Data masking should be a vital part of your security posture, as it can keep sensitive data protected from prying eyes. But what does it involve? And is it enough? Let’s dive right in and find out.
Data masking is a technique used by companies that handle sensitive data to make it more secure. It replaces sensitive data with scrambled or fake data, in order to throw off any bad actors who might gain access, and can protect sensitive data at rest or in transit.
If you need to share sensitive data for training or testing, data masking helps you do this in a way that protects the material, as well as being functional for use.
You should make sure you’ve mapped out where your sensitive data lives beforehand so you can understand what exactly you’ll need to mask.
Some examples of data masking include:
Data masking enhances your data security, by reducing the risk of your data being leaked or misused.
Sensitive data such as Personally Identifiable Information (PII) or Personal Health Information (PHI) needs to be protected for a number of reasons. Not only will you need to ensure it’s protected for legal reasons, but you also have a moral duty to your customers too.
1. It can help you stay compliant with regulations like HIPAA and GDPR
Whether you’re in finance or healthcare, there will be data regulations you’ll need to comply with, such as PCI DSS, HIPAA, CCPA or GDPR. Data masking can help you meet these requirements and avoid hefty fines or reputational damage.
2. Keep your business running effectively
If you need to share data for testing or training purposes, data masking can help you produce a functional version of your data that can be provided.
3. Reduces the risk of data loss
With data scrambled or encrypted, the risk of data loss or misuse is reduced as bad actors are unable to steal the data.
4. Increases customer trust
If customers know you’re doing everything you can to protect their data, you can increase loyalty with your customer base, and potentially win new business via recommendations too.
There are a few different types of data masking that organisations can use to protect sensitive data, such as:
Different companies might choose different methods based on how sensitive the data is, and what it’s being used for.
There are numerous techniques used for data masking, but the main ones are:
1. Substitution: Swapping out real data for fake data, such as changing customer addresses.
2. Shuffling: Randomly shuffling one column of a database so that they don’t match their original records e.g. changing date of births so that they don’t correspond with the correct customer.
3. Date-switching: Changing dates by a fixed amount of time (such as 100 days) to ensure real dates aren’t visible.
4. Nulling or blurring: Replacing some or all of the characters of a data field with null values or other characters, like asterisks or ‘X’.
5. Lookup substitution: Masking a production database with an added lookup table that provides alternative values to the original data, allowing you to use realistic data for testing without overexposure.
6. Encryption: Using a cipher to create ciphertext, which can only be read with a decryption key.
7. Tokenisation: Replacing sensitive data with unique identifiers called ‘tokens’.
Expert tip - Rich Vibert, CEO of Metomic: “The type of technique you choose to use will depend entirely on what you’re using the data for, and how sensitive your data is. For example, if you’re handling sensitive data that absolutely cannot get in the wrong hands, you might choose to go down the more complicated route of encryption, because it’s worth your while. Whatever technique you choose to use, you’ll be enhancing the security of your data, which is vital in a world where data breaches are happening almost every day.”
In general, data masking can help you comply with GDPR as it stops sensitive data being exposed to those who shouldn’t have access to it. When it’s working correctly, and can’t be traced back to the original data, it can be a great tool to have in your arsenal.
But you should bear in mind that data masking alone won’t be enough to comply fully with GDPR. You should also have measures in place to understand how you’re getting consent for data collection, and what you’re using that data for.
As with everything, there are a few limitations that come with data masking, including:
Expert tip - Rich Vibert, CEO of Metomic: “Take the time to get it done properly from the beginning. There’s no point investing in tools that can help you mask the data if they’re not going to work for your benefit. Make this a priority, and set time aside to implement it correctly.”
Your data security posture should be comprehensive, and take into account all of the places your sensitive data could be stored, including your SaaS apps.
We use data masking to ensure that the data we hold for our customers is protected, and secure.
Find out how we helped leading insurance provider, Zego to take back control of their sensitive data, https://metomic.io/blog/how-zego-protects-their-google-docs-around-the-clock.