What is Data Masking?

From 2011 to 2016, the number of cyber-attacks increased by over 700%, according to research from the Identity Theft Resource Center in 2016. This increase shows that more organizations across the private, public, and government sectors are being attacked each year than ever before, leaving more people susceptible to losing their personal financial information.

Data masking is a security discipline known by a variety of terms, including data obfuscation, data redaction, data sanitization, data scrambling and data de-identification. It is essentially a process that replaces the sensitive data sitting in multiple data sources with masked data: real data is swapped for fictitious yet contextually realistic data (Adam would become David, and Adam's passport number would go from G3339876 to E9879970). This increases the security of your information and documents against insider abuse and data breach damage, while still making sure that the protected information is easily accessible and usable for testing or analytics. This accessibility ensures that your business will continue to work while all the information is protected.

Reducing the number of attacks and their severity is considered best business practice. By adopting data masking, many organizations have increased security for protected health information (PHI), personally identifiable information (PII), or intellectual property (IP).



Data Privacy Regulations

Increasing security for PHI, PII, or IP can also help organizations meet security requirements or national compliance standards. Data masking is particularly integral to meeting the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). Though the mandates for the European Commission’s General Data Protection Regulation (GDPR) haven’t yet been released before it is set in motion in May 2018, data masking is believed to be a key strategy for meeting its standards.

Data Masking is Evolving

Data masking is also quickly evolving. While it was originally designed for non-production data protection, it is now used in production environments with masking in real time (dynamic data masking/intelligent redaction). The capabilities of data masking have also increased greatly, making this a productive security measure that your IT or Risk Management director should consider.

Data masking comes in two main forms: SDM and DDM. SDM stands for Static Data Masking and is best used in testing and training environments. DDM, which stands for Dynamic Data Masking, is best used for production environments. SDM is proactive masking, while DDM is real-time masking and redaction of selected content in a non-permanent format. DDM adds an additional security layer without a lot of labor-intensive front-end work for the user.

Dynamic Data Masking varies mainly by how it stores the data. Most DDMs act like a proxy: they are the “middle-men” between the application and storage tiers. Some DDMs work at the database kernel level and, in some instances, can work inside a web application.

The requirements for data masking have also evolved with the use of the technology and will continue to change with the ever-changing needs of security. Many well-known computer companies have taken the plunge into data masking, including IBM, Microsoft, Oracle, and a number of other tech companies. While most offer both SDM and DDM, some specialize in one or the other.

When considering data masking, it is recommended to use both SDM and DDM for the best security and protection. But obfuscation technologies should satisfy a simple rule: redacted data should be realistic, meaning that referential integrity needs to be maintained, so that testing and other critical operations can be carried out with the fictitious data.
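An added example (not code from the original article or from any vendor's product) of one way to keep referential integrity during static masking: a keyed, deterministic substitution that keeps the letter/digit layout of the passport number, applied to two tables so that masked rows still join. The key, name pool, table layout and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import string

# Assumption: masking secret held by the masking job, never shipped to test/dev.
KEY = b"constructed-demo-key"
# Constructed pool of replacement names; a real job would use a far larger one.
FAKE_NAMES = ["David", "Maria", "Chen", "Priya", "Omar", "Lena", "Tomas", "Aiko"]

def _digest(field: str, value: str) -> bytes:
    # Keyed and deterministic: the same input always yields the same mask.
    return hmac.new(KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()

def mask_name(name: str) -> str:
    idx = int.from_bytes(_digest("name", name)[:4], "big") % len(FAKE_NAMES)
    return FAKE_NAMES[idx]

def mask_like(field: str, value: str) -> str:
    """Swap letters for letters and digits for digits so the format survives."""
    d, out = _digest(field, value), []
    for i, ch in enumerate(value):
        b = d[i % len(d)]
        if ch.isdigit():
            out.append(string.digits[b % 10])
        elif ch.isalpha():
            alphabet = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            out.append(alphabet[b % 26])
        else:
            out.append(ch)  # keep separators such as '-' or ' '
    return "".join(out)

def mask_tables(customers, bookings):
    mc = [{"name": mask_name(c["name"]),
           "passport": mask_like("passport", c["passport"])} for c in customers]
    mb = [{**b, "passport": mask_like("passport", b["passport"])} for b in bookings]
    # Failure mode: two real keys masking to one value would merge customers.
    if len({c["passport"] for c in mc}) != len({c["passport"] for c in customers}):
        raise ValueError("masked key collision: rotate KEY or widen the format")
    return mc, mb

def flights_per_customer(customers, bookings):
    return sorted(sum(b["passport"] == c["passport"] for b in bookings) for c in customers)

# Constructed sample rows (not real data).
CUSTOMERS = [{"name": "Adam", "passport": "G3339876"},
             {"name": "Beth", "passport": "K1204455"}]
BOOKINGS = [{"passport": "G3339876", "flight": "LT100"},
            {"passport": "K1204455", "flight": "LT200"},
            {"passport": "G3339876", "flight": "LT300"}]
```

Because the substitution is derived from a key, the masked copy is only as safe as that key: anyone holding it can recompute the mask for a guessed passport number, so it belongs with the masking job rather than in the test environment.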

Unstructured Data Masking

Another key form of data masking is unstructured data redaction technology. Unstructured data masking redacts file types like Word, Excel, and PDF documents and protects those file types by replacing all sensitive information, like PII, PHI or IP, with fictitious data. Unstructured data masking is great for systematically desensitizing data for increased use throughout an organization. Data masking is a good stopgap measure and another level of protection for your business’ sensitive information.

Other data protection strategies 

Copy data virtualization is a more specialized and customized solution for your business. It creates a copy of the whole database, then grants permission to the copy and tracks any changes made. Any changes made to the data automatically update the original, which can be a great option for companies that do a lot of collaboration.

FPE, or Format Preserving Encryption, is perfect for data that needs to have its original form, including numbers, preserved. FPE is like SDM and DDM in that the data format is preserved, and it is reversible, returning the information to its original state. You can also implement access time based on entitlements with FPE. The main issue with encryption methods is the risk of sensitive data being reversed back into its original state; in fact, it needs to be reversed during use for testing or development, so there is no guarantee that, if a breach happens, the stolen data will not be compromised.

Although data masking is a known and widely adopted approach to data protection, it is becoming ever more relevant to today’s security standards as a way to prevent regulatory sanctions, limit testers’ and developers’ access to sensitive data, and maintain the capability to adequately perform testing without the risks associated with data breaches.

Furthermore, the need for masking and remediation is heading toward unstructured data files, the biggest chunk of enterprise data, which constitute ~80% of all enterprise data (and this is due to increase to 93% by 2020, according to IBM). It is a much-needed boost to protect your intellectual property, protected health information and personally identifiable information for your company and customers. Consider adding data masking for increased peace of mind. With many different implementations and customization strategies, there’s a data masking protocol that can be added to help secure your information quickly and easily.

LisbonTech is the only data security provider that has the capability to consistently and efficiently mask over 75+ unstructured data files, catering to a wide variety of common use cases that affect organizations of all sizes worldwide.

Request a Demo of our Unstructured Data Masking Solution (UDM) or a complimentary assessment of your unstructured data security requirements now to learn more.

