Gartner Data Masking MQ: Masking is a Must
Gartner released their Data Masking MQ in December 2015. Informatica is positioned as a Leader for the fourth consecutive year; Informatica advanced upward on the axis for “ability to execute” and is again farthest to the right on the axis for “completeness of vision” in the 2015 report. This is a proud achievement for Informatica, but the report highlights that data masking is not an option; it is a requirement for any organization that seeks to achieve complete and effective data security.
While traditional security controls have mind share and visibility in security communities, data masking is often seen as optional, as evidenced by its absence from traditional training programs and from sessions at security conferences. This is slowly changing, though, as organizations such as Gartner focus on the growing importance of masking and more and more organizations adopt data masking to handle use cases that traditional security controls do not cover, or for which they provide only partial protection.
What are the use cases that are driving data masking? First, data masking allows organizations to neutralize sensitive data, permanently. Second, data masking allows organizations to neutralize sensitive data viewed by application users, on demand, by role, location and time.
The need to neutralize sensitive data has several sub use cases. First, data masking emerged as the method to provide testers with ‘real’ data from operational databases so that application testing could produce reliable results. The sensitive elements of the database were masked: a national ID or medical diagnostic code would have the correct format, but would be randomized so that the data did not allow the identity, health or financial information of individuals or groups to be exposed. The same methodology is used for other use cases where neutralizing sensitive data is required: when information is shared with outsourcers or partners, or when information is shared in analytical and reporting repositories.
The ability to neutralize sensitive data on demand allows organizations to tightly control the data viewed by application users. Users have various roles, and depending on the role, all, some or none of the sensitive data may be viewed, consistent with the usage and privacy policies of the organization. So support staff in New York City may be able to view some sensitive data of US citizens, but none of the sensitive data of customers in Germany. In contrast, support staff in Germany would be able to view the sensitive information of their German customers, but none of the sensitive information from the USA. In addition, their access can be tied to their location and time of day. This granular control allows organizations to institute “need to know” or “least privilege” policies for regulatory compliance and audits.
What may be encountered when discussing data masking and its power to secure and control sensitive data is the errant perception of “but I already have encryption and I don’t need masking.” Here is another example of how many security professionals do not understand the context of data masking: while encryption is an excellent control for stored data or data being sent from point A to point B, it does not cover the context of ‘data in use.’ Data in use is data being consumed by humans, or applications, who cannot process encrypted data. When data is used, it is decrypted; this is when data masking is relevant and is essential to ensure that sensitive data is not accidentally or purposely compromised. I believe in the next few years, virtually all organizations will use data masking software to have dependable neutralization of sensitive data for ALL use cases.
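The on-demand masking by role, location and time described above can be sketched as a default-deny policy lookup applied when a record is rendered. This is an added illustration, not Informatica's product or code from the original post; the policy table, the business-hours window, the `national_id` field name and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Viewer:
    role: str
    region: str        # where the user is working from
    local_time: time   # viewer's local time of day

# Constructed policy: (role, viewer region, customer region) -> level.
# Anything not listed falls through to "none" (default deny).
POLICY = {
    ("support", "US", "US"): "partial",   # some US data for US staff
    ("support", "DE", "DE"): "full",      # German staff, German customers
}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed access window
SENSITIVE_FIELDS = {"national_id"}          # assumed field name

def visibility(viewer, customer_region):
    start, end = BUSINESS_HOURS
    if not (start <= viewer.local_time <= end):
        return "none"
    return POLICY.get((viewer.role, viewer.region, customer_region), "none")

def mask_value(value, level, keep_last=4):
    """Replace letters/digits with 'X', keeping separators so the format survives."""
    if level == "full":
        return value
    total = sum(c.isalnum() for c in value)
    # Never reveal more than half of a short value.
    keep = min(keep_last, total // 2) if level == "partial" else 0
    seen, out = 0, []
    for c in value:
        if c.isalnum():
            seen += 1
            out.append(c if seen > total - keep else "X")
        else:
            out.append(c)
    return "".join(out)

def view_record(record, viewer):
    """Return the copy of a record that this viewer is allowed to see."""
    level = visibility(viewer, record["region"])
    return {k: mask_value(v, level) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

# Constructed sample data.
US_CUSTOMER = {"name": "A. Sample", "region": "US", "national_id": "123-45-6789"}
DE_CUSTOMER = {"name": "B. Beispiel", "region": "DE", "national_id": "DE-4410-2298"}
NYC_SUPPORT = Viewer("support", "US", time(10, 30))
BERLIN_SUPPORT = Viewer("support", "DE", time(10, 30))
```

The stored value is never altered here; only the rendered copy is masked, which is what separates this on-demand use case from the permanent masking used for test data.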