Using Data Masking for Balancing Security and Performance in Data Warehousing

Abstract

Data Warehouses (DWs) are the core of sensitive business information, which makes them an appealing target. Encryption solutions are accepted as the best way to ensure strong security in data confidentiality while keeping high database performance. However, this work shows that they introduce massive storage space and performance overheads to a magnitude that makes them unfeasible for DWs. This work proposes a data masking technique for protecting sensitive business data in DWs which balances security strength with database performance, using a Formula based on the mathematical modular operator and simple arithmetic operations. The proposed solution provides apparent randomness in the generation and distribution of the masked values, while introducing small storage space and query execution time overheads. It also enables a false data injection method for misleading attackers and increasing the overall security strength. It can be easily implemented in any DataBase Management System (DBMS) and transparently used, without changes to application source code. Experimental evaluations using a real-world DW and TPC-H decision support benchmark implemented in leading DBMS Oracle 11g and Microsoft SQL Server 2008 demonstrate its overall effectiveness. Results show the substantial savings of its implementation costs when compared with state of the art encryption solutions provided by those DBMS and that it outperforms those solutions in both data querying and insertion of new data.