Question 32
Domain 2: Data Protection and Identity Security
When implementing data masking for non-production cloud environments, which approach BEST balances security with utility for testing purposes?
Correct answer: B
Explanation
Format-preserving masking keeps the data usable for testing because it preserves the original structure, while masking sensitive values. Maintaining referential integrity ensures related records still match, which is essential for realistic non-production testing without exposing production data.
Why each option is right or wrong
A. Replacing all data with random characters
B. Using format-preserving masking that maintains referential integrity
Format-preserving masking is the strongest fit here because it replaces sensitive values while keeping the same data type, length, and field structure, which preserves application behavior in test environments. Maintaining referential integrity is critical under common privacy and security control frameworks for non-production data handling, including NIST SP 800-122 guidance on protecting PII and ISO/IEC 27001 Annex A controls for data masking, because linked records must still join correctly for realistic testing.
C. Removing all sensitive fields entirely
D. Using the same static mask values for all records
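Option B as an added example (not part of the original question): keyed, deterministic masking that keeps each field's length, character classes and separators, so a customer ID masks to the same value in every table and joins still work. The key, field names and sample rows are constructed; this is an HMAC-based substitution, not a standardized FPE cipher such as NIST FF1, so it is one-way and two inputs can collide.

```python
import hashlib
import hmac
import string

# Assumption: a constructed demo key. A real masking key lives in a secrets
# manager and is never copied into the non-production environment.
MASKING_KEY = b"constructed-demo-key"


def mask_value(value: str, field: str, key: bytes = MASKING_KEY) -> str:
    """Deterministically mask `value`, preserving length, character class and separators."""
    seed = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()
    stream, counter = seed, 0
    while len(stream) < len(value):  # one keystream byte per character
        counter += 1
        stream += hmac.new(key, seed + bytes([counter]), hashlib.sha256).digest()
    out = []
    for ch, b in zip(value, stream):
        if ch in string.digits:
            out.append(string.digits[b % 10])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[b % 26])
        elif ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[b % 26])
        else:
            out.append(ch)  # separators such as '-' keep the field's format
    return "".join(out)


def mask_tables(customers, orders):
    """Mask both tables; the shared field label keeps the foreign key consistent."""
    masked_customers = [
        {"customer_id": mask_value(c["customer_id"], "customer_id"),
         "ssn": mask_value(c["ssn"], "ssn")}
        for c in customers
    ]
    masked_orders = [
        {**o, "customer_id": mask_value(o["customer_id"], "customer_id")}
        for o in orders
    ]
    return masked_customers, masked_orders


# Constructed sample rows standing in for a production extract.
CUSTOMERS = [{"customer_id": "C-10482", "ssn": "123-45-6789"},
             {"customer_id": "C-20915", "ssn": "987-65-4321"}]
ORDERS = [{"order_id": 1, "customer_id": "C-10482"},
          {"order_id": 2, "customer_id": "C-10482"},
          {"order_id": 3, "customer_id": "C-20915"}]
```

Because the output is not guaranteed unique, check masked key columns for collisions before loading them under a unique constraint.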