Use Data Masking as a GRC Solution

IT Investment Banking

Data masking, sometimes called de-identification, obfuscation, or redaction, is data security technology that is an ideal fit into an overall Governance, Risk Management, and Compliance (GRC) strategy. It’s an economical method for creating an inauthentic but structurally similar version of business data for use in user training or software testing, thus reducing risk. The data masked version of the data is a completely functional substitute for corporate data and protects live production data.

Data security is a major element of many leading regulatory and compliance programs. Security breaches targeting customer data have made negative news headlines for Twitter (technology company), Central Hudson Gas & Electric (utility company), and Lucile Packard Children’s Hospital at Stanford in 2013. Data is increasingly being viewed as an asset, and data masking has become a strong tool for decision-making purposes and an emerging GRC solution.

The analyst firm Gartner began covering the data masking market in 2012 with a Magic Quadrant Analysis. They estimate the current size of the static data masking market to be $130 million (2012) with 50 percent of the target market adopting it by 2016. Regulations calling for the protection of sensitive financial and personal data include:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley
  • Sarbanes-Oxley
  • Various state privacy laws
  • Privacy laws outside the United States (a concern for multinational corporations)

Data Masking Techniques

Data masking as a security solution for GRC can take multiple approaches including static (masking production data in advance of its use) or dynamic (masking production data in real time).

While security controls are in place over production data residing in enterprise storage or in backend systems, data in use for operations can be less secure. This is doubly true if operations are outsourced to an offshore or onshore third party. A data masking solution de-identifies specific data elements:

  • Character substitution
  • Word substitution
  • Encryption
  • Secure lookup
  • Segmented mapping

Hackers cannot reverse-engineer changes made by a data masking solution to corporate data.

Typical Data Masking Solution Features

Data masking solutions are an emerging market right now. Here are some considerations when seeking a data masking solution for your company:

  • Automated identification of sensitive data
  • Automated creation of masked test data
  • Enables data sharing amongst partners and outside vendors
  • Support for rapid implementation
  • Scalability for the enterprise
  • Pre-populated profiles to get your data masking solution live within your enterprise quickly
  • Platform-agnostic technology such as Java and XML conforming to your data refresh processes
  • Integration with network security platforms such as LDAP, Microsoft Active Directory, Kerberos, and Siteminder

Support for your company’s data types means seeking a data masking solution that supports the major relational databases your company has in place (Oracle, DB2, Microsoft SQL Server, MySQL, and Teradata), binary files such as Excel spreadsheets, and ASCII files (fixed width, delimited, .csv).

Data Masking and the Cloud

With more companies seeking to cut infrastructure costs by moving more of their systems to the cloud, data masking technologies should be in place to mask confidential corporate data used for testing purposes in the cloud  because of the potential security risks involved in transferring  such data off the corporate enterprise network to the  public cloud.

Data Masking as Part of an Overall GRC Solution

Data masking technologies and the related expertise should become a requirement when selecting a GRC-specific consulting company to support your company’s compliance efforts.

The combination of a data masking technology and related consulting services means support through all aspects of designing and implementing data masking programs tailored to a client’s particular requirements. These include data masking solution integration with custom software, metadata applications, and Extract Transform Load (ETL) tools.


Data masking is an emerging technology that helps you enforce your data security on the information you classify as confidential corporate and financial data.

Manan K. Shah, a Focus Managing Partner and Government, Aerospace, and Defense Team Leader, has over eighteen years of consulting, management, and M&A advisory experience in the government, aerospace, defense, business process outsourcing, software, and information technology sectors. He can be reached at