynamic Data Masking consists of the following components:
- Global Masking Rule: DBA can apply masking levels in batch, e.g. every column named "email" is masked at the "Partial" masking level. Changing the policy later does not require reapplying it to thousands of columns, and there are no views to maintain.
- Column Masking Rule: DBA can assign individual table columns their own masking level. A column masking rule takes precedence over the global masking rule.
- Access Unmasked Data: for masked content, DBA can grant specific users permission to see the unmasked values.
Workspace Admin and DBA here are roles in Bytebase.
| | MySQL Enterprise Data Masking Plugin | Percona Data Masking Plugin | Bytebase Dynamic Data Masking |
|---|---|---|---|
| Compatibility | MySQL Enterprise Edition only | Percona Server for MySQL | All MySQL distributions ⭐️ |
| Enforced at | Database itself ⭐️ | Database itself ⭐️ | SQL Editor |
| Features | Basic | Basic | Advanced, with granular masking policy and access grants ⭐️ |
The advantage of the MySQL Enterprise and Percona plugins is that they are implemented in the database itself, so the masking rules are enforced regardless of how queries reach the database, whether from an application, a CLI client or a BI tool. Bytebase Dynamic Data Masking is enforced only for queries that go through the SQL Editor; a user who holds direct database credentials can bypass it, so those credentials must stay with Bytebase and the administrators.
The advantage of Bytebase Dynamic Data Masking is its compatibility with all MySQL distributions and its richer masking policy and access grants. As long as the team can be required to query databases through the Bytebase SQL Editor (which is usually desirable from a management perspective anyway), Bytebase Dynamic Data Masking is a good fit.