Database and Data Security: Data Masking Techniques and Implementation

Added on  2021/06/15

AI Summary
This report provides a comprehensive overview of database and data security, with a specific focus on data masking techniques. It begins by highlighting the increasing importance of data protection in organizations due to cyber threats and security breaches. The report then delves into data masking as a crucial method for safeguarding sensitive data by obscuring it while maintaining its utility for purposes like software testing and training. It differentiates between static and dynamic data masking and discusses how these techniques are employed by various vendors, including Cisco, MENTIS, and Oracle, to mitigate risks and meet data security compliance standards. The report emphasizes the benefits of data masking, such as protecting crucial data, encrypting sensitive information, and automating processes to ensure data privacy. It also underscores the importance of preventing the use of real data in testing and training environments to avoid security breaches, advocating for the generation of virtual data. The report concludes by illustrating the practical applications and advantages of data masking in different organizational contexts, showcasing its role in enhancing overall data security.
Running head: DATABASE AND DATA SECURITY
Database and Data Security
Name of the Student
Name of the Institution
PART A
Introduction
The advanced and frequent use of information systems has forced many organizations to look for alternative ways of securing their data and databases from third parties (Lee, 2000). As a result, data protection has become fundamental for an organization to work effectively. Data and database security has become a key challenge for many organizations due to cyber-attacks and security breaches. Many vendors have resorted to various techniques for safeguarding organizations' sensitive data, thus reducing data breaches significantly.
Data masking is one of the essential techniques that vendors use to ensure the privacy of, and authorized access to, sensitive data or databases (Radhakrishnan, Kharrazi, & Memon, 2005). It is the process of hiding sensitive data and exposing data that mimics the original, with the intention of shielding the original data from third-party access. The exposed data serves diverse intended purposes while the integrity of the sensitive data is kept untouched and unaltered. For instance, it can be used for software testing and training. Notably, it is not advisable to use the original copy of an organization's data for such purposes, because security attacks could jeopardize the organizational data and the entire database.
Nowadays sensitive data has become an integral part of every organization, and there is a need to protect it from replication and use in various activities and in different environments for training and testing, because the exposure of sensitive data exposes the organization to cyber-related attacks (Gumpel & Chaughule, 2010). It is therefore essential for the organization to mitigate risk by deploying practices which ensure that the exposure of sensitive data is nil and that the organizational data and database are shielded from unnecessary access. Consequently, masking is used to obfuscate the data and to meet the compliance standards set by security regulatory bodies with regard to data security and intruders.
Data masking involves altering the real data to produce data that resembles it and that serves different uses in the organization, such as software testing and training (Ebrahimi, Hassan, Singh, Kuppuswamy, & Chidambaram, 2012). This protects the sensitive data from alteration or access by different users, and the integrity of the data, which serves as a fundamental decision-making tool for the organization, is kept safe. Such exposures are prevented using various methods, such as substitution of the data where applicable, encryption, and reshuffling of the data or the database. These methods are chosen according to the organization's choice and preference. Data masking through these techniques denies any chance of reverse engineering, which might otherwise be used to restore the masked data to its original form as a way of trying to gain unauthorized access (Pomroy, Lake, & Dunn, 2011).
Use of real data in the testing environment poses many security risks of which many organizations are unaware. Consequently, they end up experiencing frequent attacks. Gumpel & Chaughule (2010) reiterated that several business enterprises are constantly being attacked due to such inexperienced use, having allowed their sensitive data and databases to be used in the testing and development phases of various software. The data used in these scenarios is entirely plain and attack-prone. Data breaches sometimes take place in software testing processes and take diverse forms which cannot be easily identified. Data breaches can be overlooked, although they enable a third party to terrorize the organization by manipulating its data without its knowledge. Computers and laptops handled by third parties, or data or storage shared with third parties, act as a pass-through point for intruders, and the organization will not escape security attacks on its data. For this reason data masking, which allows the simulation of data, is mainly used in the testing process to avoid data breaches.
User training, on the other hand, involves the use of data as a training tool. Use of real data while training staff and employees should be discouraged, because research shows that most attacks on data are caused by the use of the organization's data in facilitating training processes (Boukobza, 2014). Instead, the organization should embrace techniques for generating virtual data which can serve the same purposes as the original data, in order to safeguard the organization from reckless attack. Simulated data and modified copies of existing data can be used in training sessions, thus preventing third-party intrusion. Fictitious data is advocated for use in training and testing processes because such data has no close relationship with the organization's data and thus eliminates third-party access.
Data masking takes two forms: static and dynamic masking. Static data masking aims at manipulating data that is in a stationary state, while dynamic data masking is applied to change data that is in a mobile state while keeping the original data unchanged (Fergusson, 2006). These forms of data masking have been of great significance in combating data and database security breaches by denying unauthorized access to the data in the database or to data that is shared in a communication situation. Both forms of data security are essential, and many organizations which have implemented the two have mitigated their vulnerability to data breaches.
The idea of data masking has been recognized by many organizations as a form of security for their data and their entire database. The technique has been essential to protecting data using these methods and has strengthened the security of the organization. Cisco, for its part, recognized the concept of data masking in order to protect its data and databases from exponential attacks. In addition, it is also able to meet the compliance standards of data security and privacy laws and regulations.
Sensitive information at Cisco is protected and is not used on occasions such as user training and software development practices which require some set of data. The original user data is altered through deployed techniques such as substitution and reshuffling, to mitigate the risk of exposure and to ensure that the data is safe from third-party access (Fujiwara, Lochowitz, & Kehrer, 2003). The data masking technique has enabled the organization to duplicate data which fits its use in different scenarios and meets its expectations while keeping the original data safe and unchanged. The sensitive data, which comprises customer information and details, is integrated into an Oracle database, and security features are applied for security purposes (Brodersen, Rothwein, Malden, Chen, & Annadata, 2004).
Before using the data masking technique, Cisco faced many challenges in terms of data security. The realization and deployment of this data privacy idea has enabled the organization to eradicate various security difficulties which negatively impacted the running of the organization, because inexperienced users within the organization were using the original data to perform various activities which were not the primary purpose of the data in the organization's databases (Santos, Bernardino, & Vieira, 2011).
Data masking, therefore, has served many roles in the company. Some of these roles include prioritizing the crucial data in the organization, encrypting the sensitive data, monitoring data using data masking software tools, and creating the alteration and manipulation rules used in data masking (Youn & Wong, 2013).
Benefits of data masking to the organization
Data masking has been fundamental and important to organizations in many ways. It has aided organizations in protecting their sensitive data and databases, which are prone to attacks. The concept has also been used to automate the processes which enable data privacy, increasing the organization's assurance that its data and databases are safe from third-party access (Gopinath, Sastry, Sethumadhavan, & Kizhakkel, 2011).
Another vendor which pioneered data masking is MENTIS Software. The company was the first to implement the concept of data masking, and it is one of the manufacturing companies that hold a huge database. Owing to this amount of data, it has built expertise in data masking to protect its own data and, at the same time, to protect the data of various clients who are unfamiliar with masking as a way of preventing data breaches. It provides static data masking, dynamic data masking and unstructured data masking. The organization has been in a position to mitigate data breaches, enabling it to focus on business activities and transform its business owing to reduced risk; risk-taking is eliminated by the presence of complete data security through data masking and other security measures which work well with data masking (Johnson et al., 2004).
MENTIS data security mitigation techniques handle the security issues. For instance, masked data is substituted for the original data, and exposure of the backbone is inhibited through various cycles which involve static and dynamic masking. The software vendor is also evolving and advancing with the aim of ensuring that a high level of security is maintained, and data masking is stated to be one of its key points of focus (Greenwood & McGrath, 2001). Its masking techniques align with static and dynamic data masking, hence protecting data at rest and in transit, respectively. Such protection helps avoid the misuse of sensitive data while the originality of the data is maintained.
MENTIS, being the pioneer in data masking, has advanced its services to make sure that organizational data is safe and to control access to the data and databases. Its services have expanded, and it can also train organizations on data masking usage, its application and the importance of data security. Its platforms aim at complete protection against and mitigation of data breaches, which comprises masking and scrambling of data. The solution is applicable in diverse information technology environments: production, non-production and pre-production. In addition, the organization is visionary about the data masking technique, which helps the company to expand, adopt the latest advancements in technology and apply such changes to dynamic and static data masking in order to combat evolving attacks on the data and databases of the organization and its clients.
The third is Oracle data masking. This is a venture from Oracle for preventing unauthorized access to its data. The sensitive data is replaced with scrambled data. The data masking pack helps the organization to meet regulatory requirements and comply with data privacy rules. The use of data in this case is for testing purposes; for instance, developers need some data to test the application being developed. The data generated for this purpose is innocuous but appears real, and personally identifiable information is hidden from any access. Data masking in Oracle serves two main purposes: providing confidentiality by denying data exposure, and producing data which resembles the real data (Rizvi & Haritsa, 2002).
Oracle has three types of masking. The first is compound masking, which ensures the integrity of the columns when the database is masked (O'flaherty et al., 2001). The relationship between column contents is maintained, so the masked data functions just like the original data because of the preserved relationship.
The second is deterministic masking. This takes care of repeated data in the columns: values are repeated in the masked database as they are in the real database. This ensures that values are repeated based on the database values.
Key-based reversible masking is another type of data masking in Oracle. It is used when there is some data to be shared between the organization and a third party. Data is sent to the third party in encrypted, masked form. When the data is received by the intended third party, it is decrypted using the reversible (decryption) keys and converted to its normal form (Ludwig et al., 2004). This applies when the organization needs its data to be analyzed for the organizational decision-making process. When the third party is through with the analysis, the data is shared back using the same technique.
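The following is an added example, not part of the original report and not any vendor's product code, showing static masking of a test copy with the substitution and reshuffling methods mentioned earlier and with deterministic masking as just described. The sample rows, the key, and all function names are constructed for illustration; an HMAC is used here as one way to make the masking repeatable but not reversible without the key.

```python
import hashlib
import hmac
import random

# Constructed sample rows (not real data). Orders reference customers by email.
CUSTOMERS = [
    {"id": 1, "name": "Alice Moreno", "email": "alice@example.com", "salary": 52000},
    {"id": 2, "name": "Bikram Rao", "email": "bikram@example.com", "salary": 61000},
    {"id": 3, "name": "Chen Wei", "email": "chen@example.com", "salary": 47000},
]
ORDERS = [
    {"order_id": 100, "customer_email": "alice@example.com"},
    {"order_id": 101, "customer_email": "chen@example.com"},
    {"order_id": 102, "customer_email": "alice@example.com"},
]

# Substitution pools of fictitious names (constructed).
FIRST_NAMES = ["Jordan", "Sam", "Riley", "Casey", "Morgan", "Taylor"]
LAST_NAMES = ["Hill", "Brooks", "Lane", "Wood", "Stone", "Field"]


def _digest(key, value):
    # Keyed one-way hash: the same input always yields the same output, and
    # without the key the mapping cannot be rebuilt by hashing guessed values.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()


def mask_name(key, name):
    """Substitution: replace a real name with a fictitious one from the pools."""
    d = _digest(key, name)
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"


def mask_email(key, email):
    """Deterministic masking: equal inputs map to equal masked values."""
    token = _digest(key, email.strip().lower()).hex()[:16]
    return f"user_{token}@masked.invalid"


def shuffle_column(rows, column, seed):
    """Shuffling: keep the column's real values but detach them from their rows."""
    values = [row[column] for row in rows]
    random.Random(seed).shuffle(values)
    return [{**row, column: value} for row, value in zip(rows, values)]


def mask_dataset(key, customers, orders, seed):
    """Build a masked copy for test/training use; the inputs are left unchanged."""
    masked_customers = [
        {**c, "name": mask_name(key, c["name"]), "email": mask_email(key, c["email"])}
        for c in customers
    ]
    masked_customers = shuffle_column(masked_customers, "salary", seed)
    masked_orders = [
        {**o, "customer_email": mask_email(key, o["customer_email"])} for o in orders
    ]
    return masked_customers, masked_orders


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # assumption: kept outside the test environment
    for table in mask_dataset(demo_key, CUSTOMERS, ORDERS, seed=7):
        for row in table:
            print(row)
```

Because the same keyed function masks the email in both tables, orders still join to the right masked customer. Shuffling gives little protection on very small or highly skewed columns, and the key should never be shipped with the masked copy.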
In conclusion, data breaches are inevitable; thus practices such as data masking, which boost data security and prevent third parties from interacting with the real data, should be embraced by organizations to improve their data security and comply with security standards. The three organizations, and others who have realized the importance of data masking, have been able to protect their sensitive data and the data of their clients.
Part B
Encryption is a technique used in data security to enhance the integrity and privacy of data (Mao 2003). Data privacy and protection is a fundamental requirement due to advancements in and wide use of technology. Data circulating internally, and even from external sources, should be protected, and encryption and cryptography have played a crucial role in protecting data flow processes.
Encryption entails encoding plain data into ciphertext which cannot be understood by a third party. Such data is encrypted using established algorithms. At the recipient's end, the data is safe and is decoded to its original form using encryption keys. The encryption process is therefore applicable in various organizational setups, ranging from profit and nonprofit organizations to large and small enterprises and government agencies, in order to protect them from cyber-crime and related attacks (Stallings, 2003).
Cryptography is a technique used to enhance the security of communicated data and information (Hellman et al., 2000). Just like encryption, cryptography is deployed to prevent security breaches and ensure that communication between the sender and recipient is secured. Cryptographic techniques are commonly used nowadays to aid in and embrace security. It is therefore indispensable for any organization, in this era of intensified use of technology, to deploy cryptographic methodologies as a way of combating security issues. Having proper cryptographic techniques is paramount in dealing with data security (Tang, 2007).
Methods of cryptographic techniques
Various cryptographic techniques are applicable on different platforms, though not all enterprises require the same level of security, since there are large disparities in data security methodologies. These cryptographic methods vary in complexity. Consequently, the methods are deployed depending on the complexity and size of the organization (Robling Denning, 2002). For instance, an organization with small and simple data uses simple methods, while organizations that handle huge data (and are large in nature) require complex cryptographic methods to secure their data and databases.
Substitution method
This is one of the simple methods, commonly used by small companies or organizations that don't hold much data. The method involves swapping alphabetical letters to hide the true meaning of the data. The method can also allow substituting existing letters with non-existing ones (Feistel, 2003). The only intention here is to encapsulate the data, preventing a third person from intercepting and understanding it before it reaches the recipient's end. Additionally, the data can be substituted with integers. For example, the first letter of the alphabet can be replaced with one, and the others correspondingly. The main challenge of the substitution method is that the encoded data can’t be cracked with ease by the third party.
Reciprocal Method
This is a more advanced method compared to the substitution method. It requires the creation of the ciphertext using a machine that is dedicated to creating cryptographic data. After the machine has converted the plain text, the text is substituted according to how the machine mapped the letters (Sharma & Kumar, 2017). For instance, if the letter A is replaced with the letter Z, then every letter A in the plaintext is replaced with Z, as per the machine's mapping. Compared with the substitution method, this is more secure and is recommended for medium-sized and small business organizations. When the ciphertext is input to the machine, the text is transformed back into the plain text.
Symmetric Method
This is a more advanced method than the first two, as described by Hosseinkhani & Javadi (2012). The method uses the same key for the encryption and decryption processes. Because the encryption and decryption keys are the same, the sender and the recipient must share the key so that when the data reaches the recipient's end, it is decrypted and converted back to the original format. The encryption/decryption key is shared only by the sender and recipient. This technique is ideal for medium-sized and large organizations with large databases. Banking institutions and business enterprises that transact online use this method and the asymmetric method as well.
Asymmetric Method
This is the most advanced method compared with the other three. It involves the use of private and public keys. The private key is known by the individual user and the public key is handed to the intended recipient. The asymmetric method allows the encryption of data or a file using the received public key, so that it is readable only by the intended recipient, that is, the person holding the private key at the receiving end (Rogaway & Coppersmith, 2003). This results in protection of the organization's data and the entire database. Open GPG is a true example of the asymmetric method. The method is used by telecommunication companies and database organizations like Oracle in order to keep the data and database private, to confirm that a request is genuine, and to block suspicious requests and access.
Information Rights Management (IRM)
Merkle (2000) defined Information Rights Management (IRM) as an information technology security technique used for the protection of sensitive data that should not be exposed to unauthorized persons. The main role played by Information Rights Management is the protection of sensitive data, and encryption is one such way. Thus, encryption is beneficial to Information Rights Management in that it aids in keeping sensitive data private.
In most cases, encryption techniques are applied in Information Rights Management to safeguard the privacy of data from unauthorized access. The encryption concept is beneficial to Information Rights Management since it supplements the privacy of the data it is trying to protect from public and unintentional access (Reaz et al., 2007).
Encryption is necessary for Information Rights Management because it is a method used to prevent the copying, manipulation, sending and printing of prohibited files. The documents and data may be stored in the form of a file, for example an Excel or Word document. The security of such a stored file is enhanced only through encryption, in order to protect it from any alteration. Encryption is thus pre-eminent in Information Rights Management in the protection of data.
Software and Hardware Encryption
Encryption is crucial due to escalating attacks on data. This fact has forced many organizations to strengthen their security measures on software and hardware components.