Why is data masking important?

Data masking is necessary for situations where you need to share sensitive data from a production environment with non-production users, such as application developers. Production environments contain valuable and sensitive data, like phone numbers and credit card details, and require protection.

Copying sensitive data into a development environment without data masking increases the likelihood that the data is used inappropriately. Data masking ensures that the original sensitive data cannot be retrieved or accessed outside of the production environment. However, data masking still ensures that the masked records are fully functional in a development and test environment.

Security and Regulatory Compliance

SECURITY

With the Salesforce App, data only travels between your network and Salesforce. Data and credentials never pass through any third-party servers.

REGULATORY COMPLIANCE

Masking data is a business practice that minimizes the risk of data leaks and is also required by law. The Salesforce App can help organizations comply with the following regulatory requirements.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA protects the privacy and security of Protected Health Information (PHI) of patients. PHI-related data that is stored in databases or transmitted over a network needs to have complete data protection. The requirements for data protection as they relate to data masking are the following:

• Standard: Access Control. Implement technical policies and procedures for electronic information systems that maintain electronically protected health information to allow access only to authorized users or software programs.

Specification	Description
Unique user identification (Required)	Assign a unique name and/or number for identifying and tracking user identity.
Emergency access procedure (Required)	Establish (and implement as needed) procedures for obtaining necessary electronically protected health information during an emergency.
Automatic logoff (Addressable)	Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

For a complete list of specifications, see Section 164.312 - Technical safeguards.

Payment Card Industry (PCI)

Requires cardholder data security as part of the Payment Card Industry Data Security Standard (PCI DSS) enforced by Visa and MasterCard.

Data Protection Act (DPA)

Requires all public and private organizations operating in the UK to protect personal data in databases, applications, and endpoint devices.

Personally Identifiable Information (PII)

Requires that sensitive information, which can be used to identify an individual, should be accessed on a strict and need-to-know basis. Also, data protection is required for most US states, the UK, and the European Union (EU).

General Data Protection Regulation (GDPR)

Requires data protection and privacy for all individuals within the EU. It also applies to personal data outside the EU.

Supported Field Types

The Salesforce App supports data masking for the following field types:

• Boolean
• Email
• Currency
• Date
• Date Time
• Double
• Encrypted string
• Number
• Location
• Multi-Picklist
• Percent
• Phone
• Picklist
• String / Text Area
• Time
• URL

Data Masking Definitions

The Salesforce App enables you to mask data at the organization level, the project level, and/or the data template level. As a best practice, apply a data masking definition at the organization level to mask commonly regulated data. This also ensures the consistent masking of sensitive data across the entire organization.

You can create data masks in the Salesforce App using the following two ways.

• On the Salesforce App console, navigate to Settings -> Data Mask to create a data mask at the organization or project level.

• Click the Data Template tab to create a data mask for a specific data template.

For more information, see Applying a Data Mask.

Data mask definitions created at the organizational or project level take precedence over those created within the current data template. Consider the following example:

• The administrator of an organization creates a data mask definition to mask Social Security Number fields using a regular expression pattern or substitution values. 

• A developer also adds a data mask definition to mask Social Security Number fields with a different regular expression pattern or substitution values.

• In this scenario, the data mask definition created by the administrator is applied as it is created at an organization level.

Deterministic and Non-Deterministic Masking

Data mask substitutions can be both deterministic and non-deterministic. 

Deterministic masking ensures that a given input value from the source environment always maps to the same output value in the destination environment. 

For example, if the email john@www.example.com is masked as test@www.example.com, then every occurrence of john@www.example.com in the data copy is masked as test@www.example.com.

Non-deterministic masking generates different masked values for a given input value from the source environment. 

For example, if the email john@www.example.com is masked as test@www.example.com in the first occurrence, then the second occurrence of john@www.example.com in the data copy will be masked to a different value.

Note: The Salesforce App uses non-deterministic masking substitution by default. To set deterministic masking substitution, see Mask Type.