Dynamic Data Masking: The Missing Piece in DBaaS Security

Effective access control is a significant challenge in enterprise data warehouses, especially those built on platforms like Snowflake, BigQuery, and Redshift. These warehouses centralize large volumes of sensitive data, which continuously grows and evolves as organizations rely on it for analysis and business expansion. Despite this dynamic nature, data-level access controls are often static—if implemented at all—exposing these critical data repositories to potential security risks.

One of the most sought-after capabilities in a data-centric security model is dynamic data masking. Dynamic masking hides sensitive values, such as financial account numbers, from unauthorized users by obfuscating or hashing them at query time, while users with the proper access privileges still see the full values. For example, your data analysts may still need partial purchase data for analytics, but they certainly don’t need the actual, identifiable account numbers in plain text.

A Real-World Case Study in Snowflake

One of our customers recently used Cyera’s classification and remediation workflows to automatically mask sensitive data in Snowflake. Here’s a step-by-step look at how they approached it, showcasing the end-to-end workflow in action.

Background:

  • The customer's data warehouse often stored customer transaction data with account numbers in plain text.
  • As new datasets were added, these account numbers were frequently exposed to the entire data analytics team, creating security and compliance risks.
  • The goal: automatically detect account numbers and mask the data to prevent data analysts from seeing full account numbers (instead, just the last six digits).

Masking Policy:

  • The customer defined a custom masking policy to mask all but the last six digits of account numbers. Only the warehouse administrators had permission to see the full plain-text account numbers.
  • Traditionally, administrators rely on manual SQL commands to apply, modify, or remove masking policies—an inefficient and error-prone process that struggles to keep pace with constantly evolving data landscapes.
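The manual SQL lifecycle described above, written out for Snowflake as an added example. This is not the customer's or Cyera's actual policy; the schema ANALYTICS.PUBLIC, the table TRANSACTIONS, the column ACCOUNT_NUMBER and the roles WAREHOUSE_ADMIN and DATA_ANALYST are assumed names. The policy returns the full value only to the administrator role and replaces everything but the last six characters for everyone else, which is the behaviour the post describes.

```sql
-- Added example; object and role names are assumptions, not the customer's.
USE ROLE WAREHOUSE_ADMIN;
USE SCHEMA ANALYTICS.PUBLIC;

-- Masking policy: administrators see the stored value, every other role sees
-- only the last six characters. Policies are evaluated at query time, so the
-- data on disk is never rewritten.
CREATE OR REPLACE MASKING POLICY account_number_mask AS (val STRING)
  RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('WAREHOUSE_ADMIN') THEN val
    WHEN val IS NULL THEN NULL
    -- Keep the original length so downstream code that checks length still works.
    ELSE REPEAT('*', GREATEST(LENGTH(val) - 6, 0)) || RIGHT(val, 6)
  END;

-- Attach the policy to the column: the manual step that has to be repeated for
-- every new column that turns out to hold account numbers.
ALTER TABLE TRANSACTIONS MODIFY COLUMN ACCOUNT_NUMBER
  SET MASKING POLICY account_number_mask;

-- Check: which columns does this policy currently protect?
SELECT ref_entity_name, ref_column_name, policy_status
FROM TABLE(INFORMATION_SCHEMA.POLICY_REFERENCES(
  policy_name => 'ANALYTICS.PUBLIC.ACCOUNT_NUMBER_MASK'));

-- Verify from an analyst role: the same query now returns masked values.
USE ROLE DATA_ANALYST;
SELECT ACCOUNT_NUMBER FROM TRANSACTIONS LIMIT 3;

-- Removing the policy is just as manual, and just as easy to forget or get wrong.
USE ROLE WAREHOUSE_ADMIN;
ALTER TABLE TRANSACTIONS MODIFY COLUMN ACCOUNT_NUMBER UNSET MASKING POLICY;
```

The POLICY_REFERENCES query is the check worth keeping around: it is the only direct way to confirm that a policy is actually bound to the columns you think it is, rather than merely defined.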

Data Classification via Cyera:

  • Cyera scanned the Snowflake database and identified columns containing account numbers in plain text.
  • The customer configured a workflow that takes the columns Cyera classified as account numbers and applies the dynamic masking policy to them.
  • While this customer’s initial use case was straightforward, Cyera’s advanced classification engine continuously learns the environment to detect and mask new data types automatically.

Dynamic Application:

  • This workflow runs as new data is scanned. Instead of manually identifying and applying masking policies, the customer relies on Cyera to track new columns containing account numbers as data is created in Snowflake, eliminating the need for manual intervention.

Key Takeaway:

  • With Cyera, organizations can dynamically identify sensitive data, attach the correct masking policies, and keep them updated without endless manual work. This eliminates a major operational burden and ensures that if new data (e.g., new columns, tables, or databases) includes sensitive information, it’s automatically masked.

Enabling Dynamic Remediation at Scale

While this highlights account-number masking in Snowflake, it’s part of a larger remediation framework we’re building at Cyera. In addition to masking, organizations can leverage our platform for:

  • Data Classification & Tagging
    • Cyera’s automated classification tags data to ensure all sensitive data is accurately labeled and governed, to be dynamically masked later on.
  • Dynamic Access Controls
    • Cyera’s classification engine helps enforce least-privilege policies based on real-time data sensitivity. Cyera gives security and compliance teams continuous visibility into where sensitive data resides, how it’s used, and who has access to it. Our platform can automate access controls to minimize over-permissive access and ensure sensitive information remains secure.
  • Compliance Enforcement
    • Cyera automatically updates permissions for new or reclassified data, which is crucial for meeting strict regulatory standards like DORA, GDPR, and HIPAA.
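The "Dynamic Application" and "Data Classification & Tagging" passages above both describe the same mechanism: classification drives masking, so a newly discovered column is protected without anyone running ALTER TABLE by hand. As an added example (not Cyera's workflow or code), this is how that looks natively in Snowflake using tag-based masking, with a coverage check for columns that were classified but never protected. The schema GOVERNANCE, the tag DATA_CLASS, the masking policy ACCOUNT_NUMBER_MASK (assumed to already exist) and the table ANALYTICS.PUBLIC.TRANSACTIONS are assumed names.

```sql
-- Added example; names are assumptions. ACCOUNT_NUMBER_MASK is assumed to be an
-- existing masking policy that keeps only the last six characters.
USE SCHEMA GOVERNANCE;

-- A classification tag with a fixed vocabulary, so a typo cannot silently
-- create an unprotected category. A tag-bound policy fires for every value of
-- the tag, so keep one tag per data class rather than one tag for all PII.
CREATE TAG IF NOT EXISTS DATA_CLASS ALLOWED_VALUES 'ACCOUNT_NUMBER';

-- Bind the policy to the tag: any STRING column carrying this tag is masked,
-- whether it exists today or is created next week.
ALTER TAG DATA_CLASS SET MASKING POLICY ACCOUNT_NUMBER_MASK;

-- The classification step is now the only thing a scanner has to do.
ALTER TABLE ANALYTICS.PUBLIC.TRANSACTIONS MODIFY COLUMN ACCOUNT_NUMBER
  SET TAG GOVERNANCE.DATA_CLASS = 'ACCOUNT_NUMBER';

-- Check 1: the column is protected through the tag (TAG_NAME is populated when
-- the policy arrived via a tag rather than a direct ALTER TABLE).
SELECT ref_column_name, policy_name, tag_name, policy_status
FROM TABLE(ANALYTICS.INFORMATION_SCHEMA.POLICY_REFERENCES(
  ref_entity_name   => 'ANALYTICS.PUBLIC.TRANSACTIONS',
  ref_entity_domain => 'TABLE'));

-- Check 2 (drift): columns tagged as account numbers that have no masking
-- policy at all, for example because the tag was applied with a different
-- name, the column type does not match the policy, or the policy was unset.
-- ACCOUNT_USAGE views lag by up to a few hours, so this is a periodic audit,
-- not a real-time gate.
SELECT t.object_database, t.object_schema, t.object_name, t.column_name
FROM SNOWFLAKE.ACCOUNT_USAGE.TAG_REFERENCES t
LEFT JOIN SNOWFLAKE.ACCOUNT_USAGE.POLICY_REFERENCES p
  ON  p.ref_database_name = t.object_database
  AND p.ref_schema_name   = t.object_schema
  AND p.ref_entity_name   = t.object_name
  AND p.ref_column_name   = t.column_name
  AND p.policy_kind       = 'MASKING_POLICY'
WHERE t.tag_name  = 'DATA_CLASS'
  AND t.tag_value = 'ACCOUNT_NUMBER'
  AND t.domain    = 'COLUMN'
  AND p.policy_name IS NULL;
```

The drift query is the piece most teams skip: once masking is automated, the failure mode is no longer "nobody applied the policy" but "the classifier tagged it and the policy still did not attach", and only a join between tag references and policy references makes that visible.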

These capabilities deliver benefits such as:

  • Reduced Overexposure: Users and roles no longer have broad privileges they don’t need.
  • Fast, Automated Remediation: No more manual review or complex scripting to mask sensitive columns.
  • Continuous Security: As data changes or new data appears, Cyera updates classification, sensitivity, and policies with it, ensuring your security posture is never static.

Conclusion: Secure Your Data, Not Just the Perimeter

Data is the new perimeter. As cloud adoption grows, traditional network or application-based access controls fail to prevent unauthorized access to sensitive data. Modern threat actors can easily bypass perimeter defenses through phishing attacks, compromised credentials, or even malicious insiders.

Application-based access controls often rely on static permissions and lack visibility into underlying data, rendering them ineffective against credential compromise and insider threats.

To address this, organizations are pivoting from “What network resources should a user access?” to “What specific data, and under what conditions, should a user be able to access?”

Today, securing data at rest and in transit, as well as who has access to it, requires a data-centric approach. Cyera’s platform delivers end-to-end automation—from classification to access controls, dynamic masking, and beyond—ensuring your teams can focus on innovation without sacrificing compliance or security.

Request a demo today to experience the Cyera platform.
