Data Masking Explained
We’re living in a world where data is one of the most valuable assets. No wonder that protecting confidential and sensitive data has become more important than ever. That is why national and international sensitive data protection regulations are becoming stricter and stricter. More and more companies are choosing data masking as one of the ways to keep their data protected, avoid the cost of security breaches and ensure compliance.
In order to understand what data masking is and how it can be useful for modern business we need to understand how it works. Data masking, also called data obfuscation, is a process of hiding real data by replacing it with random characters.
The main goal of data masking is to prevent anyone without permission from seeing or accessing the real data. A good example is a situation in which your company is working with an IT contractor and you need to provide access to your database. Masking your production data allows your contractor to work with the production database without having access to the real and often sensitive data.
The other question that may arise is who uses data masking. If you’re a businessman, you surely know about the General Data Protection Regulation (GDPR), which mandates that all businesses collecting data from European Union citizens take all necessary actions to protect that data, under penalty of very high fines. Companies dealing with the following types of data can be protected by data masking:
- Personally identifiable information (PII)
- Protected health information (PHI)
- Payment card information (PCI-DSS)
- Intellectual property (ITAR)
Data masking is useful in almost all data security scenarios:
- Protecting data from third-party vendors. You can provide access to your production database to any IT contractors if sensitive and really important data is masked.
- Operator errors. Very often data breaches are a result of a database operator’s error. Also, very often not all operators need access to the entire database or entirely real and accurate data. Data masking can greatly reduce such risks.
Types of Data Masking
There are two types of data masking:
1) Static data masking. When data is masked statically, a copy of data needing protection is made. This copy is masked (obfuscated), placed instead of real data and can be shared around third-party contractors and other necessary parties. Original data cannot be unmasked from the masked copy. Static data masking performs an irreversible operation.
A variation of static masking is called in-place masking. The peculiarity of this type of masking is that the database/schema/table to be masked is the target and source at the same time. During the masking process another target table is created. DataSunrise takes the data from the source table, masks it and inserts it into the target table. Then the source table is removed and the target table is renamed as the source table. As a result, you get your source table masked.
2) Dynamic data masking. Dynamic data masking allows you to secure sensitive data in real time. As a result, sensitive data never leaves the production database, which carries fewer risks. Sensitive data is never exposed to those who have access to the database but are not meant to see what is inside, as the contents are obfuscated in real time, making them impossible to understand and use.
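The in-place variation of static masking described above, sketched as an added example with Python's built-in sqlite3 module; it is not DataSunrise's code. The `customers` table, the `_masked` suffix and the sample rows are constructed for illustration.

```python
import secrets
import sqlite3

def substitute_digits(value):
    """Replace every digit with a random one, keeping length and punctuation."""
    return "".join(secrets.choice("0123456789") if c.isdigit() else c
                   for c in value)

def mask_in_place(conn, table, column):
    """Create a target table, fill it with masked rows, drop the source and
    rename the target to the source name."""
    target = table + "_masked"  # hypothetical temporary name
    cur = conn.cursor()
    # Identifiers cannot be bound as parameters; they must come from trusted
    # configuration, never from user input.
    # CREATE TABLE ... AS SELECT copies columns only, not constraints or indexes.
    cur.execute(f'CREATE TABLE "{target}" AS SELECT * FROM "{table}" WHERE 0')
    cols = [r[1] for r in cur.execute(f'PRAGMA table_info("{table}")')]
    idx = cols.index(column)
    marks = ",".join("?" * len(cols))
    for row in cur.execute(f'SELECT * FROM "{table}"').fetchall():
        row = list(row)
        if row[idx] is not None:
            row[idx] = substitute_digits(row[idx])
        cur.execute(f'INSERT INTO "{target}" VALUES ({marks})', row)
    cur.execute(f'DROP TABLE "{table}"')
    cur.execute(f'ALTER TABLE "{target}" RENAME TO "{table}"')
    conn.commit()

# Constructed sample rows, not real identifiers.
SAMPLE = [(1, "Ann Example", "000-12-3456"),
          (2, "Bob Example", "000-65-4321"),
          (3, "Cy Example", "000-11-2222")]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?,?,?)", SAMPLE)
    mask_in_place(conn, "customers", "ssn")
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    rows = conn.execute("SELECT id, name, ssn FROM customers ORDER BY id").fetchall()
    return tables, rows
```

Because the source table is dropped, the operation is irreversible inside this database; copies that exist elsewhere, such as backups and replicas, still hold the unmasked values.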
There are a number of techniques that data security professionals may use when masking (obfuscating) data. A short description of them is provided below.
1) Substitution. It is one of the most popular and effective methods for data masking. When applying this method real data is substituted with fake but still authentic-looking data. The substitution method is usually applied to phone numbers, zip codes, credit card numbers, Social Security and Medicare numbers, etc. When applying substitution to names, real-life names can be randomly substituted from a supplied or customized lookup file.
2) Shuffling is another very popular way of masking data. It is very similar to the substitution method mentioned above with the only exception that the substitution set needed for substitution is taken from the same column of data that is being masked. To put it simply, the data is randomly shuffled within the column.
3) Encryption is one of the most complex methods of data obfuscation. A special encryption mechanism requires using a “key” to view data based on user rights and privileges.
4) Nulling values out or deleting them. Just applying a null value to a particular field may look like a very simple yet efficient way to mask data. However, this approach is only useful for preventing direct visibility of data. In most cases it is not as good and effective as it may seem, as this way of masking data will break the logic of most applications.
5) Number and date variance. If you do it right, number and date variance can give you a useful set of data without disclosing important financial information or transaction details. Let’s imagine you need to mask your employees’ salary numbers. To ensure accuracy of the salary range between the highest and lowest paid employees when masked, you can apply the same variance to all salaries in the set. That way the range doesn’t change.
6) Character scrambling. It’s a very simple technique in which characters are jumbled into a random order so that the original content is hidden. For example, using this technique you can change an employee’s ID #244536 in a production database to read #642345 for everyone not allowed to see the real data.
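Shuffling, number variance and character scrambling from the list above, as an added Python example that is not taken from any masking product. The function names and sample rows are constructed, and "the same variance" is read here as a single additive offset, which is an assumption.

```python
import random

def shuffle_column(values, rng):
    """Shuffling: mask a column using only values already in that column."""
    shuffled = list(values)
    rng.shuffle(shuffled)
    return shuffled

def apply_variance(amounts, rng, max_offset=5000):
    """Number variance: add one random offset to every value.

    Assumption: a single additive offset, which keeps the distance between
    the highest and lowest value unchanged.
    """
    offset = rng.randint(-max_offset, max_offset)
    return [a + offset for a in amounts]

def scramble(value, rng):
    """Character scrambling: reorder the characters after any leading '#'."""
    prefix, body = ("#", value[1:]) if value.startswith("#") else ("", value)
    chars = list(body)
    rng.shuffle(chars)
    return prefix + "".join(chars)

# Constructed sample data; the ID is the one used in the text above.
NAMES = ["Ann", "Bob", "Cy", "Dee"]
SALARIES = [42000, 58000, 71000, 120000]
EMPLOYEE_ID = "#244536"

def demo(seed=None):
    # random.SystemRandom() draws from the OS CSPRNG; a seeded random.Random
    # is only for repeatable tests and must not be used for real masking.
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return {
        "names": shuffle_column(NAMES, rng),
        "salaries": apply_variance(SALARIES, rng),
        "employee_id": scramble(EMPLOYEE_ID, rng),
    }
```

Each technique leaks something by design: shuffling and scrambling keep the original set of values or characters, and with one shared offset a single known real salary reveals all the others. These suit test data rather than hiding values from someone who already knows part of the data.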
Steps of Data Masking
When it comes to practical data masking you need the best strategy that works for data masking within your organization. Below are the steps you need to take to make data masking most effective:
- Find your sensitive data: The first step is to recover and identify data that may be sensitive and require protection. It’s better to use a special automated software tool for that.
- Analyze the situation: At this stage, the data security team should say where the sensitive data is, who needs access to it and who doesn’t.
- Apply masking. One should bear in mind that in very large organizations, it isn’t feasible to assume that just a single masking tool can be used across the entire company. Instead, you might need different data masking types.
- Test Data Masking Results: This is the final step in the data masking process. Quality assurance and testing are required to ensure that the data masking configurations give the required results.
Static data masking, dynamic data masking and sensitive data discovery tools are included in DataSunrise Database Security Suite, so you can choose the most suitable solution for your company. But one thing is guaranteed: your data will be totally masked!