Weekly CISSP Practice

Exam Questions

Week 20 - Question 1

What’s the primary purpose of data masking?

A.  Data Encryption

B.  Data Integrity

C.  Data Obfuscation

D.  Data Reduction


Answer:  C

Explanation:

A. Data Encryption
Encryption is a cryptographic control that uses an algorithm and a key to transform data into an unreadable format.

The Distinction: Encryption is designed to be reversible for authorized users who possess the decryption key. Its goal is to protect data in transit or at rest.

Masking vs. Encryption: While encryption hides data from everyone without a key, data masking provides a functional version of the data that looks real but contains no sensitive values. Masking is often applied to specific fields (like replacing a real Social Security Number with a fake one) so that developers can test applications without ever seeing the "real" data.

B. Data Integrity
Data Integrity ensures that information is accurate, complete, and has not been modified by unauthorized parties.

The Conflict: Data masking deliberately alters values; the masked copy (or the masked view returned by a query) is intentionally not a faithful reproduction of the original record.

The Goal: Integrity is verified with hashes, message authentication codes, or digital signatures. Masking's goal is Confidentiality (privacy), not ensuring that the data remains exactly as it was originally recorded.

C. Data Obfuscation
Obfuscation is the act of making something difficult to understand or perceive.

Why it's the Answer: Data masking is a form of obfuscation that produces a structurally valid, realistic-looking but fictitious version of a dataset, so applications and tests behave as they would against real data without exposing the real values.

Static vs. Dynamic:

Static Data Masking (SDM): Creates a permanent copy of the data with sensitive fields changed (used for sharing databases with third-party testers).

Dynamic Data Masking (DDM): Masks data in real time as it is queried, based on who is asking (e.g., a call center representative sees XXXX-XXXX-XXXX-1234 while the database still holds the full credit card number; the stored value is never changed, only the returned result).
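The two modes above, static and dynamic, as an added Python example that is not from the original page. The sample rows, the masking key and the role policy are constructed for illustration. Static masking here is format-preserving and keyed (an HMAC over the original value), so the masked copy keeps the column length and punctuation and the same input always masks to the same output, which is what keeps joins and de-duplication working in the test copy. Dynamic masking applies a per-role policy at read time and denies by default for any role not in the policy.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample rows standing in for a production table (not real people).
# Rows 1 and 3 share an SSN/card on purpose, to show that static masking keeps
# duplicates consistent so joins and de-duplication still work on the copy.
PRODUCTION_ROWS: List[Dict[str, str]] = [
    {"id": "1", "name": "Alice", "ssn": "123-45-6789", "card": "4111-1111-1111-1234"},
    {"id": "2", "name": "Bob",   "ssn": "987-65-4321", "card": "5500-0000-0000-5678"},
    {"id": "3", "name": "Alice", "ssn": "123-45-6789", "card": "4111-1111-1111-1234"},
]

# Hypothetical masking key. It is what makes the masked copy consistent across
# tables; keep it out of the masked dataset and away from the people who use it.
MASKING_KEY = b"example-only-masking-key"

SENSITIVE_FIELDS = ("ssn", "card")


def format_preserving_mask(value: str, key: bytes = MASKING_KEY) -> str:
    """Static masking: replace each digit with a keyed pseudorandom digit.

    Length and punctuation are preserved, so the result fits the original
    column type and width (no schema change), and the same input always maps
    to the same output (referential integrity across tables is kept).
    This is pseudonymisation, not encryption: there is no decrypt step, and
    without the key a reader cannot recover the original value.
    """
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(digest[i % len(digest)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def static_mask(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Produce the permanent masked copy handed to developers or third-party testers."""
    masked = []
    for row in rows:
        copy = dict(row)
        for field in SENSITIVE_FIELDS:
            copy[field] = format_preserving_mask(row[field])
        masked.append(copy)
    return masked


def partial_mask(value: str, keep_last: int, mask_char: str = "X") -> str:
    """Dynamic masking helper: hide all digits except the last `keep_last`,
    keeping separators so the value still looks like an SSN or card number."""
    out, seen = [], 0
    for ch in reversed(value):
        if ch.isdigit():
            out.append(ch if seen < keep_last else mask_char)
            seen += 1
        else:
            out.append(ch)
    return "".join(reversed(out))


# Hypothetical role policy: how many trailing digits each role may see per field.
# Any role not listed gets 0 digits of every sensitive field (deny by default).
ROLE_POLICY: Dict[str, Dict[str, int]] = {
    "call_center":   {"ssn": 0, "card": 4},   # sees XXXX-XXXX-XXXX-1234
    "fraud_analyst": {"ssn": 4, "card": 16},  # full card, last four of SSN
}


def dynamic_query(rows: List[Dict[str, str]], role: str) -> List[Dict[str, str]]:
    """Dynamic masking: apply the caller's policy at read time.

    The stored rows are never modified; only the returned view is masked.
    """
    policy = ROLE_POLICY.get(role, {})
    result = []
    for row in rows:
        view = dict(row)
        for field in SENSITIVE_FIELDS:
            view[field] = partial_mask(row[field], policy.get(field, 0))
        result.append(view)
    return result


if __name__ == "__main__":
    for row in static_mask(PRODUCTION_ROWS):
        print("static :", row)
    for row in dynamic_query(PRODUCTION_ROWS, "call_center"):
        print("dynamic:", row)
```

Two practical points the code makes explicit: the keyed static mask is only as private as the key (anyone holding it can re-mask candidate SSNs and match them against the copy, so the key must not travel with the masked dataset), and the dynamic path masks on the way out of the store, so a compromise of the database itself still exposes the full values.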

D. Data Reduction
Data reduction refers to techniques used to minimize the amount of storage space or bandwidth required for data.

Techniques: This includes Deduplication (removing redundant copies) and Compression (using algorithms to shrink file sizes).

The Distinction: Reducing the "size" of data does nothing to hide the "sensitivity" of the data. Masked data usually occupies the same space as the original, because format-preserving masking keeps each value's length and type so the database schema and the applications that read it keep working unchanged.

Key Takeaway for the CISSP Exam
Privacy vs. Security:

  • Data masking is a common control for meeting regulations such as GDPR or HIPAA, which restrict who may see personal or health data and favour pseudonymised or de-identified copies for non-production use.
  • It allows organizations to follow the Principle of Least Privilege by ensuring that developers, testers, and analysts only see the data necessary for their specific job function, rather than the raw sensitive production data.

Podcasts

Check out my weekly podcasts that delve deep into the topics relevant to each of the CISSP domains. In addition, I go over specific questions and how they can be interpreted and answered.

CISSP Cyber Training Academy

Tired of not knowing how to study for the CISSP Exam? 

Check out the CISSP Cyber Training Academy to help you on your journey!

CISSP Cyber Training - YouTube

Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.   
