FieldShield BFSI Use Case: Static & Dynamic Data Masking
This in-production review of IRI FieldShield was performed and reported by an IT Department Vice President at a Midwestern insurance company.
Background
Our company provides product and property insurance and reinsurance for business customers in 41 states. We work closely and routinely with a US government oversight agency which imposes strict security rules on PII, and on who has access to that PII in non-production environments, which are:
- Dev - Development utilized by developers for initial unit testing
- Qual - Quality, utilized by QA's to perform quality assurance testing
- CRT - Certified, utilized by business users for UATs performed prior to production release
The data in our production environment is restricted by roles and permission which the oversight agency deems to be in compliance with the policy. We decided to begin encrypting PII in all non-production environments and licensed IRI FieldShield software to accomplish this process. We use FieldShield in both static and dynamic data masking contexts to protect and use data stored in 58 Oracle 12c and IBM iSeries DB2 tables (and growing).
Static Data Masking with FieldShield Script Executions
We use FieldShield's format and type preserving encryption functions to encrypt bank account numbers, SSN/EIN's, etc. during our non-production database refresh processes. The encryption process works great and allows us to be in compliance with the oversight agency's requirements. The masking jobs are designed in IRI Workbench and run fast enough to use a Windows Server 2016 PC equipped with just 2 CPUs, 4GB of RAM and 160GB of disk capacity.
We encrypt 58 tables with FieldShield's static data masking feature. The largest of these has over 306,000 rows, and the next largest has almost 207,000. The majority of tables we encrypt have fewer than 1,000 rows each. The largest took just under 5 minutes to encrypt, and the second largest took just over 3 minutes.
Dynamic Data Unmasking with FieldShield Library Calls
There are also situations where we need the real value that was encrypted. For instance, in order to test the ACH process, we have to send real bank account numbers to out bank's test environment. Another instance requires verification of SSN/TIN's with the federal government, and in order to test this process we have to send real SSN/TIN's.
We are putting code in place within these processes that dynamically invoke the FieldShield dec_fp_aes256_alphanum decryption function in Java, which is documented in IRI's SDK for FieldShield. Our application converts the statically encrypted values back to real values that our bank and the federal government will recognize.
We need the decryption to happen in real time within the application, and find that it effectively limits visibility of the real data. In fact, utilizing this method keeps us in compliance because our staff will not have direct access to the decrypted values. This is still an area of development for us, and we may also utilize IRI's C# library to accommodate applications in both languages -- wherever non-persistent decrypted values are required.
Additional Points
We selected FieldShield because it uniquely allowed us to work with both Oracle and iSeries DB2, and provided the ability to encrypt and decrypt and keep the values consistent over time.
IRI Workbench is also a rich development environment built on Eclipse™ that we can use for both static and dynamic masking job design, and we note its built in PII discovery and classification, and database profiling and administration functionality.
IRI as a vendor has also been particularly responsive to our needs during the product evaluation, and in our subsequent development and roll-out support calls.
