Digital transformation and the proliferation of APIs have made it easier to share data of all kinds internally and externally, including sensitive data. As more and more applications communicate with each other, organizations need a reliable way to protect sensitive data between environments of varying security and trust levels without disrupting business processes. Whether data needs to be protected for regulatory or compliance requirements, internal privacy guidelines, or enhanced data security, data masking is a crucial capability for protecting sensitive organization and customer data.
What is Sensitive Data Masking?
Sensitive data masking is the process of obscuring information that is sensitive or confidential by modifying the data such that it is protected from those without appropriate permissions to view the data. Different applications and APIs should have access to some types of data but not others, and properly masking the data will improve overall data security. Data that should be masked may include personally identifiable information (PII), protected health information (PHI), internal financials, or customer data. There may be regulations such as PCI DSS, GDPR, HIPAA, or internal rules and guidelines that govern what data should be masked and when. Properly masked data cannot be reverse engineered to reveal the original values.
Data Masking Use Cases
There are various situations in which organizations may want people to access certain datasets without seeing the sensitive data within those datasets. Some of these use cases include:
- Health information – data masking is critical to healthcare providers when storing or sharing sensitive data.
- Financial services – sensitive customer information such as bank account details should be masked in certain situations to comply with regulations such as PCI DSS.
- Retail – payment information, addresses, and other customer information should be masked for analysis and processing.
- Data sharing with third parties – third parties such as security vendors or data processors often need real-world or live data, but don’t require visibility into what the sensitive data contains.
- Software development and testing – data masking enables developers and QA engineers to work with realistic data that doesn’t expose sensitive information.
- Internal security – data masking can limit the impact of a data breach; if sensitive data is properly masked in appropriate situations, it’s much more difficult for attackers to access.
Data Masking Key Capabilities
Data masking isn’t a “check box” feature; it’s critical that it’s implemented correctly in the product performing the masking, and that it works the way the user expects it to. There are several key capabilities for properly masking data:
- Data masking should be irreversible. This ensures that the data is obfuscated from people or technology that shouldn’t have access to it.
- Data masking should be repeatable and predictable. For example, if the same data value is masked 10 times, the output should always be the same. This ensures consistency and reliability in situations where data integrity and verification are necessary.
- Data masking can occur without the masking product seeing the data first. This may seem obvious, but some products require data to be ingested, the customer to identify data to be masked, and then future data that matches will be masked. In this scenario, the product performing the masking will have already seen at least some sensitive data, which is far from ideal.
- Data masking should not adversely affect capabilities of other products and processes. For example, development teams should be able to use masked data as if it were unmasked to test software quality, and security solutions should remain effective whether data is masked or not.
Sensitive Data Masking with Cequence
Cequence provides data masking capabilities to protect sensitive data before it is routed to the Cequence deployment. Data masking is supported in all deployment types – SaaS, on-premises, and hybrid – however, masking is not usually needed in on-premises deployments since the data never leaves customer-managed environments.
Cequence has predefined expressions for values such as credit card numbers and social security numbers, and customers can configure custom regular expressions for values to be masked specific to their business. The combination of predefined and custom expressions enables Cequence to mask data before it’s “seen” in the clear, providing a high level of data protection.
The data to be masked can include or exclude fields for specific parameter names within the API payload. Cequence performs filtering and masking on a per-host, per-URI, per-method basis, enabling filtering or masking behavior configuration for specific endpoints. Masked data is semantically similar to the original values, ensuring product functionality such as API specification generation or sensitive data detection is not affected by the masking process.
Cequence Sensitive Data Masking Implementation Details
Cequence masks sensitive data with format-preserving encryption (FPE) as described in NIST standard SP 800-38G, which replaces data values with alternative values that are of the same length and type. For example, 16-digit integer values will get masked with different 16-digit integer values. Similarly, a 50-character string will be masked with a 50-character string that does not match the original string. Format-preserving encryption ensures the original values cannot be reconstructed or reverse-engineered from the masked values, preventing attackers from reconstructing the original values without the original data set. Role-based access controls (RBAC) are also implemented in the Cequence platform, preventing users from inspecting original values in the Cequence user interface.
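The properties described above (regex-selected values, repeatable output, same length and type) are shown in the following added example, which is not Cequence's code. It uses a simplified HMAC-SHA-256 Feistel network rather than the FF1/FF3 modes of SP 800-38G; the patterns, key and payload are constructed. Because the construction is keyed, the decrypt path recovers the original for anyone holding the key, so key custody is part of the control.

```python
import hashlib
import hmac
import re

ROUNDS = 10  # even, so both halves return to their original widths

# Constructed patterns for this example: US SSN and a 16-digit card number.
SENSITIVE = re.compile(r"\b(?:[0-9]{3}-[0-9]{2}-[0-9]{4}|[0-9]{16})\b")

def _f(key: bytes, rnd: int, half: str, width: int) -> int:
    """Keyed round function: maps one half to a number below 10**width."""
    mac = hmac.new(key, f"{rnd}|{width}|{half}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % 10 ** width

def fpe_digits(key: bytes, digits: str, decrypt: bool = False) -> str:
    """Keyed permutation on decimal strings of one length (2 digits or more)."""
    if not re.fullmatch(r"[0-9]{2,}", digits):
        raise ValueError("need at least two ASCII decimal digits")
    a, b = digits[: len(digits) // 2], digits[len(digits) // 2 :]
    for rnd in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        if decrypt:
            w = len(b)  # undo one round: subtract the keyed value again
            a, b = str((int(b) - _f(key, rnd, a, w)) % 10 ** w).zfill(w), a
        else:
            w = len(a)  # one round: add the keyed value, then swap halves
            a, b = b, str((int(a) + _f(key, rnd, b, w)) % 10 ** w).zfill(w)
    return a + b

def mask_payload(key: bytes, text: str) -> str:
    """Mask every pattern match, keeping separators and digit count."""
    def repl(match: re.Match) -> str:
        raw = match.group()
        masked = iter(fpe_digits(key, re.sub(r"[^0-9]", "", raw)))
        return "".join(next(masked) if c.isdigit() else c for c in raw)
    return SENSITIVE.sub(repl, text)

if __name__ == "__main__":
    key = b"demo-key-not-for-production"  # constructed key
    body = '{"card": "4111111111111111", "ssn": "123-45-6789", "order": "A-1042"}'
    print(mask_payload(key, body))
```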
Want to learn more and discuss your business-specific needs? Contact us or schedule a personalized demo today.