Data Loss Prevention (DLP)

PII Data Discovery and De-Identification

Protecting Data at Risk with Data Loss Prevention


Data loss prevention (DLP) activities start with the profiling of data at risk, be it in motion or at rest. Next is the protection of that data with the proper application of security functions and protocols.


Leading DLP solutions offer scanning, filtering, highlighting, and monitoring solutions (to enforce protections) for data at risk. The granular data discovery and de-identification technology in these products:

  • IRI FieldShield for finding and statically masking data in DBs and files
  • IRI CellShield for doning the same in Excel spreadsheets
  • IRI DarkShield for finding and protecting data in unstructured sources
  • IRI Voracity for all of the above, and for managing big and small data in Eclipse™


can work alone or in tandem with other DLP solutions to allow authorized users to profile (classify), protect (mask), and prove (audit) they acted to prevent -- or at least nullify -- the loss of sensitive data.

Profile (Classify)

Discover sensitive data and its metadata through pattern and fuzzy-match searches of multiple sources. Identify, isolate, diagram and report on data at risk in databases, flat files, or Excel. Your own data governance efforts and application modeling tools like Global IDs and Micro Focus APM can also help.

Once data are in flat files or databases, IRI FieldShield can protect it from misuse. Built-in data format (composite) templates and range evaluation (selection) capabilities provide for content-aware identification and validation of columnar values.

Protect (Mask)

Choose and apply built-in or custom data masking functions for sensitive fields. Choose which function to apply based on your need for:

  • Security - how strong the encryption or other algorithm needs to be
  • Speed - which functions conceal data (and/or reveal) faster
  • Reversibility - whether you need to re-identify the data later
  • Appearance - if the ciphertext needs to retain the original format

Apply these functions ad hoc, or en masse using rules. For example, use pattern-matching expressions to automatically apply a format-preserving encryption key to certain tables, while using another key on others.

Direct the output to the same source or new target. Assert both data- and role-based access controls that persist, wherever the data may later exist. This goes well beyond what other encryption-only or DLP-centric solution providers offer.

Prove (Audit)

 Verify that you protected or de-identified the data at risk with statistical output and an audit trail. Job stats show column names, number of rows input/protected/output, and more.
The job specification script itself is self-documenting and easy to review in a text editor or in the GUI. It is also automatically integrated into a query-ready XML audit file. That log file also contains system information; e.g. who ran the job, where, and when.
Together with the sources and targets they identify, these records help validate the work you did to comply with data privacy laws.