What is data masking?
Data masking, also known as data anonymisation or pseudonymisation, is the process of obscuring or masking sensitive data by replacing it with 'realistic' but not 'real' data. Ideally, this data will also be fully functional, preserve referential integrity and not 'break' the application.
The goal of data masking is to ensure no sensitive information is available outside of an authorised and secured production environment.
Four important reasons to mask sensitive data
1. Third party sharing
Sensitive Information often gets shared with external organisations. Usually this would be for outsourced application development, statistical analysis and for research purposes. Nobody can be trusted, nor should they be, so if the sensitive data is not masked, then an organisation is extremely vulnerable to a data breach.
2. Insider threat
Insider threat has become the biggest risk to organisations, and safeguarding against this is imperative. Research, advisory and consulting organisations recently published the following information:
Accenture & InformationWeek: Security breaches are increasingly coming from the inside.
Gartner: 70% of all security incidents come from insiders.
Forrester: 80% of threats come from insiders and 65% are undetected.
Insider threat is not limited to employees only; you also need to consider contractors, vendors and other third party companies doing work on your systems.
3. Sensitive data is not needed for business functions outside of a production environment
Development, functional testing, patching/upgrade cycles, performance/stress testing, business processes development, application integration/interfacing, training, data/statistical analysis and business intelligence have got no requirement for your personally identifiable information! Why would such processes need to know who you are or require your specific personal details rather than simply using realistic data that is not personally identifiable? If these business functions do require such specific sensitive information, then they need to be reclassified as production and suitable security measures implemented to secure this information.
4. Legislative compliance
Data masking is a specific requirement of the General Data Protection Regulation (GDPR). Many South African companies could be directly affected by GDPR, but more importantly, all South African companies are affected by POPI and are required to take adequate measures to protect personally identifiable information in their custody.
Typical sensitive data security breaches
Production databases are commonly copied into development, test and UAT environments to allow for better application development. Obviously, production is an easy source of large and varied quantities of data.
It is also generally assumed that production environments are properly secured and audited, whereas security in non-production environments is weak or non-existent.
Access to non-production environments is not managed or audited either.
Developers, testers, contractors and users have unrestricted access to sensitive information they would normally be prohibited from seeing.
And lastly, we all know that application schemas in development and test environments have very weak passwords that are never changed and are 'common knowledge' among the teams.
Risk mitigation
Masking all sensitive data that resides outside of a secured production environment reduces the risk of data leaks.
Masked data or data subsets provides development, test and UAT environments with realistic, varied data and data of sufficient volumes enabling more thorough and accurate testing, which in turn reduces implementation risk.
For more information on our data masking services, please contact us on:
info@encryptech.co.za
+27 11 593 2394
http://www.encryptech.co.za/
Share