How to protect sensitive data and limit risk of data exposure or leaks?

The impact of data breach can be a disastrous event to an organization and can include loss of customer confidence, trust, financial penalties etc. The average total cost of a data breach is $4 million up by 29 percent since 2013 according to the “2016 Cost of Data Breach study” report published by Ponemon Institute.

The average cost per record is $158 whereas the cost per record breached ranges from $355 to $129 for healthcare and retail industry respectively. Despite the high risk of the threat, enterprises continue to fall victim to data breaches globally and it raises a significant concern over protecting the data organizations own, process and store.

While the external threats remain highly potential, the threat to sensitive data is also from insiders. The threats example, employees stealing customer information, PII data or credit card details are real due to the fact that in most cases privileged users like a system administrator or database administrator are given authorized access to the data. Often the real data from the production environment is copied over to the non-production environment which is less secure and not managed with same security controls like the production resulting data can be exposed or stolen.

Data Obfuscation (DO) techniques offer different ways to ensure data remains protected from falling into wrong hands yet fewer individuals can access the sensitive information to meet the business requirement.

What is data obfuscation?

In the technology world, data obfuscation is the process of replacing existing sensitive information in test or development environments with the information that looks like real production information but is of no use to anyone wishing to misuse it. In other words, the users of the test or development environment do not need to see the actual production data as long as what they are looking at looks real and is consistent. Thus, data obfuscation is a technique used to protect the data by de-identifying sensitive information contained in non-production environments or mask identifiable information with realistic values and enables enterprises to mitigate the data exposure risk.

The need for data obfuscation

Organizations often need to copy production data stored in production databases to non-production or test database in order to realistically complete the application functionality test to cover real-time scenarios or test cases to minimize the production bugs or defects. As a results of this practice, non-production environment can become an easy target for cyber criminals or malicious insiders looking for sensitive data that can be exposed, lost or stolen.

With the non-production environment not being as tightly controlled or managed as the production environment, it could cause millions of dollars for organizations to remediate reputation damage or brand value should a data breach incident occurred. Changing regulatory requirements is another key driver for data obfuscation with regulations like Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS encourages and enhances cardholder data security to facilitate the broad adoption of consistent data security measures globally to provide a baseline of technical and operational requirements. Inappropriate data exposer, accidental or malicious, could have devastating consequences and could lead into excessive fines levied.

Data obfuscation use cases

A typical use case could be when a development environment database is handled and managed by a third-party vendor or outsourcer. Data obfuscation becomes extremely important to apply and enable the third-party vendor to be able to perform their duties and functions as needed by applying data obfuscation techniques to replace the sensitive information with similar values in the database.

Another typical use case could be in the retail industry, wherein retailers need to share customer point-of-sales data with market a researcher company to apply advanced analytics algorithms to analyze customers’ buying patterns. But instead of providing the real customer data, providing substitute data could be a better bet. This approach helps minimize the risk of data exposure or leakage.