Omar Alvi (Dubai) - Data masking: Safeguard against Internal Threats

Organizations spend millions securing their IT infrastructure, whether by using disaster recovery methods to guard against unplanned circumstances or by putting up numerous firewalls to protect the infrastructure from external attacks. In the race to ensure that security cannot be breached, the focus rarely shifts to what can harm them from the inside.

Having sensitive data within an organization is the norm. Whether it is trade secrets, intellectual property, critical business information, business partners' information, or customer information, it is critical and can be used for individual gain. 'Data leakage' is inevitable if people within the company, across multiple departments, have access to all the information. Also, because operational savings are the best way to influence spending, everything from a small web application to an entire department is being outsourced. This makes data even more vulnerable.

There are two important changes that have taken place in the Middle East because of the financial crunch:

  1. Many local and international organizations have taken new initiatives to start using the data residing in their systems to be better prepared for future issues.
  2. Companies are now looking to save money by outsourcing whatever is possible.

As companies embrace the importance of using tangible information, access to that information is needed to achieve the necessary business agility. This means people need critical information such as customer mobile call details, account details that can range from a retail customer's minimal transactions to multimillion-dollar corporate spending, credit cards, addresses, contacts, etc. This data, in its entirety, has to be shared, not just with the business but also with the in-house development team or the outsourced testing team. These teams and departments play the crucial role of ensuring applications are managed and upgraded as per business requirements and needs, which is why they must know exactly what to change and how to change it. Sharing data in its true form is important to support continuous business. But does this data have to be the 'actual' production data, or can it be 'disguised' to hide the 'true' values?

Data in an HR application contains critical employee information such as salary, commission, compensation, bank account details, passport numbers, National ID details, etc. It is extremely crucial that this information is not shared across the company unless absolutely necessary. It is in situations like these that the true value of 'masking' data can be understood. Imagine the horror managers would have to go through if all their employees knew one another's pay packages.

I have worked as a developer for a financial institution, and getting access to production data was easy and open until a governance layer was put in place to restrict open access. That, however, did not make much of a difference, because whatever data trickled down to be used for development and testing was exactly the same as production. Information was easy to access, which was great because a long hierarchy of approvals can be cumbersome and time-consuming. However, data must be protected as per company policy, regulatory requirements, and industry standards. There should be set procedures that include creating a comprehensive set of policies to classify the data types that need to be protected and making sure that these policies are integrated into day-to-day business processes. Also, a proven commercial solution should be used for 'masking' sensitive data in all non-production environments, and these privacy processes and technology should be integrated when developing in-house or outsourcing.

In a market like the Middle East where organizations are consuming data-related technology to better serve business, masking data is vital. That being said, the fundamentals of data governance and a complete application integration platform are the backbone and essential elements for success. Without them, data cannot be managed, let alone masked.

I am Omar Alvi, the Pre-Sales Manager in Dubai, covering the MENA region for Informatica.

