Masking Poll
The Great Divide: 90% of Experts value Data Masking. However, half haven’t implemented it yet. Learn to understand the market trend and the perspective of your peers.

In a recent survey, we asked cybersecurity professionals if they mask their data. The results were unsurprising. 90% of respondents said data masking is important. 40% already mask their data, and nearly 50% need to mask it but haven’t yet. Only 10% don’t consider data masking important.

For companies that need to mask their data, we wanted to understand their priorities and timelines. 70% of respondents said data masking is a priority this year, while 30% indicated it’s a priority but they currently lack the budget for it.

Risks

It’s clear that most professionals agree that masking is important, but why? Unprotected data is obviously a bad idea, but how can someone steal it? Does copying data outside of production pose such a high risk?

There are several ways to compromise data in non-production environments:

  1. Insider threat. Many people have access to this data: developers, testers, administrators, and more. Most have access to all the data, not just fragments. At least 20% of data breaches are due to insider threats, and this is not something we should ignore.
  2. Hackers. When hackers infiltrate an organization, they find it much easier to access insecure test and development systems. Password policies are not always followed, security protocols are often neglected, many systems have internet access, and users also browse websites from them. This is far from a secure environment.
  3. Physical intrusion. We don’t usually think about the presence of people in the company. However, it represents a significant risk. For hackers, accessing insecure test and development systems is much easier than breaking into a server room that requires an access card.
  4. Data outside the perimeter. There are also devices that leave the company premises or are accessed from within. The theft of a developer’s laptop containing a copy of confidential data can be catastrophic. A tester working from home with sensitive information can be equally problematic.

In short, leaving confidential data unprotected outside of a secure production environment is asking for trouble that borders on criminal negligence. Therefore, it’s no surprise that 90% of security professionals consider masking vital.

Alternatives to Masking

Failing to mask non-production systems leaves confidential data dangerously exposed, but what are the alternatives? Is there a way to avoid masking without excessive security risk?

Alternatives exist, but they aren’t appealing:

  1. Protect all non-production systems. Protecting every system is extremely expensive and highly impractical. However, some organizations, primarily government agencies, pursue this approach. These organizations require strict security and background checks for all personnel and classify their entire network as sensitive information.
  2. Do not copy data outside of production. Not copying sensitive data outside of production often hinders testing and development. However, it is a viable approach that some organizations have adopted. While more secure than masking, this approach carries high indirect costs. Testing and development costs are significantly higher, development cycles are longer, and software quality is lower.
  3. A hybrid approach. An intermediate alternative involves copying sensitive production data only to a small number of highly secure pre-production environments and protecting only these. This aims to mitigate testing quality issues and avoid prohibitive security costs.

In all cases, the final cost of not masking is significantly higher than the cost of masking. While these approaches may have other advantages, in most cases, masking is the preferred approach, adopted by 9 out of 10 security professionals.

Budgets and Priorities

Budgets are currently tight, according to various surveys by Blue Core Research and other organizations. However, investing in cybersecurity in general, and data masking in particular, is a high priority. Even with limited funds, companies are investing heavily in information security. Within information security, even when budgets are reduced, masking remains a high priority for 70% of respondents.

We have been conducting these surveys for several years, and the results are consistently similar. Although the number of companies masking data continues to increase, this increase is much smaller than the number of those that say they plan to do so within the year. As in previous years, we do not expect most people to mask their data by the end of the year.

But Why?

If data masking is important and companies keep saying they’ll do it, why isn’t everyone doing it already?

There are two reasons. The first is that when plans clash with reality, things don’t always go as expected. Even if we want to believe we can accomplish certain goals, sometimes reality forces us to do less than planned.

The second reason, however, is much more important. Statistics show that many masking projects fail. Even though companies budget and invest, the end result is that the data isn’t masked. Understanding the reasons for these failures and addressing them is key to ensuring that budgets and efforts are used wisely and that the masking project is a success.

Data Masking Challenges

So, what’s the problem with data masking? It seems like a simple task, so why do projects fail?

There are several reasons:

Requirements and objectives are a common obstacle. Many masking projects drag on for months, trying to define requirements and objectives, and ultimately fail. When no one knows what to do and everyone passes the buck, nothing gets done. The solution is for everyone to contribute their expertise and combine their knowledge. However, this requires experience and guidance on what questions to ask and how to manage this type of project.

Locating the data to be masked is another minor challenge. It’s not a major issue, but it does intimidate clients and hinder the project. Again, guidance and experience can help solve this problem.

Performance is probably the biggest issue. If masking takes too long to complete, it becomes unusable. This is a common problem that causes many masking projects to be shelved. The reasons can be performance limitations of the solution, implementation and optimization, or the most common and difficult performance challenge: triggers. Triggers are part of the database design, are essential for data integrity, and can cause masking to run indefinitely. It’s a complex problem to solve, but it’s possible with the right tools, some effort, and expertise.

Data quality is another important issue. Many masking projects generate masked data that leads to poor testing. If the masked data doesn’t accurately mimic the original data, it won’t replicate the problems present in the original data. This means that developing or testing with masked data is pointless. Consequently, QA and development teams demand access to the original data.
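To make the data quality point concrete, here is an added example (not code from the original article or from any product) of keyed, deterministic masking that keeps each value's format and keeps joins between tables intact. The key, the table and column names, and the sample rows are all constructed for illustration.

```python
import hashlib
import hmac
import string

# Constructed key for this example; a real project would fetch it from a secret store.
MASKING_KEY = b"constructed-example-key"

def _keystream(value: str, domain: str, length: int) -> bytes:
    """Derive `length` key-dependent bytes from the column domain and the value."""
    out, counter = b"", 0
    while len(out) < length:
        msg = f"{domain}\x00{counter}\x00{value}".encode()
        out += hmac.new(MASKING_KEY, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def mask_value(value: str, domain: str) -> str:
    """Digit -> digit, letter -> letter of the same case, separators unchanged."""
    masked = []
    for ch, b in zip(value, _keystream(value, domain, len(value))):
        if ch.isdigit():
            masked.append(string.digits[b % 10])
        elif ch.isupper():
            masked.append(string.ascii_uppercase[b % 26])
        elif ch.isalpha():
            masked.append(string.ascii_lowercase[b % 26])
        else:
            masked.append(ch)  # keep '-', '@', '.', spaces so parsers still work
    return "".join(masked)

def mask_table(rows, column_domains):
    """Return copies of `rows` with the listed columns masked in their domain."""
    return [
        {col: mask_value(val, column_domains[col]) if col in column_domains else val
         for col, val in row.items()}
        for row in rows
    ]

# Constructed sample data: two tables that join on a national ID number.
CUSTOMERS = [{"id_number": "123-45-6789", "name": "Alice Example"},
             {"id_number": "987-65-4321", "name": "Bob Sample"}]
ORDERS = [{"order": "A1", "customer_id_number": "123-45-6789"},
          {"order": "A2", "customer_id_number": "987-65-4321"},
          {"order": "A3", "customer_id_number": "123-45-6789"}]

def orders_per_customer(customers, orders):
    """Join the tables on the ID number and count orders per customer row."""
    return [sum(o["customer_id_number"] == c["id_number"] for o in orders)
            for c in customers]

MASKED_CUSTOMERS = mask_table(CUSTOMERS, {"id_number": "id", "name": "name"})
MASKED_ORDERS = mask_table(ORDERS, {"customer_id_number": "id"})
```

Columns that share a domain label mask to the same value, which is what keeps the join working. The mapping is not guaranteed collision-free, so columns with a uniqueness constraint need a duplicate check after masking.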

Final Thoughts

Everyone knows that data masking is important, and many companies are planning to implement it soon. However, success requires the right ingredients. This is true for any project, but it’s especially crucial for data masking.

Unlike many security projects, data masking has very specific deliverables. It’s not enough to simply say “It’s protected” even if the solution doesn’t actually do anything. You have to deliver data that will be used by other teams, and these teams must accept the provided data. To do this, you have to find millions of values and realistically replace them.

It’s not as difficult as it seems, but it’s essential to have the right technology and someone committed to your success, from project management to troubleshooting technical issues.

Contact us today and let us help you plan and execute your data masking project.
