Data obfuscation techniques: Best practices and design approaches

Expert Ajay Kumar revisits the topic of data obfuscation techniques and explores the architectures, approaches and best practices for protecting enterprise data.

Editor's note: Part one of this two-part series explained the concept of data obfuscation and why these techniques can be valuable to enterprise security programs. This article focuses on the specific approaches and practices for data obfuscation techniques enterprises can take to protect sensitive information and intellectual property.

Different approaches can be taken when designing a data obfuscation architecture to best meet the business requirements of an organization. The first approach is to obfuscate the data before it moves from its source into the target database. The advantage of this approach is that unobfuscated data is never present in the target database. In the second approach, the data obfuscation techniques are applied on-the-fly by the system that executes and controls the data. The advantage of this approach is that data obfuscation, which is also known as data masking, can be applied at any time, because the data remains present in the target database unobfuscated.

While there are many data obfuscation techniques available, substitution techniques consist of randomly replacing the content of a column of data with information that looks similar, but remains completely unrelated, to the real details. In another technique, the substitution data is derived from the column of the database table itself: data in a column is randomly moved between rows until there is no longer any reasonable correlation with the remaining information in the rows. Encrypting data with encryption keys and then providing the keys to the people who want to see the data is another good option. However, encryption has its own drawbacks should the private keys become exposed or compromised.
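The substitution and row-shuffling techniques above, combined with the first design approach (mask before loading the target), can be sketched as follows. This is an added example, not code from the article; the table layout, sample rows, name pool and function names are constructed for illustration, and requiring that no row keeps its own value is an assumption stricter than the text demands.

```python
import secrets
import sqlite3

# Constructed sample rows standing in for the source system (not real data).
SOURCE_ROWS = [
    (1, "Alice Moreau", 81000),
    (2, "Rahul Singh", 64000),
    (3, "Mei Tanaka", 97000),
    (4, "Omar Haddad", 72000),
]
# Constructed substitution pool: plausible names unrelated to the real ones.
FAKE_NAMES = ["Jordan Blake", "Casey Quinn", "Riley Stone", "Morgan Hale", "Avery Cole"]

_rng = secrets.SystemRandom()  # OS CSPRNG: no seed that could replay the mapping


def substitute(values, pool):
    """Substitution: replace every value with a distinct random pick from pool."""
    if len(pool) < len(values):
        raise ValueError("substitution pool is smaller than the column")
    return _rng.sample(pool, len(values))


def shuffle_between_rows(values, max_tries=1000):
    """Shuffling: move a column's own values between rows; no row keeps its value."""
    for _ in range(max_tries):
        shuffled = _rng.sample(values, len(values))
        if all(new != old for new, old in zip(shuffled, values)):
            return shuffled
    raise ValueError("column has too few distinct values to shuffle safely")


def build_masked_target(source_rows):
    """Mask in flight, then load: the target never receives the real values."""
    ids, names, salaries = zip(*source_rows)
    masked = list(zip(ids, substitute(names, FAKE_NAMES), shuffle_between_rows(salaries)))
    target = sqlite3.connect(":memory:")
    target.execute("CREATE TABLE employee (id INTEGER, name TEXT, salary INTEGER)")
    target.executemany("INSERT INTO employee VALUES (?, ?, ?)", masked)
    return target


if __name__ == "__main__":
    for row in build_masked_target(SOURCE_ROWS).execute("SELECT * FROM employee"):
        print(row)
```

Shuffling keeps the column's totals and distribution intact, which helps test realism, but a column with few distinct values or obvious outliers can still be matched back to a row, so it suits columns where the value alone does not identify anyone.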

Best practices for data obfuscation techniques

The success of any project depends on planning and following best practices. In order to achieve success in a data obfuscation project, the following steps can enable organizations to create a comprehensive planning and execution approach.

  • Discovering the data
    The first step in data obfuscation planning is to identify the data that must be obfuscated to appropriately protect it. This step generally takes 10% to 20% of the total project effort. Since this is not a one-size-fits-all approach, organizations will vary in their security requirements, the complexity of their data and the scope of the data discovery. The final deliverable of this phase is the identification of data exposure risk, data privacy issues and concerns, and the degree to which data obfuscation is going to mitigate the risks.
  • Architecture design approach
    Not all discovered data is necessarily sensitive or more valuable than other data, so classifying the data is a very important step in this phase. The data classification could be done based on compliance requirements such as PCI DSS or HIPAA, or as public, sensitive, private or confidential data. Functional requirements must also be considered: for example, making sure that the application will perform appropriately and consistently after data obfuscation is critical, so the required resources should be adequately accounted for and included in the design. In addition, risk profiling and modeling the organization's risk tolerance, meaning what constitutes an acceptable level of data obfuscation in the environment and which rows or columns to obfuscate, is another critical success factor before moving into the next step.
  • Build & configuration
    In this step, the key activities are building and setting up the right set of configurations based on the requirements defined in step two. This includes how the data obfuscation components will be integrated and how a change management process will be initiated. In addition, tasks such as creating data obfuscation rules, customizing and modifying the built-in functionality to meet the requirements, and creating the required database sets will need to be done.
  • Deployment
    This is the final phase of the project: moving the data obfuscation architecture and integrating it into the nonproduction environment. Key activities include creating test databases to test subsets of the database, completing user acceptance testing, and creating data obfuscation jobs, tasks, scripts and schedules.

Developing and implementing a data obfuscation architecture is a complex task that requires several steps. However, if done successfully, it can provide enormous security benefits to organizations that wish to provide additional protections for sensitive and confidential data.


This was last published in December 2016
