This document provides an overview of a proposed data masking architecture using Delphix. It includes diagrams of the high-level architecture and data flow. The key components are a production database, Delphix masking engine, and non-production target database. The process involves creating a golden copy of the production data, masking it using the Delphix engine, and delivering the masked data to non-production. It also provides specifications for the masking engines, prerequisites, networking requirements, and best practices for configuring masking jobs and optimizing performance.

1. © 2019 Delphix. All Rights Reserved. Private and Confidential.
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Data Masking Draft Architecture

2. © 2019 Delphix. All Rights Reserved. Private and Confidential.
© 2019 Delphix. All Rights Reserved. Private and Confidential. 2
Data Masking-only

3. © 2019 Delphix. All Rights Reserved. Private and Confidential.
Prod Database/Files
Host
Staging Target Host
mounting DB to be masked Target DB Host
mounting masked DB
Customer process
Delphix Masking Engine
FIREWALL
PROD NON PROD
Delphix High Level Architecture – Data Masking-only
• Customer creates and refreshes in prod a
Golden Copy to be masked
• Delphix Masks the database. Customer
provides backup in order to rollback if needed
• Customer delivers masked data to non prod
JDBC
SFTP

4. © 2019 Delphix. All Rights Reserved. Private and Confidential.
Architecture – SQL Server
4
Production
Host
Staging Host
Target
Host
1433
Port Description
22 SSH
80 HTTP
443 HTTPS
1433 JDBC
Delphix Engine
8 vCPU, 64-128 GB RAM
300 GB System Disk
Delphix Storage <10ms
latency, size 100GB
Admin console
Production Database
DB Copies are Physical and requires DBA Support for
continuous new copies.
Can be on the same server or a different
FIREWALL
Customer process

5. © 2019 Delphix. All Rights Reserved. Private and Confidential.
Data Masking-only assumptions
• Delphix will only mask data, customer will refresh and deliver data to non prod
• Delphix final architecture will be created after detailed assessment to validate:
– Database/file size to be masked
– Data refresh frequency
– Time to complete masking

6. © 2019 Delphix. All Rights Reserved. Private and Confidential.
Data Masking Engine - specs
Description Qty Notes Comments
Masking Engines 1 Each engine is a Vmware 6.x virtual appliance with:
• 8 VCPU
• 64 GB RAM
• 400 GB disk (300GB system + 100GB for file masking)
N. of engines will vary based on masking SLAs
(es. Time to complete masking)
Database Staging hosts 1 Staging host is used for DB Golden Copy masking Assume 1 staging for SQL SERVER
Space for Golden Copy to be masked and
staging areas to export/import
XX TB 1 Copy of the DB + 1 copy as staging area

7. © 2019 Delphix. All Rights Reserved. Private and Confidential.
Activity Delivery Time Customer Staff
Delphix Server Install Fully Configured Delphix 5.3.x
VMGuest 8vCPU 64GB
300GB base storage
Masking Engine Started
~ 3 hours VMWare Admin
Delphix Masking Admin
Validate Masking Setup Connect SQL Environment
Masking Training and Review
1 hour setup SQL Server DBA
Delphix Masking Admin
POV Delphix Masking – On Premise
Activity Delivery Time Customer Staff
Setup and Run Profiler In Scope domains are: Name, Addr,
Birthdate,SSN,Subscriber ID
~ 8 hours Delphix Masking Admin (Architect)
SQL DBA
Run Masking Job Masking Jobs 4-8 hours Delphix Admin (Architect)
SQL DBA
Security Analyst
Validate Masking Solution 5 items needed for masking
Name, Addr, Birthdate,SSN,Subscriber ID
4 Hours Delphix Admin (Architect)
Security Review
SQL DBA

8. © 2019 Delphix. All Rights Reserved. Private and Confidential.
© 2019 Delphix. All Rights Reserved. Private and Confidential. 8
Delphix requirements

9. © 2019 Delphix. All Rights Reserved. Private and Confidential.
VMware prerequisites for Delphix Masking engine
Refer Docs link for OS specific pre-reqs :
https://docs.delphix.com/display/DOCS/Virtual+Machine+Requirements+for+VMware+Platform
Component Requirements Notes
Virtualization Platform VMware ESX/ESXi 6.x (recommended)
VMware ESX/ESXi 5.x (supported)
▪ VMware HA: enable, VMWare DRS: generally disabled
▪ HT sharing: recommend “None”, no sharing of CPUs
▪ ESX Memory Overhead: must leave at least 6% of allocated free of ESX
Virtual CPUs 8 vCPUs ▪ CPU reservation is strongly recommended
Memory 64GB ▪ Memory reservation is required
Storage 500GB of free space (system disk)
< 8ms storage latency
SCSI Controllers LSI Logic Parallel ▪ 4 vSCSI controllers are required with storage evenly spread across them to
maximize data throughput
Network < 1 ms network latency for VDB ▪ Between Delphix engine ad DB/File server where data are to be masked
▪ Jumbo frames (9000 bytes MTU) provides improvements to throughput
▪ 10GbE NIC in the ESX Server is recommended

10. © 2019 Delphix. All Rights Reserved. Private and Confidential.
Inbound Network Ports – Masking engine
• Delphix Masking engine will connect to databases to be masked via jdbc type 4 connection. Used ports will depend on the
database type and configuration
• Delphix Masking engine will connect to files to be masked via standard FTP/SFTP connection
Protocol Port Numbers Use
TCP 22 SSH connections to the Delphix Engine.
TCP 80 HTTP connections to the Delphix GUI (optional).
UDP 161 Messages from an SNMP Manager to the Delphix Engine (optional)
TCP 443 HTTPS connections to the Delphix GUI.

11. © 2019 Delphix. All Rights Reserved. Private and Confidential.
Outbound Network Ports – Masking engine to SQL Server
• Delphix Masking engine will connect to databases to be masked via jdbc type 4 connection. Used ports will depend on the
database type and configuration
• Delphix Masking engine will connect to files to be masked via standard FTP/SFTP connection
Protocol Port Numbers Use
TCP 25 Connection to a local SMTP server for sending email.
TCP/UDP 53 Connections to local DNS servers.
UDP 123 Connection to an NTP server.
UDP 162 Sending SNMP TRAP messages to an SNMP Manager.
TCP 443 HTTPS connections from the Delphix Engine to the Delphix Support upload server.
TCP/UDP 636 Secure connections to an LDAP server.
TCP/UDP various Connections to target environments such as databases (JDBC) - for SQL Server default port is 1433
And for files (FTP, SFTP, NFS, or CIFS).

12. © 2019 Delphix. All Rights Reserved. Private and Confidential.
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Best Practices – Masking

13. © 2019 Delphix. All Rights Reserved. Private and Confidential.
Best Practices – Masking
Important Considerations for Sizing & Configuration of a Masking Solution
• Masking consists of a masking workload, which executes in a masking ecosystem
• Masking involves two basic operations:
1. Movement of data via network back-and-forth between Data Store(s) and Masking Engine
2. Calculation/Generation of the masked values locally on the Masking Engine
• The basic flow is PULL-MASK-PUSH (PULL = read/retrieve from data store, PUSH=write/send to data store)
• “In-Place” masking reads a table, masks, then updates the original table (SELECT – mask – UPDATE)
• Only the columns to be masked (and possibly a key) need be moved across the network
• The database must locate the row to UPDATE when masked values are returned (extra work for DBMS)
• “On-the-Fly” masking reads from one table, masks, the writes a new table (SELECT – mask – INSERT)
• ALL columns of the table must be moved across the network
• The database can merely add the new row to a heap (new rows can be contiguous, less work for DBMS)
• Total masking workload is created by one or more masking Jobs, which can execute concurrently, or serially
• How many tables, rows/table, columns/row, specific masking algorithm, in-place or on-the-fly
• Ecosystem can constrain masking throughput/performance, balance is important. Masking can be throttled by send/receive.

14. © 2019 Delphix. All Rights Reserved. Private and Confidential.
Best Practices – Masking
Masking Engine Configuration
a.Install Masking Engine in separate, dedicated VM (ie: not in same VM as Virtualization Engine)
a. Use Combined OVA version of software, however run in isolated, separate VM
CPU Resource Planning – per Masking Job
a.Plan for 1 to 2 CPU Cores per Masking Job (depends on specifics of masking workload & capacities of masking ecosystem)
Masking Job Configuration Settings
a.For virtualized tables to be masked, use “in-place” masking method
b. For un-virtualized tables/data sources, conduct analysis to choose method: “on-the-fly” or “in-place” masking
b.The following recommendations apply to “in-place” masking of virtualized tables
b. Configure ONE (1) Update Thread per Masking Job (Default value is 4; do NOT use Default)
c. Configure ONE (1) Stream per Masking Job (Default is 20; Do NOT use Default)
a. If you need to mask multiple objects concurrently, use multiple jobs, not multiple streams
d. For ANY column being masked which is also indexed, specific the DROP INDEXES check box
e. For ANY column being masked which is involved in a trigger, check the DISABLE TRIGGERS check box
f. For ANY column being masked with is involved in Integrity Constraints/Declarative Integrity, check the DISABLE
CONSTRAINTS check box

15. © 2019 Delphix. All Rights Reserved. Private and Confidential.
Best Practices – Masking
Database Specific Optimizations
a. For SQL Server, make sure that an index exists to address the update,
a. otherwise Masking will dynamically add an identity column at start of job, drop index at end of job
a. Beware: this can have long-term space implications in the data store
b. Since SQL Server must traverse an index for each row to be updated, size of table becomes important
a. As row-count in table increases, causing index to grow in depth, more work needed per row to traverse
c. A prototype technique exists to segment a single table for parallel masking, however is not universally applicable

16. © 2019 Delphix. All Rights Reserved. Private and Confidential.
SQL Compatibility Matrix
16
Supported
OS Version
SQL Server
2008
SQL Server
2008 R2
SQL Server
2012
SQL Server
2014
SQL Server
2016
SQL Server
2017
SQL Server
2019
Windows
Server 2008
R2
Supported Supported Supported Supported N/A N/A N/A
Windows
Server 2008
R2 SP1
Supported Supported Supported Supported N/A N/A N/A
Windows
Server 2012
Supported Supported Supported Supported Supported Supported N/A
Windows
Server 2012
R2
Supported Supported Supported Supported Supported Supported N/A
Windows
Server 2016
N/A N/A Supported Supported Supported Supported Supported
Windows
Server 2019
N/A N/A N/A N/A Supported Supported Supported
https://docs.delphix.com/docs/datasets/sql-server-environments-and-data-sources/sql-server-support-and-requirements/sql-
server-support-matrix

17. © 2019 Delphix. All Rights Reserved. Private and Confidential.
Source and Provisioning Environment SQL Server Compatibility
Matrix
17
Provisioning Target Environment
Source
Environment
SQL Server
2008
SQL Server
2008 R2
SQL Server
2012
SQL Server
2014
SQL Server
2016
SQL Server
2017
SQL Server
2019
SQL Server
2008
X X X X X X
SQL Server
2008 R2
X X X X X
SQL Server
2012
X X X X X
SQL Server
2014
X X X X
SQL Server
2016
X X X
SQL Server
2017
X X
https://docs.delphix.com/docs/datasets/sql-server-environments-and-data-sources/sql-server-support-and-requirements/sql-
server-support-matrix

18. © 2019 Delphix. All Rights Reserved. Private and Confidential.
• SQL Server
SQL Server
• DB User Permission
18
• DB User Permission