October 18, 2009, 10:14 PM — To better safeguard the personal data of its students, the University of California at Berkeley (UC Berkeley) has adopted a specialized data-masking technique in its application development work that effectively can hide data in plain sight by mixing it up.
10 of the Worst Moments in Network Security History
Data such as students' first and last names can be switched around to camouflage the real names, and sensitive information such as student identification numbers also undergoes a gentle jumbling so what appears to the eye is not the true number. It's done with a tool called datamasker from dataguise. Steve McCabe, associate director of information in UC Berkeley's residential and student services program, says the advantage in using the dataguise tool is it significantly reduces security risks around personal, sensitive data.
"Student IDs paired with names becomes restricted data here," says McCabe, describing some of the data-privacy rules that the university must follow. But the challenge has been how to enforce restrictions in a software-development environment where constant work by several developers is ongoing to support UC Berkeley's home-grown Web-based applications for SQL Server, such as the housing and assignment system.
McCabe says the data-masking approach, in which the dataguise tool mixes up names, sensitive numbers and other data prior to developers seeing it (dataguise calls it "de-identification"), has worked out well because the data columns maintain the necessary structure but the content is effectively concealed to the naked eye.
"We do a lot of application development and handling large volumes of student information, and we wanted a way to restrict that data," McCabe says. "So we randomize the IDs, and first name, last name, date of birth, and so forth."
While one main copy of a production database is preserved, with the genuine student information, developers can freely work on copies that have undergone the dataguise data-masking treatment in what McCabe calls a "sanitized version" without concern of a potential data breach.
"It maintains the relationship and updates with scrambled data," McCabe says. Though the actual production database has to be protected through other means, the risks associated with data exposed to developers and testers in the course of their work has been vastly reduced since UC Berkeley started using the tool about half a year ago.
UC Berkeley, like many universities, has suffered consequential data breaches. In May of this year, UC Berkeley acknowledged a data breach in which it said hackers broke into its health-services databases, compromising health-related information on about 160,000 individuals.
