In today’s data-intensive environments, businesses and government agencies collect unprecedented amounts of data. It’s estimated that more than 50% of this data can be classified as confidential. This sensitive personal, financial, and health information is protected by several industry and governmental data privacy regulations, such as HIPAA, PCI DSS, GLBA, and European privacy laws. Failure to keep this data secure can impact your organization immensely. According to a research report from the Ponemon Institute, the average cost of a data breach was $194 per record, or $5.5 million per company in 2012. But the price of data breaches is not only monetary. The negative PR following a data breach and the loss of your customers’ trust can devastate your organization.
According to the report, 69% of organizations find it difficult to restrict user access to sensitive information in IT and business environments.
Most organizations only focus on keeping data secure for application users, data analysts, and business users. But what about production support? Administrators? DBAs? Outsourcing and offshore initiatives? How are you securing data for privileged users and super users? How are you protecting production data that is used in your data warehouse, test, training, or new production environments? Are you creating and maintaining separate privacy solutions for the different applications in your organizations?
To address these questions, organizations need to implement a complete data privacy solution with dynamic data masking and test data management. The challenge many businesses have is getting the right information to the right person while protecting data privacy. With dynamic data masking, individual users are able to see the data they need to do their jobs, in real time, without affecting performance.
Privileged users are responsible for 50% of all compromised data, according to the Ponemon Institute. To avoid becoming part of this statistic, implement test data management, which creates smaller copies of production environments and then permanently masks sensitive or confidential data such as Social Security numbers and credit card numbers to reduce the risk of a data breach.
I’m concerned that “Privileged users are responsible for 50% of all compromised data.”
I found great advice from Gartner in this area in a report that analyzed solutions for Data Protection and Data Access Governance. The title of the report is “Market Guide for Data-Centric Audit and Protection.” Gartner also defined the “Cloud Encryption Gateway”, which performs encryption, tokenization or both before the data is sent to the cloud.
Aberdeen Group reported in a very interesting study with the title “Tokenization Gets Traction” that tokenization users had 50% fewer security-related incidents than non-users and 47% of respondents are using tokenization for something other than cardholder data. Aberdeen also has seen a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data.
Ulf Mattsson, CTO Protegrity
You specifically mention dynamic data masking as part of a complete solution to protect sensitive data. While I agree that dynamic data masking has its uses, you mention outsourcing. If you are providing data to a third party (such as for outsourcing, where you no longer have control of that data), then dynamic data masking is effectively useless. What’s needed in such cases is static (AKA persistent) data masking, which means that you produce a copy of your data where the sensitive data is permanently overwritten with realistic but fictitious data. For example, replace names “John” with “Frank”. Similarly, replace all social security numbers, account numbers, etc. Even in development and test environments your users may need to have access to the sensitive field in order to verify that their tests are completing successfully, so again, static data masking in such cases would be required. If you would like to try a static data masking solution then you can download a free DataVeil license from http://www.dataveil.com. All features are enabled and the license will never expire.
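The static masking described in the post and in the comment above, as an added example that is not part of the original post or comments and is not any vendor's implementation: it produces a masked copy in which names and Social Security numbers are replaced with fictitious values that keep their format and stay consistent across tables. The keyed-HMAC substitution, the table and column names, the key and the sample rows are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a production extract.
CUSTOMERS = [
    {"id": 1, "first_name": "John", "ssn": "123-45-6789", "balance": 1200},
    {"id": 2, "first_name": "Maria", "ssn": "987-65-4321", "balance": 50},
]
ORDERS = [{"order_id": 10, "customer_ssn": "123-45-6789", "total": 40}]

FAKE_NAMES = ["Frank", "Alice", "Omar", "Priya", "Lena", "Victor"]
KEY = b"constructed-demo-key"  # assumption: real key stays with the data owner


def _digest(key, field, value):
    # Keyed per-field HMAC: the same input always yields the same mask,
    # and the mapping cannot be recomputed without the key.
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()


def mask_name(key, name):
    """Replace a name with a fictitious one chosen deterministically."""
    index = int.from_bytes(_digest(key, "name", name)[:4], "big")
    return FAKE_NAMES[index % len(FAKE_NAMES)]


def mask_ssn(key, ssn):
    """Replace every digit but keep the layout (dashes, length)."""
    count = sum(c.isdigit() for c in ssn)
    if count == 0:
        return ssn
    number = int.from_bytes(_digest(key, "ssn", ssn)[:8], "big") % 10**count
    digits = iter(f"{number:0{count}d}")
    return "".join(next(digits) if c.isdigit() else c for c in ssn)


def mask_rows(rows, key, rules):
    """Return a masked copy of rows; rules maps column name -> mask function."""
    return [
        {col: rules[col](key, val) if col in rules else val
         for col, val in row.items()}
        for row in rows
    ]


masked_customers = mask_rows(CUSTOMERS, KEY, {"first_name": mask_name, "ssn": mask_ssn})
masked_orders = mask_rows(ORDERS, KEY, {"customer_ssn": mask_ssn})
```

Only the masked copy leaves the production boundary; the key does not travel with it. Values stored in different formats (with and without dashes) should be normalized before masking, or the same person will mask to different results in different tables.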