Encryption, Tokenization, Masking, and Redaction: Choosing the Right Approach

What's the best way to protect sensitive data?

The answer, of course, is "it depends." Organizations have too many different types of sensitive information, and too many ways to store and share it, to allow for a one-size-fits-all approach. Each of the common methods of protecting data—encryption, tokenization, masking, and redaction—might be the right solution for a given use case.

Encryption

Typical uses: Secure data exchange; protecting data at rest; structured and unstructured data

Encryption is the strongest and most commonly-used method for protecting sensitive data. When properly implemented, encryption cannot be defeated by any known technology.

Encryption uses complex algorithms to convert the original data (plaintext) into unreadable blocks of text (ciphertext) that can't be converted back into readable form without the appropriate decryption key.

Encryption can be implemented in many different ways, each of which is suited to different use cases. Network encryption protects data as it travels, leaving data in the clear on either end of a transmission. Transparent encryption protects data at rest, decrypting the data before it's accessed by authorized users. Persistent encryption protects data regardless of where it's stored or copied, providing maximum protection against inappropriate use.

Tokenization

Typical uses: Payment processing systems; structured data

Tokenization, like encryption, is a reversible process that replaces sensitive data with data that can't be used by unauthorized parties. While encryption uses algorithms to generate ciphertext from plaintext, tokenization replaces the original data with randomly-generated characters in the same format (token values). Relationships between the original values and token values are stored on a token server. When a user or application needs the correct data, the tokenization system looks up the token value and retrieves the original value.

Tokenization is often used to protect credit card numbers or other sensitive information in payment processing systems, customer service databases, and other structured data environments. However, length-and-format-preserving encryption can address the same use cases, often with less complexity.

Masking

Typical uses: Test environments; structured data

Masking is essentially permanent tokenization. Sensitive information is replaced by random characters in the same format as the original data, without a mechanism for retrieving the original values. This is a common practice in test environments, which require realistic-looking data but cannot be populated with actual customer or employee data.

Masking can also be used to control access to sensitive data based on entitlements. This approach, known as dynamic data masking, allows authorized users and applications to retrieve unmasked data from a database, while providing masked data to users who are not authorized to view the sensitive information.

Redaction

Typical uses: Unstructured data; legacy data

Redaction is the permanent removal of sensitive data—the digital equivalent of "blacking out" text in printed material. Redaction can be accomplished by simply deleting characters from a file or database record, or by replacing characters with asterisks or other placeholders.

Automated data redaction is an effective method of eliminating sensitive data from documents, spreadsheets, and other files, without altering the remaining file contents. Organizations often adopt this approach to prevent the spread of sensitive information that has been extracted from a database and saved on file servers, laptops, or desktops.

Choosing a solution

For use cases that involve sharing sensitive information between users, teams, or organizations, persistent encryption is the most effective option. No other technology provides adequate protection against misuse, while allowing access by authorized parties. A detailed strategy for encryption key management, including key creation, storage, exchange, and rotation, is essential for maintaining the security of an encryption system.

For other use cases, the choice between encryption, tokenization, masking, and redaction should be based on your organization's data profile and compliance goals. In some cases, a combination of technologies may be the best approach.

PKWARE can help can help your organization design and implement a data security strategy that automatically protects data at the moment of creation, and keeps it safe no matter where files are copied or shared. Contact us today to find out Smartcrypt can help you meet your data protection and compliance goals.