Start tracking your progress
Trailhead Home
Trailhead Home

Get to Know Salesforce Data Mask

Learning Objectives

After completing this unit, you’ll be able to:
  • Understand the definition of data obfuscation.
  • Know the business cases for when to replace or delete data.
  • Understand the risks of data deletion.

How Does Data Mask Work?

Data Mask uses platform-native obfuscation technology to mask sensitive data in any full or partial sandboxes. You can configure different levels of masking, depending on the sensitivity of the data.

Tip

Tip

Data obfuscation is a way to modify and ensure privacy protection for PI and PII data. You can mask a field’s contents by replacing the characters with unreadable results. For example, Blake becomes gB1ff95-$. Or you can convert a field into readable values that are unrelated to the original value. For example, Kelsey becomes Amber.

Data Mask is a managed package that you install and configure in an Unlimited, Performance, or Enterprise production org. You then run the masking process from any sandbox created from the production org. The masking process lets you mask some or all sensitive data and ensures that the data is not replicated in a readable or recognizable way into another environment. Data Mask uses nondeterministic obfuscation to prevent reverse engineering or statistical inference attacks from de-obfuscating the newly rendered data.

Once your sandbox data is masked, you can’t unmask it. This process does not affect your production data, so if you change your mind, you can always refresh the data from production and create a new sandbox org. After you configure Data Mask, you can mask data sets as often as needed.

As the sandbox data is masked, previously determined objects and fields undergo a transformation from sensitive, readable sandbox data to obfuscated data.

Make Your Data Random

When you mark fields for replacement using random characters, Data Mask transforms sensitive, readable sandbox data into random data. For example, if you replace the First Name, Last Name, and Email Address fields in the Contact object with random characters, then an entry such as Susan Badger, me@thebadger.com in production would transform into vqiz olmmt, saljohnson@example.com in a sandbox. This transformation enables business processes to function, but preserves the confidentiality in the production environment.

Replace Your Data with Familiar Values

When you mark fields for replacement using library values, Data Mask transforms sensitive, readable sandbox data into random but recognizable data using proprietary libraries embedded in the managed package. For example, if you replace the First Name, Last Name, and Email Address fields in the Contact object with library values, then an entry such as Nancy Simon, nan@see.com becomes Gregory Fitzpatrick, liza.perez@acmeautorepairandpaintz.com. The field types remain the same, so any business processes that rely on specific data types function normally. You can also recognize the type of data and make informed decisions from the random data. Any sensitive information in the production environment remains confidential.

Delete Your Data

When you mark fields for deletion, Data Mask transforms sensitive, readable sandbox data into empty sets. For example, suppose that you delete the Manager Feedback free-form text field on a custom object. This sensitive entry Marcy Darcy has expressed repeated frustration that her peer, Charles Gnarles, borrows her stapler and neglects to return it. is stripped away and becomes an empty field in the sandbox. This transformation provides the most compute-efficient way to eliminate private data from the sandbox.

Warning

Warning

Deletion can remove user ability to test some business processes, so be selective in choosing privacy assurance methods. Once data is deleted from a sandbox, it can’t be restored. This process does not affect your production data, so if you need to restore data, you can always refresh the data from production and create a new sandbox org.

Summary

Data Mask delivers different levels of masking to help keep your sensitive production data private. You can replace sensitive data in your sandboxes with random characters, with similarly mapped words, or eliminate it. With Data Mask, customers don’t concede the rights and privileges associated with the privacy and confidentiality of production data when it’s replicated in a sandbox.