Data protection is the responsibility of any organisation that collects and holds information about individuals for any reason other than their own personal, family or household purposes. Failure to put procedures in place designed to prevent data getting into the hands of unauthorised third parties can result in significant financial penalties as well as potentially terminal reputational damage if the data has been compromised.
However, according to a survey from Risk Based Security [1] the number of records exposed by a data breach in 2020 increased to 36 billion globally with “the most exposed data types in the year including names and access credentials in the form of email addresses and passwords. Most data breaches occurred due to hacking, with 77.5% of events originating outside of the victim organization, 17% of breaches originating within the organization, and 67% due to errors”.
Clearly, investing in the latest cyber security solutions and implementing standard data management policies and procedures are not enough by themselves to prevent malicious actors from accessing your network and helping themselves to your critical data. What is needed is an additional level of security, data obfuscation, that can render the data useless even if you have suffered a successful breach.
Data obfuscation is a methodology used to disguise or obscure all or parts of the data record to make it meaningless or unusable to anyone other than authorised personnel. In addition to protecting data at rest, it is widely used to enable financial and other sensitive information to be shared internally and with third parties as well as in a software development environment to enable realistic testing without using production data.
There are three main approaches to data obfuscation that can be applied depending on how and why the data is being used and who has a legitimate need to access it on a day to day to basis. Each works in a slightly different way. Encryption and Tokenisation are both reversible but the most common method is Data Masking which cannot be reversed.
Encryption is a very secure way of storing or sharing data but means that it cannot be used for analysis or processing without the decryption keys held by the data owner and a third party.
Tokenisation is widely used to protect financial transactions such as credit card payments. It works by replacing bank details and payment card numbers with meaningless values to prevent it being used by anyone that is not authorised but without disabling normal processing. The real data values can still be accessed by authorised users by linking the token back to the original data.
Data masking is the most widely used method and also replaces real data with fake values but unlike tokenisation it cannot be reversed. This means that it is highly secure as well as a less expensive option compared with the other methods. It also makes it ideal for use by software and application developers during the testing and QA stages. By swapping the real data for fake data it maintains its integrity but reduces the risk of an accidental or malicious breach.
Data masking is also highly flexible and enables you to choose which fields need to be masked and in what format, for example, some numbers in a string can be replaced with an x or possibly randomised depending on the specific application. This is commonly used for online transactions to obfuscate digits of phone numbers such as widely used during online user authentication.
Like all aspects of data quality management, data migrations and transformations, data obfuscation is not a quick and easy process. It requires careful planning and the right tools and is likely to take more time than you might think. Firstly you will need to consult widely across your organisation to establish which data should be obfuscated and whether encryption, tokenisation or masked is the right approach. This is very much dictated by how the data is intended to be used and might mean a different approach for different parts of the business. Financial transactions such as card payment processing will probably need encryption, for software development and testing data masking is likely to the most cost-effective option.
At IDS, our data consultants can help you with all your data quality projects. With our tried and tested methodology and iData toolset, we can ensure that your data meets all the strictest requirements for security and privacy including data obfuscation as well as making your business more efficient, reduce costs and enable you to rely on your data for those critical business decisions.