When Robyn Ready and her team at American Student Assistance set out to deploy data masking technology to protect sensitive information in ASA's development and testing environment, they faced a lot of doubters.
"We had some resistance internally about whether this would work," said Ready, data security project manager at ASA, a Boston-based nonprofit student loan guarantor with about 700 employees.
But after implementing a data masking tool from Axis Technology LLC, her team won over the skeptics. The tool replaces sensitive production data with fictitious but usable data for application development and testing purposes. "The folks who were our most vocal critics ended up being very enthusiastic during the course of the project," Ready said.
ASA embarked on its data masking project in order to provide an extra level of security for its sensitive customer information. "We take a lot of security precautions," Ready said. "This was just one more level we could add."
The organization looked at three data masking products before choosing Boston-based Axis Technology's DMsuite. Other products appeared to be designed for larger organizations with more structured environments, Ready said.
"We have a very large in-house developed application, which has lots of feed files that come in from all over the place into the applications," she said. "Most of the products we looked at would ask you to put in your file structure [in order] to cascade a value throughout. We said, 'That's not going to work. We don't have a file structure. These things are all over the map.'"
While other vendors were perplexed by ASA's environment, Axis wasn't, Ready said. DMsuite allows ASA's data to be masked the same way every single time, based on what the data is, she said. "So our key structure based on Social Security numbers and other data always remains the same. We don't have to know those [parent-child] relationships because our software knows them based on those values."
The methodology also allows the organization "to compare apples to apples" and ensure data integrity for testing purposes, Ready said. For example, she can compare a database masked last week with one masked this week. "Any test results that I generated based on last week's pull from production would match whatever results I pulled based on this week's pull of production," she said.
ASA deployed DMsuite on virtual servers and tapped Axis engineers for the bulk of the installation because the company wanted it done quickly. "We had 1.5 terabytes of data that had to be masked. It's not a huge amount compared to other companies, but for us, it's quite significant," she said.
The end result with data masking, Ready said, is that the information "becomes useful for testing purposes but useless if exposed."
Noel Yuhanna, a principal analyst at Forrester Research Inc., said regulations such as HIPAA and the PCI Data Security Standard are driving increased interest in data masking, particularly in the healthcare, financial and retail industries. However, securing non-production environments is less of a priority for organizations, which are focused on securing their production systems.
"There's always been interest in securing the non-production environments, but awareness has not always been so broad. The reason is that enterprises haven't done a good job in securing the production environments," he said. Despite their lower priority when it comes to security, testing and development environments carry plenty or risk because they tend to be copies of sensitive production data, Yuhanna said. Plus, the insider threat looms large.
"That's why you have to nail them down," he said.
IBM Security Systems leads the data masking market through its Princeton Softech acquisition, he said. Another leader in the space is Oracle Corp., which offers a data masking option for its database products, he added. Other vendors include Applimation, which was acquired last month by Informatica Corp., Camouflage, and Direct Computer Resources Inc.'s DataVantage.
Data masking is fairly simple to do but requires an organization to understand where its sensitive data is, which can get tricky with legacy environments, Yuhanna said.
ASA does all its development in-house, so it doesn't have the added risk of sending data to outside or offshore developers, but still wanted the increased security data masking provides, Ready said. "Our risk level was low, but we wanted it even lower."
"You want the best reduction of risk for the least amount of cost. This was just one more place we could do that," she added.