The Oracle Data Masking Pack new new in 11g and
replaces real production data with realistic but false
(scrubbed) data, all based on masking rules from the Data
The Data Masking Pack is a separately licensed Oracle
Enterprise Manager pack that has been included with both OEM
Database Control and OEM Grid Control starting in Oracle
Database 11g r2. The Data Masking Pack is
documented as part or the Oracle Real Application Testing
Oracle notes three types of data masking:
"Compound masking: this
technique ensures that a set of related columns is masked as
a group to ensure that the masked data across the related
columns retain the same relationship, e.g. city, state, zip
values need to be consistent after masking.
Deterministic masking: this technique ensures
repeatable masked values after a mask run. Enterprise may
use this technique to ensure that certain values, e.g. a
customer number gets masked to the same value across all
databases. We will elaborate on this technique as it is a
very common use case.
masking: when businesses need to send their data to
a 3rd party for analysis, reporting or any other business
process, this technique transforms the original data into a
masked representation of itself using a secure key-based
reversible masking function. Once the data is recovered from
the 3rd party, the business can recover the original data by
reversing the masking using the same key."
The Oracle data masking pack costs about $11,500 per processor
or abut $230 per named user, but
see the Oracle Store
for current prices.
The Data Masking Pack is useful in two areas:
- Sharing data with third parties:
The regulatory compliance data confidentiality.
The data masking pack allows you to share your
production with third parties, confident that the
confidential data has not been compromised.
- Copy production to test: You
can preserve the confidentially per regulatory
compliance laws an copy production data to a test
environment without disclosure.
Within Oracle Enterprise Manager, the Data Masking Pack
enables centralized masking of confidential data in test and
development databases or databases supplied to external
vendors and third parties. The masking is defined using
out-of-the-box masking formats via the OEM console, thereby
storing all masking information centrally and not in the
dispersed and manual scripts that were traditionally used.
Condition-based masking is possible. The process is
irreversible, and it replaces the confidential data with
scrubbed but realistic-looking data using masking rules.
Database integrity rules are also followed when the masking
process takes place.
When the database is cloned from production using OEM,
the data masking can be executed as an integrated part of the
cloning process, or it can be run independently with the
dm_fmtlib package procedures. This helps
in complying with privacy and personal information laws such
as HIPAA, Sarbanes-Oxley (SOX) and the Payment Card Industry Data
Security Standard (PCIDSS).
There is also a very useful search function that allows
you to query the data dictionary of any database and
identify the tables and columns that need to be masked since
they may be carrying confidential data.
Licensing the Data Masking Pack
There is no trial version of Data Masking Pack. Data
Masking is available with the DB console or OEM 11G GRID /
You can Download it (full product set)
from OTN and test it. If you have an RDBMS 11gR2 you can
just configure DB Console (if not already done) and go into
the Data Mask Section.
However once you start/want to
use it on Production Environments, you need a license for
it, so you need to contact your Oracle Sales Representative.
Installing the Data Masking Pack
You start by downloading the data masking Pack software
If you are using Oracle Data Masking through OEM Grid
Control you need to make sure that the dm_fmtlib
package has been installed in the target database. The
dm_fmtlib package can be created by
running the following two supplied scripts, while connected
as the dbsnmp schema owner:
You can interface with the Data Masking Pack using OEM,
or by calling any of the dm_fmtlib procedures.
Oracle Data Masking Pack also supports masking of data in
heterogeneous databases, such as IBM DB2, Microsoft SQL
Server (MS-SQL), Sybase, and Informix, through the use of
the Oracle Database Gateways.
Built In Data Masking Formats in the Data
Oracle has many built in Masking Formats as part of the
data masking library.
There are some built in routines such as:
- Shuffle the original data
- Substitute masking (a
deterministic masking that ensures the same value in
yields the same result)
- Table Column (select a
random entry from another table)
The Data Masking Pack also includes "primitive" masks
- Fixed Numbers
- Fixed Strings
- Random Dates
- Random Digits
- Random Numbers
- Random Strings
There are also custom data masking rules for specific
real-world data strings. These masking rules include:
- American Express credit card Numbers
- Discover credit card Numbers
- Generic credit card Numbers
- ISBN Numbers
- MasterCard credit card Numbers
- National Insurance Numbers
- Social Insurance Numbers
- Social Security Numbers
- United Parcel (UPS) Codes
- US Phone Numbers
- Visa credit card Numbers
Oracle notes that the Oracle Data Masking Pack includes
the following features:
- Mask format libraries
- Mask definitions
- Masking techniques
- Condition-based masking
- Compound masking
- Deterministic masking
- Application masking templates import or export
- Mask format library import or export
- Masking script generation
- Clone and Mask workflow
package has the following procedures. Fir example,
here is the rule for generating a social security number:
dbsnmp.dm_fmtlib.mgmt_dm_gen_ssn('A', 'A', '52')
Here are the some of the procedures within the
cn = Canada
sin = Canada social
ph = phone number
vc = Visa Card
Oracle Training from Don Burleson
The best on site
training classes" are just a phone call away! You can get personalized Oracle training by Donald Burleson, right at your shop!
Burleson is the American Team
documentation was created as a support and Oracle training reference for use by our
DBA performance tuning consulting professionals.
Feel free to ask questions on our
considering using the services of an Oracle support expert should
independently investigate their credentials and experience, and not rely on
advertisements and self-proclaimed expertise. All legitimate Oracle experts
Oracle technology is changing and we
strive to update our BC Oracle support information. If you find an error
or have a suggestion for improving our content, we would appreciate your
and include the URL for the page.
Copyright © 1996 - 2017
All rights reserved by
is the registered trademark of Oracle Corporation.
Remote Emergency Support provided by