Also known as data anonymization or pseudonymization, data masking is used to reduce the unnecessary spread and exposure of sensitive data within an organization—protecting it while simultaneously maintaining its usability. Data masking replaces real data with functional fictitious data so that it can be used safely in situations where actual data is not needed. Gartner describes it as a technology that “can dynamically or statistically protect sensitive data by replacing it with fictitious data that looks realistic to prevent data loss in different use cases.”
Data masking can protect many forms of sensitive data, including (but not limited to):
- Personally identifiable information (PII)
- Protected health information (PHI)
- Payment card information (subject to PCI-DSS regulation)
- Intellectual property (subject to ITAR and EAR regulations)
With data masking, data values are changed while data formats remain unchanged. For example, credit card numbers have a 16-digit format that looks like this: 1234-5678-9123-4567. Masking data changes the numbers, but maintains the same 16-digit format. Using the example above, the masked credit card number could become: 9876-5432-1987-6543. Data masking uses several methods to alter sensitive data, including character or number substitution, character shuffling, or the use of algorithms to generate random data that has the same properties as the original data.
Given the high priority need for organizations to protect their sensitive data, here are three top reasons IT security practitioners should include data masking in their broader data security strategy.
1) Protect Non-Production Data
For many organizations it’s often necessary to make copies of production data for non-production use. Examples include:
- Application development and testing
- Personnel training
- Business analytics modeling
Having one or more copies of sensitive data floating around increases your risk of it falling into the wrong hands.
While enabling the safe sharing/copying/use of sensitive data, masking lets you protect those data sets, and meet compliance requirements (see Comply with GDPR below), without hampering your business operations.
New deployments or upgrades involve testing against non-production data that will ultimately be diced, sliced and stored. If left unprotected, production data in non-production environments might be accessed by contractors or offshore workers, and possibly moved across locations via the cloud or removable media. And there may be more than one such data set at large. All of it is at risk.
So long as your data remains usable for non-production purposes, masking can control the spread of real data that could be vulnerable to a breach or outright theft. It also reduces your organization’s potential attack surface.
2) Protect Against Insider Threats
Trusted employees who are already inside perimeter defenses—developers, trainers, business analysts—may have a legitimate need to access data, but may not need access to real production data.
In one report data protection software company Camouflage (acquired by Imperva) states, “…the true threat to today’s organizations may in fact be from within; the threat level from insiders should not be underestimated.” A [2013] study from the Open Security Foundation found that while insiders accounted for 19.5% of incidents, they were responsible for 66.77% of the exposed data.1 The Ponemon Institute “estimates that 88% of all security breaches involve insider negligence.” Considering the health care realm alone, founder Dr. Larry Ponemon states, “Internal problems such as mistakes—unintentional employee actions, third-party snafus, and stolen computing devices—account for the other half of data breaches.”
By masking sensitive production data, organizations liberate the data employees need to get their jobs done while reducing the risk of a data breach from a malicious, careless or compromised insiders.
3) Comply with GDPR
The European Union has passed the General Data Protection Regulation (GDPR), a new regulation that takes effect in May of 2018. Intended to strengthen and unify personal data protection, in part it’s a reaction to data breaches affecting EU citizens.
And the penalties for non-compliance have some bite. According to the International Association of Privacy Professionals (IAPP), imposed GDPR sanctions can include:
- A written warning in cases of first and nonintentional noncompliance
- Regular periodic data protection audits
- A fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover
of the preceding financial year for enterprises, whichever is greater - A fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover
of the preceding financial year for enterprises, whichever is greater
GDPR introduces two key concepts: data minimization and pseudonymization as ways to protect citizens’ privacy rights while letting data controllers use collected data for other purposes.
GDPR requires that organizations practice data minimization, which is that they collect and use data limited to what is necessary for a specific purpose, retain it no longer than necessary and not make it available to an indefinite number of people. As an example2, if an insurance company collects personal information for the purposes of issuing a policy, and they now want to analyze this data collected from their clients to improve pricing of policies, they would not be able to do it because the personal data collected for one purpose (e.g., issuing a policy) cannot be used for a new purpose (e.g., creating a database for pricing analysis). However, if the data is pseudonymized or anonymized via data masking, then they could use the masked database for pricing analysis.
Pseudonymization can also be used to meet GDPR’s data security requirements. Article 32 lays out the main provisions of what an organization must do to secure personal data, with personal data encryption and pseudonymization being specifically called out. Data masking is a means to pseudonymize data, especially in non-production data environments such as application development and testing, training and analytics. By replacing sensitive data with realistic, fictitious data, data masking solutions help organizations comply with key GDPR requirements.
To learn more about data masking download our whitepaper, Beginner’s Guide to Data Masking.
Get started with GDPR compliance: navigate the data privacy and security requirements.
[1] Report Data Breach Quick View, Open Security Foundation, 2015
[2] Blog Chapter 6: Data Protection Principles – Unlocking the EU General Data Protection Regulation, White & Case, July 2016
Try Imperva for Free
Protect your business for 30 days on Imperva.
