Why FieldShield Is Better

Consider Key Advantages and Differentiators

Why is IRI FieldShield the best choice for profiling and protecting personally identifiable information (PII), complying with data privacy laws, nullifying data breaches and masking production data for testing? Click through these nine reasons, and peruse the other tabbed pages on FieldShield above. Surf our robust data masking and test data sections to learn even more.


Only FieldShield includes multiple data source profiling tools and scanning methods to help you classify and locate PII in flat files, databases, and dark data repositories. Build statistical reports and charts, ER diagrams and multiple searches.

Only FieldShield protects sensitive data, at rest or in transit, with masking functions in 14 different categories to support an unlimited number of business rules and data-centric conditions. You can mask multiple database and file sources separately, or in combination (e.g., ETL environments) with other operations in the same job and I/O pass.

Protection jobs can run through an executable or SDK (.NET, C/C++, and Java), via free Eclipse™ GUI, the command line, batch scripts, DB applications, SQL procedures, or any program making a system or API call. Thus it is possible to effect dynamic data masking and unmasking (encryption and decryption as well) in a number of ways, in addition to static data masking, using FieldShield.


Most encryption solutions have one method or key, and cover an entire data source or device. If compromised, everything is exposed. With FieldShield, other fields are still protected even if one is breached. Multiple encryption functions and keys for different fields and different recipients also help, as do the choice of three internal key management methods plus proven integrations with the Microsoft Azure Key Vault and Townsend Security Alliance Key Manager system.

Several non-reversible data masking and obfuscation functions, as well as simple field removal, also enhance security; see our articles on data masking function choice and this on data deletion.

FieldShield jobs, data definitions, audit files, and related assets can be secured through a free, distributed metadata management hub and controlled on the basis of roles in multiple ways.

Security of the masked data is also enhanced through FieldShield's included risk measurement capabilities. Research and marketing data sets with masked identifiers can still have quasi-identifiers unmasked. FieldShield users can score re-identification risk and further generalize the data to preserve its utility while reducing the ability of attackers to expose individuals in the data set.


FieldShield runs on all Unix, Linux, and Windows platforms, and operates on all ODBC-connected database tables, and the sequential file formats common to most applications and mainframes, including files with header and footer records.

FieldShield also uses the same metadata and Eclipse GUI (IRI Workbench) as:

  • IRI DarkShield for finding and masking PII in multiple unstructured sources
  • IRI CellShield EE for finding and masking PII in Excel sheets LAN-wide
  • IRI CoSort for data transformation and reporting
  • IRI RowGen for realistic test data synthesis or subsetting
  • IRI NextForm for database, file, and data conversion and replication
  • IRI FACT (Fast Extract) for unloading very large databases
  • IRI Voracity for total data management; i.e., discovery, integration, migration, governance, and analytics, where FieldShield data masking functions can be expressed and executed in the same job and I/O pass with data transformation, cleansing, and reporting operations for example.

Some of the same masking functions in FieldShield are also plug-compatible with IRI CellShield for masking PII in Excel spreadsheets and IRI DarkShield for masking PII in unstructured text/log files, PDF/MS Office documents, NoSQL databsaes, images, and faces.

You can also run FieldShield job scripts alongside Actifio or Commvault cloning operations to seamlessly mask copies of the databases you are replicating.

FieldShield data definition files work with all IRI products, and are compatible with erwin (AnalytiX DS) Mapping Manager and the Meta Integration Model Bridge (MIMB). Their .ddf support means you can quickly leverage the existing metadata in your ETL, BI, and modeling tools for FieldShield and other IRI software.


The need-based, field-level protections in FieldShield complete faster than full database or device-centric encryption approaches, especially in real-time. FieldShield masking functions also consume less CPU and I/O. They can even run on a conditional basis, tied to new or specific rows, ranges of values, or discrete values.

FieldShield also uses the decades-proven and -enhanced big data movement engines of its parent product, IRI CoSort to scale performance in volume linearly. A 21-million row Oracle table with multiple columns to encrypt was masked and updated from a LAN-connected Windows PC using FieldShield in 11 minutes.

In IRI Voracity, there are Hadoop options to run FieldShield jobs to scale horizontally and elastically -- without recoding -- too. So if performance in volume is a concern, FieldShield is the only choice.


FieldShield can produce a single secured output for multiple recipients, with selective authorization to reveal the plaintext controlled by managed en(de)-cryption keys. This reduces protection time, storage, and the complexity (synchronization problem) of managing disparate versions of the output.

FieldShield can also produce multiple outputs for distributed anonymization scenarios. Either way, however, by specifying all the protections in one FieldShield program, there is only one job to create, manage, and audit.

You can easily apply a common protection rule to multiple tables at once (without Java), and re-use that rule in other data protection, etc. jobs. This GUI-supported feature saves design time, automates rule application, and preserves referential integrity.

Compliance team members can unify and control their data and FieldShield metadata assets in the cloud with a free metadata management hub (e.g., EGit).


FieldShield creates data mapping diagrams and queryable XML job logs to verify the steps you took to comply with data privacy regulations. The logs contain the runtime and application environment that auditors need. The logs can be public or private (e.g., via free EGit asset security), and populate SIEM tools like Splunk through add ons like this.

FieldShield can also score the risk of re-identification based on the distinction and separation values it finds in your data's indirect, or quasi-identifiers, and produces graphs and reports to help you further generalize those values and comply with FERPA and the HIPAA Expert Determination Rule.


FieldShield allows you to specify data protections on a conditional basis using either SQL SELECT syntax or /INCLUDE-OMIT logic in your jobs, so that you can target protection function based on a pattern, value, or range in a specific column or string.

Choose a protection for each field from any of the 14 functional categories, or your saved rules, based on your business rules. Consider a health insurance claim table with 19 columns, 3 of which have PHI: pseudonymize the name, mask the SSN, encrypt the medical billing code, and leave the remaining data alone.

FieldShield masking functionality also seamlessly extends into various test data scenarios in IRI Workbench, including the application of masking functions in the database subsetting wizard, ETL operations, direct population of referentially correct tables in lower non-production environments, or the virtualization of test data for immediate DevOps needs.


FieldShield uses self-documenting 4GL scripts to define the layouts and masking of table columns and file fields. And with the IRI Workbench GUI, built on Eclipse™, even the simple syntax need not be learned or hand-coded. Scripts interact with a color-coded syntax-aware and graphical form editor with graphical outlines, as well as parameter modification dialogs and transform mapping diagrams all interactively, and in the same pane-of-glass.

User-friendly data discovery and job definition wizards also help you design and build those scripts automatically. Data and job specs are easy to modify in the GUI or any text editor ... something else other data masking tools don't offer.


FieldShield as a standalone product is licensed for perpetual use in the low five figures, and is discounted in volume and distributed runtime integration scenarios. Five FieldShield masking engine licenses are alternatively included at no charge -- along with IRI CellShield EE, IRI DarkShield, and IRI RowGen (for test data synthesis and DB subsetting) -- in the base tier of IRI Voracity data management platform subscriptions.

IRI is a stable, US-based company (since 1978) not weighed down by external shareholders or big marketing expenses. Customers appreciate these savings, or the included use of all FieldShield capabilities within the broader Voracity data management platform for data discovery, integration, migration, governance, and analytics.