Data Obfuscation: Importance, Techniques and Best Practices

March 3, 2022

header image for Data Obfuscation: Importance, Techniques and Best Practices

Data obfuscation makes data ambiguous, rendering it complicated for cybercriminals to interpret and understand. The reason it’s gaining traction as an enhanced business security policy is the heightened emphasis on data security.

Reports of security breaches are becoming more prominent, and that’s where data hiding techniques like obfuscation can help.

Data obfuscation can help safeguard an organization’s confidential information by hiding sensitive information so that even when there’s a security breach, the information will be worthless.

This article will discuss data obfuscation and its importance, techniques, use cases, and best practices.

What is data obfuscation?

Data obfuscation is the technique of replacing personally identifiable information (PII) with data that looks to be authentic to keep confidential info safe.

According to the Institute of Electrical and Electronics Engineers:

“Data obfuscation thus lets users disseminate sensitive data in a degraded form that, for many applications, permits sufficient calculation accuracy, but hides the data’s most sensitive aspect.”

Data tampering during software testing or production is a significant issue with existing security strategies. Using data obfuscation, you can set up entirely accurate databases with no confidential information.

Let’s look at an example.

Anyone with credit card information — card number and security pin — can access your account details and look into transaction histories. That’s what Cardplanet — a marketplace for stolen credit card numbers — sold. As a result, hackers compromised over 150,000 payment cards and racked up $20 million in US credit cards purchases.

How could data obfuscation help in such a situation?

Obfuscation hides sensitive credit card details. Instead, you can use fictitious credit card information from a set of non-credit cards and use it to substitute actual credit card information.

Now you might wonder, how is that different from data masking?

While some use data obfuscation and data masking interchangeably, there’s a difference — data masking is an irreversible method of obfuscating data. It is safer and less expensive than encryption — also a data obfuscation technique.

We’ll explore the techniques in another section of this article. But first, let’s check out why obfuscating data is essential.

What is the importance of data obfuscation?

Many organizations use data obfuscation to protect personal data from exposure. Beyond data security, there are other advantages, such as:

  1. Compliance
  2. Safer data exchange
  3. The flexibility of obfuscating data

1. Compliance

Data protection laws ask organizations to secure sensitive data using encryption and other data obfuscation techniques. The General Data Protection Regulation (GDPR), for example, explicitly specifies using encryption for sensitive data about EU citizens.

So, you can safeguard private information by obfuscating it, lowering the risk of sanctions, and reducing the impact of data.

2. Safer data exchange

When data is manually exported and imported from one system to another, the components of the file can be vulnerable to exposure and other security threats. However, if the data is obfuscated, you can hide essential data by making it hard to read when it’s compromised.

This makes exchanging data across teams easier, safer, and more reliable, regardless of their geographies.

3. Flexibility

Data obfuscation has the added advantage of being fully configurable. So, you can choose which data fields to hide and how to select and format each replacement value.

For example, social security numbers in the United States are formatted as XXX-XX-XXXX, where X is an integer between 0 and 9.

Here’s how you can use obfuscation to protect social security numbers:

  1. Replace some digits with X
  2. Use random numbers to replace all nine digits

Now, let’s look at the various ways to obfuscate data.

What are the various data obfuscation techniques?

The most common data obfuscation techniques are:

  1. Data encryption
  2. Data tokenization
  3. Data masking
  4. Data randomization
  5. Data swapping
  6. Data anonymization
  7. Data scrambling

Let’s explore each of these techniques.

1. Data encryption

Data encryption converts plaintext data into an inaccessible, encoded representation known as ciphertext.

Decoding the ciphertext requires a specific decryption key. As a result, anyone without the key would see just a bunch of garbled characters that don’t make any sense. The more complicated the data encryption technique, the less vulnerable the data is to unwanted access.

Encryption is highly secure. However, it prevents you from working with or using the information while it is encoded.

2. Data tokenization

Datatokenization converts plaintext into a token value that hides confidential information.

The token is a random data string with no inherent value or significance. It's a one-of-a-kind identifier that saves all relevant data without affecting the data's integrity.

The actual data is linked to a token, but there is no way to interpret the token and expose the essential information. The actual data does not make it into your IT system. So, if there’s a breach, the attacker can gain access to your tokens, but as there’s no way to interpret it, your data is safe.

On the surface, tokenization sounds a lot like data encryption. Let’s look at the differences before exploring other ways of obfuscating data.

Data encryption vs. data tokenization: What’s the difference?

Besides your organization's data security standards, both obfuscation techniques help meet legal obligations under PCI DSS, HIPAA-HITECH, GLBA, ITAR, and the EU GDPR.

However, the difference lies in the way they obfuscate data. While encryption uses a unique key and algorithm to keep data obfuscated, tokenization creates a random mapping of the original data. Here’s an illustration to explain this difference.

Here’s a table highlighting the differences between data encryption and data tokenization.

Data EncryptionData Tokenization
Uses an encryption method and key to convert plain text to encrypted text mathematically.Creates a token value for plain text at random and saves the mapping in a database.
The scalability of encryption is good as it uses an encryption algorithm.This can lead to chaos as the percentage of authorized tokens grows.
Encryption secures data with algorithms, which takes less time.Because each data piece is replaced with an arbitrary character, tokenization takes longer.

3. Data masking

Datamasking replaces original data with realistic but bogus data to preserve confidentiality.

So, all data consumers with your organization, such as developers, marketers, and data scientists, can use the masked or disguised data for testing purposes without compromising the original data.

Data masking is also called by a variety of names — data scrambling, data blinding, or data shuffling. Whatever you call it, the underlying principle is the same — fake data takes the place of actual data.

The caveat — data masking is irreversible. So, once your data is masked, you cannot recover its original values, and there’s no algorithm for recovering masked data's fundamental values.

Just like with tokenization, it’s easy to confuse masking with encryption.

Data masking vs. data encryption

Let’s look at how data encryption and data masking are different.

Data EncryptionData Masking
Data encryption uses a key and an algorithm to obfuscate data temporarily. Those with the decryption key can interpret the encrypted information.Data masking replaces sensitive data with bogus data permanently.
Data encryption does not keep the appearance of the data the same while changing the data.Data masking keeps the appearance of the data the same while changing the information.
Data encryption is commonly used to protect data transmitted across computer systems.Those who need to test confidential data or use it for research frequently use data masking.

4. Data randomization

Data randomization shuffles the data values before sharing. This can be accomplished by anagramming data or randomly juggling columns so that each row holds inconsistent data values.

Data randomization primarily works on a subset of data blocks, columns, and entries to keep the database's evaluation metrics. Experts in data mining employ the randomization approach to create an effective aggregated database schema without using the accurate data from the dataset.

5. Data swapping

Dataswapping refers to shuffling or permutation that rearranges the data by switching the actual values. The origin row and the row containing the appraised value will never be the same, even if the origin and substitute values are the same.

So, you can prevent corrupting the data asset, as you cannot add values that weren’t in the original data.

Data swapping is similar to data randomization. However, randomization uses the same individual data column to shuffle in a randomized fashion.

6. Data anonymization

Data anonymization obscures data by eliminating anything that connects a data set to its owner. It's a method of modifying data by encoding (or encrypting) key identifiers to make identification more complex and data flow across systems safer.

Data anonymization vs. data encryption: What’s the difference?

Data anonymization is different from data encryption because the obscured data cannot be decrypted to its original form. Whereas in encryption, you can decrypt data using a key.

For example, when intending to transmit a user's daily deposits, a bank may use data anonymization to conceal the user's identity, location, and other biometric information. As a result, an attacker cannot link them to a specific person if they are exposed to the data collection.

7. Data scrambling

According to Oracle, data scrambling is a method of erasing critical information.

“The original data cannot be deduced from the scrambled data because this process is irreversible.”

Data scrambling is commonly used for cloning a database.

For example, when you’re building software or testing an app, you have to do volume testing or integration testing, for which you must clone a database. Scrambling these databases before cloning helps safeguard essential information on customers or payroll.

What are the properties of all data obfuscation techniques?

Regardless of the technique you choose, all data obfuscation techniques incorporate three properties:

  1. Reversibility: This refers to the difficulty in reverse-engineering obfuscated data. If you use an irreversible technique like scrambling, you must maintain the original data separately.
  2. Specification: This defines the obfuscation parameter.
  3. Shift: This defines the obfuscation mechanism.

Specification and shift depending on the technique you choose. For example, in data anonymization, specification and shift refer to the size of the interval. Meanwhile, in data swapping, they indicate the distance between the nearest neighbors for swap selection.

Next, let’s see how to get started with data obfuscation.

What is the best way to deploy data obfuscation effectively?

Before you adopt an obfuscation technique, you should start by:

  • Recognizing confidential or sensitive data
  • Evaluating the effects of various obfuscation approaches on your systems
  • Identifying use cases to establish quick wins
  • Assessing technologies to help simplify and even automate obfuscation

Before we conclude, let’s look at some data obfuscation best practices.

Data obfuscation best practices

1. Understand the regulations

Regulations like the GDPR mention how you should protect your data.

Since these regulations get updated regularly and differ across geographies, the first step should be trying to understand their requirements on data privacy and security. Then, pick a technique that follows these regulations.

2. Find a technique that can be scaled

Pick a technique that provides the same results when obfuscating the same original data. A technique isn't trustworthy if every obfuscation gives you a different result.

3. Prefer using irreversible data obfuscation techniques

Hiding information is pointless if the persons who seize it can reverse-engineer the process and decrypt it using a key or a tool. So, it’s best to adopt irreversible methods of data obfuscation like data masking or data anonymization.

4. Keep up with the new options

Even if you’ve deployed various data obfuscation strategies for each of your use cases effectively, it’s a good idea to stay in the loop regarding new developments in data obfuscation.

For instance, data masking tools couldn't process real-time data in the past. However, recent developments make dynamic data masking in real-time possible.

Another example is that of Google. It now offers differential privacy, where developers set up AI-powered systems to keep data safe. Here’s an insight from The Verge on differential privacy:

The mechanics of differential privacy are somewhat complex, but it is essentially a mathematical approach that means AI models trained on user data can’t encode personally identifiable information. It’s a common way to safeguard the personal information needed to create AI models: Apple introduced it for its AI services with iOS 10, and Google uses it for a number of its own AI features like Gmail’s Smart Reply.

5. Consider automating data obfuscation

Automating the data obfuscation process can save time and help you scale obfuscation by processing data in real-time.

Here are some of the most popular technologies available to automate obfuscation:

  • Oracle – Data Masking and Resampling
  • Microsoft SQL Anonymization
  • IBM Infosphere Optim Data Privacy

To know more about the best data obfuscation tools available, check out our article here.

Conclusion

Data obfuscation renders data unusable to hackers while preserving its functionality for data teams.

However, it comes with its share of challenges. The most difficult challenge is planning. For instance, even deciding which data should be obfuscated is time-consuming. Moreover, choosing irreversible techniques bolster the overall security as they cannot be reverse-engineered.

So, it's vital to assess your requirements, technical expertise, use cases, and available resources to make the entire planning process more straightforward. You should also ensure that your obfuscation process and tools comply with regulations.

Lastly, try to pick an obfuscation tool to automate the process to save time and resources.

Also read: Data Masking 101: Types, Techniques, Getting Started


Photo by Philipp Katzenberger on Unsplash

Free Guide: Find the Right Data Catalog in 5 Simple Steps.

This step-by-step guide shows how to navigate existing data cataloging solutions in the market. Compare features and capabilities, create customized evaluation criteria, and execute hands-on Proof of Concepts (POCs) that help your business see value. Download now!