There are a number of guidelines to follow when it comes to protecting your data. Questions on how best to achieve this often include examples like “which data should be classified as sensitive?” and “which groups of users should have access to this data?” In fact, there are a number of control methods for securing sensitive data, starting with the basic first line of defense of authentication and access control. These include:
- Encryption
- Persistent (Static) Data Masking
- Dynamic Data Masking
- Tokenization
- Retention management and purging
Writing in a two-part article for Informatica Blog, Claudia Chandra discusses these in detail. Encryption is a cryptographic method of encoding data. There are two ways of doing this, although there are methods of deciphering information without a key. This key management is the greatest concern.
Persistent (or static) data masking obscures the data when it is in storage. This is a permanent solution and, usually, there is no way of retrieving the original data. Multiple techniques are possible, and it is possible to perform reverse masking – though this should be used sparingly.
On the other hand, dynamic data masking de-identifies the data only when it is accessed. The original data is kept in the database – the process acting as a proxy. Different levels of access can be granted depending on user privileges. If the user does not have privileges, a masking function is included.
Tokenization, meanwhile, simply substitutes any sensitive elements with non-sensitive information. Without knowledge of the token system, it is very difficult to reverse the information. However, there are significant security issues, with the token server and mapping database as potential security threats. Next generation tokenization systems are addressing these issues, though.
Retention management and purging is “more of a data management method,” which ensures the data is retained only as long as necessary. The only foolproof method of reducing data privacy risk is to simply eliminate the data. Best practice and good retention and archiving policies are key to the success of this method.
Determining the appropriate method/s requires answers to the following questions:
- Do you need to protect data at rest, during transmission, and/or when accessed?
- Do some privileged users still need the ability to view the original sensitive data or does sensitive data need to be obscured?
- What level of access or granularity of controls do you need?
In any case, a combination of protection methods is likely required – tailored to your requirements. For example, in a non-production environment persistent data masking may be useful, ensuring that no one has access to the original production data, while in a production environment a combination of encryption and dynamic data masking might be more useful.
The best method/s depend on each individual scenario and the set of requirements within an organization.
Big Data and related technologies – from data warehousing to analytics and business intelligence (BI) – are transforming the business world. Big Data is not simply big: Gartner defines it as “high-volume, high-velocity and high-variety information assets.” Managing these assets to generate the fourth “V” – value – is a challenge. Many excellent solutions are on the market, but they must be matched to specific needs. At GRT Corporation our focus is on providing value to the business customer.