Tips for DevOps and CISO - Why and When Data Masking Is Used | Infognito
News | 12.11.2021
#itsecurity #softprom #infognito
The process of developing and improving IT products has become "endless" and more and more often we engage external contractors for the development and improvement of IT products. At the same time, the risks of "leakage" of confidential user data are increasing, so today we will talk about the Infognito solution, which revolutionized the market for masking valuable information.
For developers, real data is important for making changes in code, testing new functionality, and daily work, but any CISO will insist that confidential data cannot be provided to anyone, even the most trusted developer. Because this can lead to information leakage and, as a result, serious consequences for the company. To maintain parity and make the conditions for the IT department as comfortable as possible, Softprom has included in our portfolio a solution from the Israeli company Infognito, which allows masking any amount of data on the fly.
The content of the article:
1. Data masking - why is it needed
2. Masking - not equal encryption
3. Infognito - how masking works
4. What algorithms are used to distort and mask data
5. Moving on to the most important - areas of application of masking
Data masking - why is it needed?
In the process of developing, testing, or updating software, public cloud services are often used, which do not have a high level of protection, and in 99% of cases do not meet the requirements of regulators setting standards in the field of personal data protection. In addition, third-party companies are often involved in testing and the transfer of real business information to such contractors is completely unacceptable.
There is a solution - masking personal data. The use of distorted data sets or part of the database can lead to the fact that when working with real data, the software will become inoperable for many reasons, for example, the number of records in the database is much more than tested, or the fields for "numbers" were filled with "letters" and so on Further. Discrepancies at the stage of implementation will require additional revision, and these are additional costs, both financial and time. Therefore, Infognito solves two tasks at once: it protects information and provides it promptly for internal and external teams.
Masking - not equal encryption!
At first glance, it would seem that masking and encryption are equivalent methods of protecting confidential data, and that encryption is a special case of masking. Often, people who are not familiar enough with the field of information security associate these concepts with each other. Meanwhile, masked data cannot be brought back to its original value, and any encrypted code can be decrypted with the appropriate keys or with good algorithms for brute force and more time.
Disguised data obtained at the output is a completely different matter - they do not contain the original data. For example, two results of the masking process will give different output results. Thanks to this approach, disguised data can be safely transferred to external and internal teams without fear of leaks and publicity. Masking is an effective method of protecting your data. And sometimes even a way to prevent leaks through insider channels (more on that another time).
How masking works using Infognito
If a company needs to send off-the-shelf copies of certain volumes of data to contractors for testing or analyzing the operation of certain applications, Infognito's solution for creating static masked datasets is perfect for this. Infognito can independently determine sensitive information in the provided databases, focusing on predefined templates and rules. Special fragments or entire databases for unauthorized users are formed upon request, and masked information is inserted into each upload, which does not correspond to real data, but repeats their format.
Dynamic masking with Infognito is used when test and development environments need to access real enterprise data. Typically, a dynamic masking system is installed as another virtual server and masks records on the fly, giving contractors access to already corrupted data. At the same time, the volume of the base and the typical characteristics of the data remain consistent with reality. Interestingly, dynamic masking also differentiates between access to the real database and its “fake” copy. That is, users who need to work with real data will have access to the actual database, while those who do not have access will see a fake database.
What algorithms are used to mask data
Now let's talk about the methods of the substitution of values itself. Infognito uses about 20 different algorithms, depending on what work is being done and what characteristics of the data need to be stored. For example, when it comes to personal data, the pseudonymization method is most often used to combine the last name, first name, and patronymic. That is, the system chooses a different surname, and also changes the name and patronymic, accompanying them with a new identifier in the system. Thus, it becomes impossible to attribute the data to the same person to whom it originally belonged.
Such records as account or credit card numbers are shuffled. Masking implies obtaining random sequences while maintaining the general characteristics of the data. Thus, you will also get 16 digits in the output, but a completely random sequence. They will allow you to test software that operates on payment data, but will not violate customers' rights and jeopardize their payment assets.
Finally, one of the most popular is the method of obfuscation or replacement with other data while maintaining functionality, but making it difficult to analyze and understand the information. Obfuscation has been successfully used for a long time to mask program code in order to exclude the possibility of its analysis and theft. Now the "confusing" data is being used for testing purposes as well. Examples of obfuscation include substitution, mixing, the variance of numeric values, editing / zeroing data.
Each field in the source database can be masked in different ways, depending on your testing and development needs. You can require the system to preserve the gender identity of the subjects of personal data or, for example, not distort their growth, limiting ourselves to pseudonymization of the name. It all depends on how this data will be used further. Infognito, as the most advanced masking system, also allows you to maintain the coherence of value fields with each other. For example, if you mask a customer card number, you can ensure that the number appears the same across multiple products under development to see if the systems in a given customer recognize the same person (in this case, a fictitious person).
Moving on to the most important - areas of application of masking
Competent implementation of the data masking system allows you to solve several problems at once. First, masked data can be safely transferred to development and testing specialists. Secondly, they are great for identifying statistical patterns and transferring information to external analytical systems. Thirdly, well-configured dynamic masking creates to intruders the illusion of access to real data, helping to catch intruders trying to steal and publish fake data.
Today, given the tightening of regulatory requirements, such as the GDPR, HIPAA, or Russian No. 152-FL, masking tools are one of the necessary components for building a comprehensive system for protecting confidential data. Therefore, Softprom added the Infognito solution to its distribution portfolio, which uses all types of masking when developing and testing software for any customers in order to preserve the confidentiality of important information. Modern solutions allow working with various databases, including Oracle, Microsoft SQL Server, SAP (Sybase) ASE, PostgreSQL, MySQL, and others, as well as cloud services such as Amazon AWS, SunGard, VMware Hybrid Cloud, and so on. This makes it possible to provide ubiquitous data protection and create a comprehensive security infrastructure when interacting with developers, analysts, and testers of any software.