Data Masking Hides Data in Plain Sight

The process takes real customer data and converts it to phony data that can't be tied to a real person, but can still be used for app-testing purposes

April 29, 2009


It happens almost every week, if not more frequently. A server, desktop, or more commonly a notebook is physically stolen -- not hacked, but stolen -- and it turns out to contain sensitive, unencrypted data. Perhaps it is a database of clients, or sensitive customer financial or health information.

Just this month news broke that Moses Cone Health System in Greensboro, N.C., had to inform more than 14,000 patients that they may be open to identity theft. A laptop was stolen from a vendor that was working on the data for the health system. The data was password protected, but not encrypted.

While encrypting the data on notebooks would seem to be the ideal way to avoid such events, it is not always that straightforward. For instance, even if encryption software is available on the notebook, workers don't always remember to use it. It's also not always possible to confirm that the data actually was encrypted at the time of loss or theft. Plus, unencrypted data held outside the highly secured areas of the corporate network is at increased risk of cyber attack.

Robyn Ready -- project manager for data security at American Student Assistance (ASA), a nonprofit student loan guarantor based in Boston with $28.2 million in annual sales -- set out to find a way to protect the 1.5 terabytes of sensitive student financial information ASA stores, while also making sure developers and application testing teams are able to use "real" data to develop new applications and improve existing ones.

Rather than rely on data encryption, Ready and her team implemented DMSuite, a data-masking tool from Axis Technology LLC. Essentially, data masking is the process of taking real customer data and converting it to completely fabricated data that can't be tied to any real person, but is still fully usable for application testing purposes. This way, if data is stolen, it is useless for identity theft or corporate espionage.

American Student Assistance evaluated a number of masking technologies, but many of the vendors required that detailed "parent-child" relationships be established among the various data fields. "We have data flowing in from many different sources, and it just wasn't possible for us to conform to a rigid data masking scheme," Ready says. "We selected Axis because we didn't have to map complex data relationships. It enabled us to mask our data the same way, every time."

In addition, the Social Security numbers ASA uses are not assigned to any citizen. "This [masked] data is fully usable for our internal development, quality assurance, and customer acceptance testing teams," she says.
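A sketch of the deterministic masking described above, as an added example (not DMSuite's or ASA's code): a keyed hash maps each real value to the same fabricated value every time, so rows from different sources still line up without mapping field relationships, and masked SSNs land in the 900-999 area range, which the Social Security Administration does not assign. The key, name lists, field names and sample rows are constructed assumptions.

```python
import hashlib
import hmac

# Constructed key for this example; it must never be copied into test environments,
# because anyone holding it can recompute the real-to-masked mapping.
MASKING_KEY = b"constructed-example-key"
FIRST_NAMES = ["Alex", "Jordan", "Morgan", "Riley", "Casey", "Taylor", "Quinn", "Avery"]
LAST_NAMES = ["Harper", "Ellis", "Lane", "Brooks", "Reyes", "Sutton", "Vance", "Marsh"]


def _digest(field: str, value: str) -> int:
    """Keyed, deterministic integer derived from a field name and its real value."""
    mac = hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big")


def mask_ssn(ssn: str) -> str:
    """Map a real SSN to a fabricated one in the unassigned 900-999 area range."""
    digits = "".join(c for c in ssn if c.isdigit())  # normalise source formatting
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    n = _digest("ssn", digits)
    area = 900 + n % 100
    group = 1 + (n // 100) % 99        # 01-99, never 00
    serial = 1 + (n // 9900) % 9999    # 0001-9999, never 0000
    return f"{area:03d}-{group:02d}-{serial:04d}"


def mask_name(name: str) -> str:
    """Replace a real name with a fabricated one, ignoring case and padding."""
    n = _digest("name", name.strip().lower())
    first = FIRST_NAMES[n % len(FIRST_NAMES)]
    return f"{first} {LAST_NAMES[(n // len(FIRST_NAMES)) % len(LAST_NAMES)]}"


def mask_record(record: dict) -> dict:
    """Mask identifying fields; leave non-identifying test data (balance) intact."""
    masked = dict(record)
    masked["ssn"] = mask_ssn(record["ssn"])
    masked["name"] = mask_name(record["name"])
    return masked


# Constructed rows from two "sources" that format the same (fake) SSN differently.
LOANS = [{"ssn": "000-12-3456", "name": "Jane Doe", "balance": 10500}]
PAYMENTS = [{"ssn": "000123456", "name": "jane doe", "balance": 250}]

if __name__ == "__main__":
    print(mask_record(LOANS[0]))
    print(mask_record(PAYMENTS[0]))
```

Two real SSNs can hash to the same masked value, so a column with a uniqueness constraint needs collision handling on top of this.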

That capability helps to explain why a growing number of companies are beginning to offer data-masking applications, including IBM Security Systems, Oracle, and startups such as Camouflage.

IT security analyst Pete Lindstrom sees data masking as a way to tame the often untamed corporate testing environments, and even share masked data with outsourcers developing and testing applications. "Too often, these non-production areas are cesspools of weak IT controls, while also hosting a smorgasbord of data that is ripe for the pickings of any attacker that can find their way there. However, in order to properly test your programs, you need data that looks legitimate," Lindstrom says.

"The key to data masking is obfuscating the data in a way that enables you to check your programs, while also still being able to validate and test program functionality," he adds. "It helps to solve one of the pervasive security problems, developers and service providers who are hidden from IT security teams and controls," he says.

Ready says American Student Assistance does not outsource any of its application development or testing, but if it did the data would be masked. "If this data was lost, or improperly accessed, we know that it is useless to anyone else but us. There's a lot of freedom in that," she says.
