The average cost of data breaches has surged to $4.24 million in 2021 — the highest total cost in the 17-year history of the annual IBM Cost of a Data Breach Report.

Remote or flexible working has been identified as leading causes of data breaches, as more workers are operating computers and software via the cloud without adequate infrastructure for data security. This mass migration to cloud computing makes businesses more susceptible to cyber attacks as files are stored and transmitted over the internet, leaving them vulnerable to interception.

Since 2018, the EU’s general data protection regulation (GDPR) has made it a legal requirement to secure personal and private data. Although the original rules no longer apply in the UK since Brexit, they have been replaced with the ‘UK GDPR’, which provides the same guidelines for companies that handle individual’s personally identifiable information (PII) — such as their name or email address.

Failure to comply with these rules can result in hefty fines. But the implications of a data breach are not just financial; trust and reputation are also at stake, which is why IT professionals use information security software such as data masking tools to protect important and sensitive data.

What is data masking?

Software developers are increasingly using Agile practices to improve the speed and efficiency of development and adopting a DevSecOps (development, security and operations) approach to automate the delivery of secure software and ensure safety is baked in at every stage.

During testing and development, data is frequently exchanged — often with third parties. To maintain the privacy and integrity of shared information (and remain GDPR compliant), data masking programmes provide a crucial layer of protection and prevent its contents from being stolen or breached along the way.

Data masking, also known as data obfuscation, is an automated process that hides original classified data with modified or dummy data — whilst providing a functional alternative in its place. This process ensures a data set remains intact whilst disguising the personal information it represents, allowing analysts, software and application developers to experiment and share the data in non-production environments without the risk of exposure to potentially dangerous third parties.

In organisations where staff have different levels of access to privileged information, data masking can also be used to prevent internal data breaches. Masking a data field prevents anyone who is not authorised to view its contents from doing so, meaning that personally identifiable information or commercially sensitive data is protected when sharing with third parties or unauthorised personnel.

Implementing data masking as a preventative measure also ensures data becomes useless to attackers in the event of a breach, maintaining data security and inherent functionality.

Data masking should not be confused with encryption. Encryption involves encoding information by converting it from its original form into an alternative form — known as ciphertext. As ciphertext must then be decrypted to be useful, it is at this point that data becomes vulnerable. Masked data, on the other hand, can be useful in its masked state. The question, therefore, is not ‘Do I mask or encrypt the data?’, but rather ‘When should you use masking, when should you use encryption, and when should both be applied?’

Which data masking method should I use? 

There is not just one type of data masking used to secure sensitive data; the suitable method for your business will depend on the parameters of its application and the end-use of the data in question.

Static data masking

Static data masking is used to create a masked golden copy of a data set in its original environment. It then duplicates the masked data in a separate database proxy, from where it can be shared safely.

Dynamic data masking

Unlike static data masking, this method does not require a second data source to store masked data. Instead, sensitive data is made available to authorised systems, and original contents are shuffled in real-time to disguise them. This means that sensitive data remains in its original database and is never exposed to unauthorised users.

On-the-fly data masking

This dynamic data masking method functions on demand, masking data while it is transferred from production systems to test or development systems. By maintaining a masked version of the data that is kept synchronised with production data, the masking process does not need to be repeated every time a change is initiated.

On-the-fly data masking is helpful for organisations that deploy software frequently and need to stream data from production to multiple test environments.

Deterministic data masking

Simply put, this technique ensures that one data value is replaced by another data value of the same type whenever it crops up. For example, the software would replace an individual’s actual name with a false name everywhere it appears in a database.

Statistical data obfuscation

Statistical data obfuscation relies on stochastic perturbations — an algorithmic way of optimising systems with numerous unknown parameters. Differential privacy is an example of a statistical data obfuscation system; it shares information about a dataset by describing its general patterns without relinquishing any privileged information about the individuals in the dataset — protecting privacy without impacting overall results.

Ensuring your company and client data is protected when shared with third parties is vital for security and GDPR conformity. Burning Tree’s partner Accutive offers a range of solutions that rapidly automate data discovery and masking to keep your sensitive data both safe and functional. Get in touch with our cyber security specialists to find out how we can help transform your security.