Data Masking as Part of Your GDPR Compliant Security Posture
May 08, 2018

Nick Turner
Zenoss

With data breaches consistently being in the news over the last several years, it is no wonder why data privacy has become such a hot topic and why the European Union (EU) has put in place General Data Protection Regulation (GDPR) which will become enforceable on May 25, 2018, which is less than a month away!

GDPR applies to any company that collects or processes the personal data of EU data subjects, which could be EU residents or visitors. It regulates how to protect an individual's Personally Identifiable Information (PII), which includes all data that could potentially be used to identify an individual such as their name or e-mail address. And the fines for non-compliance are severe up to 20 million euros or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.

While authorities will be reliant on customers reporting non-compliance and there will be a bigger focus on more serious violations, it is important to identify areas of risk and to take appropriate action. GDPR stresses that software which handles PII follow principles of data protection by design and by default. An appropriated technical and organizational measure to achieve this is with "pseudonymization."

Pseudonymisation is an overarching term for obfuscation approaches like data masking which intends to secure confidential information that directly or indirectly reveal an individual’s identity.

Data masking is the ability to replace or obfuscate sensitive data with a non-sensitive equivalent. So, for example, rather than using credentials that reflect an individual’s name such as "nturner" using something like "xyz9876". Now this approach only works if in the same application that data masking can't indirectly reveal an individual's identity by associating with a captured IP address or e-mail.

Only data that is truly anonymous is exempted from data protection but data that has the potential to reveal identifies is classified as pseudonymized which is still considered personal data. GDPR does incentivize the use of leveraging pseudonymization as part of your security posture to satisfy the design of data protection. In the case of a data breach, if the data is unintelligible to any person who is not authorized to access it then certain notification requirements are no longer required. Additionally, data access requests and disclosure requirements are relaxed when pseudonymization is leveraged.

So how does all of this pertain to the use of software in your infrastructure or in the cloud? For applications where PII is not required as part of use of the platform, it is recommended to employ data masking for user credentials associated with access to the software; and in scenarios where email addresses are needed, that group distribution lists or associated masked email addresses are leveraged. This is so that in the event of a data breach, there is no direct PII available in that system and the information would be unintelligible as it would require access to additional systems to correlate back to an individual.

Of course, that is easier said than done, but again considering the severity of non-compliance the associated work of limiting exposure by employing data masking is a small price to pay that will benefit your organization in the long run.

Nick Turner is Director, IT Operations, at Zenoss
Share this

Industry News

March 21, 2023

OpenText launched the latest version of ValueEdge -- an innovative modular, cloud-based DevOps and value stream management (VSM) platform.

March 21, 2023

Oracle announced the availability of Java 20, the latest version of the programming language and development platform.

March 21, 2023

Rafay Systems introduced Environment Manager, a solution that empowers enterprise platform teams to improve the developer experience by delivering self-service capabilities for provisioning full-stack environments.

March 20, 2023

To meet the growing demand for Oracle Container Engine for Kubernetes (OKE) with global organizations, Oracle Cloud Infrastructure (OCI) is introducing new capabilities that can boost the reliability and efficiency of large-scale Kubernetes environments while simplifying operations and reducing costs.

March 20, 2023

Perforce Software joined the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program and listed its free Enhanced Studio Pack (ESP) in AWS Marketplace.

March 20, 2023

Aembit, an identity platform that lets DevOps and Security teams discover, manage, enforce, and audit access between federated workloads, announced its official launch alongside $16.6M in seed financing from cybersecurity specialist investors Ballistic Ventures and Ten Eleven Ventures.

March 16, 2023

Hyland released Alfresco Content Services 7.0 – a cloud-native content services platform, optimized for content model flexibility and performance at scale.

March 16, 2023

CAST AI has announced the closing of a $20M investment round.

March 15, 2023

Check Point® Software Technologies introduced Infinity Global Services, an all-encompassing security solution that will empower organizations of all sizes to fortify their systems, from cloud to network to endpoint.

March 15, 2023

OpsCruise's Kubernetes and Cloud Service observability platform is certified to run on the Red Hat OpenShift Kubernetes platform.

March 14, 2023

DataOps.live released an update to the DataOps.live platform, delivering productivity for data teams.

March 14, 2023

CoreStack and Zensar announced a strategic global partnership. CoreStack will provide its AI-powered NextGen cloud governance and FinOps capabilities, complementing Zensar’s composable cloud operations offering.

March 14, 2023

Delinea introduced the Delinea Platform, a cloud-native foundation for Delinea's PAM solutions that empowers end-to-end visibility, dynamic privilege controls, and adaptive security.

March 13, 2023

Sysdig announced a new foundation that will serve as the long-term custodian of the Wireshark open source project.

March 13, 2023

Talend announced the latest update to Talend Data Fabric, its end-to-end platform for data discovery, transformation, governance, and sharing.