Data Masking vs. Encryption: Methods For Protecting Business Data

Summary: This 3-minute article explains the benefits of data masking as part of your cyber security protocol. Learn the difference between data masking and encryption. Then, contact DIGIGUARD CYBER SECURITY at 833-33-CYBER (833-332-9237) or visit www.DIGIGUARDsecurity.com for a cyber risk analysis and to discuss your overall data protection solutions.

Rising cybercrime has led to an unprecedented focus on data protection for SMBs. Malware, ransomware, phishing and DDoS attacks are just a few of the many strikes designed and launched by nefarious cybercriminals. The good news is that IT experts continue to develop new, efficient and versatile methods for protecting your hard-earned business data.

What is Data Masking?

Wikipedia (https://en.wikipedia.org/wiki/Data_masking) defines data masking as follows: “Data masking or data obfuscation is the process of modifying sensitive data in such a way that it is of no or little value to unauthorized intruders while still being usable by software or authorized personnel. Data masking can also be referred to as anonymization or tokenization depending on different contexts.” Data masking is also known as data sanitization. One might ask, “Why can’t I encrypt all our company’s private data?” The problem is that although encryption is the most secure way of storing and sharing data, it is not an accessible format for data queries. If all private data were encrypted, engaging in searches based on data fields such as age, home address, marital status and many other personal data points would be impossible.

Data That Needs Masking

Only the most private and personal data should be masked. The main categories to be protected by masking are:

• Protected Health Information (PHI) – According to HIPAA law, all medical data stored by your healthcare provider must be highly secure. The protected health information includes any data that can identify any personal medical conditions, medical care, medical history, including previous health conditions, test results and insurance information.
• Credit Card Payment Information – The payment card industry standard requires vendors to provide robust cyber security protocols to lock down cardholders’ personal data.
• Personally Identifiable Information (PII) – Any data that can be used to identify an individual, including name and social security, driver’s license and passport numbers.
• Intellectual Property – Data related to creations of the mind, including inventions, business plans, designs, and specifications, have high value for an organization and must be protected from unauthorized access and theft.

There are three main categories of data masking:

• Dynamic – Dynamic data masking is a versatile approach that can alter information in real time when the data is accessed from the production dataset. This method ensures that only approved users can access the datasets, whereas users who do not have access privileges can only see masked data.
• Static – Static data masking makes a duplicate dataset of the original in which specific data is partially or totally masked. The original database is kept entirely separate from the duplicate one.
• On The Fly – On-the-fly masking alters private data as it is transferred from one environment to a target environment. It is “on the fly” in that it continuously alters data in the moment as required and authorized. This approach is excellent for businesses with high volumes of communication and data migration between systems, as it always maintains integration while ensuring that only authorized users access data.

Data Masking Techniques

There are several standard methods of data masking:

• Anonymization – Data anonymization entails encoding identifiers that automatically connect individuals to masked data. Anonymization protects the privacy of user activity while supporting the credibility of masked data.
• Pseudonymization – Data pseudonymization allows the swapping out of an original dataset with an alias or pseudonym. Pseudonymization is a flexible approach as it is completely reversible if required.
• Encryption – Certain data should be encrypted and require a password for access. However, encryption should be used in conjunction with other masking methods.
• Redaction – If your company’s sensitive data isn’t required for development or QA, it can be automatically replaced with generic values, ensuring no data has attributes that are part of the original dataset.
• Shuffling – Shuffling data scrambles masked private data so that specific data, though accessible, cannot be connected with the identity of individuals within the set. Shuffling is achieved by assigning private data to different elements. The data is there. However, it is not accessible to non-authorized users.
• Date Switching – Date switching protects dates that must be kept confidential. A date field can be altered to hide the real date. However, any change in the data field will have a global effect on all data in that field. In other words, date switching cannot be personalized. It will apply to all records containing those date fields.

Data masking is a handy cyber security tool for SMBs. However, whenever data is being manipulated in any way, care must be given to maintaining the integrity of the original data. Businesses rely on their data for many purposes. Therefore, it is not wise for average users to be charged with data masking. Too much is at stake. Hiring IT experts to assist and train you or a key team member to securely mask data would be well worth the expense.