09:26 AM

Data Masking Saves CIO Jobs And Makes IT Heroes

Halloween 3

Working at Delphix, a virtual technologies startup in the heart of Silicon Valley, I've been learning a lot about enterprise software and the challenges facing global corporations as business becomes ever more digital. 

Data security is critical and its importance was underscored by the recent RSA Conference in San Francisco -- the world's largest gathering of computer security experts. About 40,000 people -- a jump of nearly 20% compared with last year -- attended its awards ceremonies, hundreds of presentations, and demonstrations from thousands of vendors of data protection technologies.

But if you bought everything at RSA would your organization be completely secure? 

Likely not -- you will always need to buy something new. This is troubling, especially if your job security relies on effective data security.

Computer security and CIO job security

2015 study by Big Data company Actian found that 43 percent of CEOs said they would fire their Chief Information Officer or Chief Technology Officer (CIO/CTO) in the event of a significant security event.

But with so many high-profile data breaches lately, even those with large IT budgets haven't been able to spend enough, or choose the right technologies to protect their organization.

And current trends don't bode well for CIO job security because they increase the risk of a major data breach. For example, the rush by global enterprises to develop more applications is particularly troubling.

Application development teams require fresh copies of the production database for testing. Finding bugs early is vital and speeding up application delivery speeds up business initiatives. But every database copy multiplies the risk of sensitive data being exposed in some way.

Protecting 20 database copies is hard and it is easy to lose track of where they are being used.

If you don't know where your data is, then you don't know if it has been stolen. A recent survey by RSA and ISACA found that 24 % of computer security professionals had no way of knowing if they had suffered a data loss.

But there is a solution -- at least for the increasingly common user case of cloning the production database: data masking.

Data masking removes the sensitive data and replaces it with realistic looking social security numbers, credit card numbers, etc. Data replacement would be a more accurate term.

If hackers get access to a cloned production database that has been data masked then there is no danger of any sensitive data leaking out because it is not there. It is a 100% secure data protection. You cannot steal something that isn't there. 

Encryption is vulnerable to decryption but data masking is irreversible. 

So why is data masking such a poorly understood security technology? Why were there only four companies out of hundreds at RSA, offering data masking? 

Why isn't data masking more widely used to deal with the security issues caused by the epidemic of proliferating database copies? 

I don't have the answers. One answer is that data masking can be hard and labor intensive.  And you have to do it again and again for each copy. The shortcut quickly becomes: skip it. As a CIO it can be a shortcut to losing your job but the pressure to support key business initiatives is high. 

Data protection is often juxtaposed against business innovation.

Gartner warns,

Is your information security program a roadblock to business progress?...You must protect enterprise data from compromise and drive innovation at the same time.

CIO Magazine's "State of the CIO 2016" states

...you [the CIO] are expected to be the driver of enterprise digital transformations. However... you face a wide range of tactical challenges -- from defending against increasingly sophisticated and potentially damaging cybersecurity threats to managing mass cloud migrations to leading agile development projects. 

Data protection and driving business goals are not in opposition if you choose the right approach.

Mask Once -- Copy Many

By combining data masking with data virtualization you only need to mask one database copy-- then you can create unlimited virtual copies  -- or let the app dev teams do it themselves with the self-service user interface.

That's the unique Delphix approach: mask once - copy as many times as you want while keeping data fresh. It's a true Data as a Service technology - data where it's needed on demand.

By allowing developers to self-service their test environments in minutes compared with hours or days,  application delivery can be accelerated by as much as a factor of ten. Data security with faster app delivery is a killer combination.

Data masking with data virtualization not only saves CIO jobs but also makes them look like IT heroes.