4 Reasons for Data Masking with Salesforce Data
What is Data Masking?
Your live production Salesforce org contains some of your organization’s most sensitive and confidential data. In the production environment, the data benefits from rigorous security and privacy protection, but once it is migrated into a test environment for use by developers, administrators, or QA, it is unlikely to receive the same level of attention. If steps are not taken to protect this data, your organization may find that it is not in compliance with industry regulations and is at increased risk of data loss during a security breach.
Data masking, also known as data anonymization or pseudonymization, solves this problem. Live data is anonymized to make it safe for use in non-production environments. Anonymization adds fictitious details to the data to mask sensitive information, such as credit card numbers and customer addresses. If a security breach occurs and the non-production data is compromised, data masking can minimize the risk of exposing sensitive and confidential information.
There are multiple techniques for masking live data. Information can be augmented with prefixes and suffixes, shuffled to rearrange the existing contents, replaced with random noise, or replaced with user-specified data. These techniques protect the production information without diminishing its usefulness.
AutoRABIT helps you secure vital information assets by masking sensitive live data for use outside of the production environment. There are four reasons why data masking is a best practice for Salesforce operations.
4 Reasons to Mask Data
1. Regulatory compliance
Almost all organizations are subject to some form of regulation involving data. Maintaining compliance frequently involves following specific rules for data security. For example, the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and General Data Protection Regulation (GDPR) include specific directives for managing credit card information, health records, and all forms of personally identifiable information (PII), respectively. Companies governed by these regulations face strict legal and financial penalties for non-compliance.
Data masking offers a safe way to maintain access to live data for testing, without compromising sensitive and confidential information. For example, when migrating data into a QA/UAT sandbox, organizations subject to PCI DSS, HIPAA, or GDPR regulations can obfuscate credit card details, health information, and all forms of PII to maintain security and privacy of the data.
2. Insider threats
Data breaches initiated from outside the organization get the lion’s share of attention, but a 2013 study by the Open Security Foundation found that close to 20% of incidents started inside the organization, and these were responsible for almost 70% of exposed data. While developers, administrators, and QA engineers have a legitimate need for test data, they do not need access to sensitive and confidential information from the live Salesforce environment. Masking live data ensures that those who need access to data can perform their job, without increasing the risk of compromising data during a breach.
3. External parties
Outside consultants and service providers play an essential role in many organizations, and it is not uncommon for staff to share data with third parties as part of their daily routine. These transactions have the potential to expose the organization’s most sensitive Salesforce data. Data masking is an effective way of mitigating this risk. Masking production data ensures that staff and outside vendors can share access to test data without compromising sensitive and confidential information from the production environment.
4. Data encryption is not data masking
Data encryption is not the same thing as data masking. This common misconception likely stems from the use of data encryption to secure confidential information as it is migrated between servers or transmitted across a network. Unlike data masking, data encryption can be reversed to reveal the original production data. This makes it an ineffective tool for securing confidential data used during the software development lifecycle.
How Can AutoRABIT Help with Data Masking?
AutoRABIT is an end-to-end release management toolbox for Salesforce. One of AutoRABIT’s most popular features is the advanced data loader, Data Loader Pro. Data Loader Pro can migrate data between sandboxes, without using CSV files, while maintaining relational hierarchies. Built-in data masking enables the data loader to protect sensitive data during migration. Users specify the object, fields, and masking style, and Data Loader Pro protects data during transit and storage.
Masking style options include:
1. Prefix: Adding characters at the beginning of a field’s data
2. Suffix: Adding characters at the end of a field’s data
3. Replace: Completely replacing data in a field with data entered by a user
4. Shuffle: Shuffling the data in one column while all other columns are untouched
5. Random: Generating random and unique values across a given data set
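The five masking styles listed above, sketched in Python as an added example (this is not AutoRABIT's or Data Loader Pro's code). The function names, record fields and sample rows are constructed for illustration, and `residual_exposure` is a hypothetical helper that counts rows where the original value is still readable after masking.

```python
import random
import secrets
import string

# Constructed sample rows standing in for Salesforce Contact records.
ROWS = [
    {"Id": "C-001", "Email": "tara.nguyen@example.com", "City": "Austin"},
    {"Id": "C-002", "Email": "omar.haddad@example.com", "City": "Denver"},
    {"Id": "C-003", "Email": "lena.fischer@example.com", "City": "Boston"},
]

def prefix(rows, field, text):
    """Prefix: add characters at the beginning of the field."""
    return [{**r, field: text + r[field]} for r in rows]

def suffix(rows, field, text):
    """Suffix: add characters at the end of the field."""
    return [{**r, field: r[field] + text} for r in rows]

def replace(rows, field, value):
    """Replace: overwrite the field with a user-supplied value."""
    return [{**r, field: value} for r in rows]

def shuffle(rows, field, rng=None):
    """Shuffle: permute one column; every other column is untouched."""
    values = [r[field] for r in rows]
    (rng or secrets.SystemRandom()).shuffle(values)
    return [{**r, field: v} for r, v in zip(rows, values)]

def randomize(rows, field, length=12):
    """Random: a fresh value per row, unique across the data set."""
    alphabet, used, out = string.ascii_lowercase + string.digits, set(), []
    for r in rows:
        token = "".join(secrets.choice(alphabet) for _ in range(length))
        while token in used:  # regenerate on the rare collision
            token = "".join(secrets.choice(alphabet) for _ in range(length))
        used.add(token)
        out.append({**r, field: token})
    return out

def residual_exposure(original, masked, field):
    """Rows whose original value is still readable in the masked field."""
    return sum(o[field] in m[field] for o, m in zip(original, masked))

if __name__ == "__main__":
    for name, result in [("prefix", prefix(ROWS, "Email", "TEST_")),
                         ("suffix", suffix(ROWS, "Email", ".invalid")),
                         ("replace", replace(ROWS, "Email", "masked@example.invalid")),
                         ("random", randomize(ROWS, "Email"))]:
        print(name, residual_exposure(ROWS, result, "Email"))
```

On this sample, prefix and suffix report every row as still exposed because the original value survives as a substring, while replace and random report none.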
Data masking is integral to any data security strategy. Masking data not only ensures compliance with data security and data privacy regulations but also reduces the risk of compromised data following a security breach.
Abhilash Murali is a Sr. DevOps Engineer at AutoRABIT. Follow him on Twitter at @abhimur.