What is the difference between data encryption and data masking?


What is the difference between data encryption and data masking?



Any company that handles customer data, be it payment card information (PCI), personally identifiable information (PII), or financial account numbers, needs to employ a certain level of data protection. 


Protecting sensitive customer data is essential for building and maintaining trust with your customers, but also forms part of your business’s risk management strategy that covers cybersecurity, compliance, and internal threats.  According to the FBI's 2019 Internet Crime Report, the total cost of reported cybercrimes last year was $3.5 billion.


In this article, we’ll break down the difference between the two most common forms of data protection – data masking and data encryption – so you can determine which method is right for your business. 


What is data encryption?


With data encryption, original, readable data or plaintext is converted to unreadable text or ciphertext using an encryption algorithm. A decryption key is needed to revert encoded data to a readable format.


Data encryption has been known to have several vulnerabilities. Cybercriminals can create programs to hack into encrypted data and access the information. Data encryption is also vulnerable to internal threats if the encryption key is not well protected. Plus if the encryption key is accidentally deleted, the encrypted data is lost forever. 


What is data masking?

Data masking, also known as de-identification, uses a masking algorithm to replace real data with similar values to essentially "mask" sensitive information such as names, credit card numbers, social security numbers, addresses, email addresses, phone numbers and more.

The data can be retained for testing and analytical purposes, but cannot be re-identified or leaked. 


Data masking meets the requirements of most privacy laws including GLBA, HIPAA, GDPR, PCI DSS, PIPEDA, CCPA, and more.


Differences in purpose and implementation

Both data masking and encryption are used to hide the data's original values, but they are not the same, both by purpose and by the implementation.


The purpose of data encryption is to hide data from cybercriminals – an external threat. With data encryption, both data in transit and data on the disk are well protected against hackers and outside threats.


With data encryption, the original content does not change, but the presentation of it does.


The purpose of data masking is to hide data from internal threats such as developers and anyone who can access an encryption key. Data masking algorithms can be used to anonymize data in databases, files, messages, in-memory during runtime – without impeding development time.


With data masking, the presentation of the data stays the same, but the content changes. 


Robust data privacy protection is essential for businesses that operate in the digital age. Every precaution needs to be taken to ensure the security and integrity of sensitive data. Risk officers can take comfort from the fact that tried and tested methods like data encryption and data masking both use sophisticated algorithms, which leave less room for error. However, while encryption offers adequate protection for sensitive data, encrypted data can still be decrypted. Data masking is irreversible, making it especially beneficial for data in use. 


How you choose to protect your data is up to you. If you think data masking is the right choice for your business, Hush-Hush offers a suite of patented data discovery and masking components to suit any size business.  


Request your free demo today. 

free demo

BuildNumber = dev_20210906.1