Data Tokenization

Data tokenization is an advanced data protection method that enables you to secure sensitive data at rest while maintaining operability.

What is Tokenization?

Tokenization is a scalable solution to bolster your organization’s data security and governance. It enables you to tokenize and detokenize values by substituting sensitive data with non-sensitive tokens at high throughputs.

What Tokenization Supports

Tokenization supports

  • the scale of technologies (such as Snowflake) where you might need to quickly tokenize or detokenize datasets containing millions or billions of values.

  • deterministic and non-deterministic tokens, and is accessible through an API to perform the following jobs:

    • exchange values for tokens

    • exchange tokens for values

    • delete tokens and their associated values from the token vault

Benefits of Tokenization

  • It's secure. Tokenization substitutes the original value with a randomly generated token. If someone successfully obtains the token, then they have nothing of worth. The token has no encryption key or any other mathematical relationship to the original data; the sensitive data remains secure in a separate token vault. Unlike encryption technologies or vaultless tokenization, there is no way to decode the data without access to the token vault.

  • It's operational. Tokenization offers determinism, which allows you to perform accurate analytics on the data in the cloud. If you provide a particular set of inputs, then you get the same outputs every time. Deterministic tokens enable you to perform SQL operations, such as joins or WHERE clauses, without the need to detokenize the data, protecting consumer privacy without interrupting analyst operations.

  • It's retrievable. Unlike hashing, tokenization allows you to retrieve the original value in the event you need it.

  • It's scalable. ALTR’s tokenization is a highly scalable solution that fits with technologies like Snowflake where you might need to tokenize or detokenize millions or billions of values at a time.

How Tokenization Works

When a value is tokenized, it is replaced with a random UUID that has no mathematical relationship to the original value. The original value is encrypted and stored in a token vault to support detokenization. When an authorized user requests to exchange a token for a value, a lookup is performed in the token vault for that token. If the token exists, its corresponding value is decrypted and returned.

Tokenization optionally supports deterministic tokens, where a value returns the same token every time it is tokenized. Deterministic tokens enable users to perform joins and WHERE clauses in queries on tokenized data without having to detokenize it; they can still operate on data even if they don’t have access to the original value. Deterministic and non-deterministic tokens are returned with different tokenization headers: vaultd_{token} and vaultn_{token} respectively.
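The following is an added example, not ALTR's code or API: a small in-memory model of the vault behavior described above, showing why a join on the token column matches only with deterministic tokens. The names ToyTokenVault and demo_join_rows, the keyed HMAC lookup index, and the unencrypted in-memory storage are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
import uuid


class ToyTokenVault:
    """In-memory model of a vaulted tokenizer (added example, not ALTR's code)."""

    def __init__(self):
        # Assumption: plaintext kept for brevity; the page's vault stores it encrypted.
        self._values = {}  # token -> original value
        # Assumption: determinism via a keyed HMAC index; the token stays a random UUID.
        self._index_key = secrets.token_bytes(32)
        self._det_index = {}  # HMAC(value) -> deterministic token

    def _fingerprint(self, value):
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value, deterministic=False):
        if deterministic:
            fp = self._fingerprint(value)
            if fp in self._det_index:  # same value -> same token
                return self._det_index[fp]
            token = f"vaultd_{uuid.uuid4()}"
            self._det_index[fp] = token
        else:
            token = f"vaultn_{uuid.uuid4()}"  # fresh token on every call
        self._values[token] = value
        return token

    def detokenize(self, token):
        return self._values.get(token)  # None if unknown or deleted

    def delete(self, token):
        value = self._values.pop(token, None)
        if value is not None and token.startswith("vaultd_"):
            self._det_index.pop(self._fingerprint(value), None)
        return value is not None


def demo_join_rows(deterministic):
    """Join constructed orders and tickets on the tokenized email column."""
    vault = ToyTokenVault()
    email = "alice@example.com"  # constructed sample value
    orders = [(vault.tokenize(email, deterministic), "order-1")]
    tickets = [(vault.tokenize(email, deterministic), "ticket-9")]
    return [(o, t) for tok_o, o in orders for tok_t, t in tickets if tok_o == tok_t]
```

Because equal inputs yield equal deterministic tokens, anyone who can read a tokenized column can see which rows share a value, so choose deterministic tokens only for columns that need joins or equality filters.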

Using Tokenization

Access to ALTR's Vaulted Tokenization API is required to tokenize data. To use this API, you must be on an ALTR plan that includes tokenization access and you must generate API credentials to access the relevant endpoints. Refer to API for information on creating API credentials. If you would like access to tokenization, contact ALTR Support.

Detokenizing data can be done from ALTR's Vaulted Tokenization API or through ALTR's integration of detokenization with data access policies. Refer to Tokenization Access Policies for more information.