Deterministic Data Masking

 

Next Steps
Home » Solutions » Data Masking

Quick Links

+
Overview Auditing CPRA CCMC DLP FERPA GDPR DPDP HIPAA PCI DSS DMaaS Static Dynamic Real-Time Test Data/TDM

IRI Data Masking Tools in Gartner Market Guide

Gartner recognized solution for enterprise privacy.


Gartner logo| Read More

Outsmart Risk. Classify, Find & Consistently Anonymize PII in Structured, Semi-Structured, and Unstructured Sources.

Classify, Locate, De-Identify, and Prove

Unmasked data can damage your company's reputation and cost it millions in fines. Award-winning on-premise data discovery and masking data anonymization tools from IRI have been repeatedly proven in a wide range of data breach nullification, privacy law compliance, and DevOps (test data) environments.

Use a fit-for-purpose IRI data 'shield' product (or more than one in the IRI Voracity data management platform) to find and mask sensitive data, preserve referential integrity, and prove it.

Whether you require static data masking for persistent storage, dynamic data masking or real-time protection, use a fit-for-purpose IRI data 'shield' product or the comprehensive platform to find and mask sensitive data while maintaining referential integrity in data masking.

  • Types of Sensitive Data
  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Primary Account Numbers (PANs)
  • Other Sensitive Information
world pins

Comply with Data Privacy Laws

Data privacy laws require that key identifiers be encrypted, pseudonymized, redacted, or scrambled, and that quasi-identifiers be anonymized to prevent re-identification. IRI data and database masking tools can find and obfuscate PII in multiple structured, semi-structured, and unstructured sources to meet the data erasure, portability and rectification requirements of the GDPR et al, and score re-ID risk for HIPAA, etc. Inquire about your mandates.

Click the acronyms above to learn more →

Apply Multiple Masking Methods

Use the centralized data class and rule library for IRI FieldShield or DarkShield, built on Eclipse™, to discover, classify, and mask data quickly and easily. Blur, encrypt, hash, pseudonymize, randomize, redact, scramble, tokenize, etc. Pair a deterministic data masking function to your search-matched data classes, and apply it consistently to preserve realism and referential integrity enterprise-wide.


Learn more about Static Data Masking vs Dynamic Data Masking vs Real-Time Masking techniques.

Which Data Masking Function Should I Use? →

IRI data masking
RBAC

Use Role Based Access Controls (RBAC) for Secure Masking

Decide and enforce who can access or use specific data sources and targets; masking rules and job scripts; data classifications and data layout definitions; decryption keys and log files; and, even the masking programs themselves. Establish different roles for different data sources, and different access rights based on those roles.

Define, Assign, and Follow RBAC Rules →

Leverage Multiple Audit Logs for Compliance Reporting

All IRI data obfuscation tools produce machine-readable audit logs that you can secure, query, and display, or export to SIEM tools, to: reliably document everything that's been changed, verify compliance with data privacy laws without tampering concerns, trigger alerts, and take action. This is how sensitive data auditing should work.

Learn More →

Auditability
Strategic planning with analytics

Enterprise Use Cases for Data Obfuscation Tools

  • DevOps & Software Testing: Utilize static data masking tools to create safe, high-fidelity clones or masked refreshes of production data. This ensures your developers can work with realistic, synchronized datasets without risking exposure.
  • Real-Time Analytics: Deploy dynamic data masking solutions to redact PII on-the-fly as it is queried by BI tools or third-party applications.
  • Legacy System Migration: Securely move data to the cloud by applying data masking software during the ETL process, ensuring compliance from the moment data leaves your on-premise servers.

Learn Which Data Masking Tool to Use

Product
Functionality
FieldShieldIRI FieldShield

Find, classify, mask, and risk-score PII across structured data sources, including legacy (flat COBOL, CSV, LDIF) files, ODBC-connected databases, cloud apps like Salesforce, etc. Use AES-256 FPE, blurring, hashing, redaction, pseudonymization, tokenization, etc.

Learn More →
DarkShieldIRI DarkShield

Discover, deliver, and delete sensitive information in structured, semi-structured and unstructured sources, including: text, JSON, XML, HL7/X12/FHIR, SQL, and flat files, MS & PDF documents (including embedded images), Parquet, relational databases (plus C/BLOB and free-floating text columns), NoSQL DBs (MongoDB, Cassandra, Elasticsearch, CosmosDB, Redis, Splunk, etc.), DICOM and other image formats, signatures, audio formats, and soon, handwriting and faces, too!

Learn More →
CellShieldIRI CellShield EE

Find, report on, mask, and audit PII in one or more Excel® spreadsheets at once using point-and-click options inside Excel itself. Search and mask intracellularly, protect formulas, and even entire sheets, too.

Learn More →
VoracityIRI Voracity

Get all three IRI data masking tools inside, plus test data management, within a total data lifecycle management platform that consolidates big data discovery, integration, migration, governance, and analytics. In addition to FieldShield, CellShield EE and DarkShield, Voracity includes IRI RowGen to generate synthetic, but realistic test data. Create (and mask) DB subsets, or generate smart test data from scratch for DB/ETL prototypes, analytic and AI models, product demos, and application or hardware stress-testing.

Learn More →
Describe Your Use Case

Resources for Data Masking Software

Compliance Toolkit for GDPR Compliance Toolkit for GDPR title screen Data-Centric Security Podcast | Outlook Series Outlook series data masking podcast Data Protector Suite PDF Data Protector Suite PDF Cover Data Masking White Paper Data Masking White Paper Data Protection Blogs Data Protection Blog Data Privacy LinkedIn Group IRI Data Masking LinkedIn Group

Frequently Asked Questions (FAQs)

1. What is data masking?
Data masking is the process of protecting sensitive information by replacing real values with fake but potentially realistic data. This helps prevent unauthorized access while maintaining the usability of data for testing, development, and analytics. Learn more about data masking software in this educational article.
2. How does deterministic data masking work?

Deterministic masking functions like format-preserving encryption and pseudonymization, are vital data obfuscation tools because they ensure that the same input always yields the same masked output. This is critical for maintaining referential integrity in data masking across disparate systems.

Deterministic data masking functions retain a computational or tabular relationship to original data values so that when applied, will produce the same masked result for every unique original plaintext value every time. This ensures consistency in test values across databases to preserve referential integrity, and supports repeatable processes like test case validation and data synchronization. IRI facilitates this through the association of deterministic data masking rules (like format-preserving encryption and lookup pseudonymization) to data classes.

3. What types of data can be masked?
Masking can be applied to personally identifiable information (PII), protected health information (PHI), payment card data (PANs), and other sensitive data elements across structured, semi-structured, and unstructured sources. Effective PII masking requires a tool that can handle multiple formats.
4. How do I choose the right data masking method?
The right method depends on your use case. For example, pseudonymization may suit testing environments, encryption for compliance, and redaction for secure reporting. IRI supports AES-256 encryption, hashing, tokenization, randomization, and more. See this article for more details.
5. What is the difference between static and dynamic data masking?
Static data masking modifies data at rest before it\'s shared or used. Dynamic data masking masks data in real-time during user access. IRI data masking tools support both of these constructs, as well as real-time masking through change data capture pipelines or database triggers. IRI offers both static and dynamic data masking solutions for hybrid environments. If you are building a test environment, visit our Test Data hub for more resources.
6. Can I mask sensitive data in Excel spreadsheets?
Yes. IRI CellShield EE enables you to discover, mask, and audit PII directly within Excel using a point-and-click interface, allowing you to protect specific cells, formulas, and even entire sheets. IRI FieldShield and IRI DarkShield also support Excel; IRI DarkShield can find and mask sensitive data in flat files, raw text, JSON, XML, HL7, X12, FHIR, PDFs, MS Office documents, Parquet, Relational Databases (SqlServer, Oracle, etc), and NoSQL DBs like MongoDB see this article comparing all three tools.
7. What file formats and systems does IRI DarkShield support?
IRI DarkShield can find and mask sensitive data in flat files, raw text, JSON, XML, HL7, X12, FHIR, PDFs, MS Office (Word, Excel, PowerPoint) documents, DICOM, image files (including signatures within), Parquet and audio files, Relational Databases (SqlServer, DB2, Oracle, etc), NoSQL DBs like MongoDB, Elasticsearch, Cassandra, CosmosDB, Redis, and Splunk indexes.
8. How do I maintain referential integrity while masking data?
By applying deterministic data functions like format-preserving encryption (FPE) and consistent pseudonymization. These methods ensure that relationships across tables or systems remain intact after masking; see FAQ #2 above.
9. Can I track and audit what data was masked?
Yes. IRI tools generate machine-readable audit logs that record what was changed, when, where, and by whom. These logs can be secured and integrated with SIEM tools for compliance and monitoring. This is a core requirement for enterprise data anonymization compliance. See this page for more information.
10. How does IRI help with data privacy law compliance?
IRI tools help satisfy privacy mandates like GDPR, HIPAA, CCPA, and PCI DSS by classifying, masking, and logging sensitive data actions. You can meet requirements for anonymization, re-ID risk scoring, erasure, and other data subject access requests (DSARs).
11. What is role-based access control (RBAC) in data masking?
RBAC allows administrators to define who can view or modify sensitive data, as well as who can access data masking jobs, encryption keys, and so onetc.. IRI users can deploy granular RBACs to protect sensitive data and/or data masking operations from unauthorized users in different ways.
12. Can I mask data across multiple systems at once?
Yes. IRI tools can process data from legacy files, modern databases, cloud platforms, and document stores. The IRI Workbench IDE centralizes control over discovery and masking jobs across your environment.
13. How does IRI Voracity support test data generation?
IRI Voracity includes RowGen, which can generate realistic, referentially correct test data. You can create synthetic data from scratch or subset and mask production data for test DBs and files, DevOps, analytics, and stress testing.
14. What is the benefit of using IRI Voracity instead of the standalone data masking tools?
IRI Voracity combines FieldShield, DarkShield, and CellShield EE in one platform. It also adds subsetting and test data synthesis (via IRI RowGen), and many big data management features, including data integration, migration, cleansing, wrangling and reporting … giving you total lifecycle control over your data. If you have RDBs, you might want to use FieldShield and DarkShield at different times for different use cases.
15. Can I use IRI tools in cloud environments?
Yes. IRI tools can run in any cloud VM or bare metal instance running Windows or Linux. IRI data masking tools also support most cloud file stores and databases, as well as sources like Salesforce and can be deployed on cloud-based VMs or containers. They also support hybrid environments for secure on-premise and cloud data masking.
16. How fast can I implement IRI data masking solutions?
Most IRI data masking tools are production-ready out of the box and include wizards to guide setup. Users can start masking sensitive data quickly through the Eclipse-based Workbench GUI, speeding time to compliance.
17. What industries benefit most from data masking?
Any industry handling sensitive data can benefit—especially finance, healthcare, retail, education, insurance, and government. IRI data masking tools are proven in high volume, high-compliance environments.
18. Can I try IRI data masking software before buying?
Yes. IRI offers free trial software and support for FieldShield, DarkShield, CellShield EE, and Voracity. You can evaluate their capabilities in your environment to determine the right fit for your use case.
19. How does sensitive data discovery improve the masking process?
Automated sensitive data discovery ensures that no PII is missed during the masking phase. By scanning dark data and hidden files first, you can apply PII masking rules consistently across your entire infrastructure, reducing the risk of a breach.
20. Is IRI data masking software compatible with AI and Machine Learning?
Yes. For AI training, enterprise data anonymization is critical. IRI allows you to generate high-fidelity, anonymized datasets that retain the statistical significance required for model training while ensuring that individual identities are perfectly protected. See this article for more information.
21. What makes IRI a leader in real-time data masking solutions?
IRI provides real-time protection through database triggers and change data capture (CDC) pipelines. This ensures that sensitive information is redacted instantly upon access.
22. Can I achieve global compliance with these data obfuscation tools?
Absolutely. IRI’s data obfuscation tools are designed to meet the strict requirements of international laws like the GDPR and India’s DPDP Act, allowing multinational corporations to manage PII masking from a centralized platform.
X

Types of Sensitive Data

  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Primary Account Numbers (PANs)
  • Other Sensitive Information

Personally Identifiable Information (PII)

While there is no set list of PII across all privacy laws, there are common elements used across these laws. In short, PII is information, when used alone or with other data, that identifies an individual. Government regulations like the CPRA, SSAE 18, SOC 2, and GDPR require that all PII be protected using specialized PII discovery and masking techniques within enterprise data anonymization workflows.

Protected Health Information (PHI)

In medical records, PHI identifies a health care recipient. US HIPAA regulations require that 18 key identifiers be effectively de-identified or anonymized.

Primary Account Numbers (PANs)

PANs are identifying numbers used in credit card transactions. The Payment Card Industry Data Security Standard (PCI DSS) requires card issuers, merchants, and testers to encrypt, tokenize, and otherwise protect this information.

Other Sensitive Information

Information like codes and formulas that constitute trade or military secrets need to be protected. You cannot afford to have this critical data lost in a data breach.

Sample Data Privacy Laws

  • HIPAA
  • GDPR
  • FERPA
  • FISMA
  • FFIEC
  • CPRA

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) implements industry-wide standards for health care information. Health care providers, organizations, and their associates are required to develop and follow procedures for PHI when it is transferred, received, handled, or shared. It applies to all forms of PHI, including written, electronic, and oral.

GDPR

Under the General Data Protection Regulation (GDPR), all personal data of a citizen from the European Union must be secured. Companies are required to protect any data that can directly or indirectly identify an individual ("data subject"). These identifiers include, but are not limited to:

  • Social Security Number
  • Credit Card Number
  • Bank Account Number
  • First Name
  • Last Name
  • Address
  • Zip Code
  • Email Address
  • Medical Information
  • Genomic Information
  • IP Address
  • Geolocation Data
  • Income and Tax Data
  • Race, Ethnicity, and Religious Affiliation
  • Sexual Orientation
  • Trade Union Membership
  • Birth Date
  • Password
  • Military ID
  • Passport Number
  • Driver\'s License Number
  • Vehicle License Number
  • Phone and Fax Numbers

The law also provides citizens with the Right to be Forgotten, or the ability to request that all information about them be removed from a company\'s possession. IRI data obfuscation products find that PII and PI you need in text, image, or facial form, and tell you where it is, and (immediately or later) automatically delete, deliver, and fix it so you can comply with GDPR right to erasure, portability and rectification provisions.

FERPA

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student records and information. FERPA gives rights and protections to parents and eligible students. Once a student reaches 18 years of age or enrolls in a post-secondary institution, he or she becomes an "eligible student," meaning all rights formerly controlled by the parents transfer to the student.

Under FERPA, a school may not generally disclose PII from an eligible student\'s records to third parties unless the student has provided written consent. Data protected includes PII and no less than the following additional information:

  • Student Name
  • Student ID Number
  • Family Member Names
  • Place of Birth
  • Mother\'s Maiden Name
  • Student Educational Records
  • Immunization Records
  • Health Records
  • Individuals with Disabilities (IDEA) Records
  • Attendance Records

FISMA

The Federal Information Security Management Act of 2002 (FISMA) is a federal law that recognizes the importance of data protection and information security to economic and national security interests. Every federal agency must develop, document, and implement an agency-wide course of action to secure the system and assets that support the agency, including those managed by another agency, contractor, or other sources.

Information that must be protected under FISMA includes PII and other sensitive information from these categories:

  • Medical
  • Financial
  • Contractor Sensitive
  • Security Management
  • Other information specified by executive order, specific law, directive, policy, or regulation

FFIEC

The Federal Financial Institutions Examination Council (FFIEC) is a government inter-agency body that sets uniform principles, standards, and report forms to promote uniformity in the supervisions of financial institutions. Additionally, the Council oversees real estate appraisal.

Banks, credit unions, and other financial institutions are subject to the rules enacted by the Council. In addition to PII and Non-Public Personal Information (NPI), these institutions need to protect:

  • Income
  • Credit Score
  • Collection History
  • Family Member PII and NPI

CCPA (now CPRA)

The California Consumer Privacy Act of 2018 (CCPA) and the newer CPRA version, protects the data of Californians from being collected and mishandled. The law grants the citizens of California the rights to know all the information a business collects on them, to forbid companies from selling their data, to delete their data, and more.

List of PII PHI PANs Other Information

  • Social Security Number
  • Credit Card Number
  • Bank Account Number
  • First Name
  • Last Name
  • Address
  • Zip Code
  • Email Address
  • Birth Date
  • Passwords
  • Military ID
  • Driver\'s License Number
  • Vehicle License Number
  • Phone Number
  • Fax Number
  • Names
  • Addresses / Zip Codes / Geocodes
  • Dates
  • Phone Numbers
  • Fax Numbers
  • Email Addresses
  • Social Security Numbers
  • Medical Record Numbers
  • Health Plan Beneficiary Numbers
  • Account Numbers
  • Certificate / License Numbers
  • Vehicle Identifiers
  • Device Identifiers
  • URLs
  • IP Addresses
  • Biometric Identifiers
  • Facial Images
  • Any Other Unique Identifiers

  • There is no list of PANs, as they are unique to individual accounts.

    A PAN is a 14, 15, or 16 digit number generated as a unique identifier for a primary account.

  • Codes
  • Formulas
  • Trade Secrets
  • Military Information
  • Classified Information
  • etc.
Share this page

Request More Information

Live Chat

* indicates a required field.
IRI does NOT share your information.

Follow us on

Solutions
Products
Customers
Services
Company
Support
News
Partners

Copyright © 2026 Innovative Routines International (IRI), Inc.

Live Chat More Info Newsletter
Live Demo Free Trial Get Quote

Get the IRI Newsletter

See Previous Newsletters