
Masking Schemes

Masking schemes permanently transform data in a one-way manner. Unlike encryption schemes, which allow decryption, masking schemes apply irreversible transformations to sensitive data.

What Are Masking Schemes?

Masking schemes operate by:

  • Permanently transforming sensitive data.
  • Making the original data unrecoverable.
  • Applying techniques like hashing, tokenization, or value replacement.

These schemes are particularly useful when you need to:

  • Completely anonymize data.
  • Create test datasets from production data.
  • Permanently redact sensitive information.

Common Masking Techniques

Hashing

Hashing uses mathematical algorithms (like SHA-256 or SHA-512) to transform data into a fixed-length string of characters that cannot be reversed to reveal the original input.

Example:

Input: "john.doe@example.com"
SHA-256 Hash: "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"

Tokenization

Tokenization replaces sensitive data with non-sensitive substitute values (tokens) that have no mathematical relationship to the original data. The mapping between original values and tokens is stored in a secure lookup table.

Literal Replacement

LITERAL replacement is a special type of one-way transformation that provides a simple but effective method for permanently masking sensitive data.

What is LITERAL Replacement?

LITERAL replacement is a masking technique that replaces the specified data with the name of the tag associated with the data. For example, if a database field is tagged as PERSON_NAME and the LITERAL transform is applied to it, the field's value is replaced with PERSON_NAME.

This means that regardless of the original data content, the transformed value will always be the tag name itself.

Key Characteristics

  • Irreversible transformation: Using LITERAL means that the original data cannot be recovered.
  • Consistent replacement: All values in a tagged field will be replaced with the same literal tag name.
  • Simplicity: The approach is straightforward and requires minimal configuration.

Example

Original Data:

FirstName: John
LastName: Doe
Email: john.doe@example.com
SSN: 123-45-6789

After LITERAL Transformation:

FirstName: PERSON_NAME
LastName: PERSON_NAME
Email: EMAIL_ADDRESS
SSN: SOCIAL_SECURITY_NUMBER

Use Cases

LITERAL replacement is particularly useful for:

  1. Development and Testing Environments: When you need to replace sensitive data with meaningful placeholders.
  2. Training Data: When you want to maintain the semantic meaning of fields without exposing actual values.
  3. Data Exports: When sharing data externally and you need to completely redact sensitive information.
  4. Data Anonymization: When you need a simple approach to anonymize data while preserving field context.

Considerations

  • Since LITERAL replacement is one-way, it should only be used on data that does not need to be recovered in its original form.
  • The transformed data loses statistical properties and variability of the original data.
  • The transformation does not preserve referential integrity across tables or datasets.

Data Masking Techniques

The following table lists commonly used data masking techniques along with their descriptions and examples:

| Technique | Description | Example |
|---|---|---|
| Nullify | Completely removes the original string. Useful when the data is not required for processing or analysis. | somebody@BigCo.com → (null) |
| Redaction | Overwrites the original string with a masking character (default: x). Can be applied without maintaining format/length, or with maintaining format/length. | Without maintaining format: somebody@BigCo.com → xxxxx. With maintaining format: somebody@BigCo.com → xxxxxxxx@xxxxx.xxx |
| Hash | Converts the original data into a fixed-size non-reversible string using the SHA256 hashing algorithm. | somebody@BigCo.com → [hashed_value] |
| Partial Mask – Show First | Masks part of a string while revealing the initial few characters. The number of visible characters can be configured. | Show first 2 characters: somebody@BigCo.com → soxxxxxxxx@xxxxx.xxx |
| Partial Mask – Show Last | Masks part of a string while revealing the last few characters. The number of visible characters can be configured. | Show last 4 characters: somebody@BigCo.com → xxxxxxxxxx@xxxxo.com |
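The LITERAL replacement described earlier and the techniques in the table above, implemented as an added Python illustration (not Privacera's own code): each function is one technique, and mask_record applies a per-field policy to a constructed record. Assumptions: separator characters are kept when format/length is maintained, the fixed-width placeholder for unformatted redaction is five characters, and the keyed-hash option is a practitioner's caveat added here, not a documented product setting.

```python
import hashlib
import hmac

SEPARATORS = "@.-_ "  # assumption: separators survive when format/length is kept

def _overwrite(text, char):
    """Replace every non-separator character, keeping length and separators."""
    return "".join(c if c in SEPARATORS else char for c in text)

def redact(value, char="x", keep_format=False):
    """Redaction. Without keep_format the value collapses to a fixed-width
    placeholder; five characters is an assumption matching the page's example."""
    return _overwrite(value, char) if keep_format else char * 5

def hash_mask(value, key=None):
    """Hash (SHA-256). Caveat: a plain hash of a guessable value such as an e-mail
    address can be matched by re-hashing candidates; the optional keyed variant
    (HMAC-SHA256) is an added assumption, not a documented option."""
    data = value.encode()
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def show_first(value, n, char="x"):
    """Partial Mask - Show First: reveal the first n characters."""
    return value[:n] + _overwrite(value[n:], char)

def show_last(value, n, char="x"):
    """Partial Mask - Show Last: reveal the last n characters (n may be 0)."""
    cut = len(value) - n
    return _overwrite(value[:cut], char) + value[cut:]

def literal(value, tag):
    """LITERAL replacement: every value in the tagged field becomes the tag name."""
    return tag

def mask_record(record, policy):
    """Apply one technique per field; policy maps field -> (function, kwargs).
    Fields without a policy entry pass through unchanged."""
    return {f: policy[f][0](v, **policy[f][1]) if f in policy else v
            for f, v in record.items()}

# Constructed sample record and policy, mirroring the page's examples.
SAMPLE = {"FirstName": "John", "Email": "john.doe@example.com", "SSN": "123-45-6789"}
POLICY = {"FirstName": (literal, {"tag": "PERSON_NAME"}),
          "Email": (show_last, {"n": 4}),
          "SSN": (redact, {"keep_format": True})}
```

Running mask_record(SAMPLE, POLICY) shows the trade-off from the Considerations list: the hash keeps equal inputs equal across tables, while LITERAL collapses every value to the tag and loses that link.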

Creating Masking Schemes

To create a masking scheme in the Privacera Portal:

  1. From the navigation menu, select Encryption & Masking > Schemes.
  2. Click ADD SCHEME.
  3. In the Scheme Type drop-down, select Masking.
  4. Enter the following details:

    • Name: Provide a name for the scheme.
    • Description (optional): Add a description for the scheme.
    • Format type: Choose the masking format type. Refer to Supported Formats and Algorithms.
    • Choose Masking Technique: Select a technique from Data Masking Techniques.

      • If you select Redaction, configure the following in Redaction Settings:

        • Masking Character: Enter a masking character or use the default x.
        • Maintain original formatting and length: Enable this option to preserve the format and length.
      • If you select Partial Mask - Show First/Last, configure the following in PARTIAL MASK SETTINGS:

        • Show First Character Length or Show Last Character Length: Specify the number of characters to reveal.
  5. Click SAVE.

Use Cases for Masking

| Requirement | Masking Approach |
|---|---|
| Development/Testing | Replace production data with masked versions while maintaining referential integrity. |
| Data Analytics | Hash personally identifiable information while preserving data relationships. |
| Data Sharing | Share data with third parties with sensitive fields permanently masked. |
| Compliance | Permanently transform data that should never be viewable in its original form. |