Framework for the Assessment of Data Masking Performance Penalties in SQL Database Servers. Case Study: Oracle

Dynamic data masking (DDM) is a powerful data-security technique for protecting personal and other sensitive information in databases from unauthorized access. A DDM can be used to mask or obfuscate information in real time, as it is accessed by unauthorized users. This prevents sensitive information from being exposed, while still allowing authorized users to access the data. In current multilayered applications, data masking may be incorporated as special modules placed anywhere between the storage and user interface. In this paper, we consider the solution of implementing masking directly in the persistence layer so that data do not travel unmasked along the network. The data at rest are unchanged (i.e., unmasked), but when users query the database, the sensitive columns in the results are displayed in a masked format, which makes it impossible to identify the original data. Given the diversity of masking features proposed by commercial and open-source database servers, this study proposes a framework for assessing the performance penalty of SQL queries when using database masking relative to the original (unmasking) scenario. We implemented and applied the framework to a basic masking scenario in the Oracle database server using the TPC-H benchmark database. Exploratory analysis and Machine Learning models suggest that DDM has a weak impact on query performance. This could be a powerful incentive for incorporating DDM in real-world software applications when up to 100GB data is stored using Oracle database server.