AWS Dynamic Data Masking Announcement Solidifies a Commitment to Complete Data Protection, Data Privacy, and Security

AWS DDM Session Video

An exciting and promising aspect of being in the data security industry is seeing the adoption of technology by major players that will help businesses avoid costly data breaches and keep their most valuable IT asset—data—safe. For example, last week, AWS previewed a new solution for dynamic data masking (DDM) for Amazon Redshift. As an AWS partner, Baffle applauds AWS for this significant achievement and the safeguards it will provide in analytics and data portability.

Why do we feel this capability is so important? 

Redshift DDM allows customers to create views, replacing sensitive data with full or partially masked values controlled through a familiar SQL interface. Customers can restrict different levels of permissions to masked data by applying Redshift role-based access control. Additionally, customers can apply a conditional mask based on other columns, allowing the protection of a column of data in a table based on the values in one or more other columns.

Baffle is excited about this technology because it complements its Data Protection Service, a no-code approach to ingest data securely into a data pipeline that feeds a data warehouse like Redshift. It integrates seamlessly with the Amazon Database Migration Service (DMS) as well as data-mover tools, such as AWS Glue. Baffle uses a cryptography-based approach to tokenize sensitive data as it is inserted into Amazon Simple Storage Service (S3) object stores.

During the presentation at AWS re:Invent 2022 titled, “What’s New with Amazon Redshift (ANT201),” the speaker explained that with Baffle, AWS can modify sensitive or personal data, referred to as Personal Identifiable Information (PII) data based on access control mechanisms and support cell level and column level masking based on defined conditions.

The data can then be copied into Redshift using tools such as AWS Redshift Spectrum or AWS Athena, from which analytics applications or AWS Glue scripts will consume it. Redshift DDM completes the end-to-end vision with responsible consumption of sensitive data from the warehouse.

AWS understands the importance of data protection, privacy, and security 

This news shows the continued AWS commitment to helping businesses maintain data privacy and security efforts through DDM and other methods. Earlier this year at AWS re:Inforce, Kurt Kufeld, VP of AWS Platforms, made a bold statement in his keynote address, noting, “Encryption is the core component of a good data protection strategy.” He also had a clear and concise call to action: “Encrypt everything.”

We operate in a business environment in which the threats against data are more frequent and complex. Data analytics is the backbone of market differentiation across many industries, and organizations that implement best practices for the processing of personal data and the protection of personal data are simultaneously preventing obstacles to achieving larger business objectives.

And when you also consider the increasing noncompliance fines for data storage and processing from the GDPR (General Data Protection Regulation), the CCPA (California Consumer Privacy Act), the DPA (Data Protection Act), and other state and international data protection laws and data privacy laws, the stakes to protect data have never been higher. Many organizations are still acclimating to the learning curve related to all necessary impact assessments required by these governing bodies and actively protecting data in the cloud. So today’s AWS news represents a meaningful step forward.

How Baffle can help

Baffle’s mission has always been to simplify data-centric protection, and this new offering makes it even easier for Baffle customers to secure their entire data analytics pipeline. With Baffle, customers can encrypt their data before it is even ingested into AWS. Furthermore, they can do so via a no-code approach that requires no application changes.

Baffle customers can also protect data via tokenization with format-preserving encryption, field or column-level encryption, and even row-level encryption. In addition, through bring-your-own-key capabilities, Baffle makes it simple for customers to use their own encryption keys, preventing the cloud provider from accessing their data.

Since most organizations work across multiple clouds, Baffle gives customers a centralized data management control pane to protect data across multiple clouds and on-premise databases. Baffle works seamlessly with several AWS services, including Relational Database Service (RDS), Redshift, S3, DMS, KMS, CloudHSM, and Aurora.

Data privacy and security in the cloud can seem complex, whether on a small or large scale. Therefore, organizations must have strong data protection officers (DPO), data controllers, and partners who understand today’s challenges while planning for new obstacles that may emerge down the road. As experts in data privacy, cloud security, and compliance, AWS and Baffle are well-positioned together to help customers protect their user data effectively for current and future requirements.

Learn how Baffle Data Protection Services can protect your data inside AWS RDS instances, Redshift, and S3 buckets.

Join our newsletter

Schedule a Demo with the Baffle team

Meet with Baffle team to ask questions and find out how Baffle can protect your sensitive data.


No application code modification required


Deploy in hours not weeks


One solution for masking, tokenization, and encryption


AES cryptographic protection


No impact to user experience