Both protect data, but one makes information permanently useless.

Encryption or Masking: which is the better form of data protection? The only way to answer this question is to ask another one. Do users need the data exactly as it was when it’s no longer protected?

If the answer is yes, your choice is data encryption. The only thing encryption has in common with masking is that the data is useless to anyone who captures it. It’s what’s needed after data encryption or masking that determines which process you should use. You need to know the difference.

Two simple definitions

Encryption protects your data by transforming it into unreadable information that’s useless to anyone who steals it. They need the encryption solution to revert the data back to its original state. The real data is preserved within this unreadable format.

Masking protects your data by transforming it into a readable format that’s useless to anyone who steals it. The actual data is replaced by fictional information. There is no encryption solution to revert the data to its original state. The real data was replaced and is gone forever.

The names were changed to protect the innocent

You go online to your bank’s website and pay the electric bill. The data shared between you, your bank, and the electric company must be unreadable by anybody who intercepts it. It’s encrypted while in motion. The actual information is still there. But only you, your bank, and the electric company have the encryption key.

Your bank wants to bring you innovative product improvements. They’ve got employees or software development companies working on the next generation of banking apps. These developers must validate their code using data they know has actually been used to make successful transactions.

How could they check their work if they can’t read the information? Encryption in this development environment doesn’t work. So the bank masks this data. Real names, addresses, bank balances, and all other sensitive personal information is replaced with fictional data. It will simulate bank customers, but they could never be identified by it. The developers can use it to validate real-world scenarios.

No going back

That’s the most elemental way to look at the difference between encryption and masking. It also determines which data protection method should be used.

Data encryption protects information as it’s transferred between computers or networks. No matter how many times it travels or where it goes, it ultimately must be restored to the original state. Information with this requirement is often called production data.

Data masking doesn’t need any protection. It’s fake. There’s no need to restore it to the original state. The masking process of converting sensitive personal data is also called anonymization or de-identification. Information with this requirement is often called development data.

Unfair question?

Which data process offers the best protection? There’s an obvious answer. But it’s like comparing a Tesla to a Toyota and asking which vehicle gets better gas mileage. The criterion for comparison is irrelevant for one of these vehicles.

Masking is clearly more secure than encryption but it renders data useless. Masked data has no value for anyone who intercepts or steals it. This information cannot be used for anything other than to run tests on software in a development state. Hackers don’t want or care about masked development data. It gives them access to nothing valuable. They want production data. It’s a source of authentic, sensitive, and personal information. Unencrypted, please.