2.11 Unauthorized User Access Part 6: Masking, Obfuscation, Anonymization and Tokenization

Video Transcription
All right. Next piece for protecting our data: we look at masking, obfuscation, anonymization and tokenization. There's a mouthful of terms, and a lot of times they'll go together.

Now, the term masking could be used a couple of different ways, so I want to prepare you for either way you might see it. Okay, so if you think about typing out your password and you get special characters like asterisks instead of what you're typing in, that often is considered to be masking.

I think how they'll use masking is in relation to testing instead of using real data. So ultimately, you know, if we talk about, now, this really isn't in the chart, I'm sorry, in the slide, but I think they'll talk about masking in terms of replacing real data with fake data for the purposes of testing. Meaning, let's say I'm trying to manipulate an Excel spreadsheet, and I want to work on some formulas and I want to have some functions. Well, I need data to work with, but I'm not gonna take payroll information and play around with it. That's sensitive information I shouldn't see. So instead of the actual information, they're gonna get me bogus data, test data, and they could also refer to that as masking.

Certainly if you see data that's replacing live data or real data with special characters for the purpose of testing, that screams masking. Okay, all right, anonymization.
I only have to protect the information if it's sensitive. So PII may have a lot of information about you. Doesn't mean I need all that information about you. And the more I keep, the more I have to protect.

Just your name is not PII, but your name and an address is. So if I'm collecting information that includes your name and address, maybe I don't need that address. Maybe I don't need the name. Maybe I'm just looking for purchases based on demographics, and I want to see what the average person spends at the grocery store. So maybe I take all that information from frequent shoppers. I combine it or sort it based on zip code just to get an idea. Well, now I no longer need all that sensitive information, that PII that's been collected. It's part of the process. And if I don't keep it, I don't have to protect it. So anonymization is a good way for me to scope work, to limit what needs to be protected.
Obfuscation. Obfuscation is, you know, encryption is obfuscation. It's rendering sensitive information unreadable or inaccessible, so it's ultimately about hiding. You know, again, encryption is just a type of obfuscation. Masking is a type of obfuscation.

And then we have tokenization. So the idea is users need to be allowed to access their information from a public location, from the public cloud, so to speak. But we don't want sensitive information residing on the public cloud. So what will happen is there will be a token or pointer on the public cloud that actually points to sensitive information that's stored and protected on the private cloud. It's just exactly like a shortcut. You double click on a shortcut on your desktop. That's not the real file. So if that file gets deleted or corrupted, it doesn't matter. It's just a pointer. It's just a shortcut.

And that's a token. You see this a lot of times in the financial industries, you know, here, access this, but what you're really accessing is a pointer to the more meaningful information that's more difficult. Basically, what it means is the user has access to the pointer. But only that pointer, through a protected interface, has access to the actual data itself.
So masking, obfuscation, anonymization, tokenization: they all kind of go together with the premise of, let's not keep what we don't need. Let's hide what needs to be protected, even from internal users. When you call and say, you know, I'm gonna access my account, and they verify, give me the last three digits, four digits of your social. They don't have the other digits of your social, right, because that could be used by internal employees.

So the idea is, keep everybody honest. Only store what you have to have, only store it as long as you need to have it, then get rid of it if possible.
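
The token-and-pointer arrangement and the last-four-digits check described in the transcript, as an added Python sketch that is not part of the original video or course material. The `TokenVault` class, the caller names and the sample number are constructed for illustration; a real vault would sit behind an authenticated service on the private side.

```python
import secrets


def mask(value, visible=4):
    """Hide every digit except the last `visible`, keeping separators."""
    to_hide = max(sum(c.isdigit() for c in value) - visible, 0)
    out = []
    for c in value:
        if c.isdigit() and to_hide > 0:
            out.append("*")
            to_hide -= 1
        else:
            out.append(c)
    return "".join(out)


class TokenVault:
    """Private-side store: the only place the real value lives (hypothetical)."""

    def __init__(self, authorized_callers):
        self._store = {}
        self._authorized = set(authorized_callers)

    def tokenize(self, value):
        # The token is random, not derived from the value, so holding it
        # reveals nothing without access to the vault.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        return token

    def masked_view(self, token):
        # What an internal user verifying a caller gets to see.
        return mask(self._store[token])

    def detokenize(self, token, caller):
        # The protected interface: only named callers reach the real data.
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not detokenize")
        return self._store[token]


if __name__ == "__main__":
    vault = TokenVault(authorized_callers={"billing-service"})
    # Constructed sample value (area 000 is never issued).
    public_record = {"customer": "C-1001", "ssn_token": vault.tokenize("000-12-3456")}
    print(public_record)                                  # safe to hold publicly
    print(vault.masked_view(public_record["ssn_token"]))  # ***-**-3456
```

The record held on the public side carries only the token, so deleting or leaking it exposes nothing that the vault's access check does not also allow.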
Certified Cloud Security Professional (CCSP)

This Certified Cloud Security Professional (CCSP) certification course covers topics across six domains, to ensure the candidate has a wide range of competencies and is capable in the assessment and implementation of cloud service solutions.