In today’s increasingly distributed workplaces, the need for data protection is at an all-time high. As of February 2022, 42% of remote-capable employees have a hybrid schedule that combines working from home and being in the office. An additional 39% work exclusively off-site.
This shift to remote and hybrid work increases the risk of sensitive data exposure. Accessing and sharing data from many devices, over networks the organization does not control, creates new avenues for unauthorized access.
There are a number of processes available to protect and secure your data. Two of the most common techniques are data masking and data encryption. In this article, we will explore what data masking is, how it differs from encryption, and how they work together for improved cybersecurity.
What is Data Masking?
Making something appear different from its actual form is known as obfuscation. Data obfuscation, or data masking, protects sensitive elements in one or more databases, such as:
- Personally identifiable information (PII)
- Payment card and other financial information
- Intellectual property
- Protected health information (PHI)
- Commercially sensitive information
To ensure data privacy, data masking replaces real values with realistic but fictitious ones of the same type and format. For example, replacing customer names with standard placeholders (e.g., ‘John Doe,’ ‘Jane Doe’) keeps the column's format and length intact while preventing anyone who sees the masked copy from identifying the real customers.
By masking sensitive information, you are able to retain and share the data across systems and databases while minimizing security risks. There are two main forms of data masking: static and dynamic.
Static data masking protects sensitive data when it is copied out of the production environment for research, troubleshooting, analytics, or reporting. A copy of the data is masked and loaded into a separate database or external environment, where it can be shared with internal and external stakeholders. This is a one-way, irreversible process: the substitution is not keyed, so there is nothing that can turn the masked copy back into the original, which is what makes it safe for testing, training, and development.
Dynamic data masking, by comparison, masks data in real-time production environments. It does not require a secondary database to hold the masked data. Instead, masking is applied to each query result as it is returned: authorized users see the original, unaltered values, and unauthorized users see masked values. Two caveats follow from that design. The real data still sits in the database, so dynamic masking is an access-control layer, not a substitute for encryption at rest; and because filters and joins run against the real values, a user who can write arbitrary queries may be able to infer masked values (for example, by filtering on a prefix), so the masking policy must be paired with query restrictions and auditing.
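The two forms described above, as an added example that is not code from the original article. It builds a static masked copy of a constructed customer table (the substitution maps live only inside the call and are discarded, so the copy cannot be reversed, yet the same real value always gets the same fake value so joins still work) and then applies dynamic, per-role masking to a single stored row. The role names, field layout and substitution rules are assumptions made for the example.

```python
"""Static vs. dynamic data masking over a constructed customer table.

Added illustration, not code from the original article. The records, role
names and substitution rules below are assumptions made for the example.
"""
import re
import secrets
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Customer:
    customer_id: int
    name: str
    ssn: str
    email: str
    balance: float  # left in the clear: the analytics use case needs it


SSN_PATTERN = re.compile(r"\d{3}-\d{2}-\d{4}")


def looks_like_ssn(value: str) -> bool:
    """Format check used to confirm the mask preserved the column's shape."""
    return SSN_PATTERN.fullmatch(value) is not None


def fake_ssn() -> str:
    # Format-preserving random value. Area numbers 900-999 are not issued by
    # the SSA, so a fake value can never collide with a real person's SSN.
    return (f"{900 + secrets.randbelow(100):03d}-"
            f"{secrets.randbelow(100):02d}-"
            f"{secrets.randbelow(10000):04d}")


def mask_email(email: str) -> str:
    """Keep the domain (useful for analytics), hide the local part."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"


# ---- Static masking: produce a one-way masked copy for non-production ----

def static_mask(rows: List[Customer]) -> List[Customer]:
    """Return a masked copy of the table.

    The substitution tables exist only inside this call and are discarded on
    return, so there is no key or lookup with which to reverse the copy.
    Substitution is consistent within the run: the same real name or SSN
    always maps to the same fake value, so joins, duplicate detection and
    group-by behave as they do in production.
    """
    name_map: Dict[str, str] = {}
    ssn_map: Dict[str, str] = {}
    masked: List[Customer] = []
    for row in rows:
        if row.name not in name_map:
            name_map[row.name] = f"Customer {len(name_map) + 1:04d}"
        if row.ssn not in ssn_map:
            ssn_map[row.ssn] = fake_ssn()
        masked.append(replace(
            row,
            name=name_map[row.name],
            ssn=ssn_map[row.ssn],
            # Synthetic address on a reserved domain: never routable.
            email=f"user{row.customer_id}@example.invalid",
        ))
    return masked


# ---- Dynamic masking: same stored row, different view per requester ----

def dynamic_view(row: Customer, role: str) -> Customer:
    """Mask on read. The stored row is never modified; only the response is."""
    if role in ("fraud_analyst", "dba"):
        return row  # authorised: full values
    if role == "support":
        # Partial mask: enough to confirm identity on a call, nothing more.
        return replace(row, ssn="XXX-XX-" + row.ssn[-4:],
                       email=mask_email(row.email))
    # Everyone else sees fully redacted identifiers.
    return replace(row, name="REDACTED", ssn="XXX-XX-XXXX", email="REDACTED")


# Constructed sample data (not real people). Row 3 repeats row 1's identity.
SAMPLE = [
    Customer(1, "Alice Smith", "123-45-6789", "alice@corp.example", 120.50),
    Customer(2, "Bob Jones", "987-65-4321", "bob@corp.example", 88.00),
    Customer(3, "Alice Smith", "123-45-6789", "alice.s@corp.example", 5.25),
]

if __name__ == "__main__":
    for r in static_mask(SAMPLE):
        print("static  ", r)
    for role in ("dba", "support", "marketing"):
        print(f"{role:9}", dynamic_view(SAMPLE[0], role))
```

Note that `static_mask` never touches `SAMPLE`; it returns a new list, which is the point of a static copy. The non-sensitive `balance` column is carried through unchanged so that reports run on the masked copy produce the same totals as production.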
How is Data Masking Different Than Data Encryption?
Data encryption and data masking are distinct methods of data protection. They are designed to solve different problems related to data security.
Encryption uses a cipher and a secret key to transform readable plaintext into ciphertext that reveals nothing about the original without the key. It is widely used to protect sensitive data against external threats, such as an attacker who steals a disk, a backup, or a network capture. Because ciphertext is unusable until it is decrypted, encryption is best suited to data at rest and in transit, where nobody needs to read the data while it is protected.
Data masking is especially useful for data in use, which is data that is being directly accessed by one or more users. For example, teams often need realistic data in non-production environments such as quality assurance, development, and testing. Masking produces realistic values that preserve the format and referential integrity those processes depend on without exposing the sensitive originals. This safeguards data from internal threats, both malicious misuse and unintentional errors such as a test database being left exposed.
Static data masking is irreversible: once a copy has been masked, there is no key or procedure that recovers the originals, which is exactly why a masked copy can be handed to a lower-trust environment. Encryption is reversible by design: anyone holding the correct key can restore the ciphertext to its original form. That reversibility is what makes encryption useful, but it also concentrates risk in the key. If the key is lost or deleted, the data is gone; if the key is stolen, the ciphertext no longer protects anything. Key management (generation, storage, rotation, and access control) therefore matters as much as the choice of cipher.
How Data Masking and Data Encryption Work Together
Encryption and masking are effective methods of guarding against unauthorized access and improper use of sensitive data. Encryption is commonly employed to protect data at rest and in transit. If the network or system is compromised or data transfer is intercepted, encryption renders the data useless to the unauthorized user.
Data masking is more appropriate for data in use. This is because masking hides data from unauthorized users without impacting its usability. As data circulates or is accessed in non-production environments, it is desensitized and protected against internal and external threats.
Highly regulated industries often use a combination of masking and encryption to comply with data privacy laws. Three common examples follow.
Health Insurance Portability and Accountability Act (HIPAA)
Any organization that creates, receives, maintains, or transmits protected health information (PHI) is subject to HIPAA. Protection of electronic PHI at rest and in transit is addressed by the HIPAA Security Rule, which specifies administrative, physical, and technical safeguards.
According to the Department of Health and Human Services (HHS), encryption reduces the risk of unauthorized exposure or theft of PHI. Title 45 of the Code of Federal Regulations (CFR), Section 164.312(a)(2)(iv), directs covered entities and business associates to “implement a mechanism to encrypt and decrypt electronic protected health information.” This is an “addressable” implementation specification rather than an absolute mandate: an entity that decides not to encrypt must document why encryption is not reasonable and appropriate in its environment and implement an equivalent alternative measure, so in practice encryption is the default answer.
HIPAA rules also seek to preserve the privacy of individually identifiable health information (IIHI). This is information that can be linked to a specific person, so the use and disclosure of IIHI has restrictions to protect the individual’s privacy.
Data masking enables HIPAA covered entities to use and share health data without violating privacy rules. Under the Safe Harbor method in 45 CFR Section 164.514(b)(2), a data set is de-identified once 18 categories of identifiers relating to the individual and to their relatives, employers, and household members have been removed, and the entity has no actual knowledge that the remaining information could identify the individual. Those identifiers include (the list here is not exhaustive):
- Names
- Social Security numbers
- Telephone numbers
- Medical record numbers
- Biometric identifiers (e.g., fingerprints, voice)
- Full-face photos
- Certificate or license numbers
- Device identifiers and serial numbers
Once a data set has been de-identified in this way it is no longer PHI, the Privacy Rule's use and disclosure restrictions no longer apply, and it can be shared for uses such as medical studies and assessments. A masking tool that replaces rather than deletes these fields must still ensure the replacement values cannot be linked back to the individual, otherwise the data set is not de-identified.
Payment Card Industry Data Security Standard (PCI DSS)
The storage, processing, and transmission of cardholder data is governed by PCI DSS. The standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC), not by a government body; non-compliance is enforced contractually, with fines and other penalties imposed by the payment brands and acquiring banks rather than by the PCI SSC itself.
PCI DSS Requirement 3 covers the protection of stored account data. Account data consists of the following:
- Cardholder data: the Primary Account Number (PAN), which is the card number displayed on the front of the card, together with the cardholder's name, the card expiration date, and the service code.
- Sensitive Authentication Data (SAD): full track data from the magnetic stripe or chip, the PIN or PIN block, and the card verification value (CVV2/CVC2/CID).
Cardholder name, expiration date, and service code may be stored, subject to the standard's general protection requirements. The PAN, wherever it is stored, must be rendered unreadable using truncation, one-way hashing, index tokens, or strong cryptography. SAD must not be retained after authorization, even in encrypted form; the only exception is an issuer (or a company supporting issuing services) with a legitimate business need.
Encryption protects account data when it is stored or in transit, while masking preserves confidentiality when data is shared or displayed. This matters most for the PAN, which is targeted because it is enough on its own to commit card-not-present fraud. PCI DSS requires the PAN to be masked when displayed, so that at most the first six (the BIN) and last four digits are visible, and only personnel with a legitimate business need may see more. The display requirement applies to every medium, including computer screens, receipts, reports, and faxes.
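The display rule just described, as an added example that is not code from the original article. The function enforces the first-six/last-four cap itself rather than trusting callers, and it validates that the input is a plausible PAN (13 to 19 digits that pass the Luhn check) before masking, so that a routine meant to hide data can never echo arbitrary input back. The card numbers are the payment brands' published test numbers, not real cards; the function names are the example's own.

```python
"""Display masking of a primary account number (PAN) under PCI DSS.

Added illustration, not code from the original article. The card numbers
used are the payment brands' published test numbers, not real cards.
"""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum, which every genuine PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip the spaces and dashes people type, then insist the result is a
    plausible PAN (13-19 digits, Luhn-valid). Refusing garbage matters: a mask
    routine that echoes arbitrary input back can leak whatever it was given."""
    digits = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{13,19}", digits) or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return digits


def mask_pan(raw: str, lead: int = 6, trail: int = 4) -> str:
    """Mask a PAN for display.

    PCI DSS caps what may be shown at the first six and last four digits
    (v3.2.1 Requirement 3.3; v4.0 Requirement 3.4.1 phrases it as BIN plus
    last four). Callers may show fewer, never more, so the cap is enforced
    here rather than left to each caller.
    """
    if not (0 <= lead <= 6 and 0 <= trail <= 4):
        raise ValueError("PCI DSS display cap: at most first six and last four")
    pan = normalize_pan(raw)
    hidden = len(pan) - lead - trail
    return pan[:lead] + "X" * hidden + pan[len(pan) - trail:]


def receipt_line(raw: str) -> str:
    """Customer-facing receipts need only the last four digits."""
    return "CARD ****" + mask_pan(raw, lead=0, trail=4)[-4:]


if __name__ == "__main__":
    for pan in ("4111 1111 1111 1111", "378282246310005", "4111-1111-1111-1112"):
        try:
            print(mask_pan(pan), receipt_line(pan))
        except ValueError as exc:
            print(f"{pan!r}: {exc}")
```

The masked string deliberately uses a fixed filler character rather than preserving the original digits' positions with a different symbol, so the masked form carries no more information than the allowed digits. Truncation for storage is a separate requirement with its own rules and is not what this function does.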
General Data Protection Regulation (GDPR)
Organizations subject to the GDPR must meet two comprehensive compliance categories: data protection and data privacy. Data protection safeguards against unauthorized access, while data privacy addresses how data is used and for what purposes.
The GDPR treats encryption as a core security measure. To protect personal data and reduce the risks associated with storage and transfer, Recital 83 specifically recommends “using techniques such as encryption.”
Data masking supports the GDPR's data minimisation principle (Article 5(1)(c)). By replacing real identifiers, organizations can use personal data for analytics, testing, and other support processes while substantially reducing the risk to the individuals concerned.
The GDPR's term for this kind of processing is pseudonymisation, defined in Article 4(5) as processing personal data so that it can no longer be attributed to a specific person without additional information that is kept separately and protected. Two points matter for practitioners. First, pseudonymised data is still personal data under the GDPR (Recital 26); only data that is truly anonymised, so that no one can re-identify the individual, falls outside its scope. Second, the strength of a pseudonymisation scheme rests on that separately held additional information: a keyed token whose key is locked away is pseudonymisation, while an unkeyed hash of a low-entropy identifier is not, because anyone can recompute it. Pseudonymisation is referenced throughout the Articles and Recitals:
- Article 6(4) identifies pseudonymisation and encryption as appropriate safeguards when data is processed for a purpose other than the one for which it was collected.
- Article 25 cites pseudonymisation as an appropriate technical and organizational measure for data protection by design and by default.
- Article 32 lists the pseudonymisation and encryption of personal data among the measures that provide security of processing.
- Article 89 lists data minimisation and pseudonymisation as appropriate safeguards when data is processed for archiving, research, or statistical purposes.
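Pseudonymisation as the GDPR defines it, as an added example that is not code from the original article. Identifiers are replaced by an HMAC-SHA-256 token under a key held apart from the data set: the same identifier always yields the same token, so the pseudonymised records still join, but only the key holder can compute or check a token, which is also why they (and only they) can re-identify a record. For contrast, the block shows that an unkeyed hash of the same small identifier space is broken by simple enumeration. The patient identifiers, field names and key are constructed for the example.

```python
"""Pseudonymisation in the GDPR Article 4(5) sense, and why it is not
anonymisation. Added illustration, not code from the original article; the
patient identifiers and key below are constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace an identifier with a keyed token (HMAC-SHA-256).

    The same identifier under the same key always yields the same token, so
    the pseudonymised data set still joins and deduplicates correctly. The key
    is the 'additional information' the GDPR requires to be kept separately:
    without it the token can be neither computed nor checked.
    """
    canonical = identifier.strip().upper().encode()   # one token per person
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymize_records(rows: List[dict], key: bytes, field: str) -> List[dict]:
    """Return a copy of the rows with one identifier field tokenised."""
    return [{**row, field: pseudonymize(row[field], key)} for row in rows]


def reidentify(token: str, known_ids: Iterable[str], key: bytes) -> Optional[str]:
    """Whoever holds the key can link a token back to a known identifier by
    recomputing tokens. This reversibility is why pseudonymised data remains
    personal data under the GDPR (Recital 26), unlike anonymised data."""
    for candidate in known_ids:
        if hmac.compare_digest(pseudonymize(candidate, key), token):
            return candidate
    return None


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 is a common but inadequate substitute: there is no
    secret, so anyone can enumerate a small identifier space and match."""
    return hashlib.sha256(identifier.strip().upper().encode()).hexdigest()


def break_naive(token: str, id_space: Iterable[str]) -> Optional[str]:
    """Dictionary attack against the unkeyed hash: no key needed."""
    return next((c for c in id_space if naive_hash(c) == token), None)


# Constructed identifier space: 10,000 patient numbers P0000..P9999.
PATIENT_IDS = [f"P{n:04d}" for n in range(10_000)]

if __name__ == "__main__":
    key = secrets.token_bytes(32)           # kept apart from the data set
    rows = [{"patient": "P1234", "dx": "J45"}, {"patient": "p1234 ", "dx": "E11"}]
    out = pseudonymize_records(rows, key, "patient")
    print(out[0]["patient"] == out[1]["patient"])     # same person, same token
    print(reidentify(out[0]["patient"], PATIENT_IDS, key))                       # P1234
    print(reidentify(out[0]["patient"], PATIENT_IDS, secrets.token_bytes(32)))   # None
    print(break_naive(naive_hash("P1234"), PATIENT_IDS))    # P1234, no key needed
```

The enumeration in `break_naive` is the whole argument for keying: a 9-digit SSN, a 10-digit phone number, or a hospital's patient-number range is small enough that an unkeyed hash protects nothing. If re-identification must never be possible, the tokens should be generated without a key (for example, by the random substitution used in static masking) and the mapping discarded, which moves the data from pseudonymised toward anonymised.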
Protect Sensitive Data with Masking and Encryption
Whenever you collect, store, or transfer sensitive data, you must take appropriate steps to keep it secure. Using data masking and encryption together covers the three states the data passes through: encryption for data at rest and in transit, masking for data in use.
To protect crucial data with simplified file encryption, organizations look to solutions such as WinZip® Enterprise. With powerful AES encryption that complies with Federal Information Processing Standards (FIPS), your sensitive information is protected at rest and in transit.
Pairing WinZip Enterprise with leading data masking tools makes for comprehensive data security. WinZip Enterprise is fully customizable, giving IT administrators granular control over encryption standards, password policies, backup schedules, and more.