DataMasque Portal

Schema Discovery

Overview

DataMasque can be configured to automatically discover data in your databases during masking. When a masking ruleset contains the special purpose run_schema_discovery task type, DataMasque will inspect the database metadata and generate a discovery report for each masking run. Discovery reports produced are accessible via the Ruleset Generator page.

Note: The schema discovery feature does not currently support Amazon DynamoDB or Microsoft SQL Server (Linked Server) databases.

Methodology

To perform schema discovery, DataMasque discovers all tables and columns under the default schema of a connection. Once all columns have been identified they are then checked for potential sensitive information then flagged appropriately.

DataMasque comes with over 90 built-in keywords to help discover various types of sensitive data (account numbers, addresses, etc.) in your database. Each pattern is classified into one or more categories. The included data classification categories are:

  • Personally Identifiable Information (PII)
  • Personal Health Information (PHI)
  • Payment Card Information (PCI)

Reporting

Per-run data discovery report

After a run_schema_discovery task has completed, the results can then be viewed in the ruleset generator.

The ruleset generator will display the following columns:

Table schema The schema of the table containing a sensitive data match.
Table name The name of the table containing a sensitive data match.
Column name The name of the column which has matched against a commonly used sensitive data identifier.
Constraint Whether the column is a Primary or Unique key. In parentheses it will list the columns in which the constraint is present.
Data Type The data type of the column in the database metadata
Max Length If the column is a text field, this contains the max length of the column, otherwise empty string .
Numeric Precision If the column is a numeric field, this contains the numeric precision of the column, otherwise empty string.
Reason for flag Description of pattern which caused the column to be flagged for sensitive data.
Data classifications A comma-separated list of classifications for the flagged sensitive data. Possible classifications include PII (Personally Identifiable Information), PHI (Personal Health Information), PCI (Payment Card Information) and Custom (User specified custom keywords).
Foreign Keys List of foreign keys relating to the column, with information of the foreign key (FK_Name, Referenced Column).

Note for Oracle: Schema discovery reports will only cover the tables owned by the user or schema as defined in Connection. Schema will take precedence over user.

Note for Microsoft SQL Server: Schema discovery reports will only cover the tables owned by the user's default schema.

Note for PostgreSQL:

  • Schema discovery reports will only cover the visible tables in the current user search path.
  • A table is said to be visible if it's containing schema is in the search path and no table of the same name appears earlier in the search path.

Note:

  • Schema discovery reports will discover primary and unique keys including composite primary and unique keys.
  • This is done by querying the relevant system tables with the constraint name to get all columns under the constraint in order.
  • This is needed for the task key when generating mask_table tasks.

Note for Redshift:

  • Amazon Redshift does not enforce unique, primary-key, and foreign-key constraints. See Defining table constraints for additional information about how Amazon Redshift uses constraints.