The Dev Ops Center open on a desktop with a new notification object and an Einstein sidebar

What Is Data Masking? 4 Best Practices to Get Started

Learn about data masking, the process of securing sensitive information by making copies of data that look real but are actually fake.

Prashant Choudhary

In 2022, over 422 millionOpens in a new window people were impacted by data breaches in the U.S. alone. Phishing, ransomware, and denial of service (DOS) attacks are some of the common ways cybercriminals lure and attack their victims, and are all top concernsOpens in a new window for IT executives. Data masking tools can help protect you and your customers against cybersecurity threats. Let’s find out how.

Title slide of the State of IT report, showcasing Salesforce mascot, Astro.

Read the 3rd edition State of IT Report with insights and trends from over 4,000 IT leaders worldwide.

What is data masking?

Data masking is a process that modifies sensitive data and renders it useless to potential intruders. Your data remains usable to you and your company and can be transmitted between systems and used inside and outside your production environments. It keeps confidential information safe and gives you a way to share information with your partners and others outside your organisation without compromising sensitive information.

Astro wearing a Salesforce t-shirt, standing in front of the Gartner logo, jumping in celebration. Confetti overhead. A bush with flowers in the foreground.

Salesforce named a leader in the Gartner® Magic Quadrant™ for Enterprise Low-Code Application Platforms.

What types of data should be masked?

Whether you’re just starting out or evaluating your data, consider the following types of data. Some are obvious, such as health information and credit card numbers, while others, such as inventions, are less so. Here are four top candidates for data masking:

  1. Personally identifiable information, such as addresses and social security numbers.
  2. Protected health information, such as insurance data, lab results, health conditions, and medical histories.
  3. Financial information, such as credit card details, bank account information, and passwords
  4. Intellectual property, which includes patents, copyrighted materials, designs, and specifications.
Salesforce mascot Astro standing on a tree log while presenting a slide.

Stay up to date on all things security and privacy.

Sign up for our monthly newsletter to get the latest research, industry insights, and product news delivered straight to your inbox.

3 types of data masking

Once you’ve identified the data across your organisation that needs to be masked, consider which of these data masking approaches to use.

  • Static data masking creates a duplicate copy of a production database with masked data. You can then use the masked database copy for software development, testing or to train others outside your organisation without risking data breachesOpens in a new window.
  • Dynamic data masking changes information coming from the source database as a user accesses it. The masking happens in real time, but only as the data is delivered to the user (e.g. while viewing medical records). When using this approach, masked data is never stored in a new database, and the original data is unchanged.
  • On-the-fly data masking modifies source data in real time as the data is moved to a new location, such as a testing or development system. This enables companies to mask data that is continuously streamed from a production environment to a secondary environment. This type of data masking is ideal if your business continuously deploys new software and has heavy integrations.

Top data masking techniques

The next step in masking your data is deciding which technique you’ll use to obscure sensitive data. For example, you may want to replace identifiable details with symbols or characters, reorder or randomise sensitive data, scramble data, or delete sensitive values.

Because masked data is typically used for testing or sharing, it doesn’t matter that the original data is obscured or changed. Data masking is typically a one-way process. Masked data has no value to hackers, and unlike encrypted data, which needs to be decrypted, doesn’t need to return to its original form.

There are a variety of algorithms for data masking. Here are some of the most common:

  • Anonymisation, which scrambles a field’s contents into unreadable results,
  • Data substitution, in which new values are substituted for the actual ones, and
  • Scrambling, in which random characters obscure the original content.

Data masking best practices

Data masking is an ongoing process that requires careful planning, analysis, and refining. Let’s take a look at these data masking best practices.

1. Determine your project scope

Start by deciding what data needs to be masked: credit card information, health information, intellectual property, or personally identifiable information. Identify the fields in your database or system that need to be masked.

2. Choose your preferred techniques

Decide on data masking techniques for each type of data by considering where it’s stored, how it’s used, and how sensitive it is. A large organisation will need various masking tools for different data types. Don’t forget to make sure you understand how this data is used, what it’s linked to, and who has access to it.

3. Run data masking and test your results

Test the result of data masking to ensure you’re achieving the expected outcome. Then examine your masked data to make sure it can’t be reverse-engineered. Start with smaller test datasets to verify your processes.

4. Create an ongoing data governance strategy

Once you have a data masking process in place, create an audit process to make sure data masking continues to function as expected. You’ll also want to develop a policy that defines how data masking should be used, where it should be applied, and who has access to your algorithms. Lastly, train your employees on the importance of data masking and the importance of protecting your company’s and your customers’ data.

Data masking considerations

Data masking is a balance between altering data enough so that it’s secure while retaining its characteristics so it’s useful. It shouldn’t be daunting, but you may come up against constraints when you try to create a usable masked copy of your production data. This is why it’s important to understand the source data and how the masked data will be used.

To decide the appropriate level of data masking, consider these data masking constraints:

  • Preserving the format: It may be important to maintain the format of some data fields, such as dates or other fields with specific structures.
  • Gender identification: If the dataset to be masked includes gender information, you may want to consider identifying and classifying male, female, and non-binary names, so you can replace them with alternatives that preserve the original gender distribution.
  • Semantic integrity: When masking data, it’s important that the masked data always falls into the range of permitted values. For example, you want to make sure that phone number fields only contain numbers.
  • Uniqueness: Data is unique and should stay that way after masking. Depending on how it will be used, make sure the masked data keeps the same average value as the original data, or that the distribution of the data values is similar to that of the original.

Choosing the best data masking solution

The right data masking software will help you easily secure your data against theft and uphold any corporate or regulatory requirements for data privacy. When selecting a data masking solution, look for one that:

  • Provides consistency across databases and data environments. Support for referential integrity is important when working with multiple databases. For example, if you’re masking a social security number that is linked across multiple datasets, the original SSN will need to be changed to the same masked number in each dataset.
  • Generates invented (not real), but realistic data. This ensures that data is usable in testing but is of no value to thieves.
  • Secures your data by using irreversible data masking techniques and keeping those techniques separate from the masked data.
  • Is flexible, scalable, and repeatable. In many cases, data masking is done repeatedly, over time, as corporate data changes and new sets of updated masked data are needed.

Data masking is ideal when you need to use or share data but must protect it for privacy and security reasons. It can reduce risk in both on-premises and cloud environmentsOpens in a new window, and it is one of the most important tools that helps keep your data secure — building trust with your customers and partners.