Considerations for Using Tokenization to Mask Your Sensitive Data

By Linda Musthaler
0 0

When companies think of protecting sensitive data, either in their own data center or in the cloud, they are most likely to think of encryption as the means to obfuscate the real data. Tokenization is another means to protect data, and this process has unique properties that may help companies fulfill requirements that encryption doesnt address. Tokenization can be a good alternative to encryption in some cases, or it can be a complementary solution that works with encryption to provide a very high level of data protection. Tokenization is the process of replacing real data (such as a credit card number or a social security number with random substitute data called a token. !nlike encryption, there is no algorithm that methodically generates tokens" instead, tokens are random characters that have no meaning and that cannot be converted back to the real data values by any mathematical means. #n most cases, the process uses an inde$ table called a vault to keep track of the relationship between a real value and its corresponding token. %nce a token is generated, it can be used in many types of applications as a substitute for real data. #f the real value is needed, an authorized application can reach into the vault and retrieve the data value by presenting the token.

Uses for Tokenization To date, the most common use for tokenization has been in the electronic payments industry, to protect credit and debit primary account numbers (&'(s after payments have been authorized. &)# *++ requires that this data be safeguarded, and tokenization is the ideal method to desensitize transaction data so that merchants can analyze customers purchasing histories. (ow, tokenization is an up,and,coming technology for enterprise applications, especially those that store data in the cloud. #n many cases, a key driver for tokenizing rather than encrypting data is to meet data residency requirements. +ome governmental entities (for e$ample, -ermany and +witzerland require that data pertaining to residents of those .urisdictions remain within the physical borders of the region. /ncryption often doesnt meet this requirement but tokenization does if the token vault is physically located in the required region. 0eal data can be tokenized and stored locally while the tokens go into the cloud applications. /nterprises are increasingly looking at tokenization as an option for protecting personally identifiable

information (&## , protected health information (&1# , and sensitive customer account information. Tokenization Solutions 's a technology, tokenization is relatively new2only about five years old. (evertheless, there are numerous solutions on the market today, and the technology is evolving rapidly to address issues such as preserving data formats and application functions. 3ore about that in a moment. Tokenization solutions typically come in the form of hardware or software appliances or gateways in the cloud. ' solution can be hosted in,house in a companys data center or by a third party vendor or cloud provider. 3ost (but not all solutions use a secure vault to store the data. ('t least one vaultless tokenization solution is now on the market. #f a company chooses to host the tokenization solution in,house, it must answer a few key questions4 5 1ow will we secure the vault, since it holds all the sensitive data6 5 #f we encrypt the real data in the vault (which is typical , what is our key management strategy6 5 Which people and7or applications will have access to the vault to store and retrieve tokens, and how will we track their activities6 There are similar considerations if the company allows a third party to host the tokenization solution4 5 1ow does our vendor secure the vault6 5 *oes the vendor have access to the real data in the clear6 5 Where is the real data physically stored, including all backups and replication instances6 #t may be necessary to have thorough answers to these questions to satisfy internal and e$ternal policies and compliance requirements. Use of Tokens in Applications There are numerous considerations about how tokens can and should be used in enterprise applications. +ome tokenization solutions are already pre,integrated to work with various applications, especially +alesforce.com, +'& and other )03 applications. *epending on the tokenization solution chosen, integration with an application may be required. +ome solutions are application,agnostic and will work with any enterprise application. #ts best to limit the number of fields in an application that are tokenized. -enerally, the more fields that contain token data, the slower the application performance will be if tokens need to be reconverted to real data for any reason. #ts possible to tokenize one or two fields and encrypt others within the same application. 3any tokenization solutions have the ability to generate format,preserving tokens to aid in various aspects of an application. 8or e$ample, when tokenizing credit card &'(s, the token value should

have the same number of digits as a real card number. This ensures that tokens can easily replace real card numbers in ancillary post authorization applications, such as business analytics or loyalty marketing, without requiring e$tensive modification of the applications. 3any enterprise applications need to perform critical functions such as sort and search on fields that a company might like to tokenize2say, for e$ample, patients social security numbers. 9y definition, tokens are random values, which renders sort and search functions useless. +ome tokenization vendors have found ways around this dilemma, so its important to ask how the solution preserves application features and functionality, and whether or not the workaround weakens the obfuscation technique in any way. !nlike encryption, there are no globally accepted standards for tokenization processes, so its very important to ask vendors to thoroughly e$plain how their solutions work. Tokenization or ncryption! or Both" Though they perform similar functions, tokenization and encryption arent competing technologies. #n many cases, they are complementary in helping a company achieve many data obfuscation ob.ectives. 8or e$ample, tokenization may help with data residency requirements, while encryption helps meet data privacy requirements. )ompanies should discuss all requirements with prospective solution vendors and choose the obfuscation technique(s that best match their business needs.

A#out the Author :inda 3usthaler is a principal analyst with /ssential +olutions )orp. +he writes about the practical value of information technology, and how it can make individual workers and entire organizations more productive.