By Vitaly Dubravin

Strange question, isn’t it? Data masking and encryption are like apples and oranges, but the question is not strange at all. There are many similarities between the two technologies, though the differences are substantial. Each of them is designed to ensure data protection, which can be substantially improved when both are used in synergy.

Data encryption is the process of transforming information using some algorithm (a cipher) to make it unreadable to anyone except those possessing a key. It is widely used to protect files on local, network or cloud disk drives (EFS, PIE), network communications (IPSEC, VPN) or just web/email traffic (TLS/SSL). All these technologies are designed to secure communication and storage media from intruders, but they provide limited ability to control data privacy at a very granular level (like a database record). There are known methods to make an encrypted document accessible to multiple people with individual keys, but this requires an expensive investment in the security infrastructure and becomes impractical when applied to a database. Data encryption ensures that only people who should have access to the data will gain safe access to the datasets, including the ones they are not supposed to see. Data encryption is not designed to address a role-based security problem.



This is the niche for data masking. Masking is the process of obscuring specific data elements within data stores. It hides data elements that users of certain roles should not see and replaces them with similar-looking fake data. Data masking is used to generate a realistic (not real!) dataset for development, testing and user training purposes. This is a one-way irreversible transformation (similar to a one-way cipher) that produces a dataset that is “safe to lose”. You can ship such sets even beyond the event horizon and your data privacy will not be compromised. Such a transformation is often called static data masking, or just data masking, given its one-time or batch-mode nature.

Dynamic data masking can transform the data on the fly based on the user role (privileges). It is used to secure real-time transactional systems and speeds up data privacy and compliance implementation and maintenance. If California introduces a law tomorrow requiring that only Californian customer service may see its citizens’ PII data, then it’s a matter of minutes to make all applications in the company compliant with the new regulation. No expensive BRDs, RFPs, development and testing. Just add one more rule to the data masking engine and you should be good to go (assuming you have implemented dynamic data masking by now).
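The California scenario above, as an added example that is not part of the original article: a small in-process masking engine where the new regulation is one extra rule. `MaskingEngine`, `fake_like`, `baseline_rule`, `california_rule`, the field names and the sample records are all hypothetical and constructed for illustration; a real deployment would enforce these rules in a masking proxy or in the database itself.

```python
import secrets
import string

PII_FIELDS = ("name", "ssn")  # assumed set of sensitive columns

def fake_like(value: str) -> str:
    """Random fake data with the same shape; nothing is derived from the input."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isalpha():
            pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            out.append(secrets.choice(pool))
        else:
            out.append(ch)  # keep separators so the format stays realistic
    return "".join(out)

class MaskingEngine:
    """Hypothetical rule engine: a rule returns True when PII must be masked."""

    def __init__(self):
        self.rules = []

    def add_rule(self, rule):
        self.rules.append(rule)

    def view(self, user: dict, record: dict) -> dict:
        """Return the record as this user is allowed to see it."""
        if not any(rule(user, record) for rule in self.rules):
            return dict(record)
        return {k: fake_like(v) if k in PII_FIELDS else v for k, v in record.items()}

def baseline_rule(user, record):
    # Existing policy (assumed): only customer service sees PII.
    return user["role"] != "customer_service"

def california_rule(user, record):
    # The new regulation from the text, expressed as one extra rule.
    return record["state"] == "CA" and user["location"] != "CA"

# Constructed sample data, not real customers or staff.
CA_CUSTOMER = {"id": 1, "name": "Alice Moreno", "state": "CA", "ssn": "123-45-6789"}
NY_AGENT = {"role": "customer_service", "location": "NY"}
CA_AGENT = {"role": "customer_service", "location": "CA"}

if __name__ == "__main__":
    engine = MaskingEngine()
    engine.add_rule(baseline_rule)
    print("before:", engine.view(NY_AGENT, CA_CUSTOMER))
    engine.add_rule(california_rule)
    print("after: ", engine.view(NY_AGENT, CA_CUSTOMER))
    print("CA rep:", engine.view(CA_AGENT, CA_CUSTOMER))
```

Because `fake_like` draws replacement characters at random rather than hashing the original, the masked view carries no value that could be brute-forced back to the real SSN.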

Data masking does not encrypt information. You can see all data records in their native form and no decryption key is necessary. But you will see only what you are allowed to see today and not a byte more. And tomorrow you may see even less, if the rules change overnight.

The best ciphers can be cracked (maybe in a million years using today’s technology), while masked data cannot be unmasked. The resulting data set does not contain any references to the original information. That makes it absolutely useless to attackers.

A well-designed system should use data encryption to protect legitimate users from wiretapping and impersonation, and use data masking to ensure granularity of data access. Even if an individual user account is compromised through a social engineering attack, the vast majority of the data records will not be exposed. The attacker will end up with realistic-looking garbage data instead.

Both technologies are relatively easy to implement, as long as you know what to do and how to do it right. And an investment in a secure environment will preserve company reputation and customer loyalty for years to come.