Data Masking Best Practices - Policies are no longer optional

Introduction

Starting in 2002 with the California data privacy law CA 1386 up until recently with the Massachussetts data privacy law MGL 93H, companies are being required to protect customer data and have a data privacy policy in place.  The first step to address this is to establish or update your data privacy policy based on industry best practices.

Data Masking Maturity Model

A maturity model aids in objectively defining, understanding and assessing sensitive data security. Used as a guide to higher levels of quality, the maturity model can lead to far-reaching improvements in the efficiency and effectiveness of the data masking program thereby reducing costs.

• There is no sensitive data policy, limited knowledge about its whereabouts, and how to protect it

• The people, processes and tools used to mask and protect sensitive data are evolving. These are reactionary and produce unpredictable results.

• One-off initiatives have begun to inventory and mask data. Masking scripts have been written.

• The enterprise has formalized and disseminated a data masking policy and the organizations, processes, training, and tools needed for protecting sensitive data are based on the policy

• Processes are in place and tools for inventorying, masking, provisioning, monitoring, and auditing sensitive data are uniformly used across the enterprise and consistently produce high quality results.

• User provisioning automatically provides entitlements to sensitive data for those users with a need to know.
• Monitored databases provide automatic logging and alerts to the ISO of breeches to this policy.

Data Masking Process

A masking policy is based on the principle that sensitive data needs to be identified, monitored, masked, and audited. Experience has shown that a process perspective is extremely important to improve efficiency and will result in a consolidated masking policy integrated across your enterprise. The use of masking tools in conjunction with your data masking policy will help institutionalize it and ensure access appropriate to role is enforced.

Axis DMsuite™ enables standardization on a single toolset as an important step in process improvement:

• the suite can manage data on any platform
• the tools are designed to support your data masking policy process not force your policy to follow the tool

Entitlements, Encryption, Third Parties, Transmissions and Developer Access

A complete data masking policy needs to cover all the areas where data is shared. Consistent policies need to be designed and enforced in an efficient manner. A determination needs to be made about what data a person needs to do their job. The default approach should be that a person does not have access to data or systems without explicitly being granted access. Tools already exist to manage access to the resources mentioned here, however the data masking policy needs to clearly state how and when these tools should be used.

• The data masking policy must be clear, unambiguous and address both external and internal risks
• A process to identify and mask sensitive data data needs to be defined
• The data masking process needs to be supported by the use of efficient tools like Axis DMsuite™
• Unguarded entry points between lines of business need to be secured
• Encryption is not enough!
• Users should only have access to the data they need to do their jobs
• A process to handle exceptions should be defined

Conclusion

• A process approach to data masking leads to improved efficiency through consolidation and integration
• Axis DMsuite™ provides the tools needed in growing and maturing the PHI, PII data security program