Organizations are legally required to ensure that their employees’ personal information remains confidential. Compliance can be as simple a process as shredding paper forms, but more likely it involves securing data held in computer systems such as payroll or HR.
One subset of information that particularly requires security is a class of data called personally identifiable information (PII). Our employers, schools and other organizations all collect and retain PII data about us inside the applications they use. This data includes fields like:
- Social security number
- Driver’s license number
- Passport number
- Date of birth
- Home address
- Phone number
- Employee number
Most of us understand the liability of sharing data like social security or passport numbers. But even an element like date of birth can pose a security risk, since when it is combined with other data points it can be used to identify an individual, possibly putting them at risk for identity theft or other types of fraud.
To mitigate this, modern applications comply with the principle of least privilege, that is, users are only granted access to the minimal amount of data they need to do their jobs. For example, only a select subset of employees is allowed to view sensitive HR information like salaries or social security numbers. This is implemented using role-level security, which grants data access based on pre-defined user roles.
Since they are used to output data, reporting systems face additional security challenges. Orbit recently completed the entire reporting component for Cook County, IL’s massive ERP upgrade project. One important aspect of the project was implementing security that allowed the masking of personally identifiable information contained in their human resources and payroll systems.
Masking PII Data Improves Security
Data masking goes beyond row-level security to lock down data on the column, row and even individual field level. When the data is masked at this granular level, fields are hidden from users who don’t have the authorization to view them. Data masking prevents users from running their own queries to retrieve sensitive data, or accidentally exposing sensitive information in a shared report.
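As an added illustration (not code from Orbit or the Cook County project), the sketch below applies masking to report rows at the column, row and field level before they reach the user. The roles, field names, policy table and sample rows are all hypothetical, and any field not explicitly listed is hidden by default.

```python
FULL, PARTIAL, HIDDEN = "full", "partial", "hidden"

# Fields every report user may see (hypothetical).
PUBLIC_FIELDS = {"employee_name", "department"}

# Hypothetical column-level policy: field -> {role: visibility}.
# A field or role missing from this table is denied by default.
POLICY = {
    "ssn": {"hr_admin": FULL, "payroll_clerk": PARTIAL},
    "date_of_birth": {"hr_admin": FULL},
    "salary": {"hr_admin": FULL, "payroll_clerk": FULL, "manager": FULL},
}

def level_for(field, row, user):
    """Decide visibility of one field in one row for one user."""
    if field in PUBLIC_FIELDS:
        return FULL
    # Row-level condition: managers see sensitive fields only for their own department.
    if user["role"] == "manager" and row.get("department") != user["department"]:
        return HIDDEN
    return POLICY.get(field, {}).get(user["role"], HIDDEN)

def mask_value(value, level):
    """Return the value as-is, with only its last four characters, or fully masked."""
    if level == FULL:
        return value
    text = str(value)
    if level == PARTIAL and len(text) > 4:
        return "".join("*" if c.isalnum() else c for c in text[:-4]) + text[-4:]
    return "****"

def mask_report(rows, user):
    """Mask every field of every row before the report is rendered or shared."""
    return [{f: mask_value(v, level_for(f, row, user)) for f, v in row.items()}
            for row in rows]

# Constructed sample data, not real records.
SAMPLE_ROWS = [
    {"employee_name": "A. Example", "department": "Finance", "ssn": "000-12-3456",
     "date_of_birth": "1980-01-01", "salary": 72000},
    {"employee_name": "B. Example", "department": "Public Works", "ssn": "000-98-7654",
     "date_of_birth": "1975-06-15", "salary": 65000, "passport_number": "X0000000"},
]

if __name__ == "__main__":
    for masked in mask_report(SAMPLE_ROWS, {"role": "payroll_clerk", "department": "Finance"}):
        print(masked)
```

Masking in the reporting layer like this only protects data that flows through it; users who can query the underlying tables directly need the same policy enforced in the database.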
In the past two years, we’ve seen an increase in regulations, like the GDPR and California’s Consumer Privacy Act, which aim to secure personal data on a very granular level. As the legal repercussions of data breaches grow, so does the need for security. And for organizations and software vendors alike, the time to implement it in their reporting is already here.