Does the masked VDB provision create the VDB first, followed by masking? Or does it mask sensitive data blocks and perform virtualization?

  • Updated 6 days ago
  • Answered

When we mask the VDB, it performs a 'Copy on Write' for the masked data block. Is it feasible to mask the data block and then snapshot, followed by VDB (in one go)... Sequence is important.
RanjeethRao Kashetty

Posted 3 months ago


Hims, Employee

Hi Ranjeetha,
This requirement is very common; it is architected by a natively available Delphix feature called SDD (Selective Data Distribution).
https://docs.delphix.com/docs/delphix-masking/delphix-masking-engine-quick-start-guide/provisioning-...


Thanks
--Hims

Gary Hallam, Official Rep

Ranjeeth,
In answer to your direct question, if you are talking about what happens when you provision a virtual database with the masking dropdown set to run a masking job on provision, then the VDB is created first of all and once created the masking job is run against it. If the masking job fails then the VDB is rolled back and not provisioned. Your underlying concern of course is that both clear and masked data reside on the file system and Delphix provides a neat and efficient way of potentially rewinding to the unmasked data state. This was pointed out a long time ago by some of our discerning banking customers.

As Hims points out, Delphix invested a lot of engineering time in creating a solution that would allow you to provision only masked blocks of data outside of the production zone.  This is achieved by replicating the masked VDB to a second engine in a non-production zone.  Our Selective Data Distribution provides a very effective way of zoning the data ensuring clear and masked data separation.  This allows us to meet PCI compliance and other data protection regulations.

In fact, if you choose to subset your data within a masking job (removing data is an effective security measure and a required one in most security scenarios), then these blocks are also prevented from being replicated.

The Selective Data Distribution documentation is available here.

I hope that helps.

Regards,
Gary
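
A simplified model of the point made in the answer above, added here as an example and not taken from the thread or from Delphix: masking a VDB on a copy-on-write store leaves the clear block on the same engine, while replicating only the blocks the masked VDB references keeps it out of the second engine. The `Engine` class, the snapshot names and the sample rows are assumptions constructed for illustration; no Delphix API is used.

```python
# Toy model (assumption): a copy-on-write block store with snapshots.
# It is not Delphix code and does not call any Delphix API.

class Engine:
    def __init__(self):
        self.blocks = {}      # block id -> bytes, never overwritten in place
        self.snapshots = {}   # snapshot name -> {logical address: block id}
        self._next = 0

    def _store(self, data):
        self._next += 1
        self.blocks[self._next] = data
        return self._next

    def ingest(self, name, rows):
        """Take a snapshot of the source (clear data)."""
        self.snapshots[name] = {a: self._store(d) for a, d in rows.items()}

    def provision_and_mask(self, parent, child, mask, sensitive):
        """VDB first (shares the parent's blocks), then mask: each masked
        address gets a new block; the clear block stays on this engine."""
        vdb = dict(self.snapshots[parent])
        for addr in sensitive:
            vdb[addr] = self._store(mask(self.blocks[vdb[addr]]))
        self.snapshots[child] = vdb

    def read(self, snapshot):
        return {a: self.blocks[b] for a, b in self.snapshots[snapshot].items()}

def replicate_selectively(src, snapshot, dst):
    """Copy only the blocks referenced by the masked snapshot."""
    dst.snapshots[snapshot] = {}
    for addr, bid in src.snapshots[snapshot].items():
        dst.blocks[bid] = src.blocks[bid]
        dst.snapshots[snapshot][addr] = bid

def demo():
    prod, nonprod = Engine(), Engine()
    clear = b"4111111111111111"   # constructed sample value (test card number)
    prod.ingest("dsource@t0", {0: b"order-42", 1: clear})
    prod.provision_and_mask("dsource@t0", "masked_vdb",
                            lambda d: b"X" * len(d), sensitive=[1])
    replicate_selectively(prod, "masked_vdb", nonprod)
    return (clear in prod.blocks.values(),     # rewind to clear data possible
            clear in nonprod.blocks.values(),  # clear block was never shipped
            nonprod.read("masked_vdb"))
```
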

Thanks Gary for taking time to respond.


I looked into SDD and it talks about distributing masked data to another engine so that we segregate users specific to their roles to target engine.

In the document, it refers to masking steps involved in SDD and talks about "Masking engine masks the dSource data into a VDB". Is this technically creating a VDB and then applying masking over the VDB or creating a masked VDB straight out of the dSource?

I keep asking this repeatedly because I'm interested in knowing the sequence of activities as it helps me estimate the latency in provisioning masked VDB.

With the term "provision masked VDB" I keep getting confused if it's about a "copy on write" for masked data blocks followed by VDB links to the masked & unmasked data blocks.



Mouhssine SAIDI

Hi,

You got it right: “Masking engine masks the dSource data into a VDB". Is this technically creating a VDB and then applying masking over the VDB”

This is what the engine does whenever you choose to create a masked VDB; it is also referred to as “in place” masking. Notice that only this type of job is listed on the virtualization engine and can be used from there.

You also have a second type, referred to as “on the fly”; please cf. the doc to dig into it
https://docs.delphix.com/display/DOCS...

Regards,

Mouhssine

Gary Hallam, Official Rep

Hi Ranjeeth,
You can achieve both as Mouhssine describes.  There are different ways to architect a solution depending upon what you are trying to achieve and the infrastructure constraints that you are working within.  I would recommend discussing this with your Delphix representative.  I would be happy to help offline to clear up exactly your understanding and to connect you to a local project resource for you.  Delphix masking can connect to a virtual database or physical database.
Regards,
Gary
Hi Gary,

My question is not about Delphix masking. I'm more concerned about its integration with virtualization.

I understand what In-Place masking is. But the scenario I explained is not in-place masking. We are neither masking anything on the dSource nor masking a VDB - that's not what we want.

In simple words, I want the VDB that comes out of the dSource snapshot to be already masked. I would like to know how Delphix sequences virtualization & masking. It may do this by packaging the VDB + masking together and executing VDB creation followed by masking the VDB - OR - it may mask the sensitive data blocks and create a VDB?

Please clarify which method is followed.

Thanks,
Ranjeeth

santosh kumar

I was in the same boat and tried the approach below.

STEP 1 - create VDB
STEP 2 - build masking job
STEP 3 - Associate that job into dSource
STEP 4 - Delete above created VDB
STEP 5 - Spin up new VDB from dSource while associating the JOB created in STEP 2

In our approach, we are treating this as the PARENT VDB and spin up new VDBs from the Parent, which will be used by the Project team.

Hope this helps to get the sequence.

Mouhssine SAIDI

Hi,

It depends on the methodology you’re using; Delphix can do both.

1/ An on-the-fly job reads clear data from database A and writes masked data (masking happens in memory) to database B.

2/ An in-place job reads and updates with masked values in the same database.

The sequence you described is a great approach if you remove step 4 :)

Regards,

Mouhssine