Data Masking

Data masking replaces sensitive data with realistic but fictional substitutes that preserve the format and structure of the original. A Social Security number might be masked as a different nine-digit number. Masked data can be used for testing, development, and analytics without exposing real sensitive information.

Static masking creates a permanent copy with sensitive values replaced. Dynamic masking intercepts queries in real time, returning masked values to unauthorized users while authorized users see real data.
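The two modes side by side, as an added Python example that is not part of the original glossary entry. The masking key, the `payroll_admin` role name, and the sample rows are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample rows; the SSNs are made-up values.
RECORDS = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789"},
    {"id": 2, "name": "Bob Example", "ssn": "987-65-4321"},
]
MASKING_KEY = b"demo-only-key"          # assumption: a real key lives in a secrets store
AUTHORIZED_ROLES = {"payroll_admin"}    # assumption: hypothetical role name
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")


def mask_ssn(ssn, key=MASKING_KEY):
    """Return a different value in the same NNN-NN-NNNN layout.

    A keyed HMAC makes the substitute deterministic, so the same input masks
    to the same output across tables, and it cannot be recomputed without
    the key. Distinct inputs can collide; this is substitution, not tokenization.
    """
    if not SSN_RE.fullmatch(ssn):
        raise ValueError("expected NNN-NN-NNNN")
    digest = hmac.new(key, ssn.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest[:8], "big") % 10**9
    if n == int(ssn.replace("-", "")):  # never hand back the real value
        n = (n + 1) % 10**9
    d = f"{n:09d}"
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"


def static_mask(records):
    """Static masking: build a separate, permanently masked copy."""
    return [{**r, "ssn": mask_ssn(r["ssn"])} for r in records]


def query(records, role):
    """Dynamic masking: stored data is untouched; masking happens per request."""
    if role in AUTHORIZED_ROLES:
        return [dict(r) for r in records]
    return [{**r, "ssn": mask_ssn(r["ssn"])} for r in records]


if __name__ == "__main__":
    print(static_mask(RECORDS))              # masked copy for test/dev use
    print(query(RECORDS, "developer"))       # unauthorized role sees masked values
    print(query(RECORDS, "payroll_admin"))   # authorized role sees real values
```

The static copy can be handed to a test environment because it never contains the originals, while the dynamic path depends entirely on the role check being enforced at every query.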

CISSP Relevance

Data masking falls under Domain 2 (Asset Security) as a data protection technique. CISSP candidates must understand how masking, tokenization, and encryption differ and when each is the appropriate tool for protecting sensitive data.

External reference: NIST Glossary Data Masking

Related terms: Tokenization, Data Classification