Why FieldShield Is Better


Next Steps
FieldShield Overview Features Technical Details GUI Platforms & Pricing Why It's Better Resources

Why is IRI FieldShield the best choice among data masking tools for databases and flat files? Learn why the first commercial data masking product off the mainframe is still regularly chosen by businesses and government agencies around the world interested in profiling and protecting personally identifiable information (PII), complying with data privacy laws, nullifying data breaches and anonymizing production data for testing.

Browse through these nine areas of rationale for some of the differentiating product highlights, and peruse the other tabbed pages on FieldShield above. Please also review our robust data masking and test data sections, and self-learning content on point here, to learn even more.



Only FieldShieldincludes multiple data source profiling tools and scanning methods to help you classify and locate PII in flat files, databases, Excel, and cloud storage repositories. Build statistical reports and charts, ER diagrams, multiple searches, and new target schema.

Only FieldShield protects sensitive data, at rest or in transit, with dozens of masking functions across 15 different categories to support an unlimited number of business rules and data-centric conditions. You can mask multiple database and file sources separately, or in combination (e.g., ETL environments) with other operations in the same job and I/O pass.

Static data masking jobs can run on source (and on the fly to) or on replicated data through: 1) the command-line executable, 2) API calls (see the SDKfor .NET, C/C++, and Java), 3) the free IRI Workbench Eclipse™ GUI for FieldShield, 4) batch scripts, 5) job schedulers, 6) CI/CD pipelines; 7) SQL procedures, 8) real-time DB refresh operations in IRI Ripcurrent; or, 9) third party programs making system calls. Also available are several methods for dynamic data masking (and even decryption), in addition to static data masking, using FieldShield.


The need-based, field-level protections in FieldShield complete faster than full database or device-centric encryption approaches, especially in real-time. FieldShield masking functions also consume less CPU and I/O. They can even run on a conditional basis, tied to new or specific rows, ranges of values, or discrete values.

FieldShield also uses the decades-proven and -enhanced big data movement engines of its parent product, IRI CoSort to scale performance in volume linearly. A 21-million row Oracle table with multiple columns to encrypt was masked and updated from a LAN-connected Windows PC using FieldShield in 11 minutes. Most masking jobs run faster, as do classification and search operations across huge tables and schema.

In IRI Voracity, there are also Hadoop options to run FieldShield jobs that scale horizontally and elastically -- without recoding-- too. So if performance in volume that does not rely on your SQL engine is a concern, FieldShield is the only choice.


FieldShield allows you to specify data protections on a conditional basis using either SQL SELECT syntax or /INCLUDE-OMIT logic in your jobs, so that you can target protection function based on a pattern, value, or range in a specific column or string. Moreover, because FieldShield uses the power of the CoSort SortCL data manipulation and formatting program, you can leverage its syntax and features to accommodate custom business logic requiring joins, substrings, sequencing, statistical calculations, aggregations, data validation and cleansing, reporting and more.

With FieldShield, you can of course choose a protection for each field from any of the masking function categories, or your saved rules, based on your business rules. Consider a health insurance claim table with 19 columns, 3 of which have PHI: pseudonymize the name, mask the SSN, encrypt the medical billing code, and leave the remaining data alone.

FieldShield data masking functionality also seamlessly extends into various test data scenarios in IRI Workbench, including the application of masking functions in the database subsetting wizard, ETL operations, direct population of referentially correct tables in lower non-production environments, or the virtualization of test data for immediate DevOps needs.


Most encryption solutions have one method or key, and cover an entire data source or device. If compromised, everything is exposed. With FieldShield, other fields are still protected even if one is breached. Multiple encryption functions and keys for different fields and different recipients also help, as do the choice of three internal key management methods plus proven integrations with the Microsoft Azure Key Vault and Townsend Security Alliance Key Manager system.

Several non-reversible data masking and obfuscation functions, as well as simple field removal, also enhance security; see our articles on data masking function choice and this on data deletion.

FieldShield jobs, data definitions, audit files, and related assets can be secured through a free, distributed metadata management hub and controlled on the basis of roles in multiple ways.

Security of the masked data is also enhanced through FieldShield's included risk measurement capabilities. Research and marketing data sets with masked identifiers can still have quasi-identifiers unmasked. FieldShield users can score re-identification risk and further generalize their data to preserve its utility while reducing the ability of attackers to expose individuals in the data set.


FieldShield can produce a single secured output for multiple recipients, with selective authorization to reveal the plain text controlled by managed en(de)-cryption keys. This reduces protection time, storage, and the complexity (synchronization problem) of managing disparate versions of the output.

FieldShield can also produce multiple outputs for distributed anonymization scenarios. Either way, however, by specifying all the protections in one FieldShield program, there is only one job to create, manage, and audit.

You can easily apply a common protection rule to multiple tables at once (without Java), and re-use that rule in other data protection, etc. jobs. This GUI-supported feature saves job design time, automates rule application, and preserves referential integrity.

Compliance team members can unify and control their data and FieldShield metadata assets in the cloud with a free metadata management hub (e.g., EGit).


FieldShield uses self-documenting 4GL scripts to define the layouts and masking of table columns and file fields. And with the IRI Workbench GUI, built on Eclipse™, even the simple syntax need not be learned or hand-coded. Scripts interact with a color-coded syntax-aware and graphical form editor with graphical outlines, as well as parameter modification dialogs and transform mapping diagrams all interactively, and in the same pane-of-glass.

User-friendly data discovery and job definition wizards also help you design and build those scripts automatically. Data and job specs are easy to modify in the GUI or any text editor ... something else other data masking tools don't offer.


FieldShield runs on all Unix, Linux, and Windows platforms, and operates on all ODBC-connected database tables, and the sequential file formats common to most applications and mainframes, including files with header and footer records.

FieldShield also uses the same metadata and Eclipse GUI (IRI Workbench) as:

  • IRI DarkShield for finding and masking PII in multiple unstructured sources
  • IRI CellShield EE for finding and masking PII in Excel sheets LAN-wide
  • IRI Ripcurrent for real-time replication and masking using FieldShield data classes and functions
  • IRI CoSort for data transformation and reporting
  • IRI RowGen for realistic test data synthesis or subsetting
  • IRI NextForm for database, file, and data conversion and replication
  • IRI FACT (Fast Extract) for unloading very large databases
  • IRI Voracity for total data management; i.e., discovery, integration, migration, governance, and analytics, where FieldShield data masking functions can be expressed and executed in the same job and I/O pass with data transformation, database subsetting, cleansing, replication, and reporting operations for example.

Many of the same masking functions in FieldShield are also plug-compatible with IRI CellShield for masking PII ergonomically in Excel spreadsheets and the IRI DarkShield API for masking PII in unstructured text/log files, PDF/MS Office documents, NoSQL databases, and images.

You can also run FieldShield job scripts alongside WindocksActifio or Commvault cloning operations to seamlessly mask copies of the databases you are virtualizing/replicating for testing. Similarly for integrated test data provisioning, FieldShield, DarkShield, or RowGen jobs can be called into Amazon Code Pipeline, Azure DevOps, GitLab, and Jenkins CI/CD operations.

FieldShield data definition files work with all IRI products, and are compatible with DataSwitcherwin (AnalytiX DS) Mapping Manager and the Meta Integration Model Bridge (MIMB). Their .ddf data layout file support means you can quickly leverage the existing metadata in your ETL, BI, and modeling tools for FieldShieldand other IRI software.


FieldShield creates data mapping diagrams and queryable XML (and soon JSON) job logs to verify the steps you took to comply with data privacy regulations. The logs contain the runtime and application environment that auditors need. The logs can be public or private (e.g., via free EGit asset security), and populate SIEM tools like Splunk through add ons like this.

FieldShield can also score the risk of re-identification based on the distinction and separation values it finds in your data's indirect, or quasi-identifiers, and produces graphs and reports to help you further generalize those values and comply with FERPA and the HIPAA Expert Determination Rule.


FieldShield as a standalone product is licensed for perpetual use in the low five figures, and is discounted in volume and distributed runtime integration scenarios. Five FieldShield masking engine licenses are alternatively included at no charge -- along with IRI CellShield EE, IRI DarkShield, and IRI RowGen (for test data synthesis and DB subsetting) -- in the base tier of IRI Voracity data management platform subscriptions.

IRI is a stable, US-based company (since 1978) not weighed down by external shareholders or bloated marketing expenses. Customers appreciate these savings, and the included use of compatible FieldShield functions within broader Voracity data management platform operations involving data discovery, integration, migration, governance, and analytics.

Share this page

Request More Information

Live Chat

* indicates a required field.
IRI does NOT share your information.