This entry is part 6 of 6 in the series PKI

Tokens are pointers to data: a token substitutes for the sensitive value (it does not transform it, as encryption does), and the real value lives only in the token vault.

Tokenization Pros

Use Cases – PCI data (credit card information, etc.)

  • Tokenization reduces the in-house responsibility of managing sensitive data.
  • Tokenization software allows you to store data in a third-party database.
  • As a result, your organization isn’t required to maintain the staff and resources needed to manage sensitive data.
  • Though tokenization doesn’t eliminate PCI-DSS and other compliance requirements, storing tokens instead of the sensitive data itself can reduce your team’s effort to remain compliant, since systems that hold only tokens hold nothing worth stealing.

Tokenization Cons – Not all payment processors support tokenization

You may find that your preferred payment processor does not support tokenization.

Tokenization is still supported by only a limited number of payment processors, so you may have to go with a payment processing tool that is not your first choice.

Data Masking

Use Case – PCI and other highly sensitive data

Masking is beneficial for data that is continually used (e.g. for analytical queries or as test data).

When data is continually used for business purposes such as testing and development, encryption or tokenization becomes a lengthier process.

Every use requires the user to decrypt the ciphertext with a key, or to look the token up in the vault to retrieve the real value, and each of those round trips is another opportunity to disclose the sensitive information.

Masking addresses this issue: the masked data retains the characteristics of the original data (format, length, realistic-looking values), so it resembles the original data but is still fictitious and can be handed to testing and analytics without a key or a vault lookup.

  • Broadly speaking, there are two types of masking methods.
  • Permanent scrambling of data that cannot be recovered once masked is called Static Data Masking (SDM).
  • Masking can also be used to control access to sensitive data based on who the user is. This method, known as Dynamic Data Masking (DDM), leaves the stored value untouched and shows the original data only to authorized users, while unauthorized users are shown the masked value.
  • Masking is used to secure non-production and production environments: it allows for testing or quality assurance requirements and user-based access without the risk of sensitive data disclosure.
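The three techniques above (a token vault, static masking and dynamic masking) side by side, as an added example that is not part of the original post. The sample card number is a constructed Luhn-valid test value, the vault is an in-memory stand-in for a real tokenization service, and the role names are assumptions.

```python
import secrets
import string

# Constructed sample input: a well-known Luhn-valid test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_check_digit(partial):
    """Compute the Luhn check digit for the digits that precede it."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def luhn_valid(pan):
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


class TokenVault:
    """Tokenization: the vault keeps the real value; callers hold only a pointer (the token)."""

    def __init__(self):
        self._by_token, self._by_value = {}, {}

    def tokenize(self, pan):
        if pan in self._by_value:          # the same PAN always maps to the same token
            return self._by_value[pan]
        while True:                        # random and format-preserving, never derived from the PAN
            token = "".join(secrets.choice(string.digits) for _ in range(len(pan)))
            if token not in self._by_token and token != pan:
                break
        self._by_token[token], self._by_value[pan] = pan, token
        return token

    def detokenize(self, token):
        return self._by_token[token]       # only the vault can turn the pointer back into data


def static_mask(pan):
    """Static Data Masking: irreversible scramble that keeps the BIN, length and Luhn
    validity, so test systems still accept the fictitious value."""
    while True:
        body = pan[:6] + "".join(secrets.choice(string.digits) for _ in range(len(pan) - 7))
        masked = body + luhn_check_digit(body)
        if masked != pan:                  # never hand back the real number by chance
            return masked


def dynamic_mask(pan, role, authorized=frozenset({"fraud_analyst"})):
    """Dynamic Data Masking: stored value untouched; authorized roles see it, others see last 4."""
    return pan if role in authorized else "*" * (len(pan) - 4) + pan[-4:]
```

Note that `static_mask` keeps the real BIN, so a masked value can still collide with a live account; production-grade masking tools reserve a test BIN range for exactly this reason.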

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.
