Masking Schemes
Masking schemes permanently transform data in a one-way manner. Unlike encryption schemes, which allow decryption, masking schemes apply irreversible transformations to sensitive data.
What Are Masking Schemes?
Masking schemes operate by:
- Permanently transforming sensitive data.
- Making the original data unrecoverable.
- Applying techniques like hashing, tokenization, or value replacement.
These schemes are particularly useful when you need to:
- Completely anonymize data.
- Create test datasets from production data.
- Permanently redact sensitive information.
Common Masking Techniques
Hashing
Hashing uses mathematical algorithms (like SHA-256 or SHA-512) to transform data into a fixed-length string of characters that cannot be reversed to reveal the original input.
Example:
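The following is an added example (not from the original documentation) of what a hash-based masking scheme does to a column of values. The scheme algorithm names "SHA_256" and "SHA_512" are taken from this page; their mapping onto Python's hashlib functions, and the keyed variant, are assumptions made for the example.

```python
import hashlib
import hmac

# Scheme algorithm name -> hashlib constructor (mapping assumed for this example).
_DIGESTS = {"SHA_256": hashlib.sha256, "SHA_512": hashlib.sha512}


def hash_value(value: str, algorithm: str = "SHA_256") -> str:
    """Mask one field value with a one-way hash.

    The output is a fixed-length hex string (64 chars for SHA-256,
    128 for SHA-512) regardless of the input length, and the same
    input always produces the same output, so equality joins on the
    masked column still work.
    """
    if algorithm not in _DIGESTS:
        raise ValueError(f"unsupported one-way algorithm: {algorithm}")
    return _DIGESTS[algorithm](value.encode("utf-8")).hexdigest()


def keyed_hash_value(value: str, key: bytes) -> str:
    """HMAC-SHA256 variant: still one-way and deterministic, but the output
    also depends on a secret key held by the masking system, so a hash of a
    guessable value (a phone number, a ZIP code) cannot be matched against
    a precomputed table without that key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def mask_column(values, algorithm: str = "SHA_256"):
    """Apply the scheme to every value in a column."""
    return [hash_value(v, algorithm) for v in values]


if __name__ == "__main__":
    # Constructed sample column, not real data.
    emails = ["alice@example.com", "bob@example.com", "alice@example.com"]
    for original, masked in zip(emails, mask_column(emails)):
        print(f"{original:20} -> {masked}")
```

Because hashing is deterministic, the two occurrences of the same e-mail address above mask to the same value; that is what lets analytics and joins keep working on masked data, and it is also why a keyed hash is the safer choice for low-entropy fields.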
Tokenization
Tokenization replaces sensitive data with non-sensitive substitute values (tokens) that have no mathematical relationship to the original data. The mapping between original values and tokens is stored in a secure lookup table.
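An added example (not part of the original documentation) of the lookup-table model described above: tokens are random, carry no mathematical relationship to the original value, and can only be resolved back through the vault. The `TokenVault` class, its `TOK_` prefix and token length are assumptions made for the example.

```python
import secrets


class TokenVault:
    """In-memory stand-in for the secure lookup table that holds the
    original-value <-> token mapping (constructed example)."""

    def __init__(self, token_bytes: int = 8):
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}
        self._token_bytes = token_bytes

    def tokenize(self, value: str) -> str:
        """Return the token for a value, minting a fresh random one on first use.

        Repeated values get the same token, so the masked column keeps its
        equality relationships; the token itself is random and reveals
        nothing about the value.
        """
        if value in self._to_token:
            return self._to_token[value]
        while True:
            token = "TOK_" + secrets.token_hex(self._token_bytes)
            if token not in self._to_value:  # guard against a collision
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only a holder of the vault can resolve a token; raises KeyError otherwise."""
        return self._to_value[token]

    def __len__(self) -> int:
        return len(self._to_token)


def tokenize_column(vault: TokenVault, values):
    return [vault.tokenize(v) for v in values]


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample card-number-like values, not real data.
    pans = ["4111111111111111", "5500000000000004", "4111111111111111"]
    for original, token in zip(pans, tokenize_column(vault, pans)):
        print(f"{original} -> {token}")
```

Whoever receives only the masked column holds no information about the originals; the sensitivity moves entirely into the vault, which is why its access controls and audit logging matter more than the tokens.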
Literal Replacement
LITERAL replacement is a special type of one-way transformation that provides a simple but effective method for permanently masking sensitive data.
What is LITERAL Replacement?
LITERAL replacement is a masking technique that replaces the specified data with the name of the tag associated with the data. For example, if a database field is tagged as PERSON_NAME, then when an encryption transform is applied as LITERAL, the field's value is replaced with PERSON_NAME.
This means that regardless of the original data content, the transformed value will always be the tag name itself.
Key Characteristics
- Irreversible transformation: Using LITERAL means that the original data cannot be recovered.
- Consistent replacement: All values in a tagged field will be replaced with the same literal tag name.
- Simplicity: The approach is straightforward and requires minimal configuration.
Example
Original Data:
After LITERAL Transformation:
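An added worked example (not from the original documentation) of LITERAL replacement on a small table, using the PERSON_NAME tag from this page. The sample records, the EMAIL tag, the column-to-tag assignment and the helper names are constructed for the example. It also demonstrates the two considerations that follow: the masked column loses its variability, and a join on a masked key no longer identifies matching rows.

```python
# Constructed sample data and tag assignments, not real records.
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com"},
]
ORDERS = [
    {"order": 100, "email": "alice@example.com"},
    {"order": 101, "email": "bob@example.com"},
]
# column -> tag (PERSON_NAME is from the page; EMAIL is assumed)
CUSTOMER_TAGS = {"name": "PERSON_NAME", "email": "EMAIL"}
ORDER_TAGS = {"email": "EMAIL"}


def literal_mask(record: dict, tags: dict) -> dict:
    """LITERAL replacement: every tagged field becomes its tag name,
    regardless of the original content; untagged fields pass through."""
    return {col: (tags[col] if col in tags else val) for col, val in record.items()}


def mask_table(records, tags):
    return [literal_mask(r, tags) for r in records]


def distinct_values(records, column) -> int:
    """How many different values a column holds; LITERAL collapses this to 1."""
    return len({r[column] for r in records})


def join_on(left, right, column):
    """Inner join on a column. On LITERAL-masked keys every row matches
    every row, which is the 'no referential integrity' consideration."""
    return [(l, r) for l in left for r in right if l[column] == r[column]]


if __name__ == "__main__":
    print("Original Data:")
    for r in CUSTOMERS:
        print(" ", r)
    print("After LITERAL Transformation:")
    for r in mask_table(CUSTOMERS, CUSTOMER_TAGS):
        print(" ", r)
    print("distinct emails before/after:",
          distinct_values(CUSTOMERS, "email"),
          distinct_values(mask_table(CUSTOMERS, CUSTOMER_TAGS), "email"))
```

Note that the `id` column, which carries no tag, survives unchanged; only the tagged columns are redacted, which is what keeps the field context while removing the values.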
Use Cases
LITERAL replacement is particularly useful for:
- Development and Testing Environments: When you need to replace sensitive data with meaningful placeholders.
- Training Data: When you want to maintain the semantic meaning of fields without exposing actual values.
- Data Exports: When sharing data externally and you need to completely redact sensitive information.
- Data Anonymization: When you need a simple approach to anonymize data while preserving field context.
Considerations
- Since LITERAL replacement is one-way, it should only be used on data that does not need to be recovered in its original form.
- The transformed data loses statistical properties and variability of the original data.
- The transformation does not preserve referential integrity across tables or datasets.
Creating Masking Schemes
To create masking schemes in the Privacera Portal:
- From the navigation menu, select Encryption & Masking > Encryption & Masking.
- Click ADD SCHEME to add a new scheme.
- Enter the following details:
  - Name: Name of the scheme.
  - Description: A description of the scheme.
  - Encryption API: PRIVACERA (default) or BOUNCY_CASTLE.
  - Format type: Masking format type.
  - Scope: All (recommended).
  - Algorithm: Choose a one-way algorithm like Hash, SHA_256 Hash, SHA_512 Hash, or LITERAL.
  - Data Validation: Toggle to enable custom error handling.
- Click Save.
Use Cases for Masking
Requirement | Masking Approach |
---|---|
Development/Testing | Replace production data with masked versions while maintaining referential integrity. |
Data Analytics | Hash personally identifiable information while preserving data relationships. |
Data Sharing | Share data with third parties with sensitive fields permanently masked. |
Compliance | Permanently transform data that should never be viewable in its original form. |