Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.4.4. Obfuscation Techniques

💡 First Principle: Obfuscation protects data by making it unreadable or unlinkable without necessarily using encryption. These techniques reduce exposure even when data is accessed. Each technique serves a different purpose, and the exam expects you to match the technique to the scenario.

Steganography — hiding data within other data (image, audio, video files). Unlike encryption, which makes data unreadable, steganography hides the existence of the data. The attacker doesn't know there's a message to find. A seemingly normal photograph could contain embedded text visible only with the right tool. Steganography is often used in combination with encryption — first encrypt the message, then hide it in a carrier file for an additional layer of protection.

Tokenization — replacing sensitive data with non-sensitive placeholder tokens. The mapping between tokens and original values is stored in a secure token vault. The token has no mathematical relationship to the original, so intercepting it reveals nothing. Common for credit card numbers — a payment system processes tokens while the actual card numbers are locked in the vault. Tokenization is key to reducing PCI DSS scope because systems handling tokens aren't processing actual cardholder data.

Data masking — replacing real data with realistic but fictional data (e.g., replacing "John Smith" with "Jane Doe"). Unlike tokenization, masked data doesn't map back to originals — the replacement is irreversible. Used in development and testing environments to allow realistic testing without exposing production data. Static masking creates a permanently masked copy; dynamic masking masks data on-the-fly based on user permissions.

Minimization and anonymization — reducing data to the minimum needed and removing identifying information. Anonymization (when done properly) makes re-identification impossible; pseudonymization replaces identifiers with artificial ones (reversible with a key).

āš ļø Exam Trap: Tokenization preserves a mapping (reversible from the vault). Data masking does not (irreversible in the masked copy). Steganography hides existence. Encryption makes unreadable. Four different techniques with different purposes — don't confuse them.

Written by Alvin Varughese
Founder • 15 professional certifications