Build-Your-Own Data Masking. Yes or No?
Category: Imperva
A lot of organizations are taking great strides to protect their sensitive data with a multi-layered strategy—one that includes data masking. We’ve even seen many tackling this critical data security component in DIY fashion, often tasking one resource with developing and implementing scripts to ensure the box gets “checked” on this key data protection layer.
You might be thinking, if it’s that simple, then why invest in a purpose-built data masking solution? In fact, a lot of customers have tried their hand at DIY data masking, usually for a one-off project…which invariably explodes into a full-time job (or jobs). That’s where we begin to see the crux of the build versus buy issue. What starts out seemingly simple can quickly become complex.
The DIY Approach
When evaluating the DIY approach, certain risks, challenges and opportunities must be factored into the build-your-own data masking cost/benefit analysis, including:
- The typical nature of DIY data masking — i.e., largely simplistic and insecure masking techniques.
- The lack of data consistency, and the growing size and complexity of data being maintained relative to the DIY capabilities for masking.
- The fact that DIY data masking is typically poorly documented and difficult to maintain in the face of growing data sets, evolving requirements and changing personnel.
- The need to manually discover sensitive data, which limits the effectiveness of DIY scripts from the outset.
- The opportunity costs associated with tying up resources on a critical, but non-core business function like data masking when less expensive, more effective technology options are available.
The Case for Purpose-Built Data Masking Software
The case for commercial-off-the-shelf (COTS) software is straightforward. As with any purpose-built software, COTS data masking offers numerous advantages over the homegrown approach, including an expert, repeatable, consistent data masking application with high-quality data transformation algorithms that are non-reversible and secure.
Consistent Masking. Everywhere.
A few homegrown scripts may offer similar levels of security, but most use simplistic masking techniques that are much less secure. Homegrown scripts sometimes provide the ability to maintain referential integrity within the target database, but very few allow consistent masking across different databases, and over time, so that the same data is masked consistently everywhere. This is industry-standard functionality that comes out of the box in commercial offerings.
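The cross-database consistency described above, as an added example that is not from the original article or from any vendor's product: a random-token script breaks the link between two separately masked databases, while a keyed HMAC keeps it. The key, table names and sample rows are constructed for the demonstration, and HMAC-SHA-256 is an assumed technique chosen here, not the method of any specific product.

```python
import hashlib
import hmac
import random
import sqlite3

# Constructed demo key (assumption); a real key lives in a secrets manager
# and is never copied into the masked, non-production environment.
MASKING_KEY = b"constructed-demo-key"

# Constructed sample data: the same customers appear in two separate systems.
CRM_ROWS = [("alice@example.com", "gold"), ("bob@example.com", "silver")]
ORDER_ROWS = [("alice@example.com", "order 1001"),
              ("Bob@Example.com ", "order 1002"),   # same person, messy formatting
              ("alice@example.com", "order 1003")]

def mask_random(value: str) -> str:
    """Simplistic DIY masking: a fresh random token on every call."""
    return "CUST-" + "".join(random.choices("0123456789abcdef", k=12))

def mask_keyed(value: str, key: bytes = MASKING_KEY) -> str:
    """Deterministic keyed masking: same input and key always give the same token."""
    norm = value.strip().lower().encode("utf-8")  # normalise before hashing
    return "CUST-" + hmac.new(key, norm, hashlib.sha256).hexdigest()[:12]

def build_masked_db(table: str, rows, masker) -> sqlite3.Connection:
    """Load rows into an independent in-memory database, masking the customer column."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {table} (customer TEXT, detail TEXT)")
    db.executemany(f"INSERT INTO {table} VALUES (?, ?)",
                   [(masker(c), d) for c, d in rows])
    return db

def matched_rows(masker) -> int:
    """Mask both databases separately, then count orders that still match a CRM customer."""
    crm = build_masked_db("crm", CRM_ROWS, masker)
    billing = build_masked_db("orders", ORDER_ROWS, masker)
    crm_tokens = {row[0] for row in crm.execute("SELECT customer FROM crm")}
    return sum(1 for (tok,) in billing.execute("SELECT customer FROM orders")
               if tok in crm_tokens)

if __name__ == "__main__":
    print("random masking, orders still linked:", matched_rows(mask_random))
    print("keyed masking,  orders still linked:", matched_rows(mask_keyed))
```

Because the token depends only on the normalised value and the key, re-running the masking job next month or against a third database yields the same tokens, provided the key is unchanged.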
Easy Configuration and Maintenance
Data masking should be easy to configure and maintain, with good documentation and support. Homegrown scripts, on the other hand, are usually poorly documented and difficult to maintain. Typically there is only one person within the organization who understands how the masking works, so scripts aren’t often maintained and new sensitive data doesn’t get masked. The effort involved in writing new scripts suggests that many databases would not be masked because it’s too difficult to set up masking for them. COTS data masking makes it easy to configure and to see what data you’re masking, as well as how you’re masking it.
Best practice is built into commercial data masking software, including the implementation of automated sensitive data discovery as a lead-in to masking, and a consistent interface across all supported database platforms. The masking engine is optimized for performance and every data masking run benefits from those optimizations. Homegrown scripts must be optimized manually, with every column or table optimized individually. And more often than not, this does not occur on a timely basis as the one person who knows how it works could be off on another project, sick, or on vacation. COTS applications don’t take a week off to hit the beach in Mexico!
DIY Can Cost
In summary, DIY scripts may be better than doing nothing, but as outlined above, your team resources could be put to greater use. You can better protect your critical data and potentially save valuable budget using purpose-built data masking software.
Author: Steve Pomroy