What’s tokenization? Is that different from encryption? Here’s a breakdown of the differences and similarities between the two, and how they can help protect enterprise business.
Encryption and tokenization are both important tools for securing private and sensitive data at rest within enterprise companies. Many companies still fail to build them into their security policies, which they need to reconsider now that new legislation, such as the General Data Protection Regulation (GDPR), requires those technologies for compliance. And while the two are similar, encryption and tokenization are not the same thing.
Let’s look at how the two technologies differ.
Encryption is an enormous subject that can’t be easily boiled down, but generally it’s a process that uses an algorithm and a key to turn sensitive data, or plaintext, into unreadable ciphertext. To read encrypted data, employees (or automated systems) need the corresponding key, which should be handled only by the most trusted administrators.
Encryption has a myriad of uses, including protecting data in transit over networks (email across the Internet, for example), bank ATMs, Bluetooth devices, mobile devices, and Digital Rights Management systems.
Tokenization, by contrast, does not rely on a mathematical algorithm. Instead it substitutes real data and personal identifiers with random codes, or tokens. Employees use a master table, database, or “token vault” to map tokens back to the identifiers whenever they need to work with the real data. The data stored in the vault is often itself protected by encryption, but the advantage of tokens is that they carry no mathematical relationship to the original value and no key that can revert them to real data: the only way back is a lookup in the vault.
Tokenization requires fewer resources to process, so tokens can be handled more quickly. The result is a secure yet flexible way of hiding sensitive information with a low risk of exposure, since applications can keep operating on tokens instead of the original data.
Tokenization is commonly used to protect bank accounts, criminal records, driver’s license numbers, medical records, voter registration information, and other types of personally identifiable information.
So the main difference between encryption and tokenization is how they handle data. Encryption scrambles information and requires careful key management, while tokenization removes sensitive information from a system and replaces it with tokens. Both are cryptographic data security methods that ultimately serve the same purpose. Which process a company chooses depends on the types of data processed and on its interpretation of specific compliance requirements. Ideally, companies should implement both solutions to provide the maximum amount of data control and security. In the case of the GDPR, which reaches beyond companies located in the European Union, encryption of personally identifiable data is a definite requirement.
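To make the contrast concrete, here is an added Go example; it is not code from the original article. It encrypts a sample card number with AES-GCM (an assumed cipher choice; the article names none) and, beside it, tokenizes the same value through an in-memory map that stands in for the token vault. The `Vault`, `Encrypt`, `Decrypt`, `Tokenize` and `Detokenize` names, the fixed 64-attempt collision retry and the convention that a token is a random digit string of the same length as the value are all assumptions made for this example. Holding the key is enough to reverse the ciphertext; nothing short of access to the vault reverses the token.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key; output is nonce || ciphertext || tag. Ciphertext is a keyed, reversible function of the data: whoever holds the key inverts it.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt inverts Encrypt; a wrong key or a modified ciphertext fails the GCM tag check.
func Decrypt(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

type Vault struct {
	byToken map[string]string // token -> real value
	byValue map[string]string // real value -> token, so a repeated value reuses its token
}

func NewVault() *Vault {
	return &Vault{byToken: map[string]string{}, byValue: map[string]string{}}
}

// Tokenize swaps a digit string (e.g. a card number) for a random digit string of the
// same length. Nothing in the token can be computed back to the value; the vault is the only link.
func (v *Vault) Tokenize(value string) (string, error) {
	if t, ok := v.byValue[value]; ok {
		return t, nil
	}
	for attempt := 0; attempt < 64; attempt++ {
		t, err := randomDigits(len(value))
		if err != nil {
			return "", err
		}
		if _, taken := v.byToken[t]; taken || t == value {
			continue // collides with an issued token or with the value itself; draw again
		}
		v.byToken[t] = value
		v.byValue[value] = t
		return t, nil
	}
	return "", errors.New("could not allocate a unique token")
}

func (v *Vault) Detokenize(token string) (string, bool) {
	value, ok := v.byToken[token] // the only way back; without vault access a token is inert
	return value, ok
}

func randomDigits(n int) (string, error) {
	buf := make([]byte, n)
	for i := range buf {
		d, err := rand.Int(rand.Reader, big.NewInt(10)) // unbiased digit from crypto/rand
		if err != nil {
			return "", err
		}
		buf[i] = byte('0' + d.Int64())
	}
	return string(buf), nil
}

func main() {
	pan := "4111111111111111" // constructed sample: a widely used test card number
	key := make([]byte, 32)   // demo only, an all-zero key; real keys come from a KMS/HSM
	ct, _ := Encrypt(key, []byte(pan))
	tok, _ := NewVault().Tokenize(pan)
	fmt.Printf("ciphertext: %x\ntoken:      %s\n", ct, tok)
}
```

Running it with `go run` prints a fresh ciphertext and a fresh token each time. Two practical differences show up immediately: the token has the same length and character set as the card number, so downstream schemas and validation rules need no change, while the ciphertext is longer than the input (nonce and tag added) and needs a wider column; and the ciphertext is useless without the key but recoverable with it, whereas the token is useless to anyone who cannot query the vault.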
Data Protection by Pseudonymization