Keith Bromley
Sr. Manager, Product Marketing at Ixia

Data Masking: The ABCs of Network Visibility

January 25, 2017 by Keith Bromley

When it comes to network security, full visibility isn’t always ideal. There are some things that should stay hidden. Most companies have data compliance requirements they must adhere to. HIPAA, PCI, and internal best-practice policies mean Personally Identifiable Information (PII) must be handled with care. Data masking helps organizations control who has access to this sensitive data.

What is data masking?

Data masking is different from restricting data access. Access restriction renders data invisible. Data masking replaces vulnerable, or sensitive, data with information that looks real. When data is masked, it’s altered so that the basic format remains the same, but the key values are changed. For example, a long card number could be masked in the following manner:

1234 5678 1234 5678   becomes   1234 XXXX XXXX 5678.

Data can be masked, or changed, in a variety of ways:

  • Substitution – When external, unrelated, or randomly generated data is used to replace parts of the real data. E.g. a random list of names could be used to replace a real list of customer identities.
  • Shuffling – When data is swapped or shuffled within the database.
  • Encryption – When sensitive data is converted into code, using an algorithm. The data can only be decrypted with a key. 
  • Number / Date Variance – Where each number / date in the set is altered by a random percentage of its real value.
  • Masking Out – Where certain fields or parts of the data are replaced with a mask character (an X, for example).

Whichever method is used, the data must be altered in such a way that the original values cannot be obtained through reverse engineering.
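The "masking out" method driven by a regex search, as an added example that is not part of the original post or of any Ixia product. It keeps the first and last four digits as in the card number example above and, as an assumption of this example, uses the Luhn checksum to skip digit runs that are not card numbers. The function names and the sample payload are constructed for illustration.

```python
import re

# Candidate card numbers (PANs): 13-19 digits, optionally separated by
# single spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_out(candidate: str, keep_first=4, keep_last=4, mask_char="X") -> str:
    """Replace middle digits with mask_char; separators keep the format."""
    n = sum(c.isdigit() for c in candidate)
    out, seen = [], 0
    for c in candidate:
        if c.isdigit():
            seen += 1
            keep = seen <= keep_first or seen > n - keep_last
            out.append(c if keep else mask_char)
        else:
            out.append(c)
    return "".join(out)

def mask_payload(text: str, require_luhn: bool = True) -> str:
    """Mask every card-number-like match in a decoded payload."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        if require_luhn and not luhn_ok(digits):
            return m.group()    # e.g. an order id: leave it searchable
        return mask_out(m.group())
    return PAN_RE.sub(repl, text)

# Constructed sample payload (not real traffic); 4111... is a common test number.
SAMPLE = ("POST /pay HTTP/1.1\r\n\r\n"
          "order=1234567890123456&card=4111-1111-1111-1111&exp=12/30")

if __name__ == "__main__":
    print(mask_payload(SAMPLE))
    # The post's own example fails Luhn, so the check is switched off for it.
    print(mask_payload("1234 5678 1234 5678", require_luhn=False))
```

With the Luhn check on, the 16-digit order id in the sample stays intact for troubleshooting while the card number is masked in place.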

Typical Use Cases

On the whole, data masking helps organizations comply with data protection requirements. Here are some specific situations in which data masking capabilities are particularly useful.

Testing / Outsourced Data – Companies may need to provide true-to-life datasets to develop relevant software. In less secure test environments such as these, realistic data is needed, but companies need not risk data security by using actual customer information. Since creating a ‘fake’ but realistic dataset from scratch is time-consuming, companies can use the real data they have, but alter it through data masking to protect customers. Similarly, if business IT operations are outsourced to another organization, data can be masked to prevent exposure of real data to more people than necessary.

Network Data – Organizations often need to record and monitor network data. But compliance requirements mean they must avoid storing PII. With data masking, companies can record network data while hiding sensitive data.

SSL Decryption – Secure Sockets Layer (SSL) encryption is the standard technology used to send private information. For security purposes, organizations must decrypt and examine any SSL traffic on their networks. One of the dangers of SSL decryption is that it makes sensitive data available to anyone with access to network monitoring tools. Clever network tools can decrypt SSL data, while masking data that doesn’t need to be exposed.


According to a research survey conducted by Enterprise Management Associates in 2016, data masking is one of the Top 5 most commonly used packet broker features. So, if you are considering a purchase of data masking equipment, here are some things to keep in mind:

Use of masked data – Make sure you understand how you intend to use the data before you make your purchase, as this can save you time and money. For instance, is the plan to simply distribute the data to a data loss prevention (DLP) device for analysis or do you plan to access the data natively for searches? If you plan to access the data natively, then your solution needs to support regular expression (Regex) search capability. Once the specific information, or type of information, is found that matches the search criteria, that data can be sent to a tool (like a DLP) for further processing. This search capability allows your monitoring tools to be more effective, as they have less data to sift through.

Easy access to the data – If you need access to the data for Regex searches, consider purchasing a network packet broker that supports data masking. This will allow you to easily collect the data, search through it, and then forward it to monitoring equipment (like a DLP) for advanced data searches, data storage equipment (like a SAN), or compliance and recording tools.

Distribution of masked data – Once the data is masked, how do you plan to distribute it to the appropriate monitoring tools? This is where a packet broker will come in handy for you to distribute the data to the device(s) that it needs to go to.

More Information on Data Masking

Data masking is a powerful capability that can help your regulatory compliance initiatives. When recording network data, it allows you to hide sensitive information with ease.

Read more about Ixia’s ATI Processor data masking capabilities and network packet broker (NPB) solutions to see how simple and easy data masking can be.

Ixia’s entire series of blogs on visibility are available now in the e-book Visibility Architectures: The ABCs of Network Visibility