Undercover data: how to prevent
security breaches with data masking

Between January and September 2021, there were an estimated 996 data security breaches worldwide, with over 4.1 billion records compromised as a result. That’s 4.1 billion instances of private, potentially sensitive data – that customers had entrusted to organisations – in the wrong hands.

Ninety-seven of those breaches took place in September alone, with over 91 million records hacked over the course of the month and one single incident accounting for 61 million of them.

The culprit? An unsecured database, storing information ranging from the financial, to the intensely personal. The company responsible for the breach synced data from health, fitness and medical trackers, holding data on their users’ names, location, weight, height, login credentials and more.

With the rise of IoT and Big Data, the records that organisations collect and store are becoming increasingly personal, sensitive and difficult to manage, with an increasing amount of ‘unstructured’ data (IoT information, images, emails – essentially any data that can’t be stored in a relational database management system) posing a significant security challenge. For all the advantages of this data – deeper insights, automation, personalisation, faster decision making, AI and Machine Learning capabilities – security remains a weakness that businesses need to address as a matter of urgency, especially as they seek a more fluid, flexible approach to monetising their data. Just as businesses rush to explore new possibilities with data, so are cyber criminals developing new methods of accessing it.

Aside from legislation and regulation around data privacy, such as GDPR and the Data Protection Act, organisations also have an ethical responsibility to their users to protect their information and ensure that their data will only be used in the way that they have agreed. Data may present an opportunity for you to add value and convenience to your customers – and differentiate your business as a result – but if you fail to protect it, you eradicate that value, and their trust. The most seamless, tailored customer experience in the world is not worth your data being compromised.

And as for that afore-mentioned GDPR: the maximum fine for an infringement in the UK currently stands at £17.5 million, or 4% of annual turnover (whichever is greater).

How to balance data security and data flexibility

If you want to monetise your data, it needs to remain accessible and agile internally, while maintaining watertight security to external ‘malicious actors’ (any group or individual who poses a cyber threat to your business). So how can businesses balance the two requirements, keeping their data safe while still adapting and evolving new methods to extract commercial value from the information at hand?

Data masking: an Agile method of securing data

Data is at its most vulnerable when it’s in development, such as migrating to a new management platform, or during the testing stages of an analytics implementation. Yet to make projects like these a success, developers need ‘real’ data to power them during the development cycle. How else can you tell whether the system is operating effectively, and generating the results you want? Testing and development teams often work with direct copies of the active database as a result, meaning that vast amounts of sensitive data is accessible during the process.

When it comes to agile development – short, sharp sprints that deliver tangible digital outcomes fast, as outlined in our AIM framework – this can become even more difficult to manage. Rather than one big data migration/testing/development exercise, projects are broken down into smaller workflows, requiring flexible, fast and continuous access to data. Data obfuscation offers a way to deliver agile data outcomes, while ensuring that security is maintained.

What is data obfuscation?

Data obfuscation literally obscures your data, by scrambling, covering or removing sensitive information when accessed by non-authorised users. There are three types of data obfuscation:

Encryption

If records are lost or stolen, encryption ensures that they are inaccessible. Data is encoded, by algorithm, into unreadable text, with a decryption key (passcode) needed to convert it back into a readable format. Systems like SSL can be used to encrypt information in transit – such as during an online payment – but further encryption or other obfuscation methods are needed when the data is ‘at rest’ (i.e., not in use).

Tokenisation

Used for structured data fields, like bank details, tokenisation turns a meaningful piece of data into a random string of characters that bears no relation to the original. The ‘keys’ to these tokens are stored in a database or mapping vault, and the original data never leaves the organisation, making it difficult to exchange and test data during development cycles, and difficult to scale.

Data Masking

As the name suggests, data masking disguises the sensitive details of your data, while keeping the right format and function. It’s the most dynamic method of securing data while it is in use, and the best fit with agile data software development and unstructured data management. Unlike other methods of securing data, it doesn’t prevent users from connecting directly to the database or running queries that expose sensitive data: it simply ‘masks’ that information instead, providing fake but realistic records to non-authorised users, while allowing authorised users to access the real data. For example, a credit card number appears in the same format, but is replaced with randomly generated digits.

Why data masking is best for Agile development

As data masking occurs in real time, and doesn’t alter the format of the data it’s protecting, it’s the most compatible method of data obfuscation for agile development methodologies like the AIM framework. It’s easily scalable – no mapping vault is required, for instance – making it a practical way to secure data for repeated sprint workflows without disrupting or slowing down development, testing and implementation.

An Agile approach to data management

Data security is a fundamental part of any data solution – whether it’s modernising legacy systems for better digital integration or developing new ways to monetise your data. As cyber criminals continue to develop new tactics to access data, flexibility is key to keeping your data safe while still getting measurable results from your data development initiatives.

To find out more about how Agile maintain data security while developing agile data solutions, contact us today to speak to our team of experienced data consultants.