Data Obfuscation

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> We've already talked about how encryption can be used
00:00
to completely render data
00:00
unreadable to those who don't have the encryption key
00:00
or because of their correct access to view data.
00:00
But what about use cases where we
00:00
want individuals to be able to see data,
00:00
but not see it completely if they don't need to?
00:00
Well, this is where data obfuscation comes in.
00:00
The learning objectives for this lesson are to
00:00
talk about data obfuscation techniques,
00:00
explain the security justification for obfuscation,
00:00
and then provide some use cases
00:00
for each of the obfuscation techniques.
00:00
Data obfuscation really refers
00:00
to any instance where we are trying to either
00:00
completely or partially render
00:00
information unreadable so
00:00
an individual can't see at all.
00:00
But that is different from it being
00:00
actually encrypted using some algorithm to do this.
00:00
There are a number of different ways to use this.
00:00
Now, why would you want
00:00
to use an obfuscation technique?
00:00
Well, sometimes it's required by
00:00
a regulation that certain kinds
00:00
of data are not completely visible.
00:00
Anytime you are entering
00:00
your credit card information
00:00
to pay for something online,
00:00
you'll notice that mainly the digits in
00:00
the credit card are not visible once you enter them.
00:00
That's actually a regulatory requirement
00:00
in the payment card industry,
00:00
often referred to as PCI DSS.
00:00
Another reason you might want to use
00:00
data obfuscation is to enforce least privilege.
00:00
Maybe you have individuals who need access
00:00
to environments or applications or databases,
00:00
but you don't necessarily want them to see
00:00
the data because they
00:00
don't need to see the data completely.
00:00
Obfuscation techniques can be
00:00
implemented to really just render the person able to
00:00
see the data or understand it enough to do
00:00
whatever task is required for their role but no more.
00:00
Another use case for
00:00
data obfuscation is secure remote access.
00:00
Remember, we're going to have a lot of
00:00
potentially even third parties
00:00
accessing pieces of our environment in the Cloud,
00:00
whether you're usually vendors, things like that.
00:00
Obfuscation may be used to protect
00:00
your information and restrict vendors or
00:00
third parties or even people
00:00
within your organization from
00:00
seeing data beyond what they truly need.
00:00
Then there's the testing example.
00:00
In order for your application to run properly,
00:00
you're going to need to test it,
00:00
and using real data that's in
00:00
the production environment is probably
00:00
the closest data you're
00:00
going to need to know the things run well.
00:00
But you don't want to sacrifice
00:00
the privacy if people
00:00
are using your application for testing purposes.
00:00
So obfuscation and data anonymization is
00:00
often used to remove
00:00
the identifiable features of that data,
00:00
but still render it useful for actually doing testing.
00:00
Let's talk about the methods.
00:00
Randomization.
00:00
This is when you use either strings of numbers,
00:00
characters to randomly cover up
00:00
sensitive information and replace
00:00
it in the context of the data.
00:00
Then there's masking. Now we had talked about
00:00
masking in the context of the credit card example.
00:00
But you can see here it's when
00:00
the sensitive information is covered up
00:00
by characters or some symbol
00:00
to prevent it from being read.
00:00
Then another technique is hashing.
00:00
A hash is actually
00:00
part of the output of an encryption algorithm.
00:00
The hash is used to
00:00
preserve the integrity of the information.
00:00
The hash is unique for each thing
00:00
that's encrypted to ensure that the data
00:00
has not been tampered with.
00:00
Then there's tokenization.
00:00
We're going to be talking a lot more about
00:00
tokenization in its own right.
00:00
But for now, understand
00:00
that in the Cloud there
00:00
are various schemes of utilizing
00:00
authentication servers to
00:00
provide a secure token piece of
00:00
software information to an individual
00:00
that enables them to authenticate
00:00
to various programs by saying that
00:00
this person is who they say they are.
00:00
They have provided the correct credentials to access
00:00
this information and this token is used
00:00
to enable them to get access.
00:00
Then there's pseudonymization.
00:00
This is when data may relate to an individual,
00:00
but certain aspects of the data
00:00
are obscured or mixed up with
00:00
other records to prevent complete identification.
00:00
I use this image to symbolize that because most of
00:00
this woman's features are
00:00
evident to us except for her face,
00:00
which represents pseudonymization because
00:00
some aspect of her identity is obscured or incorrect,
00:00
which prevents us from identifying
00:00
her even though we can see some of her features.
00:00
This concept is applied
00:00
within the context of data as well.
00:00
Let's reflect a moment. How are
00:00
obfuscation methods used in your organization?
00:00
Do you have test environments
00:00
where obfuscation is required?
00:00
Do you have certain regulations that apply to you?
00:00
That brings us to the second piece.
00:00
If your organization is regulated,
00:00
what obfuscation techniques
00:00
are recommended or required?
00:00
That pseudonymization is often
00:00
a recommended technique when
00:00
the General Data Protection Requirement,
00:00
the GDPR, privacy and data
00:00
security legislation standard in Europe.
00:00
You should often ask yourself,
00:00
what techniques are required within my organization?
00:00
In summary, we talked about
00:00
the reasons for using data obfuscation.
00:00
Namely where you may need to see pieces or
00:00
components of the data in order to do some function.
00:00
Then also the common methods
00:00
used and then also the regulatory requirements.
00:00
I'll see you in the next lesson.