Data Loss Prevention (DLP)

PII Data Discovery and De-Identification

Protecting Data at Risk with Data Loss Prevention


Data loss prevention (DLP) activities start with the profiling of data at risk, be it in motion or at rest. Next is the protection of that data with the proper application of security functions and protocols.


Leading DLP solutions offer scanning, filtering, highlighting, and monitoring capabilities (to enforce protections) for data at risk. The granular data discovery and de-identification technologies in these products:

  • IRI FieldShield for finding and statically masking data in RDBs and flat files
  • IRI CellShield for doing the same in Excel® spreadsheets
  • IRI DarkShield for data in unstructured text, images, documents, NoSQL, etc.
  • IRI Voracity for all of the above, and for managing big and small data in Eclipse™


can work alone or in tandem with a heat-mapping DLP or endpoint scanning solution to allow authorized users to profile (classify and search), protect (mask or delete), and prove (risk score and audit) they acted to prevent -- or at least nullify -- the loss of sensitive data.

Profile (Classify/Scan)

Discover sensitive data and its metadata through data-class, filter-, lookup-, pattern- and fuzzy-match searches of multiple sources simultaneously. Identify, isolate, diagram, and report on data in multiple tables, files, and other sources at once. Your own data governance efforts and application modeling tools like Global IDs and Micro Focus APM can also help.
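As a generic illustration of the pattern-match search described above (a sketch, not the actual search engine in these products), a few hypothetical data-class definitions can be scanned against free text with stock regular expressions:

```python
import re

# Hypothetical data-class definitions: each pairs a class name with a
# search pattern, mimicking the data-class and pattern searches above.
DATA_CLASSES = {
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "US_PHONE": re.compile(r"\b\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
}

def profile(text):
    """Return {class_name: [matches]} for every data class found in text."""
    hits = {}
    for name, pattern in DATA_CLASSES.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits

sample = "Contact jane.doe@example.com or 555-123-4567; SSN 123-45-6789."
print(profile(sample))
```

A production discovery engine would add lookup- and fuzzy-match methods and run across many sources at once; the sketch only shows the classification idea.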

Once data is in flat files or databases, IRI FieldShield can protect it from misuse. Built-in data format (composite) template and range capabilities provide content-aware identification and validation of columnar values. If your data is in those or any other sources, you can use the same data class definitions in IRI DarkShield to locate and report on those values, too.
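Content-aware validation goes beyond pattern matching: a value that merely looks like a card number can be checked against the standard Luhn checksum before it is flagged. A minimal sketch (the function name is illustrative, not a product API):

```python
def luhn_valid(number: str) -> bool:
    """Luhn checksum: weeds out strings that merely look like card numbers."""
    digits = [int(d) for d in number if d.isdigit()]
    if len(digits) < 13:          # too short for a payment card number
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

print(luhn_valid("4111 1111 1111 1111"))  # → True (well-known test number)
print(luhn_valid("4111 1111 1111 1112"))  # → False
```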

Protect (Mask/Delete)

Choose and apply built-in or custom data masking functions to sensitive fields, selecting each function based on your need for:

  • Security - how strong the encryption or other algorithm needs to be
  • Speed - which functions conceal (and reveal) data faster
  • Reversibility - whether you need to re-identify the data later
  • Appearance - whether the ciphertext needs to retain the original format

Apply these functions ad hoc or en masse using rules. For example, use pattern-matching expressions to automatically apply a format-preserving encryption key to certain tables, while using another key on others.
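A toy sketch of rule-driven masking, with hypothetical rule and function names. Real format-preserving encryption (e.g., NIST FF1) is reversible and cryptographically strong; the keyed digit substitution below is a one-way stand-in that only demonstrates how rules select functions and how format can survive masking:

```python
import hmac, hashlib, re

KEY = b"demo-key"  # hypothetical key; real deployments use managed keys

def mask_digits(value: str, key: bytes = KEY) -> str:
    """Toy format-preserving mask: each digit becomes a keyed-hash digit,
    so length and punctuation survive. One-way; not real FPE."""
    out = []
    for i, ch in enumerate(value):
        if ch.isdigit():
            h = hmac.new(key, f"{i}:{ch}".encode(), hashlib.sha256).digest()
            out.append(str(h[0] % 10))
        else:
            out.append(ch)
    return "".join(out)

# Masking rules: a column-name pattern chooses which function to apply.
RULES = [
    (re.compile(r"ssn|card", re.I), mask_digits),
    (re.compile(r"email", re.I), lambda v: "***@" + v.split("@")[-1]),
]

def mask_row(row: dict) -> dict:
    masked = {}
    for col, val in row.items():
        for pattern, fn in RULES:
            if pattern.search(col):
                val = fn(val)
                break
        masked[col] = val
    return masked

row = {"name": "Jane", "ssn": "123-45-6789", "email": "jane@example.com"}
print(mask_row(row))
```

Because the rules are keyed off column-name patterns, the same specification applies consistently across every table it matches, which is the point of rule-based (rather than ad hoc) masking.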

Direct the output to the same source or new target. Assert both data- and role-based access controls that persist, wherever the data may later exist. This goes well beyond what other encryption-only or DLP-centric solution providers offer.
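One way to picture persistent, role-based controls (a hypothetical sketch, not the product's mechanism): the masked value travels with the data wherever it lands, and only an authorized role can map it back to the original:

```python
AUTHORIZED_ROLES = {"dpo", "auditor"}  # hypothetical role names

def reveal(masked_value: str, original_lookup: dict, role: str) -> str:
    """Role-based re-identification: authorized roles get the original
    back; everyone else sees the persisted masked value."""
    if role in AUTHORIZED_ROLES:
        return original_lookup[masked_value]
    return masked_value

vault = {"***-**-6789": "123-45-6789"}  # toy pseudonym-to-original vault
print(reveal("***-**-6789", vault, "auditor"))  # → 123-45-6789
print(reveal("***-**-6789", vault, "analyst"))  # → ***-**-6789
```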

Prove (Risk-Score/Audit)

Verify that you protected or de-identified the data at risk with statistical output and an audit trail. Job stats show column names, number of rows input/protected/output, and more.

The job specification script itself is self-documenting and easy to review in a text editor or in the GUI. It is also automatically integrated into a query-ready XML audit file. That log file also contains system information; e.g., who ran the job, where, and when.
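A minimal sketch of such a query-ready XML audit record, with hypothetical element and attribute names (not the product's actual log schema), could be produced like this:

```python
import os, socket
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

def write_audit(job_name: str, stats: dict) -> str:
    """Emit a minimal XML audit record: per-column job stats plus
    who/where/when, loosely mirroring the log described above."""
    root = ET.Element("audit")
    job = ET.SubElement(root, "job", name=job_name)
    for col, (rows_in, rows_protected) in stats.items():
        ET.SubElement(job, "column", name=col,
                      rows_in=str(rows_in), rows_protected=str(rows_protected))
    env = ET.SubElement(root, "environment")
    ET.SubElement(env, "user").text = os.getenv("USER", "unknown")
    ET.SubElement(env, "host").text = socket.gethostname()
    ET.SubElement(env, "timestamp").text = datetime.now(timezone.utc).isoformat()
    return ET.tostring(root, encoding="unicode")

xml_log = write_audit("mask_customers", {"ssn": (1000, 1000), "email": (1000, 997)})
print(xml_log)
```

Because the record is well-formed XML, it can be queried later (e.g., with XPath) to answer "which columns were protected, by whom, and when" during a compliance review.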

Together with the sources and targets they identify, these records help validate the work you did to comply with data privacy laws.