Blogger: Ramon Krikken
I recently finished a set of documents on what we now call data aliasing. If nothing else, the issue of terminology proved to be a challenge, with different industries having their own terms to describe this process of reversibly transforming confidential data into an alias that maintains, or is similar to, the original data format. In health informatics this transform is called pseudonymization, which allows private health information (PHI) to be de-identified for certain uses. In the world of payment systems it is called tokenization, and applies – perhaps obviously – to reduce the amount of sensitive card information subject to PCI-DSS regulation. To use a generalized term, data aliasing (as subset of data masking) it is.
At the surface the concept is simple, but the devil – as usual – is in the details. There are different aliasing algorithms (randomization versus encryption), aliasing service architectures (interfacing, and location of databases), and application architectures (where is the aliasing performed). The choice of what to use, in today’s environment where product choices are limited, is not trivial. Luckily, as products mature we should see more flexible solutions that are conducive to supporting many of these options, and proper architectural planning can go a long way.
However, the enterprise should not jump on the product bandwagon without considering the big picture. The business and IT should work together to decide on whether to suppress, redact, anonymize, or alias information in order to protect it (and consider not only the security pros and cons, but also those related to usability, availability, etc.) As I discussed in “Will 2010 be "the year of the data?" an information-centric security strategy is vital … perhaps we can use the current buzz around data aliasing, mostly in the form of data tokenization for PCI-DSS, as a way to focus on information as being the core asset.
This is only the beginning of an ongoing thread on data management and data security. Joe Bugajski from out Data Management Strategies team and I will lead off the information-centric security track of our Catalyst Europe conference, discussing how trends in data management and security interact and drive the needs and solutions in the enterprise. And at the RSA 2010 conference I will be on a panel to discuss tokenization in the payment industry. Hope to see you at these conferences, and stay tuned for more.