How Data Masking Protects Sensitive Information: Techniques & Best Practices

After receiving suspicious calls that suggested personal data had been sold, the author highlights the importance of preventing privacy leaks and introduces data masking (data desensitization) as a key defense for developers.

What Is Data Masking

Data masking, also called data de‑identification, transforms sensitive fields such as 手机号 (phone number) and 银行卡号 (bank card number) according to predefined rules, preventing direct use of raw data in insecure environments.

Government, healthcare, finance, and telecom sectors adopt masking early because they handle highly confidential user data.

In everyday life, e‑commerce platforms mask merchant information with * to protect privacy.

Static Data Masking (SDM)

Static masking is used when data is extracted from production, desensitized, and then distributed to testing, development, training, or analytics environments.

For example, copying production data to a test database requires removing or obfuscating personal details so that sensitive information never resides in non‑production systems.

The masked data remains isolated from production while still supporting business needs.

Dynamic Data Masking (DDM)

Dynamic masking operates in production, masking data in real time based on context such as user role or permission, allowing different masking levels for the same data.

Note: While removing sensitive content, the masked data must retain its original characteristics, business rules, and relationships to ensure development, testing, and analytics remain effective.

Data Masking Techniques

Masking solutions can be customized per business scenario, applying various methods to specific fields.

1. Invalidation

Invalidation replaces or truncates field values using characters like *, encryption, or hiding, rendering the data unusable for malicious purposes.

2. Random Values

Randomization substitutes characters with random letters or numbers, preserving the original format while obscuring the true value.

3. Data Replacement

Replacement swaps sensitive values with a predefined dummy value, e.g., setting all phone numbers to "13651300000".

4. Symmetric Encryption

Symmetric encryption encrypts sensitive data with a key, producing ciphertext that follows the original data’s logical format; decryption restores the original value, requiring secure key management.

5. Averaging

For numeric fields, the average value is computed and each masked value is randomly distributed around that average, keeping the total sum unchanged.

6. Offset and Rounding

This method shifts numeric data by a random offset and rounds it, preserving approximate ranges while enhancing realism, useful in large‑scale data analysis.

In practice, multiple masking techniques are often combined to achieve higher security levels.

Conclusion

Both static and dynamic masking aim to prevent internal misuse and unauthorized leakage of private data; for programmers, protecting data is a fundamental responsibility.