Static Data Masking

Persistent data masking, or Static Data Masking (SDM) is the primary method of protecting specific data elements at rest. These "elements" are typically database column or flat-file field values that are considered sensitive. These fields may contain personally identifiable information (PII), protected health information (PHI), primary account numbers (PAN), trade secrets, or other private values.

The "startpoint" data-centric security product IRI FieldShield -- or the IRI CoSort product and IRI Voracity platform that include the same capabilities -- provide more data discovery and SDM functions for more data sources than any other data masking tool. They now also include a state-of-the-art re-ID risk scoring wizard.

Available per-field/column functions include:

• multiple, NSA Suite B and FIPS-compliant encryption (and decryption) algorithms, including format-preserving encryption
• SHA-1 and SHA-2 hashing
• ASCII de-ID (bit scrambling)
• binary encoding
• data blurring and generalization
• randomization
• redaction (string masking)
• reversible and non-reversible pseudonymization
• expression (calculation / shuffle) logic
• conditional / partial filtering (omission)
• custom value replacement
• byte shifting and sub-string functions
• tokenization (for PCI)

You can also "roll your own" external data masking function. This allows you to call a custom field protection at runtime instead of a built-in function.

Whether built-in or custom, you can apply functions conditionally to specific rows or columns, and across tables through protection rules you can define, store, and re-use. It is also possible to apply these functions in a dynamic data masking (DDM) context.

Create, run, and manage your data masking jobs in a free state-of-the-art GUI, built on Eclipse.™ Or, use the same, simple, self-documenting 4GL metadata defining your data layouts and protections in a command line environment.

If you have sensitive data in Excel, check out IRI CellShield. CellShield supports many of the same encryption, redaction and psedudonymization functions as FieldShield.

If you have sensitive data in unstructured text, log, MS Office, Parquet or PDF files, or in semi- or unstructured RDB columns or NoSQL DB collections, check out IRI DarkShield. The DarkShield API supports all, and the DarkShield GUI supports at least half, of the static data masking functions in the categories listed above. The same deterministic (consistent) data masking results apply across all the IRI shield tools so you can preserve data (and referential) integrity across the all enterprise data sources they protect.