A development team suggests that using data masking on all personally identifiable information (PII) is a sufficient replacement for encryption when transmitting that data between internal servers. Which of the following statements represents the most significant security flaw in this data handling strategy?
Regulatory standards, such as GDPR and CCPA, explicitly forbid the use of data masking for any type of PII.
Masked data is designed to be easily reversible, allowing an attacker to recover the original PII.
Encryption in transit is only required for data crossing public networks, not for internal server-to-server communication.
Data masking does not protect the communication channel from interception; therefore, encryption in transit is necessary to ensure confidentiality.
Data masking and encryption in transit are distinct security controls that address different risks. Data masking replaces sensitive data with non-sensitive placeholders, which is useful for development or testing environments. However, it does not protect the data from being intercepted and read during network transmission. Encryption in transit, typically implemented with protocols like TLS, is the standard control for ensuring the confidentiality and integrity of data as it moves across a network. Relying solely on data masking for data in transit is an insecure design that fails to protect against eavesdropping or man-in-the-middle attacks.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are the main differences between data masking and encryption?
Open an interactive chat with Bash
Why is encryption in transit crucial for handling PII?
Open an interactive chat with Bash
In what scenarios would data masking be appropriate?