In the modern world of financial services, the protection of your customer’s data is critical. Not only critical for your company’s reputation but to avoid a whole host of legal and financial obligations should a data breach ever happen. Encryption is one way of achieving this but can be expensive, and leaves the data in an unreadable format. Another way of achieving the necessary data protection is to hide it. Data masking leaves the information in a format that can be used for development and quality testing needs, but still fulfills your legal and financial obligations.
Writing for SearchFinancialSecurity, Randall Gamby – Enterprise Security Architect for a Fortune 500 finance company – outlines some of the key requirements when it comes to best practice in data masking. The first step of any operation is to determine the scope. This is a bigger task than it seems and the company will need to know what needs protecting, who is authorized to see it and which applications require it.
In addition to this, access to data isn’t always a simple yes or no question. For example, the customer rep who needs to know the last four digits of a social security number for verification does not need access to the whole number.
The next important step is to decide what data masking techniques to use. Not all of these will be appropriate, depending on the nature of the business and requirements of the person accessing the data. However, they can include:
Blurring: adding random variance to the original value. For example, replacing the amount in a savings account with a random value within a certain percentage range of the original.
- Shuffling: changing the order of numbers in a zip-code for example.
- Substitution: replacing original values with a randomly selected value from a substitution table.
However, sometimes it is important for the value to maintain referential integrity. This is a best practice that is often missed in reality. For example, each type of information must be masked using the same algorithm/seed value (e.g. consistently replacing the value ‘xyz’ with ‘abc’). In many large organizations though, a single masking technique is not feasible due to each line of business having its own unique requirements.
Finally, once decisions have been made about who to give access to what and which techniques are being used – protection of these values must still be considered. This information should be considered extremely sensitive. It is entirely possible, if this information is leaked, for someone to reverse engineer large blocks of sensitive information. A best practice here is to separate the duties. For example allowing IT security to determine methods and set up the values but then denying them access to this information afterwards.
While data masking does have great advantages, care is still needed and strong planning and vision are required as to how the business will operate in the future. All this is needed well before the first piece of information has even been masked.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”