Dynamic Data Masking Examples of Usage for Cloud and On-Prem
With the introduction of privacy regulations and sovereignty laws, organizations are required to continuously adapt the access they provision to employees (Business users, analysts, Data Scientists, developers, DBAs), 3rd party, offshore and outsource.
The basic requirement behind privacy regulations that is speficied in numerous articles such as “Right to be forgotten”, Consent, retention based deletion, “security by design”, “security by default” as well as sovereignty laws = ALL IMPOSE THAT ACCESS TO PII WILL BE DONE ON A NEED TO KNOW BASIS.
Dynamic Data Masking and de-Identification using FPE Encrytion are the way to enforce it across IT
Here are few examples how notable organizations are taking steps to address these requirements:
- AIA has deployed DDM to restrict access for many business applications
- Largest regional Bank has implemented DDM and FPE encryption for their Cloudera and Redshift for controlling access to PII while de-Identifying (using FPE Encryption) PII data at-rest.
- Vodafone has deployed DDM on their critical applications to restrict access to PII and customers who asked to be deleted.
What was the main success factor to all these examples?
- The fact that all implemented with ZERO CODE and with no changes to their underline operational and analytical data stores.
SecuPi has invested years in building a set of Policy Enforcement Points (PEPs) that enable our customers to implement DDM and FPE Encryption with ZERO CODE.
Why? If we need to use a DDM function in the database, we need to change the application source code to invoke the DDM function. Sounds trivial – but with IT overhead, priorities and resource constraints this is IMPOSSIBLE TO ACHIEVE – hence ZERO CODE CHANGES for both DDM and FPE Encryption is the only way to go forward.
Other important factors:
- Platform support: privacy and sovereignty laws are not restricted to Snowflake or Oracle. You need a platform that can support from your Mainframe to native-Cloud applications, from Teradata and Cloudera CDH to Snowflake and CDP.
- Broad set of capabilities – from Dynamic Data Masking, filtering customer data based on citizenship/location, FPE Encryption and real-time activity monitoring. Regulations change and you do not have the luxury to deploy new data security tool every year…
When to use Dynamic Data Masking and De-Identification using FPE Encryption?
DDM is used to protect data in use (without touching the underline data in the databases) where FPE Encryption is used to protect data at-rest (changing the underline data in the databases) – which your DBAs hate, as this will easily cause data corruption as data is flowing from one database to another…
Another way to look at this is that Dynamic Data Masking is used to protect access to data by business users, data analysts, scientists as well as developers, DBAs while FPE Encryption main use case is to protect data from unauthorized DIRECT access to the data sources by developers and DBAs.
Due to negative implications of encryption – including risk of data corruption, implementation complexity and performance degradation, the use of FPE Encryption should be minimized in scope, namely to focus primarily on PCI data sets as well as focus on cloud analytics IT environments (DaaS environments such as Snowflake, Redshift, Databricks and Azure Synapse).