IRI FieldShield is a robust startpoint data security, privacy law compliance, and test data provisioning package that finds, classifies, and consistently shields personally identifiable information (PII) in multiple database tables and structured (flat or compressed) file formats -- on premise or in the cloud, static or streaming -- with one or more data masking functions.
FieldShield is also a deterministic, content-aware data loss prevention tool because it applies the specific protections you need to only the columns (fields) that need protecting. It also scores the risk of re-identification from quasi-identifiers, and provides extensive audit trails to document job procedures and performance.
Click on the technical attributes of FieldShield below to learn more:
Classification & Discovery
According to Gartner's data masking analysts, only about half of enterprises with sensitive data at rest know where it is. Included cross-platform DB and file profiling tools in FieldShield classify, locate, and diagram PII based on pattern, value-lookup, and fuzzy search matches. Additional search wizards automate the discovery of PII based on data classes, column names, and RegEx patterns across multiple files, tables, schemas and databases.
FieldShield users can apply the same or different functions to any number of columns in any number of sources, simultaneously. FieldShield delivers data-centric protection in 14 off-the-shelf functional categories, and the ability to define (customize) your own masking routine:
- multiple, NSA suite B and FIPS-compliant encryption and decryption algorithms, including format-preserving encryption
- SHA-1 and SHA-2 hashing
- ASCII de-ID (bit scrambling)
- binary encoding
- data blurring (random noise)
- and bucketing / generalization (anonymization)
- redaction (string masking), effectively also erasure
- reversible and non-reversible pseudonymization
- expression (calculation / shuffle) logic
- conditional / partial filtering (omission)
- custom value replacement and type/format conversion
- byte shifting and sub-string functions
- tokenization (for PCI)
The "shield" you choose for each field depends on your need for security, reversibility, appearance, and speed. In addition to the built-in functions, you can also write and call your own field functions at runtime.
Differential masking functions applied to different classes of data mean multiple ways to harden data in a single record. Field (column)-level protections are also safer because even if there is a breach based on access to a given column decryption key, for example, the other columns may still have their own protection applied. Contrast that to a single password opening access to everything in the database, table, file, or volume.
FieldShield also uses state-of-the-art encryption algorithms that are difficult to crack. You can strengthen encryption with random tokenization, hashing, and secure, changing encryption keys. The data obfuscation techniques in FieldShield can also forever (irreversibly) redact original values. A non-reversible data masking method like redaction or filtering removes any computational basis for deriving the original value.
Field-level protection is inherently efficient; i.e., you apply protections surgically to selected rows and columns rather than in bulk. Where the data are large, FieldShield uses the advanced data movement algorithms and resource exploitation techniques for which its parent IRI CoSort (big data transformation and reporting) product is famous.
You can also combine FieldShield with IRI FACT (Fast Extract) to unload very large database (VLDB) tables into flat files for faster protection operations. If you use the parent CoSort SortCL program, you can run the same protections during data transformation, cleansing, mapping, and pre-load sorting jobs that feed BI and DB targets.
And if you use FieldShield in the Voracity platform equipped with the premium VGrid (Voracity gateway) option for Hadoop, you can run many of the same data masking jobs interchangeably in MapReduce2, Spark, Spark Stream, Storm or Tez.
FieldShield includes automated, peer-reviewed statistical analysis and graphical scoring of re-identification risk to support compliance with FERPA, the HIPAA Expert Determination Method security rule, and Recital 26 of the GDPR.
The PII discovery processes in FieldShield can be used not only to classify data, but also to create a record of where it was found, and to extract search results into formats you can use to deliver that data to requesters in compliance with GDPR data portability provisions. Data erasure and cleansing through included capabilities also support the Rights to be Forgotten and to Rectification.
FieldShield provides an audit trail in query-ready log files for every masking job. Those logs record all the scripted metadata for the source data and target data and masking functions, plus salient runtime environment for user accountability.
Finally, FieldShield provides for real time security through multiple methods, including: role-based access controls, robust encryption key management, direct support for SQL SELECT and UPDATE logic, and masking routines called into your applications.
Ease of Use
Column encryption from database vendors is cumbersome and limited to their platform or a few functions. Other data masking tools on the market are clunky, and job design and modification in them are difficult. Preserving referential integrity with them has also been an issue.
Static Data Masking jobs in FieldShield, on the other hand, are defined in self-documenting 4GL scripts that clearly identify source field layouts and target field protections and formats. The scripts are easy to modify and share securely with developers and end-users of FieldShield who need to mask or unmask data.
FieldShield scripting and language learning, however, are not required! With the free IRI Workbench GUI for FieldShield built on Eclipse™, you get a familiar, graphical IDE with:
- single- and multi-source data masking job creation wizards
- automated PII discovery, classification, and metadata definition
- re-ID risk scoring for HIPAA Expert Determination Method, FERPA and GDPR compliance
- master data definition and protection
- automatic masking rule application across semantically-matched column names or data classes
- project management (teaming) and version control
- encryption key management
- XML job audit logs for verifying privacy law compliance
FieldShield jobs launch from and run anywhere you need them to. Choose from ad hoc or scheduled execution from IRI Workbench, on a Unix/Linux/Windows command line, or from any application or automation tool you prefer.
Programmers find FieldShield easy to use for dynamic data masking because the SDK IRI publishes for C/C++, Java, and .NET developers is relatively short and simple.
FieldShield users enjoy immediate metadata links, job scripting compatibility, and graphical integration with the re-ID risk scoring, data transformation (integration and staging), synthetic test data generation and DB subsetting, data migration and replication, data cleansing and enrichment, plus 2D reporting, analytics and data wrangling functionality in the IRI Workbench GUI for IRI Voracity, the "total data management" platform. Upgrading to Voracity and its default, FieldShield-compatible SortCL program allows you to add data masking to the same job script and I/O pass with multiple data manipulations.
FieldShield also shares data classification and masking functions with IRI Ripcurrent for incremental real-time DB masking and with IRI DarkShield for semi- and un-structured data sources. In addition to handling the variety and volume of big data, FieldShield and other IRI data masking tools supported in Workbench and included in Voracity also handle different aspects of data velocity; i.e., Ripcurrent (above), in SQL statements, pipes, programs and message queues, as well as via dynamic data masking or ad hoc / scheduled batch jobs.
FieldShield and other IRI tool data definition file (.ddf) metadata is also supported by DataSwitch, erwin (Quest) Mapping Manager, and the Meta Integration Model Bridge (MIMB). These tools convert metadata already defined in third-party BI, CRM, DB, ETL, and data modeling tools into FieldShield DDF. FieldShield is also compatible with Windocks, Actifio and Commvault database cloning software. All of this makes it easier for you to protect data in your current environment.
FieldShield functionality has been on the market in CoSort since 2007 and on its own as a standalone product since 2011. It is supported in GUI, CLI or API modes by IRI directly, its authorized representatives in major cities around the world, and third-party cyber security consulting partners. These experts are all vested in your success and are committed to rapid, responsive help on your use cases or trouble tickets with or without formal SLAs.
Expect the same level of support years into your use of the product that you received during your evaluation and proof of concept phases as your needs change. We are happy to provide you with references who will speak to their experiences with IRI data masking technology and support.