Data Masking Facts Vs Fiction
6/25/2021
With data breaches, malware attacks and frequent cases of ransomware making headlines, protecting sensitive data has become a necessity. Data privacy tools like data masking are the go-to method for many organizations as data masking not only takes care of the essential task of de-identifying sensitive data, but it also helps businesses meet the compliance requirements of data privacy laws like HIPAA, GDPR, CCPR and more.
But as with most things, there is a lot of misinformation, or “fake news” around data masking that stems from lack of understanding. One of the reasons data masking is so misunderstood is the sheer number of synonyms associated with this activity, like data de-identification, data anonymization, data pseudonymization, data obfuscation, data obscuring, and so on. Data masking is also often confused with data encryption, which is a different tool altogether.
In this blog, we’ll separate the myths from the facts, to help you make the best buying decision for your business.
Myth #1: Data Masking Is A Form Of Encryption
Wrong. Data masking is not encryption. There are similarities, like the fact that both methods replace data with different data, and both are considered security protection mechanisms. The fact is data masking and encryption differ by both purpose and implementation. (Discover more about this here.)
Essentially, data masking uses one-way data replacement and maintains the current data format and rules so that data retains its usefulness for testing and development.
Myth #2: Enterprise Data Masking Requires A Centralized System
While it is true that creating a centralized is system is difficult, from the perspective of k-anonymity it makes no difference who makes decisions. In the case of t-closeness and l-diversity, the closer the decision maker to the system the better.
Myth #3: We Can Always Re-Prioritize Data Masking Later
Most organizations are under pressures to deliver on-time. But the fact is, compliance requirements start from the very moment data is moved from the production environment to non-production. This is when data masking needs to take place. Implementing data masking later means that unauthorized staff have already had access to real data, which means automatic non-compliance with data privacy laws.
Myth #4: Backup-Restore Is Better Than Exporting To A Server
In this case, there are pros and cons for each scenario, but any process should be construed based on the particular needs of the business, not on common misconceptions. And remember, when you perform backup and restore, you'll inevitably use an app server anyway. Just because a utility is command prompt based, doesn’t mean it’s not an application.
Myth #5: "Safe Harbor" Is Enough
Not quite. HIPAA requires one of two methods to determine which sensitive information to anonymize: "Safe Harbor" and Expert Determination. You should always first establish if "Safe Harbor" anonymization methodology if the right choice for your needs. HIPAA states that "Safe Harbor permits a covered entity to consider data to be de-identified if it removes 18 types of identifiers (e.g., names, dates, and geocodes on populations with less than 20,000 inhabitants) and has no actual knowledge that the remaining information could be used to identify an individual, either alone or in combination with other information." If this does not apply to your activities, then Safe Harbor might not be enough.
As with any buying decision, choosing a data privacy solution requires identifying your own needs and researching which particular solution is best to meet those needs. Hush-Hush offers a free 7-day trial of all data privacy products, as well as free demos, to help DBAs, compliance officers and DevOps teams make the right choice for their organization.