What is data masking?

Data masking is a method for protecting personal or sensitive data that creates a version of the data that can’t be identified or reverse-engineered while retaining referential integrity and usability.

• Personally Identifiable Information (PII) such as names, passport, social security, and telephone numbers
• Protected Health Information (PHI) about an individual’s health status, care, or payment data
• Protected financial data, as mandated by the Payment Card Industry Data Security Standard (PCI-DSS) and the US Federal Trade Commission (FTC) acts and safeguards
• Test data, associated with the Software Development Life Cycle (SDLC)
  
  Masked data is generally used in non-production environments – such as software development and testing, analytics, machine learning, and B2B data sharing – that don’t require the original production data. 
  
  Simply defined, data masking combines the processes and tools for making sensitive data unrecognizable to – yet functional for – authorized users.

The data masking process

The data masking process is an iterative lifecycle that can be broken down into 4 steps corresponding to 4 data masking phases – discovering the data, defining the masking rules, deploying the masking functionality, and auditing the entire process on an ongoing basis.

With the right data masking process in place, your data teams can:

1. Discover and classify sensitive data 
   The data masking process begins  by analyzing the metadata and data in your enterprise systems and classifying PII and sensitive data that require masking. Sensitive data discovery leverages rules-based and LLM-based techniques to identify the data to be masked.
2. Define data masking policies
   Define the data masking policies for your use cases and set up the functionality to enforce them. Where dynamic data masking is required, define the Role-Based Access Controls (RBAC) that should be applied. Ensure that referential integrity and semantic consistency of the masked data are maintained.
3. Deploy  
   A best practice is to deploy data masking tools "close to the source", on premises, so that unmasked data is never transferred to the cloud. Proceed with the necessary security guardrails if data masking is performed in the cloud.
4. Audit and report for compliance
   Generating exportable audit reports – for instance, including schema, table, and column name, as well as type, field, and probability of a match – is an ongoing part of the process.

Data masking solutions are important to enterprises because they enable them to:

• Achieve compliance with privacy laws, like CPRA, GDPR and HIPAA, by reducing the risk of exposing personal or sensitive data, as one aspect of the total compliance picture.
• Protect data in lower environments from cyber-attacks, while preserving its usability and consistency.
• Reduce the risk of data sharing, e.g., in the case of cloud migrations, or when integrating with third-party apps.

Masking tools are now needed more than ever before, to effectively safeguard sensitive data and to address the following challenges:

Regulatory compliance

Highly regulated industries, like financial services and healthcare, already operate under strict privacy regulations. Besides adhering to regional standards, such as Europe’s GDPR, California’s CPRA, or Brazil’s LGPD, companies in these fields rely on PII data masking to comply with the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA). 

Insider threats

Many employees and third-party contractors access enterprise systems on a regular basis, for example for software testing or analytics purposes. Production systems are particularly vulnerable, because sensitive information is often used in development, testing, and other pre-production environments. With insider threats rising 47% since 2018, according to the Ponemon Institute report, protecting sensitive data costs companies an average of $200,000 per year.

External threats

In 2020, personal data was compromised in 58% of the data breaches, states a Verizon report. The study further indicates that in 72% of the cases, the victims were large enterprises. With the vast volume, variety and velocity of enterprise data, it is no wonder that breaches proliferate. Taking measures to protect sensitive data in non-production environments will significantly reduce the risk, one of many data masking examples.

Data governance

Your data masking tool should be secured with Role-Based Access Control (RBAC). While static data masking obscures a single dataset, dynamic data masking provides more granular controls. With dynamic data masking, permissions can be granted or denied at many different levels. Only those with the appropriate access rights can access the real data. Others will see only the parts that they are allowed to see. You should also be able to apply different masking policies to different users.

Over time, many types of data masking have evolved to provide more sophistication, flexibility and security, including:

Static data masking

Static data masking, or in-place masking, is a method often used in non-production environments, such as those used for analytics, software testing and development, and end-user training. In such cases, sensitive data is permanently protected in the non-production copy of the data. 

Data masking tools ensure that the masked data maintains referential integrity, to enable software development and testing.

On-the-fly data masking

The static data masking process introduces risk due to the possible exposure of sensitive data in the staging area, before it is masked.

On-the-fly data masking is performed on data as it moves (in transit) from one environment to another, such as from production, to development or test. This means that the data at rest, in the staging environment, is always compliant.

On-the-fly data masking is ideal for organizations engaging in continuous software delivery, data migrations, and ongoing hydration of data lakes.

Dynamic data masking

Dynamic data masking is used to protect, obscure, or block access to sensitive data that's stored in production. Dynamic data masking is performed on the fly, in response to a data request by a certain user or application. When the data is located in multiple source systems, masking consistency is difficult, especially when dealing with disparate environments, and a wide variety of technologies.  

Dynamic data masking is used for role-based security  – such as handling customer queries, or processing sensitive data, like health records – and in read-only scenarios, so that the masked data doesn’t get written back to the production system.

This technique is frequently used in customer service applications to ensure that support personnel can access the data they need to assist customers while masking sensitive information like credit card numbers or personal identifiers – to maintain privacy and compliance with data protection regulations.

Statistical masking

Statistical data masking is method applied in static or on-the-fly masking. It ensures that masked data retains the same statistical characteristics and patterns as the real-world data it represents – such as the distribution, mean, and standard deviation. 

Unstructured data masking

When it comes to protecting data, regulations do not differentiate between structured and unstructured data. Documents and image files, such as insurance claims, bank checks, and medical records, contain sensitive data. Many different formats (e.g., pdf, png, csv, email, and Office docs) are used daily by enterprises in their regular interactions with individuals. With the potential for so much sensitive data to be exposed in unstructured files, the need for unstructured data masking is obvious. 

Entity-based data masking resolves the most common data masking challenges, while implementing data masking best practices. It masks all of the sensitive data associated with a specific business entity – e.g., customer, loan, order, or payment – and makes it accessible to authorized data consumers based on role-based access controls.

By taking a business entity approach, data masking ensures both referential integrity and semantic consistency of the masked data. Here's how it works:

• Data is ingested by business entities.
• Sensitive data is masked by entity, maintaining referential integrity and semantic consistency.
• The masked dataset is delivered to downstream systems, by business entities.
  
  For example, if customer data is stored in 4 different source systems (let's say orders, invoices, payments, and service tickets), then entity-based data masking ingests and unifies customer data from the 4 systems to create a "golden record" for each customer. The PII data associated with the individual customer is masked consistently, and the anonymized customer data is provisioned to the downstream systems or data stores. Moreover, if, for example, the customer's status was masked to "VIP", which requires a certain payment threshold to have been exceeded, then the customer's payments are increased accordingly to ensure semantic consistency with the VIP status.

This makes entity-based data masking ideal for data analytics, software testing, training, and retrieval augmented generation use cases. 

The entity-based approach supports structured and unstructured data masking, static and dynamic data masking, test data masking, and more. Images, PDFs, text, and XML files that may contain PII are protected, while operational and analytical workloads continue to run without interruption. 

If you’d like to leverage the latest data masking capabilities and want to avoid the vulnerabilities of conventional methods, a business entity approach is the right way to go.