Three techniques for protecting sensitive data in cloud environments — when to redact, when to tokenize, and when to obfuscate — with honest assessments of the limits of each approach.
Sign in to mark this article as read and track your progress.
Encryption is binary — data is either encrypted (and unusable without the key) or decrypted (and fully exposed). Real business requirements are more nuanced: analytics teams need to work with customer data without seeing actual credit card numbers; developers need realistic test data without production PII; logs need to be searchable without containing passwords.
Redaction, tokenization, and obfuscation are the tools that bridge this gap.
Redaction removes or masks sensitive data before it is shared, logged, or processed.
| Pattern | What It Does | Example |
|---|---|---|
| Nulling/Blanking | Replace with null or empty string | SSN: NULL |
| Character masking | Replace characters with a symbol | 4111 **** **** 1234 |
| Partial reveal | Show first/last N characters | AADHAAR: XXXX-XXXX-3456 |
| Value substitution | Replace with a different but realistic value | john.doe@example.com → user123@test.local |
| Date shifting | Shift dates by a random offset | Preserves age relationships without actual birth dates |
Tokenization replaces sensitive data with a non-sensitive substitute (token) that maps back to the original value in a secure token vault.
Original: 4111 1111 1111 1111 (Visa card number)
Token: 7842 3901 5523 8847 (meaningless to anyone without vault access)
Token vault (secured separately):
7842 3901 5523 8847 → 4111 1111 1111 1111
The token is format-preserving (same length, same character class) so it drops into existing systems without schema changes. Only the token vault holds the mapping — and the vault is hardened, audited, and access-controlled separately.
| Feature | Encryption | Tokenization |
|---|---|---|
| Key required for reversal | Yes — decrypt with key | No — look up in vault |
| Data format | Changes (ciphertext is not format-preserving) | Preserved (same format and length) |
| Performance | Fast (local AES) | Vault lookup required |
| PCI-DSS applicability | Card data still in scope | Tokens are out of PCI-DSS scope |
| Best for | Files, volumes, databases | Payment card numbers, SSNs, healthcare IDs |
Tokenization is the primary mechanism for reducing PCI-DSS scope — if no system stores actual card numbers (only tokens), those systems are excluded from the PCI audit.
Obfuscation disguises sensitive information to make it less recognisable or useful without making it entirely inaccessible.
| Technique | What It Does | Limitation |
|---|---|---|
| Data masking | Replace real data with fictional but realistic data | Masked data is still usable for testing but not analytically accurate |
| Pseudonymisation | Replace identifiers with pseudonyms consistently | Re-identification is possible if pseudonym mapping is exposed |
| Generalisation | Replace specific values with ranges (age 34 → age 30-39) | Reduces analytical precision |
| Noise addition | Add statistical noise to numerical data | Accuracy degrades with noise level |
| Shuffling | Randomly reassign values within a column | Breaks row-level relationships |
Obfuscation is not security. It is a privacy-enhancing technique for analytics and testing. It does not provide the mathematical guarantees of encryption. A determined attacker with access to population data can often re-identify obfuscated individuals through linkage attacks.
When you must guarantee data deletion in a cloud environment (DPDP Act right to erasure, GDPR Article 17), cryptographic erasure is the standard technique:
This technique satisfies regulatory deletion requirements even where physical overwriting is impossible.
| Requirement | Recommended Technique |
|---|---|
| Protect data at rest from unauthorised access | Encryption |
| Allow analytics without exposing PII | Redaction or pseudonymisation |
| Remove card numbers from PCI scope | Tokenization |
| Generate test data from production | Data masking |
| Satisfy right-to-erasure obligations | Cryptographic erasure |
Encryption protects data from unauthorised access. Redaction, tokenization, and obfuscation protect data from authorised but inappropriately scoped access — ensuring teams get the data they need without the sensitive fields they should not see. Know when each technique applies and never confuse obfuscation with encryption.