Dynamic Data Tokenization

Like data masking, data tokenization is a method of data anonymization which involves obscuring the meaning of sensitive data in order to render it useless to potential attackers.

Unlike data masking tools, data tokenization involves substituting sensitive data with a non-sensitive equivalent, or “token”, for use in databases or internal systems. The token is a reference that maps back to the original sensitive data through a tokenization system.

A token consists of a randomized data string that doesn’t have any exploitable value or meaning. Although tokens themselves don’t have any value, they retain certain elements of the original data – such as format or length – to support seamless business operations. Identity and financial information are commonly tokenized, such as Social Security Numbers, passport numbers, bank account numbers, and credit card numbers.

The data tokenization process, a type of "pseudonymization", is designed to be reversible. For example, a company can present one version of de-identified data to an unauthorized user population, and support a controlled re-identification process through which certain users can still have access to the real data.

Data tokenization allows enterprises to protect sensitive data while maintaining its full business utility. With tokenization, data consumers can freely access data, without risk.

Data tokenization is essential for today’s businesses because the majority of data breaches are the result of insider attacks, whether intentional or accidental. Consider these enterprise statistics:

• 50% believe that detecting insider attacks has become more difficult since migrating to the cloud
• 60% think that privileged IT users pose the biggest insider security risk to organizations
• 70% feel vulnerable to insider threats, and confirm greater frequency of attacks

What Data Needs to be Tokenized?

When we talk about sensitive data, we're specifically referring to Personal Health Information (PHI) and Personally Identifying Information (PII) .

Medical records, drug prescriptions, bank accounts, credit card numbers, driver’s license numbers, social security numbers, and more, fall into this category.

Companies in the healthcare and financial services industries are currently the biggest users of data tokenization. However, businesses spanning all sectors are starting to appreciate the value of this alternative to data masking. As data privacy regulations become more stringent, and as the punishments for noncompliance become more commonplace, prudent organizations are actively looking for advanced solutions to data protection, that can also maintain full business utility.

Encryption is another common method of data obfuscation. During the encryption process, sensitive data is mathematically changed. However, the original pattern remains within the new code, which means it can be decrypted with the appropriate key. To access the key, hackers use a variety of techniques, such as social engineering or brute computing force.

The ability to reverse encrypted data is its biggest weakness. The level of protection of the sensitive data is determined by the complexity of the algorithm used to encrypt it. However, all encrypted data can ultimately be reversed and broken.

Tokenizing sensitive data offers several key benefits, such as:

• Reduced risk
  Avoid security breaches because tokens do not reveal the original value's sensitive information.

• Reduced encryption cost
  Only the data within the tokenization system needs encryption, eliminating the need to encrypt all other databases.

• Reduced privacy efforts
  Data tokenization minimizes the number of systems that manage sensitive data, reducing the effort required for privacy compliance.

• Business continuity
  Tokens can be “format preserving” to ensure that existing systems continue to function normally.

The following are 6 key use cases for data tokenization:

1. Compliance scope reduction

   With data tokenization, you can reduce the scope of data compliance requirements because tokens replace data irreversibly. For instance, exchanging a Primary Account Number (PAN) with tokenized data results in a smaller data footprint, thus simplifying PCI DSS compliance.

2. Data access management

   Data tokenization gives you more control over data access management, preventing those without appropriate permissions, from de-tokenizing sensitive data. For instance, when data is stored in a data lake or warehouse, tokenization assures that only authorized data consumers have access to sensitive data.

3. Supply chain security

   Today, many enterprises work with third-party vendors, software, and service providers requiring access to sensitive data. Data tokenization minimizes the risk of a data breach originating externally by keeping sensitive data away from such environments.

4. Data lake/warehouse compliance

   Big data repositories, such as data lakes and data warehouses, persist data in structured and unstructured formats. From a compliance perspective, this flexibility makes data protection controls more challenging. When sensitive data is ingested into a data lake, data tokenization hides the original PII, thus reducing compliance issues.

5. Business analytics

   Analytical workloads, such as Business Intelligence (BI), are common to every business domain, meaning that the need to perform analytics on sensitive data may arise. When the data is tokenized, you can permit other applications and processes to run analytics, knowing that it's fully protected.

6. Avoid security breaches

   Data tokenization enhances cybersecurity by protecting sensitive data from would-be attackers (including insiders, who were responsible for 60% of the total number of  data breaches in 2020). By exchanging PII data with non-exploitable, randomized elements, you minimize risk, while also maintaining its business utility.

Despite its many benefits, data tokenization also has its limitations. The most significant is the risk associated with storing original sensitive data in one centralized token vault. Storing all customer data in one place leads to:

• Bottlenecks when scaling up data

• Risks of a mass breach

• Difficulties ensuring referential and format integrity of tokens across systems

The way to reap the benefits of data tokenization, while avoiding its risks, is by adopting a decentralized system, such as a data mesh.

In addition to actually protecting sensitive data from being exposed, data tokenization also helps enterprises comply with an increasingly stringent regulatory environment. One of the most pertinent standards that tokenization supports is the Payment Card Industry Data Security Standard (PCI DSS).

Any business that accepts, transmits, or stores credit card information is required to be PCI-compliant, and adhere to PCI DSS to protect against fraud and data breaches. Failure to comply with this standard could lead to devastating financial consequences, such as huge penalties and fines, plus additional costs for legal fees, settlements, and judgements. It can also lead to irrevocable brand damage or even going out of business.

Tokenization supports PCI DSS compliance by reducing the amount of PAN (Primary Account Number) data stored in an enterprise’s databases. Instead of persisting this sensitive data, the organization need only work with tokens. With a smaller data footprint, businesses have fewer requirements to comply with, reducing compliance risk, and speeding up audits.

A business entity approach eliminates the need for a single centralized vault. A business entity delivers a “ready-to-use,” complete set of data on a specific customer, credit card, store, payment, or claim, which can be used for both operational and analytical workloads.

Rapidly evolving data privacy and security laws are making data tokenization a top priority for enterprise IT.  

This paper examined the definitions of, and the need for, data tokenization, including benefits, use cases, and risks 

It concludes by discussing a business entity approach to data tokenization, a superior alternative to the current standalone or homegrown solutions.