Data Masking for Sharing in Lower Environments

Simplified data masking for development and test databases


A long-standing challenge in most IT environments is that developer, and test environments often need data sets and test data that mimic production data. Whether it is by user role, use case, or more, a practical secure solution is required to protect data in use, at rest and in motion.

Moving data from high environments (production) to lower environments (dev and test) is fraught with privacy, compliance, and data security issues. The approach undertaken in the past has been to simply clone production data and give copies of it to each user, e.g., developers, QA managers, etc. Thus, sensitive data can sprawl across lower environments with little to no control over how the original data is used, who has access to it, and how it is protected against data breaches. In addition, there are masking rules and compliance requirements for GDPR, CCPA, PCI-DSS, and HIPAA that dictate that personal data must be protected at all times, creating a new challenge for organizations.

Traditional masking methods such as encryption of such data sets have not been pragmatic as it renders the real data useless for lower environments. Other approaches that mask data can be time intensive and introduce significant operational costs slowing down application development efforts and business agility.

Here’s a quick demo of our simplified data masking:

Data Masking and Format Preserving Encryption for Lower Environments

Baffle Data Protection Services (DPS) provides simplified static data masking and dynamic data masking to mitigate the risks of leakage from a data source and bulk data breaches for all types of data - credit card numbers, production environments, financial information, and social security numbers.

Data anonymization or pseudonymization from a production system often requires data transforms to support users with different access to data and can slow down development and testing efforts because of the overhead involved. Baffle DPS simplifies data obfuscation via its "no code" approach, enabling simplified static and dynamic data masking.

Baffle data masking supports a variety of masked formats and, as a transparent security layer, remains invisible to applications and ETL processes. Furthermore, Baffle supports a data masking technique called Adaptive Data Security to enable role-based access to masked data, further reducing the risk of data breaches.

Key capabilities include:

  • On-the-fly data de-identification
  • Data masking, static or dynamic
  • Tokenization and Format Preserving Encryption (FPE)
  • Field/column level encryption
  • File and object encryption
  • Role-based access control
  • Secure data sharing with BYOK, KYOK, HYOK
  • Meet compliance with GDPR, CCPA, PCI, HIPAA

How It Works


Baffle Shield sits as a proxy layer between production databases and those in lower environments used for development and testing. Data is encrypted 'on-the-fly' as it moves from the higher to lower environment.

The encryption can be specified on a column level, with different masking algorithms and encryption types based on the data type in each column.

Furthermore, role-based access control enables different encryption or data masking modes to be applied based on the user role. These controls allow sensitive data to be protected while maintaining referential integrity, enabling the encrypted data to be appropriately useful for specific purposes in lower environments.

The same data masking tools can also be used to share data externally with partners and customers while protecting PII, PHI, and other sensitive information for security and meeting compliance with regulatory requirements such as GDPR, CCPA, PCI, and HIPAA.

Below are additional resources if you're interested in learning more or feel free to Request a Demo to speak with one of our solutions architects.

Learn more about Baffle’s Data Protection Services here.

Our Solution

Baffle delivers an enterprise-level transparent data security platform that secures databases via a "no code" model at the field or file level. The solution supports tokenization, format-preserving encryption (FPE), database and file AES-256 encryption, and role-based access control. As a transparent solution, cloud-native services are easily supported with almost no performance or functionality impact.

Icon Cubes


No application code modification required

Icon Stopwatch


Deploy in hours
not weeks

Icon Bolt


No impact to user

Icon Command


Bring your own key

Icon Padlock


AES cryptographic

Schedule a live demo with one of our solutions experts to get answers to your questions