With an overabundance of information being stored or created in electronic format, and various tools for turning data (i.e., personally identifiable information, intellectual property, credit card) into cash, goods, and other services, the risks of doing business have increased. We are hearing more and more about attacks where the target is sensitive data, and the perpetrators are those with elevated levels of trust and access within the business.
There is an assortment of different protection options in the market today, including encryption and data masking. Each of them is designed to ensure data protection. Most people know about data encryption which is the process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read it, but that authorized parties can.
After reading this June 2012 post “Encryption Won’t Always Save You, but it Certainly Will Cost You”, it appears Gartner IT1 Security and Risk Management Strategies team member Ramon Krikken infers that due to encryption limitations and high cost, an organization’s money might be better spent on different preventative controls to prevent insider threat and protect sensitive data.
Because of this statement, I contacted Kevin Duggan, CEO of Camouflage Software Inc., a data masking software company based in St. John’s, Newfoundland & Labrador, to find out more about data masking and what makes it different from encryption.
What is data masking?
Quickly emerging as a standard in data security and protection, data masking is a method of creating structurally similar but inauthentic versions of an organization’s data that can be used for purposes such as software testing, development and user training (SearchSecurity).
The format of data remains the same; only the values are changed. The data may be altered in a number of ways, including encryption, character shuffling and character or word substitution.
When asked why an organization might consider data masking instead of, or in addition to, encryption as part of their overall data protection strategy, Kevin said that,
While both encryption and data masking have their place within an organization’s data protection strategy, one of the major limitations of encryption that data masking helps overcome is in mitigating the insider threat within an organization in a way that is least impactful to the day-to-day operation of the business.”
The insider threat
Within almost any organization there is a risk associated with data breaches: unauthorized individuals viewing and potentially leaking personally identifiable and other sensitive pieces of information that reside in your databases and applications. While these types of threats are most often associated with malicious outside hackers, according to a 2012 study conducted by the Ponemon Institute, 88 percent of breaches come from inside an organization while only 1 percent are committed by hackers. These insider threats could be regular full-time employees, part-time employees and interns, temporary workers, former employees brought back for special projects, or outsourced employees and vendors.
The cost of a data breach event can be quite alarming and high. The most expensive data breach event discussed in the above study cost a company nearly $31 million to resolve, while the least expensive was $750,000. The study also indicates that the average data breach costs $7.2 million to fully remediate.
How sensitive data gets exposed to insiders
Insiders can often be, sometimes inadvertently, exposed to sensitive data when real world production data is inappropriately used for typical business activities like software application development, testing, training, and data mining for business intelligence. While these types of ongoing business activities are common and generally thought to be harmless, the harm arises when a sensitive piece of information ends up in the hands of a person with malicious intent.
So the dilemma becomes how can you put your sensitive data on lock down, without disrupting the key processes and core operation of your company? After all, these ongoing activities are vital to the successful operation of an organization, and are there to contribute toward the objectives of the business — hence the necessity of having them exist in the first place.
How data masking differs from encryption
Kevin Duggan states,
that the fundamental difference between data masking and encryption is that when encrypted data is decrypted for use, it is reverted to the original data, whereas with masking, the original data is never exposed — masking conceals the identity behind the data while still allowing it to appear realistic. Because masked data is realistic but not real, the end users of the data can still productively use the data that you as an organization are trying to protect. They are only exposed to information at the level of detail they need to be effective in performing their jobs and not the gory details of a person’s sensitive information.”
The main issue that data masking overcomes is that it eliminates the need to outright prevent users from accessing sensitive data. While encryption is an effective means for securing data for storage and transportation, data masking can offer a similar level of security while still allowing ongoing use of the data, as if there were no security measures actually taken. In Kevin’s opinion,
depending on the intended usage of the data being protected, a company might want to consider a combination of both encryption and data masking, instead of just one or the other.”
Is data masking right for you?
When attempting to compare and evaluate different data protection technologies, one really needs to think about how their data is used and viewed by its users. It’s not a simple case of picking one technology over another; identifying the core use of the data you need to protect can steer you in the right direction.
If, based on the internal usage requirements of your sensitive data, data masking is something your organization might need, this best practices and selection criteria video featuring Gartner data masking analyst Joseph Feiman outlines a number of factors that you will want to keep in mind as you set about forming a data masking initiative, some of which include:
- The forces outside of your organization that may be driving the adoption of data masking in your industry;
- Application and database integrity as the two key principles of a data masking solution and what it takes to ensure both are in place;
- When it makes sense to build data masking in-house, vs. buy a commercial off the shelf (COTS) software product;
- Selection criteria for choosing a COTS data masking product from a software vendor
Is an enterprise class data masking solution (and related services) a requirement?
Data masking could be or become an essential requirement for your organization when one considers various perspectives (e.g., dynamic vs static, data masking best practices, cloud computing, big data, open data center alliances, cyberspace protection and security, privacy, insider threats, NIST guidelines, and so on); and this may be particularly true when one considers various potentially related considerations such as perhaps the principle of least privilege (which basically says that for such reasons as security and performance, individuals, operating systems, applications, and so on should have only the access they need for when needed). In any case, for a Toolkit that helps application development, database management, auditing, compliance and security specialists search for the data-masking vendor/technology that optimally suits enterprise objectives, see www.gartner.com/id=1165512.
I would like to convey my thanks to Kevin Duggan and his entire team (John Somerton, Shannon O’Brien, and all others) at Camouflage Software Inc. for allowing us to reach out to them. It is great when you can get input on a topic from inside a leading solution provider’s organization and we really appreciate it. Hats off to all at Camouflage for their contributions to a leading enterprise class data masking solution.
As always, comments are welcome.
Ron Richard, I.S.P., ITCP/IP3P