Data Masking - in-flight vs. at-rest

Many organizations are faced with the threat of data theft, from which legal battles, hefty fines and negative publicity can arise. Interestingly enough, stealing data is not always that difficult. In this post we will review certain aspects of data masking, a technique used to disguise personal and sensitive information.

Data masking encompasses two key areas: in-flight and at-rest. In-flight data masking is different from encryption; the goal of this technique is to temporarily transform data from its original value before it is viewed on screen or printed, depending on predefined security rules, such as a login name or Active Directory group. This is perhaps better described as a "need-to-know" transformation. The real data is not changed, but its representation is transformed based on who sees it. For example, a supervisor may see a customer's full credit card information but a customer representative may only see the last four digits. While some applications may provide built-in support for similar features, most do not offer this capability.
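The "need-to-know" transformation described above, as an added example that is not part of the original post: a small rule engine that maps a login name to its directory groups and picks a per-field display transformation from the first matching group. The directory, the group names (Supervisors, CustomerReps), the field names and the sample record are all constructed for illustration; a real deployment would look the groups up in Active Directory. Unmatched users fall through to the most restrictive rule, and the stored value is never altered, only its on-screen representation.

```python
import copy
from typing import Callable, Dict, List, Set, Tuple

# Constructed stand-in for an Active Directory lookup: login name -> groups.
DIRECTORY: Dict[str, Set[str]] = {
    "alice": {"Supervisors"},
    "bob": {"CustomerReps"},
}


def show_full(value: str) -> str:
    """Supervisor view: the value is displayed unchanged."""
    return value


def last_four(value: str) -> str:
    """Keep formatting characters, star out every digit except the last four."""
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    keep = set(digit_positions[-4:])
    return "".join(
        ch if (not ch.isdigit() or i in keep) else "*"
        for i, ch in enumerate(value)
    )


def hide_all(value: str) -> str:
    """Default (no matching group): every digit is starred out."""
    return "".join("*" if ch.isdigit() else ch for ch in value)


# Per-field rules, evaluated in order; the first group the viewer belongs to wins.
# Fields with no entry here are not considered sensitive and pass through untouched.
RULES: Dict[str, List[Tuple[str, Callable[[str], str]]]] = {
    "credit_card": [("Supervisors", show_full), ("CustomerReps", last_four)],
    "ssn": [("Supervisors", last_four)],
}


def mask_record(record: Dict[str, str], login: str) -> Dict[str, str]:
    """Return a display copy of `record` masked according to `login`'s groups.

    The input record is deep-copied so the "real" data is never modified;
    only the representation handed to the UI or report changes.
    """
    groups = DIRECTORY.get(login, set())
    view = copy.deepcopy(record)
    for field, value in record.items():
        rules = RULES.get(field)
        if rules is None:
            continue
        transform = hide_all  # most restrictive default for unmatched viewers
        for group, fn in rules:
            if group in groups:
                transform = fn
                break
        view[field] = transform(value)
    return view


# Constructed sample record (not a real card number or SSN).
SAMPLE = {"name": "Jane Doe", "credit_card": "4111-1111-1111-1111", "ssn": "123-45-6789"}

if __name__ == "__main__":
    for login in ("alice", "bob", "carol"):
        print(login, mask_record(SAMPLE, login))
```

Because the decision is made at display time from the viewer's identity, the same stored row renders three different ways for a supervisor, a representative, and an unknown login; nothing in the database changes between those three views.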

At-rest masking is a technique typically used by corporations that need to restore backup copies of their production systems for quality assurance, package implementation testing or software development projects. This type of masking is typically considered much more difficult for many reasons, including process changes, testing tool and script compatibility, discovery of logical entity relationships within a database and across systems and more. For example, from a process standpoint, who in your organization would be responsible for defining and maintaining the data transformation of Social Security Numbers? Should a Social Security Number be transformed the same way on DB2, Oracle and SQL Server databases? How will testing batch processes be affected if cross-system data integrity is no longer maintained after data masking? Is it possible to stage data masking over multiple days depending on the size of each system? How often should non-production systems be refreshed?
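Two of the questions above, whether a Social Security Number should be transformed the same way on every database and what happens to cross-system joins after masking, are addressed by making the transformation deterministic and keyed. The example below is added here and is not from the original post or any vendor product: it normalizes an SSN to its nine digits, derives a replacement from an HMAC of those digits under a secret key, and formats the result as a number in the 900-999 area range, which the Social Security Administration does not issue, so masked values cannot collide with a real person. The sample customer and order rows, the column names and the key are constructed for illustration.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed key for the example. In practice this key is generated once,
# stored with the same care as the production data, and reused across every
# system (DB2, Oracle, SQL Server, flat files) that is masked in the same refresh.
MASKING_KEY = b"example-masking-key-rotate-per-refresh-cycle"

SSN_PATTERN = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def normalize_ssn(ssn: str) -> str:
    """Strip separators so '123-45-6789' and '123456789' mask identically."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError(f"not a 9-digit SSN: {ssn!r}")
    return digits


def mask_ssn(ssn: str, key: bytes = MASKING_KEY) -> str:
    """Deterministic, keyed substitute for an SSN.

    Same input + same key -> same output on every system, so joins on the
    masked column still line up. A different key produces an unrelated mapping.
    """
    digits = normalize_ssn(ssn)
    mac = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    n = int.from_bytes(mac[:8], "big")
    area = 900 + n % 100                # 900-999: never issued as real SSNs
    group = 1 + (n // 100) % 99         # 01-99 (00 is not a valid group)
    serial = 1 + (n // 9900) % 9999     # 0001-9999 (0000 is not a valid serial)
    return f"{area:03d}-{group:02d}-{serial:04d}"


def mask_rows(rows: List[Dict[str, str]], column: str, key: bytes = MASKING_KEY) -> List[Dict[str, str]]:
    """Return masked copies of `rows`; the originals are left untouched."""
    return [{**row, column: mask_ssn(row[column], key)} for row in rows]


def join_count(customers: List[Dict[str, str]], orders: List[Dict[str, str]]) -> int:
    """Number of orders whose SSN matches a customer SSN by exact string comparison,
    the way a simple cross-system join or batch reconciliation would compare them."""
    known = {c["ssn"] for c in customers}
    return sum(1 for o in orders if o["ssn"] in known)


# Constructed sample data from two "systems" that store the SSN in different
# formats (hyphenated vs. bare digits). None of these are real SSNs.
CUSTOMERS = [
    {"ssn": "123-45-6789", "name": "Jane Doe"},
    {"ssn": "987-65-4320", "name": "John Roe"},
]
ORDERS = [
    {"order_id": "1", "ssn": "123456789"},
    {"order_id": "2", "ssn": "123-45-6789"},
    {"order_id": "3", "ssn": "987-65-4320"},
]

if __name__ == "__main__":
    print("raw join matches   :", join_count(CUSTOMERS, ORDERS))
    masked_customers = mask_rows(CUSTOMERS, "ssn")
    masked_orders = mask_rows(ORDERS, "ssn")
    print("masked join matches:", join_count(masked_customers, masked_orders))
    for row in masked_customers:
        print(row)
```

Two properties matter here for the process questions the post raises. First, an unkeyed hash would not be acceptable: there are only a billion possible SSNs, so anyone holding the masked column could enumerate them all and recover the originals. The secret key prevents that, which also means the key is as sensitive as the production data it protects and must be handled accordingly. Second, because the mapping is deterministic under one key, masking can be staged over several days and several platforms and still yield consistent values, provided every run uses the same key and the same normalization.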

In some cases data resides in flat files, XML documents, PDF documents (such as invoices) or images. Very few vendors seem to be able to mask data outside of what an ODBC driver can provide.

While in-flight data masking is technically difficult to achieve (and very few vendors offer it), at-rest data masking may seem technically simpler but poses significant challenges that impact the software development life cycle and package implementation projects alike. Perhaps the most difficult aspect of a masking project is to identify the business and technical requirements so that a solution can be picked, be it a vendor or a custom solution.

Some of the vendors that offer masking solutions include Compuware and IBM. There are a few other vendors that are more specialized if your masking needs are limited to Oracle for example. On SQL Server specifically, it is possible to devise a complex and effective masking solution using SSIS.

However, the real complexity of the project is not the technology, but rather the process, as discussed above. My advice with this type of project is to carefully select vendors and possibly leverage consulting firms that may be able to guide you in the difficult task of gathering requirements and selecting a vendor.


posted @ Sunday, June 28, 2009 10:36 PM
