Data Masking as Part of Your GDPR Compliant Security Posture
May 08, 2018

Nick Turner
Zenoss

With data breaches consistently being in the news over the last several years, it is no wonder why data privacy has become such a hot topic and why the European Union (EU) has put in place General Data Protection Regulation (GDPR) which will become enforceable on May 25, 2018, which is less than a month away!

GDPR applies to any company that collects or processes the personal data of EU data subjects, which could be EU residents or visitors. It regulates how to protect an individual's Personally Identifiable Information (PII), which includes all data that could potentially be used to identify an individual such as their name or e-mail address. And the fines for non-compliance are severe up to 20 million euros or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.

While authorities will be reliant on customers reporting non-compliance and there will be a bigger focus on more serious violations, it is important to identify areas of risk and to take appropriate action. GDPR stresses that software which handles PII follow principles of data protection by design and by default. An appropriated technical and organizational measure to achieve this is with "pseudonymization."

Pseudonymisation is an overarching term for obfuscation approaches like data masking which intends to secure confidential information that directly or indirectly reveal an individual’s identity.

Data masking is the ability to replace or obfuscate sensitive data with a non-sensitive equivalent. So, for example, rather than using credentials that reflect an individual’s name such as "nturner" using something like "xyz9876". Now this approach only works if in the same application that data masking can't indirectly reveal an individual's identity by associating with a captured IP address or e-mail.

Only data that is truly anonymous is exempted from data protection but data that has the potential to reveal identifies is classified as pseudonymized which is still considered personal data. GDPR does incentivize the use of leveraging pseudonymization as part of your security posture to satisfy the design of data protection. In the case of a data breach, if the data is unintelligible to any person who is not authorized to access it then certain notification requirements are no longer required. Additionally, data access requests and disclosure requirements are relaxed when pseudonymization is leveraged.

So how does all of this pertain to the use of software in your infrastructure or in the cloud? For applications where PII is not required as part of use of the platform, it is recommended to employ data masking for user credentials associated with access to the software; and in scenarios where email addresses are needed, that group distribution lists or associated masked email addresses are leveraged. This is so that in the event of a data breach, there is no direct PII available in that system and the information would be unintelligible as it would require access to additional systems to correlate back to an individual.

Of course, that is easier said than done, but again considering the severity of non-compliance the associated work of limiting exposure by employing data masking is a small price to pay that will benefit your organization in the long run.

Nick Turner is Director, IT Operations, at Zenoss

The Latest

November 15, 2018

Serverless infrastructure environments are set to become the dominant paradigm for enterprise technology deployments, according to a new report — Why the Fuss About Serverless? — released by Leading Edge Forum ...

November 14, 2018

What to automate? Which parts of the delivery process are good candidates? Which applications will benefit from automation? At first, those sound like silly questions. Automate all your repetitive processes. If you think that you'll do the same thing manually more than once, automate it. Why would you waste your creative potential and knowledge by doing things that are much better done by scripts? Yet, an average company does not adhere to that logic. Why is that? ...

November 13, 2018

I'd love to see more security automation deeply integrated into the development process. Everybody knows since the 1990s that security as an afterthought just doesn't work, yet we keep doing it. The reason, I think, is because it's very hard to automate security ...

November 09, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 5, the final installment, covers deployment and production ...

November 08, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 4 is all about security ...

November 07, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 3 covers the development environment and the infrastructure ...

November 06, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 2 covers the coding process ...

November 05, 2018

Everyone talks about automating the software development lifecycle (SDLC) but the first question should be: What should you automate? With this question in mind, DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 1 starts with by-far the most popular recommendation: Testing ...

October 31, 2018

Halloween is a time for all things spooky, but not when it comes to your mobile app experience. A poor experience can not only scare off your customers but keep them away for good ...

October 30, 2018

As organizations have embraced open source, they have become polyglot — using multiple programming languages and technology stacks to accomplish software and hardware related tasks. Enterprises are caught between the benefits provided by a polyglot environment and the complexities and challenges these environments bring. Ultimately, if the situation remains unchecked, polyglot will kill your enterprise ...

Share this