Format-Preserving Encryption (FPE) in Data Masking

Every day, companies face different tasks involving sensitive data. They range from protecting data at rest to securing the exchange of sensitive data with third parties. Different types of sensitive data demand different types of protection, and choosing the appropriate method can be very challenging. Usually, companies choose between three common ways of protecting data: encryption, masking, and tokenization.

What you choose depends on the needs of the company, its resources, the type of information, and the reason why it should be protected. Masking can be very useful when you need to provide data to testers and hide sensitive information. Tokenization may be used when you use data in payment processing systems. Encryption can be used for protecting structured and unstructured data at rest or when you share it with a third party.

You already know about our data masking (if not, read about it here). In this article, you will learn about our new data protection capability called Format-Preserving Encryption (FPE).

What Is FPE?

Encryption is one of the most popular methods of protecting sensitive data. It can be used in different cases, from encrypting data at rest to securing data exchange. Format-Preserving Encryption is designed to keep the original format of the encrypted sensitive data. It means that FPE takes plaintext and turns it into ciphertext of the same format. This makes it possible to keep the format of data such as emails, SSNs, or credit card numbers.

Why do companies sometimes need to keep the format and length of encrypted sensitive data? Some legacy systems and applications require a certain format of data. Such infrastructure is widespread in industries like finance, healthcare, and government. These applications and systems have predefined formats and lengths for some types of data. If the format changes during obfuscation, these systems and applications will not be able to work with the data, and further actions will be unavailable. In these cases the masked data has to be changed. Companies may spend a lot of time, money, and resources to make everything right if it has not been done from the beginning. But if you use FPE, you can save time and be sure that, even though the format is preserved, your sensitive information is secure and can be used in different applications and systems.

One more advantage of FPE is that, although the data is encrypted, you can still recognize what kind of data it is because the format is preserved. This can be useful, especially when you work with credit cards or social security numbers. It lets you process the data even though it is encrypted. So if you need sensitive data for statistical research, FPE will be helpful.

Moreover, with encryption you can decrypt the ciphered data whenever you need it, for example when you need to provide real data for an audit or in other situations where real data is required.

How FPE Works in DataSunrise

In DataSunrise, FPE replaces masked characters with random characters using the AES (Advanced Encryption Standard) encryption algorithm. The algorithm uses the encryption key UniqueMaskingKey, which is generated when you first install DataSunrise. FPE is a more secure method of obfuscation than FPT (Format-Preserving Tokenization). But you should take into account that FPE takes its time to encrypt sensitive data, so it is a bit slower than any other type of encryption.

Now let's see how FPE works in DataSunrise. For now, FPE works for emails, SSNs, credit card numbers, and STRING type values. We have a table with data such as name, email, gender, IP address, credit card, and SSN.

SELECT id, first_name, last_name, email, gender, ip_address, credit_card, ssn FROM mock_data;
----+------------+-----------+----------------------------+--------+-----------------+------------------+-------------
  1 | Lebbie     | Beevors   | [email protected] | Male   | 123.49.80.88    | 5018715045943588 | 625-35-0313
  2 | Celestyn   | Wyne      | [email protected]           | Female | 177.250.185.201 | 5602244144668261 | 132-88-3239
  3 | Carley     | Mapstone  | [email protected]       | Female | 180.241.252.227 | 5438561696462060 | 722-63-7340
(3 rows)

First of all, go to Masking and choose Dynamic Masking. After that, specify the basic settings in the main section, such as the name, Database type, Instance, and whether the rule will be audited or not.

Next, create a new Masking Rule. Here you choose the table and column where the sensitive data resides, and then the method of obfuscation. After that, just click Save Rule and that is all. Later you can apply the rule whenever you need it.

As we said before, the FPE methods available are email, credit card number, SSN, and STRING.

When you apply this masking rule, you get the following result. As we can see, the column with email has been masked, but the format of the email is preserved. We can do the same for other columns.

SELECT id, first_name, last_name, email, gender, ip_address, credit_card, ssn FROM mock_data;
----+------------+-----------+----------------------------+--------+-----------------+------------------+-------------
  1 | Lebbie     | Beevors   | [email protected] | Male   | <OS4>D=4g=0f    | 5018002067318837 | 625-99-0299
  2 | Celestyn   | Wyne      | [email protected]           | Female | bx6Xs`>`4r<R6J@ | 5695806123157009 | 132-78-9581
  3 | Carley     | Mapstone  | [email protected]       | Female | *s-(SQA4m?.{{WR | 5453633041298935 | 722-88-4460
(3 rows)

Thanks to Format-Preserving Encryption, you can keep the structure of your databases and applications. Even if it looks like something very difficult, with DataSunrise there is almost nothing to do: just a few clicks and the sensitive data that you have is protected. After that, you do not need to worry that someone without access can see something important.

In DataSunrise, FPE has one more advantage. Format-Preserving Encryption can be useful when you need to obfuscate primary and foreign keys in databases. The most important thing in such cases is to keep referential integrity. Without it, queries can return incomplete data. If you use ordinary obfuscation methods, referential integrity is lost because the masked primary and foreign key values no longer match. With DataSunrise you can encrypt these keys without losing referential integrity. The logic is simple: when you use FPE for key encryption, the masking result depends on the source value. If the source values are the same, the encrypted values will also be the same, so matching primary and foreign keys still match after encryption. You can use them without any risk of losing information.
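
The format preservation and referential-integrity behaviour described above, shown as an added Python sketch (not DataSunrise's implementation and not code from this article): a deterministic keyed permutation applied only to the digits of a value. It uses an HMAC-SHA256 Feistel network as a stand-in for the product's AES-based algorithm; the function names, KEY, and the order rows are constructed for the illustration.

```python
import hashlib
import hmac

DIGITS = "0123456789"
ROUNDS = 10  # even, so both halves end at their original widths
KEY = b"constructed-demo-key"  # constructed; stands in for a real masking key


def prf(key, rnd, half, width):
    """Keyed round function: HMAC-SHA256 reduced to `width` decimal digits."""
    mac = hmac.new(key, f"{rnd}|{width}|{half}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % 10 ** width


def feistel(key, digits, decrypt=False):
    """Keyed permutation on decimal strings of a fixed length (>= 2)."""
    if len(digits) < 2:
        raise ValueError("need at least two digits")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else v  # width of the half being rewritten
        if decrypt:
            a, b = str((int(b) - prf(key, i, a, m)) % 10 ** m).zfill(m), a
        else:
            a, b = b, str((int(a) + prf(key, i, b, m)) % 10 ** m).zfill(m)
    return a + b


def fpe(key, value, decrypt=False):
    """Transform only the digits; separators such as '-' stay in place."""
    digits = "".join(ch for ch in value if ch in DIGITS)
    out = iter(feistel(key, digits, decrypt))
    return "".join(next(out) if ch in DIGITS else ch for ch in value)


def masked_join(key):
    """Mask an SSN used as primary key and foreign key, then join on it."""
    customers = {"625-35-0313": "Lebbie", "132-88-3239": "Celestyn"}
    orders = [("625-35-0313", "order-1"), ("132-88-3239", "order-2"),
              ("625-35-0313", "order-3")]  # constructed rows
    pk = {fpe(key, ssn): name for ssn, name in customers.items()}
    fk = [(fpe(key, ssn), order) for ssn, order in orders]
    return [(pk[ssn], order) for ssn, order in fk]


if __name__ == "__main__":
    masked = fpe(KEY, "625-35-0313")
    print(masked, fpe(KEY, masked, decrypt=True), masked_join(KEY))
```

Because equal inputs always produce equal outputs under the same key, anyone who can read the masked column can still tell which rows share a value; that is the same property that keeps the join working.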

Reduce the time and effort needed to secure sensitive data with DataSunrise, and protecting your data becomes easier and faster.