What is the difference between encryption, tokenisation, and masking?

There are many ways to protect data; these are tools that can (and should) be used to complement each other.

Apr 25, 2022

Data privacy is one of the most urgent concerns for all companies, but especially for those in, for example, banking, insurance, retail, and technology, as they deal with highly sensitive data of their consumers. A leak could be dangerous not just for the company but for millions of people that might be affected. 

As more companies across different industries collect more data from their consumers, privacy concerns grow exponentially. Citizens also increasingly understand that data privacy is just as crucial as any fundamental human right.

At the same time, this understanding has also led criminals to search for data. After all, it is just as valuable as, if not more valuable than, any tangible asset a company or person may have. This is why companies need to keep using the best available tools to protect information.

We've recently talked about the differences in encryption, salting and hashing, and many types of tools and techniques that can be used to keep data safe. 

Encryption is certainly one of the best tools to protect data from being used maliciously. It converts data from an "understandable" form, such as plain text, into an incomprehensible format, using an encryption key created specifically to scramble and unscramble the data.

The process hides the information and prevents anyone without the decryption key from accessing it. In its encrypted form, any user (malicious or not) would find the data unintelligible. In other words, encrypted data is useless to criminals who do not hold the key.

 

So what is tokenisation, and what does it have to do with data protection?

Tokenisation involves replacing original sensitive information with non-sensitive placeholders known as tokens. It is a very old technique first used in the credit card industry, and it is still widespread in the financial sector. 

Tokenisation used to be directly connected to a database, so that the original data could be retrieved through the stored relationship. However, unlike encryption, tokenisation cannot scale well because the token database grows in size.

Currently, tokenisation solutions use vaultless tokenisation, meaning they no longer require databases. Still, they continue to be up to 11 times slower than AES (using the F11 algorithm), according to a Fortanix analysis.

A token is just a placeholder for sensitive information, and it can be matched back to the original using a database. Masking, by contrast, hides the original data and is sometimes referred to as "permanent tokenisation".

 


 

What about masking, then?

Masking is another well-known solution for protecting data. It replaces, or "masks", sensitive data with random characters or non-sensitive information. In that way, it is very similar to tokenisation.

However, they differ in their usage. While tokenisation is most commonly used to protect stored data, masking is better suited to protecting data that is in use.

While tokenisation is perfect for protecting frequently used information such as credit card numbers, masking is ideal for database backups and data mining. This is because it anonymises data: the data retains its functionality and can be used in several ways without anyone actually reading it and connecting it to a person. It retains characteristics of the original data but remains fictitious.
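The contrast between database-backed tokenisation and masking, as an added example that is not part of the original article. `TokenVault` and `mask` are hypothetical names, the in-memory dictionaries stand in for the token database, and the card numbers are constructed test values.

```python
import secrets


class TokenVault:
    """Vault-based tokenisation: tokens are random; only the vault maps them back."""

    def __init__(self):
        self._by_value = {}  # sensitive value -> token
        self._by_token = {}  # token -> sensitive value

    def tokenise(self, pan: str) -> str:
        if pan in self._by_value:  # same input always yields the same token
            return self._by_value[pan]
        while True:
            # Random digits of the same length: format kept, no link to the input.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._by_token:
                break
        self._by_value[pan] = token
        self._by_token[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._by_token[token]  # KeyError if the token was never issued

    def size(self) -> int:
        return len(self._by_token)  # one entry per distinct value: the scaling cost


def mask(pan: str, keep_last: int = 4, fill: str = "X") -> str:
    """Masking: overwrite all but the last digits; nothing is stored to undo it."""
    hidden = max(len(pan) - keep_last, 0)
    return fill * hidden + pan[hidden:]


def demo():
    vault = TokenVault()
    # Constructed test card numbers; the first one appears twice.
    pans = ["4111111111111111", "5500005555555559", "4111111111111111"]
    tokens = [vault.tokenise(p) for p in pans]
    masked = [mask(p) for p in pans]
    restored = [vault.detokenise(t) for t in tokens]
    return pans, tokens, masked, restored, vault.size()


if __name__ == "__main__":
    pans, tokens, masked, restored, size = demo()
    for row in zip(pans, tokens, masked, restored):
        print(row)
    print("vault entries:", size)
```

The token can be exchanged for the original only by whoever holds the vault, while the masked value cannot be reversed by anyone.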

 

Which one should you use?

In a world where cybersecurity is one of the most severe problems for all companies, government agencies, and individuals, all three of these processes serve specific purposes but with one goal: keep your data safe. 

Each works better with different use cases, information, data sizes, and processing needs. And they should all be considered part of a security solution for any company.