Data security has become a priority for many organizations. As organizations collect increasing amounts of sensitive data and hackers cause more data breaches, the need to properly secure sensitive data grows. Additionally, data protection regulations like the EU’s General Data Privacy Regulation and the California Consumer Privacy Act (CCPA) have taken a hard line on protecting data privacy, with a broader definition of protected data and higher fines for non-compliance and breaches.
An important component of properly protecting sensitive data is implementing a data classification strategy. Different types of data have different levels of sensitivity and need to be protected at different levels. Without determining the sensitivity of data in their possession, organizations need to implement a “one size fits all” security policy that sacrifices some level of either security or usability.
Using data masking an organization can protect their sensitive data at the appropriate level while maintaining a high level of usability. Data masking algorithms can maintain varying levels of realism in the obfuscated data, allowing it to be protected to the degree necessary for its level of sensitivity.
Creating a Data Classification Strategy
Creating a data classification strategy is an important first step to protecting your organization’s sensitive data. Different data has different levels of sensitivity, and as we mentioned above, protecting your data isn’t a “one size fits all” type of problem. If data remains unclassified, it is much more likely that an unintentional data breach will occur simply because employees are unaware of the level of protections that a certain type of data requires.
Data classification strategies can be fairly simple. Training materials designed to help prepare for the Certified Information Systems Security Professional (CISSP), a well-respected cybersecurity certification exam, recommends a five-level data classification strategy:
- Sensitive: The most restrictive data classification. Sensitive data may be protected under “need to know” within an organization.
- Confidential: May cause damage to the company if disclosed.
- Private: Data kept secret for other reasons (i.e. payroll information)
- Proprietary: Information that is disclosed outside the company on a limited basis but may do harm if widely disclosed (i.e. product technical specifications)
- Public: Data that can be openly released outside the company (i.e. marketing materials).
By creating, implementing, and enforcing a data classification policy, organizations can dramatically increase their data security.
How Data Masking Can Help
Enforcing a data security strategy that protects each piece of data at its necessary level is the best approach from a security standpoint. This approach may be difficult from a usability standpoint; however, using a data masking solution can help.
Most people are familiar with the concept of using encryption for security. Encryption is a reversible operation where data is obfuscated using a secret key and can be deobfuscated by anyone with possession of the appropriate secret key. The primary limitation of encryption is that the encrypted data is completely random. Encryption is ideal for storing sensitive data and transferring it to authorized users, but it is black and white, with no gray area for “semi-authorized use”.
Data masking is designed to create a non-reversible but realistic obfuscation of data. Using a variety of different algorithms, sensitive data is transformed into obfuscated data that looks realistic. For example, a phone number that has data masking applied to it can be obfuscated as another phone number.
Data masking is a very flexible tool and is useful for protecting sensitive data due to the ability to use algorithms of varying levels of complexity. A data classification strategy can define different “levels” of obfuscation algorithms for different classes of data. By using data masking to obfuscate data sent to unauthorized users, organizations can secure their sensitive data without rendering the data completely unusuable for the client.
A valid “semi-authorized” use case for sensitive data is testing software designed to interact with the sensitive data eventually but is not currently trusted to do so. Under these circumstances, encryption is a poor choice since the encrypted data will not realistically mimic the true data. With data masking, the degree of realism of the obfuscated data depends on the algorithm used, so data with low sensitivity can be masked in a way that makes it similar to the real data, while more sensitive data can be better protected.
Securing Your Sensitive Data
Developing a data classification strategy and implementing it with a combination of data encryption and data masking is an important component of protecting an organization’s sensitive data. Without a data classification strategy, it is difficult for the organization and its employees to know how to properly protect a certain piece of potentially sensitive data. Data encryption is useful for “authorized” use cases (storing sensitive data, transmitting it to users with need-to-know, etc.) and data masking provides the level of flexibility necessary to deal with “semi-authorized” edge cases.
Data masking is also useful for drawing the attention of a potential attacker away from the real sensitive data held by the organization. Masked data is realistic, improving the probability that an attacker who finds a store of it will mistake it for real data and give up. Since the data masking algorithms are irreversible, a breach of masked data does not impact the organization’s data security.
Regardless of the methods used, implementing a strong data classification and security strategy should be a priority for all organizations storing and processing sensitive data. Data encryption and masking combine well to protect sensitive data, and a data security solution can monitor it and prevent breaches.