Data Protection Methods
Techniques to secure data including encryption, hashing, masking, tokenization, obfuscation, segmentation, and permission restrictions. Understanding when to use each method and their strengths and limitations.
Understanding Data Protection Methods
Multiple techniques exist to protect sensitive data, each with specific use cases and trade-offs. Understanding when to use encryption versus tokenization versus masking determines whether data is truly protected.
Key data protection methods: • Encryption — Transforms data using cryptographic keys • Hashing — One-way transformation for integrity/passwords • Masking — Hides portions of data while preserving format • Tokenization — Replaces data with non-sensitive tokens • Obfuscation — Makes data difficult to understand
Heartland Payment Systems' 2008 breach exposed 130 million credit cards. After the breach, they pioneered end-to-end encryption and tokenization—demonstrating how proper data protection methods could have prevented the massive exposure.
Choosing the right protection method depends on the use case, data type, and compliance requirements.
Why This Matters for the Exam
Data protection methods are heavily tested on SY0-701 because selecting the wrong method leaves data vulnerable. Questions cover when to use each technique and understanding their differences.
Understanding protection methods helps with compliance (PCI-DSS has specific tokenization/encryption requirements), secure development, and architecture decisions.
The exam tests both conceptual understanding and practical selection scenarios.
Deep Dive
How Does Encryption Protect Data?
Encryption transforms readable data (plaintext) into unreadable data (ciphertext) using cryptographic keys.
Encryption Characteristics:
| Aspect | Description |
|---|---|
| Reversible | Yes, with correct key |
| Output size | Similar to input |
| Use case | Confidentiality |
| Key requirement | Required for encrypt/decrypt |
Encryption Types:
| Type | Keys | Speed | Use Case |
|---|---|---|---|
| Symmetric | Same key | Fast | Data encryption |
| Asymmetric | Key pair | Slow | Key exchange, signatures |
Encryption Examples:
Plaintext: 4111-1111-1111-1111 Encrypted: A7x9Kp2mQr5tVw8y... Original data protected Reversible with key Same format not preserved
How Does Hashing Protect Data?
Hashing creates a fixed-size fingerprint from any input. It's one-way—you can't reverse a hash to get the original.
Hashing Characteristics:
| Aspect | Description |
|---|---|
| Reversible | No (one-way function) |
| Output size | Fixed (SHA-256 = 256 bits) |
| Use case | Integrity, passwords |
| Deterministic | Same input = same hash |
Hashing Use Cases:
| Use Case | Purpose |
|---|---|
| Password storage | Store hash, not password |
| File integrity | Detect modifications |
| Digital signatures | Sign hash of document |
| Deduplication | Identify duplicate files |
Hashing Examples:
Password: "MySecurePass123" SHA-256: e5a3b2c1d4f6789... Cannot reverse to get password Compare hashes for verification Salt + hash prevents rainbow tables
What Is Data Masking?
Masking hides portions of data while preserving format and partial visibility.
Masking Characteristics:
| Aspect | Description |
|---|---|
| Reversible | Depends on type |
| Format preserved | Yes |
| Partial visibility | Yes |
| Use case | Display, testing |
Masking Types:
| Type | Description | Example |
|---|---|---|
| Static | Permanently masked copy | Test environments |
| Dynamic | Masked at query time | Production display |
| On-the-fly | Masked during transfer | Data exports |
Masking Examples:
Credit card: Original: 4111-1111-1111-1111 Masked: ****-****-****-1111 SSN: Original: 123-45-6789 Masked: ***-**-6789 Email: Original: john.smith@company.com Masked: j***.s****@company.com
What Is Tokenization?
Tokenization replaces sensitive data with non-sensitive tokens that map back to the original in a secure vault.
Tokenization Characteristics:
| Aspect | Description |
|---|---|
| Reversible | Yes, via token vault |
| Format preserved | Can be |
| Original stored | In secure vault only |
| Use case | Reduce compliance scope |
Tokenization vs Encryption:
| Aspect | Encryption | Tokenization |
|---|---|---|
| Mathematical | Yes | No |
| Key management | Required | Token vault |
| Format preservation | No | Optional |
| PCI scope reduction | No | Yes |
Tokenization Example:
Payment flow: 1. Card entered: 4111-1111-1111-1111 2. Sent to tokenization service 3. Token returned: tok_8x7y6z5w4v 4. Token stored in application 5. Original card in secure vault only Benefits: - Application never stores real card - Token useless if stolen - PCI scope reduced to tokenization provider
What Is Obfuscation?
Obfuscation makes data or code difficult to understand without destroying functionality.
Obfuscation Uses:
| Use | Description |
|---|---|
| Code protection | Hide software logic |
| Data masking | Make data unreadable |
| Steganography | Hide data in other data |
| Minimization | Remove identifying info |
Obfuscation Examples:
Code obfuscation: Before: function calculateTotal(price, qty) After: function _0x4f2a(_0x1b,_0x3c) Data obfuscation: Before: John Smith, 42, New York After: User_8273, [redacted], [redacted]
How Do Segmentation and Permission Restrictions Protect Data?
Data Segmentation:
- •Separating data into isolated segments to limit exposure.
| Segmentation Type | Description |
|---|---|
| Network | VLANs, subnets for data zones |
| Database | Separate databases for sensitive data |
| Application | Different apps for different data |
| Encryption | Different keys for different data |
Permission Restrictions:
| Control | Description |
|---|---|
| Access Control Lists | Define who can access what |
| Role-Based Access | Access based on job role |
| Attribute-Based | Access based on attributes |
| Just-in-Time | Temporary elevated access |
Permission Example:
Database: Customer Records
HR Role: Full access to employee records
No access to payment data
Finance Role: Full access to payment data
No access to medical records
Developer Role: Read masked/tokenized data
No access to production PIIHow Do You Choose the Right Protection Method?
Method Selection Guide:
| Need | Method |
|---|---|
| Confidentiality, need original | Encryption |
| Verify integrity only | Hashing |
| Store passwords | Hashing (with salt) |
| Display partial data | Masking |
| Reduce PCI scope | Tokenization |
| Test environment data | Masking |
| Protect code logic | Obfuscation |
| Limit blast radius | Segmentation |
| Control who accesses | Permissions |
How CompTIA Tests This
Example Analysis
Scenario: An e-commerce company processes credit cards. They want to: (1) store card numbers for repeat purchases, (2) display last 4 digits on receipts, (3) verify order integrity, and (4) limit which employees can see full card numbers. Design a protection strategy.
Analysis - Multi-Method Data Protection:
Requirements Mapping:
| Requirement | Protection Method |
|---|---|
| Store cards for reuse | Tokenization |
| Display last 4 | Masking |
| Verify integrity | Hashing |
| Limit access | Permission restrictions |
Implementation:
1. Tokenization for Storage:
Customer provides: 4111-1111-1111-1111
↓
[Tokenization Service]
↓
Token returned: tok_cus_8x7y6z5w
↓
Application stores token only
Original card in PCI-compliant vault
Repeat purchase: App sends token
Tokenization service charges real card2. Masking for Display:
Receipt display: Card: ****-****-****-1111 Customer portal: "Pay with card ending in 1111" Support view: Card: xxxx-xxxx-xxxx-1111
3. Hashing for Integrity:
Order placed: Order data + SHA-256 = hash stored Verification: Recalculate hash Compare with stored hash If match → order not tampered
4. Permission Restrictions:
Role: Customer Service Rep Access: Token + last 4 digits only Cannot: See full card number Role: Finance Admin Access: Full transaction data via vault Requires: MFA + approval workflow Role: Developer Access: Masked/tokenized test data Cannot: Access production card data
PCI-DSS Benefit:
Without tokenization: - All systems touching cards in PCI scope - Extensive compliance requirements With tokenization: - Only tokenization service in full PCI scope - Application stores tokens, not cards - Reduced scope, lower compliance cost
Key insight: Different protection methods serve different purposes. Use tokenization for storage to reduce scope, masking for display, hashing for integrity, and permissions for access control. Layering methods provides comprehensive protection.
Key Terms
Common Mistakes
Exam Tips
Memory Trick
Protection Method Memory - "EMHOT SP":
- •Encryption = Exchange with key (reversible)
- •Masking = Mask part, show some (****-1234)
- •Hashing = Hash is one-way (can't reverse)
- •Obfuscation = Obscure, hard to read
- •Tokenization = Token replaces (vault stores real)
- •Segmentation = Separate data
- •Permissions = People restrictions
Encryption vs Hashing: "Encryption can Escape (decrypt)" "Hashing is a Hotel California—you can check in but never leave"
Tokenization vs Encryption: "Token = Trade the real thing for a ticket" "Encrypt = Lock it in a box with a key"
When to Use What: "Store secrets → Encryption" "Store passwords → Hashing" "Show partial → Masking" "Scope reduction → Tokenization"
PCI Memory: "Tokenize to Trim PCI scope" Tokens aren't card data, so systems with tokens have reduced compliance burden
Test Your Knowledge
Q1.A company wants to verify that a downloaded file hasn't been modified. Which protection method should they use?
Q2.A company wants to store credit card numbers for repeat purchases while reducing PCI compliance scope. What method should they use?
Q3.How should passwords be stored in a database?
Want more practice with instant AI feedback?
Continue Learning
Ready for the Exam?
See exactly where you stand on this concept and 182 others.
99% pass rate · Pass guarantee