Fun with Home Grown Masking Solutions
Recently we were at the HIMSS13 conference, which was great by the way, and we heard a number of folks say "... we have something we do internally that masks the data...". In some simple situations this might work out just fine, but we find that most of the time it does not, and the failure is often discovered during a catastrophe like a breach. Home-grown solutions tend to be a band-aid for a longer-term issue: they may work for a while for a small set of situations, but they can rarely be reused across different applications or data sources. Much like the encryption paradox, where weak encryption is generally worse than none at all because it creates a false sense of safety, weak masking is a real problem in these situations. Writing a script or using an application vendor's tool encourages people to mistakenly believe their data is protected, when many times it is not.

Some questions you should ask:

- Is the script/tool updated every time the database changes?
- Does the script/tool cover files as well as databases?
- Does the script/tool mask data in unstructured formats like CLOBs and BLOBs?
- Does the script/tool mask output files like statements, claim forms and the like?
- Does the script/tool mask input data coming from other databases or files?
- Who runs the script, and how often?
- Does unmasked data ever land in the non-production environment, and for how long?
- Does the script/tool mask data consistently regardless of where it is stored?

Hopefully you get the idea. Vendors understand their products pretty well, but the "free" tools they provide do not mask all your data.
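The CLOB/BLOB question and the consistency question are the two a home-grown script most often fails, and the failure is invisible unless something checks for it. The following is an added example written for this page, not a tool from the original post or from any vendor. It uses constructed, fictitious records (a patients table, a claims table keyed by SSN, a free-text notes field standing in for a CLOB, and a rendered statement file) to show the difference between a naive column-only script and a keyed, deterministic mask applied to every place the value can live, plus a residual scan that a practitioner would run before calling a copy "masked". The masking key, the table layout and the helper names are assumptions for illustration.

```python
import copy
import hashlib
import hmac
import json
import random
import re

# Constructed sample data (fictitious values) standing in for a non-production copy.
ORIGINAL = {
    "patients": [
        {"id": 1, "name": "Alice Example", "ssn": "123-45-6789"},
        {"id": 2, "name": "Bob Example", "ssn": "987-65-4321"},
    ],
    "claims": [  # joined to patients by SSN
        {"claim_id": 100, "ssn": "123-45-6789", "amount": 250.0},
        {"claim_id": 101, "ssn": "987-65-4321", "amount": 80.0},
    ],
    "notes": [  # free text, as found in a CLOB column
        {"id": 1, "text": "Called patient re: claim; SSN on file 123-45-6789, verified."},
    ],
    "files": {  # rendered output, e.g. a statement written to disk
        "statement_100.txt": "STATEMENT\nPatient: Alice Example\nSSN: 123-45-6789\nAmount due: 250.00\n",
    },
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Hypothetical key; in real use it comes from a secret store, never from source code.
MASK_KEY = b"example-masking-key"


def mask_ssn(ssn: str, key: bytes = MASK_KEY) -> str:
    """Keyed, deterministic, format-preserving pseudonym.

    Same input -> same output for a given key, so joins across tables and
    files survive. HMAC (rather than a bare hash) stops anyone without the
    key from reversing it by hashing the small SSN space."""
    digest = hmac.new(key, ssn.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest[:8], "big") % 10**9
    s = f"{n:09d}"
    return f"{s[0:3]}-{s[3:5]}-{s[5:9]}"


def naive_mask(data: dict) -> dict:
    """Mimics a typical home-grown script: overwrites patients.ssn with a
    fresh random value and touches nothing else."""
    out = copy.deepcopy(data)
    for p in out["patients"]:
        p["ssn"] = f"000-00-{random.randint(0, 9999):04d}"
    return out


def consistent_mask(data: dict, key: bytes = MASK_KEY) -> dict:
    """Applies the one mask_ssn mapping to structured columns, free text and
    rendered files alike."""
    out = copy.deepcopy(data)

    def sub(m: re.Match) -> str:
        return mask_ssn(m.group(0), key)

    for table in ("patients", "claims"):
        for row in out[table]:
            row["ssn"] = mask_ssn(row["ssn"], key)
    for note in out["notes"]:
        note["text"] = SSN_RE.sub(sub, note["text"])
    for name, body in out["files"].items():
        out["files"][name] = SSN_RE.sub(sub, body)
    return out


def residual_ssns(masked: dict, original: dict) -> set:
    """Every original SSN still present anywhere in the masked copy.

    Serialising the whole copy to one string means structured fields,
    free text and file bodies are all scanned the same way."""
    originals = {p["ssn"] for p in original["patients"]}
    blob = json.dumps(masked)
    return {s for s in SSN_RE.findall(blob) if s in originals}


def joins_intact(data: dict) -> bool:
    """True if every claim still resolves to a patient by SSN."""
    known = {p["ssn"] for p in data["patients"]}
    return all(c["ssn"] in known for c in data["claims"])


if __name__ == "__main__":
    naive = naive_mask(ORIGINAL)
    print("naive script:   residual", sorted(residual_ssns(naive, ORIGINAL)),
          "| joins intact:", joins_intact(naive))
    good = consistent_mask(ORIGINAL)
    print("consistent mask: residual", sorted(residual_ssns(good, ORIGINAL)),
          "| joins intact:", joins_intact(good))
```

The residual scan is the part worth keeping even if you change everything else: run it against the finished non-production copy, files included, with the original values as the search set, and treat any hit as a failed masking job rather than a finding to triage later.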