Why Data Masking
The Business Case
As the public demands a higher degree of protection, laws become stricter, and companies try to protect themselves by all possible means. The two most common measures are encryption and data masking.
Over the last decade, data masking (also known as data anonymization, data de-identification, and data obfuscation) has become mainstream in the IT functions of healthcare, financial, educational, government, and other types of organizations that hold sensitive personal data. Organizations use it to protect against internal threats, to hide sensitive information while exposing data to external users, and to exchange data with third parties.
Many organizations employ data masking to comply with legislation, while others use it as a preventative measure even if not obligated by law. There are reputational costs and class-action litigation costs, as well as credit check costs for financial institutions and fraud costs for health insurance organizations.
Compliance
Data Masking is a trusted and proven method of data protection that meets the requirements of data privacy laws such as the GDPR, HIPAA, CCPA, GLBA, FERPA and more. Data masking allows organizations to maintain the convenience of using their customers' data while removing any real identifiers. Using data masking, the data can be de-identified, so that personal information remains anonymous in the context of support, analytics, testing, or outsourcing.
Whether your business operates in the healthcare, financial, educational or government sector, data masking is a trusted method for meeting the requirements of the privacy laws relevant to your industry. The cost of non-compliance and data breaches is very high. The fines themselves could run into millions of dollars, according to multiple U.S. court rulings. "It is not only appropriate but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information," says Federal Trade Commission Chairwoman Edith Ramirez.
In development
Most businesses use test data for testing, QA, and training purposes outside of the development environment, but often don't give much thought to how that data is protected. Data masking protects data in non-production environments by substituting identifiable values like names, surnames, social security numbers, and credit card numbers with similar values that cannot be used to identify an individual. For this reason, data masking as part of the development cycle prevents security gaps from occurring in the normal flow of data in your organization and sanitizes data before it travels inside and outside the business.
Data Masking vs. Encryption
Both data masking and encryption are used to hide data's original values.
Yet they are not the same: they differ in both purpose and implementation.
The Purpose
The purpose of encryption is to hide data from the hacker. In data security classification, the hacker is an external threat and has no access to encryption keys. Both data in transit and data on the disk are well protected with encryption against hackers outside of the organization.
The purpose of data masking is to hide data from the developer, who often does have the encryption key. In addition, unless specific provision is made, encrypted data might not fit the predefined field sizes in storage, and it makes values extremely hard for the developer to comprehend. That difficulty in comprehension slows down development.
The Implementation
Encryption is a method in which the information or message to be communicated, referred to as plaintext, is transformed by an encryption algorithm into ciphertext that can be read only if decrypted. Thus the content of the information does not change; only its presentation does.
Data masking, or de-identification, is a method that changes the content of the information in such a way that it retains the form of its presentation yet completely loses the content. Statistical methods can sometimes guess the original values of some types of data masked with certain methods, but with certain precautions one can reduce the probability of re-identification.
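The contrast between the two implementations can be seen on a single row. The following is an added example, not code from this page or from any product it describes: it masks a constructed record by random substitution within each character class, checks that the form and column widths survive, and reports how much space the same field would need if encrypted. The row, the column widths, the function names, and the AES-GCM with base64 storage layout are all assumptions made for illustration.

```python
import secrets
import string

# Constructed sample row and a hypothetical schema (column widths in characters).
ROW = {"name": "Maria Jensen", "ssn": "123-45-6789", "card": "4111 1111 1111 1111"}
WIDTHS = {"name": 20, "ssn": 11, "card": 19}


def shape(value: str) -> str:
    """Form of a value: 9 = digit, A/a = letter, separators kept literally."""
    def cls(c: str) -> str:
        if c.isdigit():
            return "9"
        if c.isalpha():
            return "A" if c.isupper() else "a"
        return c
    return "".join(cls(c) for c in value)


def mask_value(value: str) -> str:
    """Swap each digit/letter for a random one of the same class.

    The result keeps length and separators but is not derived from the
    original content, so there is no key that turns it back.
    """
    pools = {"9": string.digits, "A": string.ascii_uppercase, "a": string.ascii_lowercase}
    return "".join(secrets.choice(pools[s]) if s in pools else s for s in shape(value))


def encrypted_len(value: str) -> int:
    """Stored size if the field were encrypted instead (assumption: AES-GCM
    with 12-byte nonce and 16-byte tag, the whole blob base64-encoded)."""
    raw = 12 + len(value.encode("utf-8")) + 16
    return 4 * ((raw + 2) // 3)


def mask_row(row: dict, widths: dict) -> dict:
    """Mask every field and verify form and column width are preserved."""
    masked = {k: mask_value(v) for k, v in row.items()}
    for k, v in masked.items():
        if shape(v) != shape(row[k]) or len(v) > widths[k]:
            raise ValueError(f"masked {k!r} no longer fits the schema")
    return masked


if __name__ == "__main__":
    for field, value in mask_row(ROW, WIDTHS).items():
        print(f"{field:5} masked={value!r:22} width={WIDTHS[field]:2} "
              f"encrypted would need {encrypted_len(ROW[field])} chars")
```

Purely random substitution breaks joins between tables that share the masked key, and it does not hide distributional facts such as name length, which is where the re-identification precautions mentioned above come in.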