Network Computing is part of the Informa Tech Division of Informa PLC


Data Masking Hides Data in Plain Sight

It happens almost every week, if not more frequently. A server, desktop, or more commonly a notebook is physically stolen -- not hacked, but stolen -- and we also find it contains sensitive, unencrypted data. Perhaps it is a database of clients, or sensitive customer financial or health information.

Just this month news broke that Moses Cone Health System in Greensboro, N.C., had to inform more than 14,000 patients that they may be open to identity theft. A laptop was stolen from a vendor that was working on the data for the health system. The data was password protected, but not encrypted.

While encrypting the data on notebooks would seem to be the ideal way to avoid such events, it is not always that straightforward. For instance, even if encryption software is available on the notebook, workers don't always remember to use it. It's also not always possible to confirm that the data actually was encrypted at the time of data loss or theft. Plus, data left unencrypted outside the highly secured areas of the corporate network is at increased risk of cyber attacks.

Robyn Ready -- project manager for data security at American Student Assistance (ASA), a nonprofit student loan guarantor based in Boston with $28.2 million in annual sales -- set out to find a way to protect the 1.5 terabytes of sensitive student financial information ASA stores, while also making sure developers and application testing teams are able to use "real" data to develop new applications and improve existing ones.

Rather than rely on data encryption, Ready and her team implemented DMSuite, a data-masking tool from Axis Technology LLC. Essentially, data masking is the process of taking real customer data and converting it to completely fabricated data that can't be tied to any real person, but is still fully usable for application testing purposes. This way, if data is stolen, it is useless for identity theft or corporate espionage.
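
To make the idea concrete, here is a minimal masking routine in Python. It is an added example, not DMSuite's method or code from ASA; the key, field names, name pools and sample rows are all constructed. It goes slightly beyond the description above by making the masking deterministic, so the same borrower masks to the same fake identity in every table and test joins still work.

```python
import hashlib
import hmac

# Assumption: the key lives only where masking runs, never in the test environment.
# SSNs are low-entropy, so anyone holding the key could brute-force the mapping.
MASKING_KEY = b"constructed-demo-key"

# Constructed substitute names; none is taken from a real record.
FIRST_NAMES = ["Alex", "Blake", "Casey", "Drew", "Emery", "Finley", "Harper", "Jordan"]
LAST_NAMES = ["Archer", "Brooks", "Carver", "Dalton", "Ellis", "Foster", "Grady", "Hayes"]


def _digest(field: str, value: str) -> bytes:
    """Keyed one-way digest, so the same input always masks to the same output."""
    return hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()


def mask_digits(field: str, value: str) -> str:
    """Swap every digit for a derived one; keep length and separators so validation still passes."""
    stream = _digest(field, value)
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(stream[i % len(stream)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_name(field: str, value: str, pool: list) -> str:
    """Pick a fabricated name from the pool, chosen by the keyed digest of the real one."""
    return pool[int.from_bytes(_digest(field, value)[:4], "big") % len(pool)]


def mask_record(rec: dict) -> dict:
    """Mask identifying fields; keep non-identifying values so tests see realistic data."""
    return {
        "first": mask_name("first", rec["first"], FIRST_NAMES),
        "last": mask_name("last", rec["last"], LAST_NAMES),
        "ssn": mask_digits("ssn", rec["ssn"]),
        "balance": rec["balance"],
    }


# Constructed sample rows: one borrower appearing in two tables.
LOANS = [{"first": "Maria", "last": "Gonzalez", "ssn": "123-45-6789", "balance": 18250.00}]
PAYMENTS = [{"first": "Maria", "last": "Gonzalez", "ssn": "123-45-6789", "balance": 310.75}]
```

Masking only helps if it runs before the data leaves the secured environment; a vendor laptop should receive the masked copy, never the source rows or the key.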
