How Salesforce Data Masking Ensures Compliance

Companies need to constantly improve functionality in existing applications. This requires developers to be able to test in an environment that mimics their production org to ensure the existing functions of the applications don’t break. Many organizations routinely copy millions of sensitive records from their production environment into their non-production environments and most don’t do anything to protect this data. The fallout from this is that data in non-production environments can be lost or stolen by cybercriminals. Data breaches from threats like ransomware can cost millions of dollars to repair and cause severe harm to the organization’s brand and reputation. 

Keeping information secure in non-production environments is now one of the most critical tasks for companies. Companies are actively looking for solutions and taking the threat of stolen and lost information seriously. 

Identifying Sensitive Information

The easiest solution seems like removing the sensitive information from the non-production environment — but that would pose serious problems with testing. There are a few reasons for this… 

First, you have to define your organization’s approach to sensitive data governance; this includes figuring out where sensitive data is and how is it referenced. Organizations are very complex with various objects that are related, and in order to have quality test data, those relationships need to be maintained. Maintaining application integrity should be of the utmost importance when creating testing environments. Furthermore, auditing must be considered when trying to remove sensitive data — knowing who changed what, creating role-based permissions, and having the ability to report on changes.

Compliance Requirements with Sensitive Data

Almost every industry has certain compliance requirements regarding sensitive data — these include country-specific requirements on personal data protection, health and credit card regulations, and the protection of sensitive information like national identification numbers (i.e. SSNs in the U.S.).

  • The Health Insurance Portability and Accountability Act (HIPAA) requires the protection and confidential handling of health-related information. 
  • The Payment Card Industry (PCI) requires cardholder data security as part of the Data Security Standard (DSS) enforced by Visa and MasterCard. 
  • The Data Protection Act (DPA) is one of the most wide-scoped security mandates in history. It requires all public and private organizations that do business in the UK to protect personal data in databases, applications, and endpoint devices. 
  • Personally Identifiable Information (PII), such as National Insurance numbers and Social Security, must be protected by almost all U.S. states, the UK, and the EU. 
  • The General Data Protection Regulation (GDPR) is a regulation law the EU put in place that requires data protection and privacy for all individuals within the European Union. It also applies to personal data outside the EU.

Which Data Should You Mask?

All data can be masked, but masking data should be reserved for sensitive information, which will usually be a small percentage of the total information. The organization must first determine which information they manage is sensitive, and weigh this against relevant compliance requirements. In general, these are the three main types of data that should be masked:

Personal Information

Companies need to protect customer information from hackers and also from their own employees that shouldn’t be privy to that information. This is not only for safety but also required by regulatory compliance. 

Financial Data

Companies have financial information of customers, employees, and also the company’s own financial information. Protecting this is crucial because it puts the company at major risk as it can affect the company’s reputation if customer financial information is stolen. It can also affect business if their own financial information is leaked.

Company Data

This includes sensitive company information such as employee salaries, blueprints to company technologies, sensitive data discovery, and classification.

How Data Masking Reduces Risks

Every organization has massive amounts of sensitive data as we live in an age where data and e-commerce are at an all-time high. Databases are huge and the need for frequent non-production environments to be available has increased exponentially over the last few years. 

Three Types of Data Masking

Compound Masking

This method makes sure that a set of related fields is masked as a group to ensure that the related fields maintain the same relationships — i.e. city, state, and zip values must be consistent after masking.

Deterministic Masking

This method allows repeatable masked values after the initial data mask. Companies may use this method to ensure that specific values (i.e. customer IDs) get masked to the same value from the source to the destination. 

Condition-Based Masking

This method allows different mask formats of the same set of data depending on the fields that match the conditions.

Choosing the Ideal Data Masking Solution

With companies continuously needing to develop and data security representing such a crucial part of that, there has to be a solution. With Druva’s Salesforce data protection solution, we offer the best answer to the question of how to best data mask for compliance. Druva is certified for or compliant with important regulations and frameworks including SOC 2 Type II, HIPAA, FIPS 140-2, and FedRAMP ATO, among other audits and attestations. In addition, Druva delivers the most sophisticated data masking tool on the market, included natively in its 100% SaaS-based app. This allows organizations to mask their sensitive data and populate sandboxes without ever leaving the Salesforce platform.

How Druva Delivers Compliance with Salesforce Data Masking

Druva meets today’s leading compliance requirements and standards by providing a data masking feature that can protect all sensitive information while maintaining the integrity of the testing environment. The tool keeps formats of sensitive data consistent as well as relationships and fields to ensure the highest quality test environment for organizations. 

Visit the Salesforce page of the Druva site to learn more about our complete data protection platform, including automated sandbox seeding and low-cost archiving. Customers automate test data and achieve cost savings up to 20X compared to full sandboxes, and reduce costs further by archiving old data to low-cost storage — download our solution brief below to get the details.