How data masking can help protect the business
The impact of a data breach can be disastrous for an organization, including loss of customer trust, financial penalties, and more. The average total cost of a security breach is $4 million, 29% more than in 2013, according to the Ponemon Institute’s 2016 study on the cost of these incidents. The average cost per compromised record is $158, while the average cost per record for the health and retail sectors is $355 and $129, respectively. Despite the high risk, companies continue to be breached regularly, which raises significant concerns about how they store, process and manage their data.
While external threats remain a high priority, the threat to sensitive data also comes from within. The theft of customer data, personal information or payment card details by employees is a reality, often because privileged users (system or database administrators) can access this data. Too often, real data from the production environment is copied to the development environment, which is less secure and less monitored than production.
Data masking techniques offer different ways to ensure that data remains protected against the risk of falling into the wrong hands, and that fewer people can access sensitive information, all without compromising business needs.
What is data masking?
Data masking is the process of replacing real sensitive data, in a test or development environment, with information that resembles it but would be of no use to anyone who might want to misuse it.
In fact, users of test or development environments do not need to see actual production data, as long as the data available to them is consistent. Masking techniques therefore protect data by de-identifying sensitive information held in non-production environments, or by replacing identifiable information with realistic values.
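The following sketch is an added example, not code from the original article. It shows deterministic masking of a customer table before it is copied to a test environment: the same real value always maps to the same fake value, so the data stays consistent across rows, and masked card numbers keep their length and still pass Luhn validation. The key, name pools, field names and sample rows are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: the key is kept outside the test environment (constructed value here).
MASKING_KEY = b"constructed-demo-key"
FIRST = ["Alex", "Sam", "Jordan", "Casey", "Morgan", "Riley", "Taylor", "Jamie"]
LAST = ["Martin", "Bernard", "Dubois", "Moreau", "Laurent", "Simon", "Michel", "Garcia"]

def keyed_digest(field, value):
    """Same input always yields the same mask; without the key it cannot be recomputed."""
    return hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()

def luhn_check_digit(partial):
    """Digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number):
    return luhn_check_digit(number[:-1]) == number[-1]

def mask_name(name):
    h = keyed_digest("name", name)
    return f"{FIRST[h[0] % len(FIRST)]} {LAST[h[1] % len(LAST)]}"

def mask_card(pan):
    """Replace a card number with a fake one of the same length that passes Luhn."""
    digits = "".join(c for c in pan if c.isdigit())
    if len(digits) < 2:
        raise ValueError("not a card number")
    n = int.from_bytes(keyed_digest("card", digits), "big")
    body = str(n).zfill(78)[-(len(digits) - 1):]
    return body + luhn_check_digit(body)

def mask_row(row):
    # Non-sensitive fields (order_id, amount) are copied unchanged.
    return {**row, "name": mask_name(row["name"]), "card": mask_card(row["card"])}

# Constructed sample "production" rows; the card numbers are public test numbers.
PRODUCTION_ROWS = [
    {"order_id": 1, "name": "Jean Dupont", "card": "4111111111111111", "amount": 42.50},
    {"order_id": 2, "name": "Claire Petit", "card": "5555555555554444", "amount": 17.00},
    {"order_id": 3, "name": "Jean Dupont", "card": "4111111111111111", "amount": 8.99},
]

if __name__ == "__main__":
    for masked in map(mask_row, PRODUCTION_ROWS):
        print(masked)
```

Because the masking is keyed and deterministic, rows 1 and 3 still belong to the same (fake) customer after masking, which keeps joins and functional tests meaningful.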
The need for masking techniques
Organizations often need to copy production data stored in databases to test or development databases, in order to perform functional tests of applications and cover real scenarios, minimizing the risk of bugs or defects in production.
As a result of these practices, non-production environments can be prime targets for cybercriminals or malicious employees, all the more so since these environments are not usually as tightly controlled as production environments.
Regulatory requirements are another driver for data masking. For example, the PCI DSS standard requires of merchants that production data and information “not be used for testing and development”. Exposing payment card data, by accident or malice, could have devastating consequences.
The uses of data masking
Unsurprisingly, data masking is frequently used when the development environment is entrusted to a third party, such as an outsourcing provider. Here, the company can replace its sensitive information with comparable values to allow its provider to do its job properly without risking exposing its data.
Another typical example in the retail industry is when a merchant wants to share point of sale data with a research firm to apply advanced analytics algorithms to study customer habits and trends. Instead of providing the actual customer data, the merchant substitutes comparable data, which also reduces the risk of data leakage.