Data Masking as Part of Your GDPR Compliant Security Posture
May 08, 2018

Nick Turner
Zenoss

With data breaches consistently being in the news over the last several years, it is no wonder why data privacy has become such a hot topic and why the European Union (EU) has put in place General Data Protection Regulation (GDPR) which will become enforceable on May 25, 2018, which is less than a month away!

GDPR applies to any company that collects or processes the personal data of EU data subjects, which could be EU residents or visitors. It regulates how to protect an individual's Personally Identifiable Information (PII), which includes all data that could potentially be used to identify an individual such as their name or e-mail address. And the fines for non-compliance are severe up to 20 million euros or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.

While authorities will be reliant on customers reporting non-compliance and there will be a bigger focus on more serious violations, it is important to identify areas of risk and to take appropriate action. GDPR stresses that software which handles PII follow principles of data protection by design and by default. An appropriated technical and organizational measure to achieve this is with "pseudonymization."

Pseudonymisation is an overarching term for obfuscation approaches like data masking which intends to secure confidential information that directly or indirectly reveal an individual’s identity.

Data masking is the ability to replace or obfuscate sensitive data with a non-sensitive equivalent. So, for example, rather than using credentials that reflect an individual’s name such as "nturner" using something like "xyz9876". Now this approach only works if in the same application that data masking can't indirectly reveal an individual's identity by associating with a captured IP address or e-mail.

Only data that is truly anonymous is exempted from data protection but data that has the potential to reveal identifies is classified as pseudonymized which is still considered personal data. GDPR does incentivize the use of leveraging pseudonymization as part of your security posture to satisfy the design of data protection. In the case of a data breach, if the data is unintelligible to any person who is not authorized to access it then certain notification requirements are no longer required. Additionally, data access requests and disclosure requirements are relaxed when pseudonymization is leveraged.

So how does all of this pertain to the use of software in your infrastructure or in the cloud? For applications where PII is not required as part of use of the platform, it is recommended to employ data masking for user credentials associated with access to the software; and in scenarios where email addresses are needed, that group distribution lists or associated masked email addresses are leveraged. This is so that in the event of a data breach, there is no direct PII available in that system and the information would be unintelligible as it would require access to additional systems to correlate back to an individual.

Of course, that is easier said than done, but again considering the severity of non-compliance the associated work of limiting exposure by employing data masking is a small price to pay that will benefit your organization in the long run.

Nick Turner is Director, IT Operations, at Zenoss
Share this

Industry News

December 19, 2024

Check Point® Software Technologies Ltd. has been recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms (ESP).

December 19, 2024

Progress announced its partnership with the American Institute of CPAs (AICPA), the world’s largest member association representing the CPA profession.

December 18, 2024

Kurrent announced $12 million in funding, its rebrand from Event Store and the official launch of Kurrent Enterprise Edition, now commercially available.

December 18, 2024

Blitzy announced the launch of the Blitzy Platform, a category-defining agentic platform that accelerates software development for enterprises by autonomously batch building up to 80% of software applications.

December 17, 2024

Sonata Software launched IntellQA, a Harmoni.AI powered testing automation and acceleration platform designed to transform software delivery for global enterprises.

December 17, 2024

Sonar signed a definitive agreement to acquire Tidelift, a provider of software supply chain security solutions that help organizations manage the risk of open source software.

December 17, 2024

Kindo formally launched its channel partner program.

December 16, 2024

Red Hat announced the latest release of Red Hat Enterprise Linux AI (RHEL AI), Red Hat’s foundation model platform for more seamlessly developing, testing and running generative artificial intelligence (gen AI) models for enterprise applications.

December 16, 2024

Fastly announced the general availability of Fastly AI Accelerator.

December 12, 2024

Amazon Web Services (AWS) announced the launch and general availability of Amazon Q Developer plugins for Datadog and Wiz in the AWS Management Console.

December 12, 2024

vFunction released new capabilities that solve a major microservices headache for development teams – keeping documentation current as systems evolve – and make it simpler to manage and remediate tech debt.

December 11, 2024

CyberArk announced the launch of FuzzyAI, an open-source framework that helps organizations identify and address AI model vulnerabilities, like guardrail bypassing and harmful output generation, in cloud-hosted and in-house AI models.

December 11, 2024

Grid Dynamics announced the launch of its developer portal.

December 10, 2024

LTIMindtree announced a strategic partnership with GitHub.