Use Salesforce Data Mask To Secure Sandbox Data

Salesforce Data Mask is a powerful tool for data security, which is widely used by the Salesforce developer and admins lately. Instead of manually securing data and access control to the data for sandbox orgs, admins & developers can use Data Mask to mask the data automatically in a Sandbox. Data Mask allows admins and developers to mask the most sensitive data in sandboxes such as Personally Identifiable Information (PII) or sales revenue etc. Data Mask uses platform-native obfuscation technology to mask the most sensitive data in any full or partial sandboxes. The masking process allows you to mask some or all sensitive data with different levels of masking, depending on the sensitivity & criticality of the data. Once your Sandbox data is masked, it is impossible to unmask it. As it is an irreversible process, it ensures that the data is not replicated in a readable or recognizable way into a different environment. It will not affect your production data, so if you change your mind, it is always possible to refresh the data from production and then create a brand-new Sandbox org.

Levels of Masking

Make Your Data Random: Replacing sensitive, readable sandbox data with some random characters. For example, if you replace the Account Name field in the Account object with random characters, then an account record such as GenePoint in production would convert into gQ1ff95 in the sandbox.
Replace Your Data with Familiar Values: Replacing sensitive, readable sandbox data with some random but recognizable data using proprietary libraries embedded in the managed package. For example, if you replace the First Name, Last Name field in the Contact object with library values then a contact record such as Nancy Simon in production would convert into Fitzpatrick in the sandbox.
Replace Your Data with Data Generated using a Pattern: Replacing sensitive, readable sandbox data with some random but recognizable data using a pattern. For example, if you replace the Email field in the contact object with a pattern, then records such as peter@wiz.com converts into the user-32242@example.com using the pattern user-%5d@example.com.
Deletion: Data Mask converts sensitive, readable sandbox data into empty sets.

Installing the Data Mask

Data Mask is a managed package that you can install in the production org. Then, you can run the masking process from any random sandbox, which is created from a production org to install and use the Data Mask managed package in your production org. First of all, you must enable some features in your production org and specify user permissions. After the package is appropriately installed, Salesforce can upgrade the packages automatically when new features and bug fixes are available.

Configure & Run the Data Mask

The users can configure masking in two different ways. Configure it in the production, and then while a sandbox gets created or refreshed, then configuration appears in the sandbox. Or you can also configure it in an existing sandbox. After the configuration is done, the users can then start to mask the sandbox data based on their preferences. You can run the masking From the Data Mask Home tab of your sandbox, click the dropdown arrow for the masking configuration you want and click on run.

Data Mask Considerations & Limitations

Checkbox, lookup, and picklist data types aren’t supported.
Data Mask disables the following automations during its execution: Triggers, Workflow Rules, Validation Rules, Flows, Field History Tracking, and Feed Tracking.
Data Mask disables validation, Workflow Rules and Triggers created in the org running data masking, but it does not disable them if they are part of installed managed packages, so they can prevent data masking.
A field that turns from optional to required can have data missing. The Data Mask is finished in such a scenario, but skips incomplete records.

Resources

Secure Your Sandbox Data with Salesforce Data Mask

For any query on Salesforce Data Mask, contact support@astreait.com