The impact of a data breach can be disastrous for an organization and can include loss of customer confidence and trust, financial penalties and other consequences. The average total cost of a data breach is $4 million, up by 29% since 2013 according to the "2016 Cost of Data Breach Study" published by the Ponemon Institute. The average cost per record breached is $158, whereas the average costs per record for the healthcare and retail industries are $355 and $129, respectively. Despite the high risk of the threat, enterprises continue to fall victim to data breaches globally, which raises significant concerns over protecting the data organizations own, process and store.
While external threats remain a high priority, the threat to sensitive data also comes from insiders. The threat of employees stealing customer information, personally identifiable information or credit card details is real because, in most cases, privileged users like system administrators or database administrators are given authorized access to the data. Often, the real data from the production environment is copied over to the nonproduction environment, which is less secure and not managed with the same security controls as the production environment, and as a result the data can be exposed or stolen.
Data obfuscation techniques offer different ways to keep data from falling into the wrong hands and to reduce the number of individuals who can access the sensitive information, while still meeting business requirements.
What is data obfuscation?
In the technology world, data obfuscation, which is also known as data masking, is the process of replacing existing sensitive information in test or development environments with information that looks like real production information, but is of no use to anyone who might wish to misuse it. In other words, the users of test or development environments do not need to see the actual production data as long as what they are looking at looks real and is consistent. Thus, data obfuscation techniques are used to protect the data by deidentifying sensitive information contained in nonproduction environments or masking identifiable information with realistic values, enabling enterprises to mitigate the data exposure risk.
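The following sketch is an added example, not code from the article or from any masking product. It shows one way to get values that "look real and are consistent": a keyed, deterministic mask that keeps field formats, produces Luhn-valid card numbers and maps the same input to the same output across tables. The key, name lists, field names and sample rows are all constructed for illustration.

```python
import hashlib
import hmac

# Assumption: a secret held only by whoever builds the nonproduction copy.
MASKING_KEY = b"constructed-example-key"
FIRST = ["Alex", "Dana", "Jordan", "Morgan", "Riley", "Sam", "Taylor", "Casey"]
LAST = ["Baker", "Chen", "Diaz", "Evans", "Ford", "Gupta", "Hale", "Ito"]

def _digest(field, value):
    # Keyed and deterministic: equal inputs mask to equal outputs, so joins survive.
    return hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()

def luhn_check_digit(body):
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number):
    digits = "".join(c for c in number if c.isdigit())
    return luhn_check_digit(digits[:-1]) == digits[-1]

def mask_name(name):
    d = _digest("name", name)
    return f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"

def mask_email(email):
    return f"user{_digest('email', email.lower()).hex()[:10]}@example.com"

def mask_card(pan):
    digits = "".join(c for c in pan if c.isdigit())
    stream = str(int.from_bytes(_digest("card", digits), "big")).zfill(len(digits))
    body = stream[-(len(digits) - 1):]
    fresh = iter(body + luhn_check_digit(body))
    # Keep separators and length so validation and UI code behave as in production.
    return "".join(next(fresh) if c.isdigit() else c for c in pan)

MASKERS = {"name": mask_name, "email": mask_email, "card": mask_card}

def mask_row(row):
    return {k: MASKERS[k](v) if k in MASKERS else v for k, v in row.items()}

# Constructed sample rows standing in for two production tables.
CUSTOMERS = [{"id": 1, "name": "Pat Quinn", "email": "pat.quinn@corp.test", "card": "4111-1111-1111-1111"}]
ORDERS = [{"order": 9001, "email": "Pat.Quinn@corp.test", "card": "4111 1111 1111 1111", "total": 42.50}]

if __name__ == "__main__":
    for row in CUSTOMERS + ORDERS:
        print(mask_row(row))
```

Because the mask is deterministic, anyone holding the key can test guesses against masked values, so the key should never be copied into the nonproduction environment along with the data.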
The need for data obfuscation techniques
Organizations often need to copy production data stored in production databases to nonproduction or test databases. This is done in order to realistically complete the application functionality test and cover real-time scenarios or test cases to minimize the production bugs or defects. As a result of this practice, a nonproduction environment can become an easy target for cybercriminals or malicious insiders looking for sensitive data that can be exposed or stolen. Because a nonproduction environment is not as tightly controlled or managed as the production environment, it could cost organizations millions of dollars to remediate the damage to reputation or brand value should a data breach incident occur.
Regulatory requirements are another key driver for data obfuscation. The Payment Card Industry Data Security Standard (PCI DSS), for example, encourages merchants to enhance payment card data security with the broad adoption of consistent data security measures that provide a baseline of technical and operational requirements. PCI DSS requires that merchants' production data and information "are not used for testing and development." Inappropriate data exposure, whether by an accidental or malicious incident, could have devastating consequences and could lead to excessive fines or legal action levied for the violation of the rules.
Data obfuscation use cases
A typical use case for data obfuscation techniques is a development environment database that is handled and managed by a third-party vendor or outsourcer. Here, data obfuscation becomes extremely important because it lets the third-party vendor perform its duties and functions as needed. By applying data obfuscation techniques, an enterprise can replace the sensitive information with similar values in the database and not have to worry about the third-party vendor exposing that information during development.
Another typical use case could be in the retail industry, where a retailer needs to share customer point-of-sale data with a market research company to apply advanced analytics algorithms and analyze the customers' buying patterns and trends. But instead of providing the real customer data to the research firm, the retailer provides a substitute that looks similar to the real customer data. This approach helps enterprises minimize the risk of data exposure or leakage through a business partner or other type of third-party organization.
Stay tuned for part two of this series on data obfuscation techniques.