Blog
January 26, 2024

What is Data Masking? Techniques, Types & Best Practices to Keep Data Secure

Data masking should be a vital part of your security posture, as it can keep sensitive data protected from prying eyes. But what does it involve? And is it enough? Let’s dive right in and find out.

Key Points:

  • Data masking involves replacing sensitive data with scrambled or fake data for security. It protects sensitive information at rest or in transit and aids data sharing for testing or training.
  • It ensures compliance with regulations like GDPR and HIPAA, reduces data loss risks, enhances customer trust, and maintains business functionality.
  • Techniques include substitution, shuffling, encryption, and tokenisation.

What is data masking?

Data masking is a technique used by companies that handle sensitive data to make it more secure. It replaces sensitive data with scrambled or fake data, in order to throw off any bad actors who might gain access, and can protect sensitive data at rest or in transit.

If you need to share sensitive data for training or testing, data masking helps you do this in a way that protects the material, as well as being functional for use.

You should make sure you’ve mapped out where your sensitive data lives beforehand so you can understand what exactly you’ll need to mask.

Some examples of data masking include:

  • Replacing PII with symbols or characters
  • Scrambling the data (although this isn’t as secure). For instance, you could scramble the digits of a National Insurance or Social Security Number
  • Encrypting your data

Data masking enhances your data security, by reducing the risk of your data being leaked or misused.

Why is it important?

Sensitive data such as Personally Identifiable Information (PII) or Personal Health Information (PHI) needs to be protected for a number of reasons. Not only will you need to ensure it’s protected for legal reasons, but you also have a moral duty to your customers.

Here are a few more reasons why data masking is important for your business:

1. It can help you stay compliant with regulations like HIPAA and GDPR

Whether you’re in finance or healthcare, there will be data regulations you’ll need to comply with, such as PCI DSS, HIPAA, CCPA or GDPR. Data masking can help you meet these requirements and avoid hefty fines or reputational damage.

2. Keep your business running effectively

If you need to share data for testing or training purposes, data masking can help you produce a functional version of your data that can be shared safely.

3. Reduces the risk of data loss

With data scrambled or encrypted, the risk of data loss or misuse is reduced, because anything a bad actor manages to take is of little use without the original values or the key.

4. Increases customer trust

If customers know you’re doing everything you can to protect their data, you can increase loyalty with your customer base, and potentially win new business via recommendations too.

What are the different types of data masking?

There are a few different types of data masking that organisations can use to protect sensitive data, such as:

  1. Static data masking: This involves creating a new copy of the data that is entirely fictitious, in order to keep the original data anonymous. It ensures that the database can be used for non-production purposes.
  2. Dynamic data masking: The data is masked in real-time, depending on the user’s permissions. For example, an app user might only be able to see part of the data available, based on whether they’re an admin or not. In this scenario, the original database remains untouched.
  3. On-the-fly masking: On-the-fly data masking alters sensitive data in real-time with scrambled characters. Industries such as healthcare and finance can find this useful to work with realistic but protected datasets, and still comply with regulations.

Different companies might choose different methods based on how sensitive the data is, and what it’s being used for.
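To make the static/dynamic distinction concrete, here is an added Python example (not code from this post or from Metomic). It assumes a small in-memory customer table and three roles, `admin`, `support` and `analyst`; the field names and the per-role visibility rules are illustrative. Static masking writes a fully masked copy once, while dynamic masking leaves the stored rows untouched and masks at read time according to the caller's role, with unknown roles getting the strictest view.

```python
"""Added example (not from the Metomic post): static vs dynamic data masking.

Static masking produces a masked copy once, for non-production use.
Dynamic masking leaves the stored data untouched and masks at read time
according to the caller's role. Field names and roles are assumptions.
"""
import copy

# Constructed sample records (fictional people and identifiers).
CUSTOMERS = [
    {"id": 1, "name": "Ada Example", "email": "ada@example.com", "nino": "QQ123456C"},
    {"id": 2, "name": "Ben Sample", "email": "ben@example.com", "nino": "QQ654321A"},
]

SENSITIVE_FIELDS = ("name", "email", "nino")


def blur(value: str, keep_last: int = 0) -> str:
    """Replace every character except the last `keep_last` with 'X'."""
    if keep_last <= 0:
        return "X" * len(value)
    return "X" * (len(value) - keep_last) + value[-keep_last:]


def static_mask(rows: list[dict]) -> list[dict]:
    """Return a new, fully masked copy; the input rows are never modified."""
    masked = copy.deepcopy(rows)
    for row in masked:
        for field in SENSITIVE_FIELDS:
            row[field] = blur(row[field])
    return masked


# Per-role view rules for dynamic masking: how many trailing characters a role
# may see of each field. None means the field is shown unmasked.
ROLE_VISIBILITY = {
    "admin": {"name": None, "email": None, "nino": None},
    "support": {"name": None, "email": 4, "nino": 2},
    "analyst": {"name": 0, "email": 0, "nino": 0},
}


def dynamic_view(rows: list[dict], role: str) -> list[dict]:
    """Mask at read time based on role; unknown roles get the strictest view."""
    rules = ROLE_VISIBILITY.get(role, ROLE_VISIBILITY["analyst"])
    view = []
    for row in rows:
        out = dict(row)  # shallow copy: the stored row stays untouched
        for field, keep in rules.items():
            if keep is not None:
                out[field] = blur(out[field], keep)
        view.append(out)
    return view


if __name__ == "__main__":
    print("static copy:", static_mask(CUSTOMERS))
    print("support view:", dynamic_view(CUSTOMERS, "support"))
    print("stored rows unchanged:", CUSTOMERS)
```

The deny-by-default lookup in `dynamic_view` is the part worth copying: a role that nobody configured sees the least, not the most.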

What are the different techniques used for data masking?

There are numerous techniques used for data masking, but the main ones are:

1. Substitution: Swapping out real data for fake data, such as changing customer addresses.

2. Shuffling: Randomly shuffling one column of a database so that the values no longer match their original records, e.g. shuffling dates of birth so that they don’t correspond with the correct customer.

3. Date-switching: Changing dates by a fixed amount of time (such as 100 days) to ensure real dates aren’t visible.

4. Nulling or blurring: Replacing some or all of the characters of a data field with null values or other characters, like asterisks or ‘X’.

5. Lookup substitution: Masking a production database with an added lookup table that provides alternative values to the original data, allowing you to use realistic data for testing without overexposure.

6. Encryption: Using a cipher to create ciphertext, which can only be read with a decryption key.

7. Tokenisation: Replacing sensitive data with unique identifiers called ‘tokens’.
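The following added Python example (not this post’s or Metomic’s code) applies six of the seven techniques above to one constructed customer table: substitution, shuffling, date-switching, nulling/blurring, lookup substitution and vault-based tokenisation. Encryption is left out because the Python standard library ships no authenticated cipher; use a vetted library such as `cryptography` for that step. Field names, the fake address pool, the city lookup table and the 100-day shift are assumptions. The seeded RNG keeps test fixtures reproducible; tokens still come from `secrets`, since a guessable token would defeat the point.

```python
"""Added example (not from the Metomic post): masking techniques applied to a
constructed customer table. Field names, lookup values and offsets are assumptions."""
import random
import secrets
from datetime import date, timedelta

# Constructed sample rows (fictional people and numbers).
ROWS = [
    {"id": 1, "name": "Ada Example", "address": "1 High St", "dob": date(1990, 5, 17), "ssn": "123-45-6789", "city": "Leeds"},
    {"id": 2, "name": "Ben Sample", "address": "2 Mill Ln", "dob": date(1985, 11, 2), "ssn": "987-65-4321", "city": "York"},
    {"id": 3, "name": "Cy Demo", "address": "3 Park Rd", "dob": date(2001, 1, 30), "ssn": "555-55-5555", "city": "Hull"},
]

# 1. Substitution: replace a real value with a plausible fake one.
FAKE_ADDRESSES = ["10 Downing Way", "221B Baker Close", "42 Example Ave"]

def substitute(rows, field, fakes, rng):
    return [{**r, field: rng.choice(fakes)} for r in rows]

# 2. Shuffling: permute one column so values no longer line up with their rows.
def shuffle_column(rows, field, rng):
    values = [r[field] for r in rows]
    rng.shuffle(values)
    return [{**r, field: v} for r, v in zip(rows, values)]

# 3. Date-switching: shift every date by a fixed offset.
def shift_dates(rows, field, days=100):
    return [{**r, field: r[field] + timedelta(days=days)} for r in rows]

# 4. Nulling or blurring: drop the value, or mask all but the last few characters.
def null_out(rows, field):
    return [{**r, field: None} for r in rows]

def blur(rows, field, keep_last=4, mask_char="X"):
    out = []
    for r in rows:
        v = r[field]
        head, tail = (v[:-keep_last], v[-keep_last:]) if keep_last > 0 else (v, "")
        masked = "".join(mask_char if ch.isalnum() else ch for ch in head) + tail
        out.append({**r, field: masked})
    return out

# 5. Lookup substitution: consistent replacement through a lookup table.
CITY_LOOKUP = {"Leeds": "City A", "York": "City B", "Hull": "City C"}

def lookup_substitute(rows, field, table):
    return [{**r, field: table.get(r[field], "Unknown")} for r in rows]

# 7. Tokenisation: replace the value with a random token; the mapping lives in a
# vault that the masked dataset never travels with.
class TokenVault:
    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenise(self, value):
        if value in self._value_to_token:  # same input -> same token, so joins still work
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenise(self, token):
        return self._token_to_value[token]

def tokenise_column(rows, field, vault):
    return [{**r, field: vault.tokenise(r[field])} for r in rows]

def mask_for_testing(rows, vault, seed=0):
    """Compose the techniques into one masked copy for a test environment."""
    rng = random.Random(seed)  # reproducible fixtures; not used for tokens
    out = substitute(rows, "address", FAKE_ADDRESSES, rng)
    out = shuffle_column(out, "dob", rng)
    out = shift_dates(out, "dob", days=100)
    out = blur(out, "ssn", keep_last=4)
    out = lookup_substitute(out, "city", CITY_LOOKUP)
    out = tokenise_column(out, "name", vault)
    return out

if __name__ == "__main__":
    vault = TokenVault()
    for row in mask_for_testing(ROWS, vault, seed=7):
        print(row)
    print("nulled names:", [r["name"] for r in null_out(ROWS, "name")])
```

Every function returns new rows rather than mutating `ROWS`, which is what makes the result a static masked copy of the source.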

Expert tip - Rich Vibert, CEO of Metomic: “The type of technique you choose to use will depend entirely on what you’re using the data for, and how sensitive your data is. For example, if you’re handling sensitive data that absolutely cannot get in the wrong hands, you might choose to go down the more complicated route of encryption, because it’s worth your while. Whatever technique you choose to use, you’ll be enhancing the security of your data, which is vital in a world where data breaches are happening almost every day.”

Does data masking comply with GDPR?

In general, data masking can help you comply with GDPR as it stops sensitive data being exposed to those who shouldn’t have access to it. When it’s working correctly, and can’t be traced back to the original data, it can be a great tool to have in your arsenal.

But you should bear in mind that data masking alone won’t be enough to comply fully with GDPR. You should also have measures in place to understand how you’re getting consent for data collection, and what you’re using that data for.

What are the limitations of data masking?

As with everything, there are a few limitations that come with data masking, including:

  1. Implementation can be a challenge: Time-poor security professionals who are juggling lots of tasks may not implement data masking effectively, leaving it vulnerable to bad actors who can reverse engineer the data to expose the original source.
     Expert tip - Rich Vibert, CEO of Metomic: “Take the time to get it done properly from the beginning. There’s no point investing in tools that can help you mask the data if they’re not going to work for your benefit. Make this a priority, and set time aside to implement it correctly.”
  2. Integration with employees’ work: Disrupting your employees isn’t ideal, and the time it takes to introduce this into the business can be difficult. You might also have to supply additional resources to ensure that business as usual can still continue.
  3. Balancing security and efficiency: Too much masking can mean the data you do have becomes unusable. You’ll need to find a balance between having enough security in place that the data is of no use to bad actors, but still usable for your team.
  4. Data leakage is still a risk: Data masking is a very effective security tool but it doesn’t entirely get rid of all your problems. As cyberattacks become ever more sophisticated, data leakage of masked data could prove difficult for your business, especially if the hackers know how to unscramble your data. However, masked data will always be more secure than unmasked data.
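Two of the limitations above, a sloppy implementation and the risk of re-linking masked records, can be caught before a masked copy leaves production. This added Python example (not from this post or from Metomic) is a leakage check run over a constructed original table and two masked copies of it: one done properly and one with a value left unmasked and a shuffle that kept some rows in place. Field names, the sample rows and the zero-tolerance threshold are assumptions.

```python
"""Added example (not from the Metomic post): a post-masking leakage check.

Given the original rows and a masked copy, it reports (a) replaced fields in
which an original value survives verbatim anywhere in the column, and (b)
shuffled fields in which a row kept its own value (a fixed point), since that
re-links the masked row to the real person. Sample data is constructed."""

# Constructed original rows (fictional numbers and dates).
ORIGINAL = [
    {"id": 1, "ssn": "123-45-6789", "dob": "1990-05-17"},
    {"id": 2, "ssn": "987-65-4321", "dob": "1985-11-02"},
    {"id": 3, "ssn": "555-55-5555", "dob": "2001-01-30"},
    {"id": 4, "ssn": "111-22-3333", "dob": "1977-07-07"},
]

# A properly masked copy: every SSN blurred, every date of birth moved to another row.
MASKED_GOOD = [
    {"id": 1, "ssn": "XXX-XX-6789", "dob": "1985-11-02"},
    {"id": 2, "ssn": "XXX-XX-4321", "dob": "2001-01-30"},
    {"id": 3, "ssn": "XXX-XX-5555", "dob": "1977-07-07"},
    {"id": 4, "ssn": "XXX-XX-3333", "dob": "1990-05-17"},
]

# A sloppy copy: one SSN never masked, and two rows kept their own date of birth.
MASKED_SLOPPY = [
    {"id": 1, "ssn": "123-45-6789", "dob": "1990-05-17"},
    {"id": 2, "ssn": "XXX-XX-4321", "dob": "1985-11-02"},
    {"id": 3, "ssn": "XXX-XX-5555", "dob": "1977-07-07"},
    {"id": 4, "ssn": "XXX-XX-3333", "dob": "2001-01-30"},
]


def leak_report(original, masked, replaced_fields, shuffled_fields, max_fixed_ratio=0.0):
    """Return findings keyed by field; an empty dict means every check passed."""
    if len(original) != len(masked):
        raise ValueError("original and masked copies must have the same row count")
    findings = {}
    # (a) Replaced fields: no original value may appear anywhere in the masked column.
    for field in replaced_fields:
        originals = {r[field] for r in original if r[field] is not None}
        survivors = sorted(v for v in {m[field] for m in masked} if v in originals)
        if survivors:
            findings[field] = {"surviving_values": survivors}
    # (b) Shuffled fields keep the same value set by design, so check row alignment instead.
    for field in shuffled_fields:
        fixed = sum(1 for o, m in zip(original, masked) if o[field] == m[field])
        ratio = fixed / len(original) if original else 0.0
        if ratio > max_fixed_ratio:
            findings[field] = {"fixed_points": fixed, "ratio": ratio}
    return findings


if __name__ == "__main__":
    print("good copy:", leak_report(ORIGINAL, MASKED_GOOD, ["ssn"], ["dob"]))
    print("sloppy copy:", leak_report(ORIGINAL, MASKED_SLOPPY, ["ssn"], ["dob"]))
```

Wire a check like this into the job that produces the masked copy and fail the job on any finding; a masked dataset that quietly carries one real value is the case the post warns about.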

How Metomic can help you

Your data security posture should be comprehensive, and take into account all of the places your sensitive data could be stored, including your SaaS apps.

We use data masking to ensure that the data we hold for our customers is protected, and secure.

Find out how we helped leading insurance provider Zego take back control of their sensitive data: https://metomic.io/blog/how-zego-protects-their-google-docs-around-the-clock.
