For Your Eyes Only: Why Data Masking Needs to Be in Every Data Security Strategy

Data security is rife with complexities. The threats against an organization’s data are massive and ever-evolving, and the consequences of a breach are devastating, sometimes crippling, for a business, so it’s unsurprising that there are dozens if not hundreds of factors to be taken into consideration when it comes to securing databases.

That’s why it’s so refreshing when an aspect of data security makes perfect, uncomplicated sense. Like data masking. It’s simple: if you want to disguise something or keep others from seeing it clearly, you mask it.

THE IDEAL DATA DISGUISE

While it isn’t as easy as drawing a mustache on an organization’s personally identifiable data, data masking is a relatively simple way to replace real data with fake but fully functional data so it can be used in situations where placeholder data is required but the actual data isn’t.

Data masking essentially ensures that only the people who need to see data can see it and that they only see it when they should. It’s used to protect various types of data, including intellectual property, personally identifiable data, protected health data, as well as financial data, such as payment card information. The key to data masking is keeping data formats unchanged while changing the data values so the actual data is obfuscated.

For example, the employees of an organization may be assigned an eight-digit employee ID number written like so: 8765-4321. If that data were to be masked, the eight-digit format would remain the same but the values within it would be changed: 3561-2847. Some of the more common methods of data masking are character substitution, numeric variance, character shuffling and format preserving encryption.

AN ESSENTIAL MASQUERADE

There are a number of reasons data masking is essential. Some of the top reasons are as follows:

Third parties can’t be trusted.

Retail companies share customer data with market researchers, for example, and healthcare organizations share patient information with medical researchers.

Sending actual personally identifiable data, payment card information, or protected health information to these third-parties would not only be risky because of how many people could potentially access it for misuse but also because doing so may run afoul of the compliance regulations governing different industries.

Neither can insiders.

According to a 2016 study by the Ponemon Institute, upwards of 25 percent of all data breaches involve employee or contractor negligence. Whether through maliciousness or carelessness, the legitimate data access privileges of employees contribute to many data breach and leak incidents.

This threat can be minimized by allowing each employee to see only the data they require to complete their work with the remaining data masked.

Many business operations don’t need real data.

Plenty of organizations require data in order to build and test new programs or functions, as well as to test necessary patches and upgrades. It would be impossible to tell if a program is going to perform as it needs to if it can’t be tested with data. However, if it were tested with the actual data of users, customers, or employees, it would open up that data to the eyes of all kinds of employees or contractors who don’t require access to it.

It would also allow that data to be stored in potentially insecure development environments that may be vulnerable to hackers. Compliance regulations may also come into play here.

The European Union said so.

The EU has new legislation coming into effect in May of 2018 that regulates how any organization storing or processing the data of any person in the EU can handle that data. Among many other requirements, the General Data Protection Regulation (GDPR) specifically mentions in Article 32 that data masking be used to pseudonymize sensitive data to help protect EU citizens from data breaches and other unauthorized access.

Considering that failing to abide by the GDPR can result in everything from a written warning to a fine of 20 million EUR, it’s in an organization’s best interest to comply.

MAKING SENSE OF DATA SECURITY

There are many database security solutions that make plenty of sense. Data masking is chief among them because they are at the heart of an organization and contain a potential goldmine for employees and hackers willing to get malicious in order to turn a profit on the black market.

Data masking is just one of the steps companies need to take to avoid becoming the subject of negative press, class action lawsuits, and cautionary tales for years to come.