
Database data masking is the process of replacing sensitive values in a database with realistic but fictitious substitutes, so that non-production environments (development, testing, analytics) contain structurally valid data without exposing real PII, financial records, or protected health information. It is a foundational requirement for organizations subject to GDPR, HIPAA, PCI DSS, and CCPA, and a critical control for reducing breach exposure across the data lifecycle.
This guide covers what database data masking is, the types and techniques used, why automated sanitization matters for compliance, and how to implement snapshot-based masking natively within a cloud DBaaS platform without third-party tools.
Database data masking replaces real values with fictional but structurally valid substitutes so teams can work with realistic data without regulatory exposure.
Enterprise databases contain PII (names, addresses, national IDs), PHI (patient records, diagnoses), and financial data (account numbers, transaction histories) that must be protected under multiple regulatory frameworks. Simply restricting access to production databases is insufficient when development, QA, and analytics teams need data that reflects real-world patterns and volumes.
Data masking solves this by creating a transformed copy of the database where sensitive columns are replaced with plausible but non-reversible alternatives. A customer name becomes a random name; a Social Security number becomes a structurally valid but unused number; a birth date is shifted by a random offset. The masked data retains its format, type, and referential relationships, allowing applications and queries to function normally on the masked copy. The specific masking approach depends on the environment and use case, with the two primary categories being static and dynamic masking.
Static data masking applies a permanent, one-time transformation to a copy of the database. The process follows a snapshot, mask, and provision workflow: a snapshot of the production database is taken, masking rules are applied to the snapshot, and the masked copy is provisioned as a new database instance for non-production use. The original production data is never modified. This makes it ideal for dev, test, and staging environments where data does not need to reflect real-time production changes. This is the approach Tessell's sanitization workflow is built on.
Dynamic data masking intercepts queries in real time and masks values on the fly based on user roles and permissions, without altering the stored data. A privileged user sees the real value; an unprivileged user sees a masked version of the same field. This approach is used in production environments where role-based access control must enforce data visibility without creating separate database copies. Dynamic masking is supported natively in SQL Server, Azure SQL, Oracle Data Redaction, and PostgreSQL through extensions. Tessell's built-in sanitization workflow is static, not dynamic.
Substitution: Replaces real values with values from a lookup table of fictitious alternatives. The most common technique for names, addresses, and identifiers.
Scrambling / Shuffling: Rearranges values within a column so that real data exists in the dataset but is detached from its original row. Preserves statistical distribution.
Tokenization: Replaces sensitive values with non-reversible tokens stored in a secure vault. Allows de-tokenization by authorized systems if needed.
Format-Preserving Encryption (FPE): Encrypts values while maintaining their original format and length. A 16-digit credit card number remains a 16-digit number after encryption.
Redaction: Replaces values with a fixed mask character (e.g., XXX-XX-1234). Simple but less useful for testing because it does not produce realistic data.
Using raw production data in development, testing, and analytics environments creates significant compliance and security risk. If a non-production environment is breached, the exposed data is identical to production, triggering the same regulatory notification and remediation obligations as a production breach. Non-production environments typically have weaker access controls, making them attractive targets. According to the Perforce 2025 State of Data Compliance and Security Report, 60% of organizations have experienced data breaches or theft in non-production environments, an 11% increase from the prior year.
Regulatory frameworks increasingly mandate data protection in all environments, not just production:
GDPR (Articles 25, 32): Requires data protection by design and by default, including pseudonymization of personal data where feasible. Non-production use of real personal data without masking is a compliance gap.
HIPAA (Security Rule): Mandates safeguards for all electronic protected health information (ePHI), regardless of environment. Test environments with unmasked patient data violate the minimum necessary standard.
PCI DSS v4.1: Prohibits using production cardholder data in test environments unless those environments meet full PCI DSS controls. Masking production data before provisioning to test avoids this requirement.
CCPA / CPRA: Grants consumers the right to know what data is collected and how it is used. Using real consumer data in non-production without a legitimate processing purpose creates exposure.
Automating this process is no longer optional for enterprise database teams. Manual, ad hoc sanitization introduces delay, human error, and compliance gaps that compound with every provisioning cycle. The next section covers how Tessell addresses this with native, snapshot-based sanitization.
Tessell provides snapshot-based database sanitization as a native feature of its managed DBaaS platform, with no third-party tools required. Unlike approaches that require Delphix, Informatica, Redgate, or Oracle Data Safe, Tessell's masking capability is built directly into the Availability Machine and accessible through the same console used for provisioning, backup, and lifecycle management. Tessell was recognized as a Gartner 2025 Cool Vendor in Data Management, validating this integrated approach to enterprise database operations.
The Tessell sanitization workflow supports both ad hoc (on-demand) and scheduled automation. DBAs upload custom SQL scripts to the Tessell Script Library that define which columns to mask and which technique to apply. These scripts are then executed against database snapshots, producing sanitized copies that can be cloned to new instances in any cloud region on AWS, Azure, GCP, or OCI.
Tessell supports sanitization across all six database engines: Oracle, PostgreSQL, MySQL, SQL Server, MongoDB, and Milvus. The process is consistent regardless of engine or cloud, eliminating the need for separate masking tools per database platform. The following walkthrough demonstrates this workflow end to end.
The following walkthrough demonstrates the end-to-end sanitization process using a PostgreSQL database on AWS. The same workflow applies to Oracle, MySQL, SQL Server, and MongoDB on any supported cloud.
To begin, we have created a PostgreSQL instance on AWS with a sample Airport database loaded (sample_database_airport_db).
We have connected to the database using pgAdmin 4 in this example. However, you can use whatever database client you prefer. We are working with the "employee" table, and the columns we are focusing on are "birthdate" and "password". These are the columns we will mask in the steps that follow.
Navigate to the Tessell Availability Machine for your database instance: DB Services > Availability Machines > [Select DB Instance] > Snapshots. Click Take Snapshot, provide a name, and submit. Tessell automatically creates snapshots at provisioning, so a baseline snapshot may already exist. This snapshot captures the full database state as the input for sanitization.
Navigate to DB Service > Script Library. Upload a SQL script that defines your masking rules. The script specifies which columns to transform and what technique to apply.
Since we are working with PostgreSQL in our example, we will focus on the "Airport DB Masking Script - PostgreSQL". By clicking on the name of the script, you are brought to a details page that shows the available versions. You can download the script by clicking on the ellipsis.
Here is a copy of the script that we are using. As you can see, we will be masking the password column and setting the birthdate column for all employees to "1971-11-11".
--- Script
-- Sample Sanitization Script -------
-- This script updates sample_database_airport_db database
-- Table updated:
-- Field password in table employee
-- Field birthdate in table employee
--
\c sample_database_airport_db;
update employee set password='************';
update employee set birthdate='1971-11-11';
Scripts support all Tessell database engines. Teams maintain a library of masking scripts for different database schemas and compliance requirements. This DBA-controlled approach ensures that masking logic is customized to your data model rather than relying on generic pattern matching.
Navigate to the Tessell Availability Machine to access the snapshot we created earlier. Select DB Services > Availability Machines > [Select the DB Instance] > Snapshots.
Tessell automatically provides snapshots when you first provision an instance, as well as when you load a sample database. Since we have a snapshot available, select the Sanitization tab. On the Sanitization tab, click Sanitize Snapshot. Choose the snapshot, provide a Sanitized snapshot name, select the masking script (Airport DB Masking Script - PostgreSQL) and a version if applicable, and then click Submit.
Tessell applies the script against a copy of the snapshot, producing a sanitized version. The original snapshot remains unmodified. Progress is visible in the Tessell console during execution.
Once the operation is complete, you will see the sanitized snapshot listed and ready for cloning.
Now that the sanitized snapshot is available, navigate to the Dataflix section to create the sanitized instance. There is a shortcut on the upper right-hand corner of the Sanitization tab where you can access the Dataflix app. You can also navigate to DB Services > Dataflix > [Select the DB Instance].
Once in Dataflix, select the snapshot you want to clone from under the Sanitized Snapshots tab, and then click the Clone button.
Walk through the cloning process, which will create a new instance based on the sanitized snapshot. This process looks nearly identical to the standard provisioning wizard within Tessell. The clone can be deployed to the same region, a different region, or a different cloud provider entirely (AWS, Azure, GCP, OCI). This supports distributed development teams that need compliant test data in their local cloud environment.
The cloning process will begin. You can click on the Creating status to view progress.
Now that the process is complete, connect to the cloned instance using your preferred database client. In our example, we are using pgAdmin 4 as we did earlier with the original PostgreSQL instance.
As you can see, the birthdate and password columns have been modified based on the masking script we applied in Step 2. The password values are now masked, and all birthdate values have been set to "1971-11-11" as defined in the script.
Verify that referential integrity is preserved across related tables and that the masked data is usable for the intended test workloads. For audit and compliance purposes, Tessell logs all sanitization events within the platform, providing a verifiable trail for GDPR and PCI DSS audits. This eliminates the need for manual documentation of when masking was applied and by whom.
The steps above cover on-demand sanitization for ad hoc requests. But running this process manually every time a team needs fresh test data introduces operational risk and delays. Tessell solves this with two built-in automation capabilities: scheduled sanitization and cross-region Data Access Policies.
For teams that provision test environments regularly, manual sanitization creates operational friction and risks missed masking cycles. Tessell's built-in scheduler eliminates this by running masking on a defined cadence without DBA intervention.
Navigate to the Sanitization tab under the Availability Machine (DB Services > Availability Machines > [DB Instance]), select the Show Schedules button, and then select Create Schedule.
On the Create a sanitization schedule window, provide a Schedule Name, Description, Frequency (daily, weekly, or custom cron expression), Snapshot retention period, Snapshot name prefix, the masking Script to use, and the version. Click Save to activate the schedule. Tessell will automatically take a snapshot, apply the masking script, and produce a sanitized copy at each scheduled interval.
Now that we have a sanitization schedule created, the next step is to create a Data Access Policy. This policy can copy sanitized data from one region to another on the cloud of your choice.
Tessell's Data Access Policies extend automated sanitization to cross-region and cross-cloud delivery. Create a Data Access Policy that specifies which regions and clouds should receive the sanitized snapshots. In our example, we will create sanitized copies of the PostgreSQL instance in US East (Ohio), US East (N. Virginia), and US West (Oregon). Select the sanitization schedule created in the previous step, set the number of snapshots to retain, and click Create.
Tessell automatically replicates the sanitized copy to the target regions, making compliant test data available to distributed teams without manual snapshot management. You can view the data flow on the Data Flow tab of the Availability Machine.
This capability is unique to Tessell's multi-cloud architecture. Sanitized snapshots can be pushed to any combination of AWS, Azure, GCP, and OCI regions, giving global development teams access to fresh, compliant test data on a predictable schedule. As this schedule runs, you will have additional sanitized snapshots available for cloning as needed.
Identify and classify sensitive columns before scripting: Conduct a data discovery and classification exercise to map all PII, PHI, and financial columns across your schema. Masking rules are only effective if they cover all sensitive fields.
Preserve referential integrity across related tables: If a customer_id is masked in the customers table, the same transformation must be applied to the orders table. Use deterministic masking (same input always produces the same output) for foreign key columns.
Use consistent, deterministic masking for foreign keys: Hash-based or lookup-based substitution ensures that referential relationships survive the masking process. Random masking on key columns will break joins and application logic.
Automate masking on every data movement into non-production: Never rely on manual, ad hoc masking for recurring test environment provisioning. Schedule sanitization to run automatically so that no unmasked production data enters non-production.
Maintain audit logs for compliance reviews: Record when sanitization was applied, which script was used, and who initiated the process. This is required for GDPR accountability and PCI DSS audit evidence.
Validate masked data usability before releasing to developers: Run automated test suites against the masked database to confirm that application logic functions correctly with the substituted data. Masking should not break application behavior.
Tessell's Availability Machine handles steps 4 through 6 natively: automated scheduling ensures every non-production copy is masked, all sanitization events are logged, and cloned instances can be validated before release to development teams.
Database data masking is a non-negotiable requirement for any enterprise that uses production data to populate development, testing, or analytics environments. The regulatory landscape in 2026 (GDPR enforcement, PCI DSS v4.1, HIPAA, CCPA/CPRA, and the EU AI Act) makes automated sanitization a compliance imperative, not a best practice.
Tessell eliminates the need for standalone masking tools by building snapshot-based sanitization directly into its managed DBaaS platform. Teams define masking logic once in the Script Library, apply it on demand or on schedule, and deliver sanitized data to any cloud region across AWS, Azure, GCP, and OCI. Combined with Tessell's ISO 27001, SOC 2, and PCI DSS v4.1 certifications, this provides end-to-end data protection from production to non-production without additional tooling or integration overhead.
To see how Tessell handles database data masking for your environment, book a demo at tessell.com/book-a-demo or start a free trial.