3.3.4 Methods to Secure Data
Encryption, hashing, masking, tokenization.
Methods to secure data encompass a variety of technical and administrative controls designed to ensure the confidentiality, integrity, and availability of sensitive information throughout its lifecycle.
Encryption Encryption is a reversible process of converting plaintext into ciphertext using a mathematical algorithm and a secret key. - Confidentiality: Its primary goal is to ensure that even if data is intercepted, it remains unreadable to unauthorized parties. - Decryption: The process of returning ciphertext back to its original readable state using a specific key. - At Rest vs. In Transit: Encryption must be applied to data residing on storage media (at rest) and data moving across networks (in transit).
Hashing Hashing is a one-way mathematical function that produces a unique fixed-length string (a "digest" or "checksum") from an input. - Integrity: It serves as a digital "measurement" of data. If even a single bit changes, the resulting hash will be completely different. - Non-Reversible: Unlike encryption, hashing is not designed to be "decrypted" or reversed back to the original plaintext. - Verification: Used to verify that files or messages have not been altered during transmission or storage.
Data Masking and Tokenization These methods protect data by hiding sensitive elements or replacing them with non-sensitive substitutes. - Masking: Obscuring specific data points (e.g., showing only the last four digits of a credit card) so that the full data set is not exposed to unauthorized users. - Tokenization: Replacing sensitive data with a non-sensitive equivalent called a token. The original data is stored in a secure vault, and the token has no value if stolen. This is common in payment processing to reduce compliance scope.
Protection Roles and Regulations Securing data requires clearly defined organizational roles, often mandated by frameworks like GDPR. - Data Owner: Typically the organization itself; holds legal rights and high-level responsibility for the data. - Data Controller: Manages how and why data is processed; ensures compliance with privacy regulations regarding PII. - Data Processor: Handles data on behalf of the controller; performs the actual processing under the controller's guidance. - Data Custodian: Manages the technical aspects of data, such as backups, storage, and security configurations.
Quick recall - Encryption: Reversible; provides Confidentiality. - Hashing: One-way; provides Integrity. - GDPR: EU regulation governing PII and data privacy. - Tokenization: Replaces data with a placeholder; original data stays in a vault. - Masking: Hides parts of the data (e.g., XXX-XX-1234).