Which of the following strategies most effectively protects sensitive data at rest in a database?

Hashing converts data into a fixed-size string of characters, which is generally irreversible. While it can protect data integrity and is useful for password storage, it does not allow for the original data to be retrieved. Therefore, it is less effective for protecting sensitive data at rest when retrieval is necessary.

Masking involves altering data to hide its original value, often by replacing it with asterisks or other characters. While it can be useful for anonymizing data, it does not provide a secure method for storing sensitive information, as the original data remains accessible in some form. Masking is less suitable for protecting data at rest compared to tokenization.

Obfuscation involves making data difficult to understand, often through encoding or transformation techniques. While it can deter casual observers from accessing the data, it does not provide the same level of security as tokenization, especially since the obfuscated data can potentially be reversed if the method is known.