Rows, columns, and consequences

Speak at Rootconf’s Special Edition on Databases

Tanzeel Khan

Compliance Without Compromise: Dynamic Data Masking in PostgreSQL

Submitted Apr 27, 2026

Problem: Organizations routinely need to give different user groups access to production data while still protecting sensitive information such as PII, financial records, or healthcare data. Traditional approaches like maintaining separate sanitized datasets, creating masked views, or implementing application-level redaction each come with significant tradeoffs: data duplication, synchronization overhead, security vulnerabilities from complex SQL expressions bypassing views, and inconsistent masking logic scattered across multiple codebases.

Solution:
Dynamic Data Masking (DDM) takes a different approach. Instead of duplicating or pre-processing data, it controls how data appears to users at query time — the same query on the same table returns different results depending on who’s asking. A support agent verifying a customer’s identity sees XXXX-XXX-321, an analyst studying spending patterns sees balances rounded to the nearest thousand with names fully masked, and a CTO sees the complete unmasked record. All of this happens transparently, with no data duplication and no application changes required.

This talk begins with these real-world scenarios to demonstrate why DDM matters, then goes under the hood to explore how it’s built. At its core, DDM is implemented as a PostgreSQL extension (pg_columnmask) that hooks into PostgreSQL’s query rewrite stage, the same stage the database uses for view expansion and rule processing. When a query passes through the rewriter, the extension inspects the user’s role, looks up applicable masking policies, and injects masking functions (built-in or custom) into the query tree before it ever reaches the planner or executor. The application sending the query has no idea masking is happening.
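To make the rewrite concrete, here is an added example (not code from the talk or from pg_columnmask, whose policy syntax is not shown on this page): plain-SQL masking functions for the two transformations described above, followed by the per-role SELECT that the rewriter would effectively hand to the planner for the same original query. The table, column, role and function names are constructed for illustration; which columns the support agent sees unmasked beyond the account number is an assumption.

```sql
-- Constructed sample table and row (not from the talk).
CREATE TABLE accounts (
    customer   text,
    account_no text,      -- e.g. '4821-551-321'
    balance    numeric
);
INSERT INTO accounts VALUES ('Alice Example', '4821-551-321', 12480.75);

-- Keep the last three characters, replace every other letter or digit
-- with X and leave separators in place, so '4821-551-321' becomes
-- 'XXXX-XXX-321' (the support-agent view from the proposal).
CREATE FUNCTION mask_account(acct text) RETURNS text
LANGUAGE sql IMMUTABLE AS $$
    SELECT regexp_replace(left(acct, -3), '[0-9A-Za-z]', 'X', 'g')
           || right(acct, 3)
$$;

-- Fully mask a name while preserving its length.
CREATE FUNCTION mask_full(val text) RETURNS text
LANGUAGE sql IMMUTABLE AS $$
    SELECT repeat('X', length(val))
$$;

-- The query every client sends, unchanged:
--   SELECT customer, account_no, balance FROM accounts;
--
-- What the rewriter effectively produces per role (written out by hand
-- here; pg_columnmask injects these function calls into the query tree
-- before the planner sees it, so the client never issues them).

-- support_agent: identity check, account number partially masked
SELECT customer, mask_account(account_no) AS account_no, balance
FROM accounts;

-- analyst: names fully masked, balances to the nearest thousand
-- (round() with a negative scale gives 12000 for 12480.75)
SELECT mask_full(customer) AS customer,
       mask_account(account_no) AS account_no,
       round(balance, -3) AS balance
FROM accounts;

-- cto: unmasked, i.e. the original query passes through untouched
SELECT customer, account_no, balance FROM accounts;
```

Running the three SELECTs against the sample row shows the same table yielding three different result sets, which is the behaviour the rewrite-stage hook is meant to deliver without any of the clients changing their query.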

  • Why traditional data masking approaches fall short?
  • Column-level, role-aware masking policies and security best practices
  • Leveraging PostgreSQL’s query rewriter to transparently mask data
  • Design trade-offs: why an extension-based approach over modifying the PostgreSQL core
  • Compatibility with open-source PostgreSQL tools like pg_dump
  • Performance at scale

Key Takeaways

  • Implementing column-level and row-level fine-grained access control
  • Deep understanding about PostgreSQL’s query rewriter
  • Building PostgreSQL extensions with high compatibility with the open-source ecosystem

Whether you’re a DBA looking to implement fine-grained access controls, a developer curious about PostgreSQL’s query rewrite internals, or an architect evaluating data protection strategies for compliance requirements like GDPR & HIPAA, this talk gives you both the practical & architectural reasoning behind dynamic data masking in PostgreSQL.

Tanzeel Khan - Software Developer AWS
Rishabh Tanwar - Software Developer AWS
